Michael George is CEO of Syncro, a SaaS company specializing in PSA and RMM software for managed service providers (MSPs) and IT teams.
Forty-four thousand security professionals, 650 exhibitors and a floor full of solutions built to answer the same question: Once an attacker is inside, how do we stop them faster?
That framing—detect and respond, react and remediate—has defined security investment for the better part of a decade. Walking through the RSAC Conference in San Francisco this year, I kept hearing the same acknowledgment underneath the vendor noise: It isn’t working well enough.
Additionally, a major AI announcement that landed days after the conference closed put an exclamation point on why the industry’s posture needs to change, and urgently.
The Cost Of Responding Has Become Unsustainable
IBM’s 2024 Cost of a Data Breach Report put the average breach at $4.88 million, a 10% increase from the prior year and the largest year-over-year jump since the pandemic. Seventy percent of breached organizations reported significant or very significant disruption to their business operations.
The number that deserves more attention is the root cause data. Security Magazine’s 2024 analysis found misconfigurations driving 80% of security exposures. IBM’s X-Force Threat Intelligence Index found misconfigured cloud services involved in nearly a quarter of all cloud security incidents. These are not sophisticated nation-state intrusions exploiting unknown vulnerabilities. They are failures of environment hygiene, correctable before any attacker arrives.
Incident postmortems keep revealing the same pattern: The organization already owned the tool that would have stopped the breach. The breach happened because the environment carried configuration drift, a policy went unenforced across endpoints or the foundational work fell behind. Reaction was (and is) expensive because prevention was skipped.
AI Is Arming Attackers Faster Than It Is Arming Defenders
The AI conversation at RSAC cut both ways, and the more substantive half was uncomfortable. The most serious discussions were about AI accelerating attack, rather than accelerating defense.
Microsoft’s 2024 Digital Defense Report tracked 600 million cyberattacks per day across its customer base. CrowdStrike’s 2025 Global Threat Report documented adversary breakout times falling to under 30 minutes, meaning the window between initial access and lateral movement inside a network keeps compressing. Threat actors now have access to the same models and automation capabilities that security teams do.
Then, days after RSAC, Anthropic announced something that put a hard edge on those conversations. They built a model, Claude Mythos Preview, that autonomously discovers and chains zero-day exploits across every major operating system and browser.
The model found thousands of critical vulnerabilities entirely without human steering, including a 27-year-old flaw in OpenBSD and a chained browser exploit spanning four separate vulnerabilities. The capabilities were significant enough that Anthropic declined to release it publicly, making it the first time a leading AI lab has openly said a model is too capable for general deployment. They instead launched a controlled defensive program, Project Glasswing, to use the model to patch critical software before those capabilities proliferate.
Once Weaponized, The Attack Surface Expands Faster Than Defenders Can Respond
The core concern is that once Mythos-class capabilities escape controlled programs and reach malicious actors, the number of AI-initiated attacks will increase exponentially, and the speed and sophistication of those attacks will outpace any reactive defense.
A joint analysis from the Cloud Security Alliance, SANS Institute and OWASP concluded that organizations are already likely to be overwhelmed by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them. And Anthropic’s own documentation notes that Mythos “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” Detection and response, by definition, requires something to detect. Against autonomous exploit chains moving at machine speed, that window collapses.
The only viable answer is to not be the easiest target when that wave arrives. That means shift-left: investing in prevention now and hardening identities, endpoints and networks before an attacker finds the drift that makes the difference.
The Market Is Repricing Where Security Value Is Created
Q1 2026 cybersecurity financing hit $3.8 billion across 211 rounds, up 33% year over year. AI Security captured 46% of all capital deployed that quarter. The investment community is not waiting to see what AI-enabled attacks look like at scale. It already has a view, and it is directing capital accordingly.
The shift gaining momentum on the RSAC floor, in the technical sessions and in the conversations that happen off the main floor, is back toward prevention. Left of boom. Environment hardening over incident response. Getting in front of the failure rather than cleaning up after it.
The organizations that do this work now will be in a measurably different risk position than those still running reactive playbooks when Mythos-class capabilities become broadly accessible.
Government And Capital Are Paying Attention At The Same Time
On the policy side, Alexei Bulazel, the NSC’s Senior Director for Cyber, delivered a keynote signaling the current administration intends to take a more assertive posture on offensive cyber operations, particularly against nation-state threats from China. That posture moved from conference keynote to active government engagement within days. The Federal Reserve and Treasury briefed major U.S. bank CEOs on the cyber risks the Mythos model represents.
I also attended a Moelis and Company event where former House Majority Leader Eric Cantor spoke about the federal legislative landscape. The convergence of private capital, bipartisan policy interest and enterprise urgency is real. Security is infrastructure now, and the legislative environment is catching up.
What This Means Right Now
The window between RSAC’s conversations about AI-accelerated attacks and AI actually delivering autonomous zero-day exploit chains at scale turned out to be days, not years. The organizations that treat that as a distant problem will be in a fundamentally different position than those that treat it as a present one.
RSAC confirmed the direction. Glasswing confirmed the timeline.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
