In April 2026, Anthropic released its newest frontier model, codename Mythos, to twelve partners under a gated preview. Not general availability; the company explicitly held it back as it was correctly deemed too dangerous for open release. In its first 14 days inside that sandbox, it wrote 181 working Firefox exploits. The previous state-of-the-art model managed two. It surfaced thousands of zero-days across every major OS and browser, including a 27-year-old bug in OpenBSD, an operating system whose entire reputation is built on not having bugs like that. Over 99% of what Mythos found is still unpatched in production today. That is not a forecast. That already happened.
Machine-Speed Offense Has Arrived
Now pair that reality with what is already in the wild. In February, AWS Threat Intelligence published a postmortem on a FortiGate campaign run by a single operator. One person, low skill, no hands on keyboard. The AI did the work, and it hit 2,516 devices across 106 countries in parallel, taking just minutes per target. Zero days were not required. Known CVEs and misconfigurations were enough; the AI simply operated faster than anyone could respond.
Two data points, one clear message: offense now runs at machine speed. The question every defender should be asking is not “are we compliant?” or “are we covered?” It is more granular and more pressing: “What is actually getting through my controls today, and how far?” If the honest answer involves a quarterly pentest report and some dashboard screenshots, the rest of this piece is required reading.
This is where the concept of auto validation becomes critical. Instead of relying on manual reviews, periodic testing, or human analysis to confirm that security controls actually block attacks, organizations need an automated, continuous mechanism to validate that their defenses work—before attackers exploit a gap.
How Fast Can Attackers Exploit a Published CVE in 2026?
Let us look at the numbers. A decade ago, the median time from a CVE’s publication to a working exploit appearing in the wild was measured in months—long enough for a real patch cycle. By 2024, that window had shrunk to about 56 days. By 2025, it was down to 23 days. Recent CVE-to-exploit pairings from CISA KEV, VulnCheck KEV, and exploit databases now show a median delta of roughly 10 hours.
Reversing a published fix into a working exploit is no longer a specialist craft. It is now a prompt. A malicious actor can feed a patch diff into a large language model and get a working exploit back in minutes. This means the comfortable assumptions of vulnerability management—that CVSS scores meaningfully prioritize, that “exploitability” is a useful filter, that you have time between disclosure and weaponization—have all quietly broken.
The safer working assumption is now: every vulnerability has an exploit, or will, before you finish your next change-management meeting. Over 99% of Mythos findings remain unpatched. The Glasswing public report lands in July. A guide from Picus Labs covers 12 operational recommendations security teams need to close the gap between AI-speed offense and human-speed defense, including five actions for week one. At the heart of those recommendations is a push toward auto validation of security controls.
The Real Bottleneck Isn’t Tooling — It’s the Spaghetti Handoff
Let us start with the attacker first. At second zero, the AI script kicks off. By second five, a CVE is exploited. MFA bypassed by twenty. Web shell dropped at thirty. Credentials dumped at forty-five. By second seventy-three, the compromise is complete. No human in the loop, no hesitation, no team meetings, no coffee breaks.
Now picture the defender. The SIEM alert fires at one minute, after the attacker is already done. A Tier 1 analyst picks it up around minute five. Someone triggers a SOAR playbook, by hand, at minute fifteen. A Jira ticket gets filed an hour in. Four hours later, it lands in the IT ops queue. The patch goes out the next day, twenty-four hours after the breach that took seventy-three seconds to complete.
Notice where the time goes. The time dies between the tools. A Slack message here, a copy-pasted hash there, a PDF report emailed, a ticket waiting for approval, a red team script being rebuilt by hand for the blue team. This is the spaghetti handoff, and it is as messy as it sounds.
Accelerating one node in a graph does not accelerate the graph. You can speed up your SIEM, your SOAR, your patch deployment tool—but if those nodes still talk to each other through human-driven handoffs, the overall response remains stuck at human speed. The attacker completes in 73 seconds. The defender is still writing a Jira ticket an hour later.
Why Manual Validation Fails at Machine Speed
Traditional security validation follows a manual or semi-manual cycle. A vulnerability scanner reports a finding. An analyst reviews it, checks exploitability, consults a threat intelligence feed, writes a ticket, and escalates to the patch team. Meanwhile, the exploit is already in the wild. By the time the analyst finishes their research, the attack may already be inside the network.
Even automated scanning tools have a validation gap. They tell you what is present—a missing patch, a misconfiguration, an open port—but they do not tell you whether your existing controls would actually block an exploit attempt against that vulnerability. A web application firewall might have a rule that theoretically covers a CVE, but nobody knows if it actually works until someone tests it. And testing it manually takes days or weeks.
This is the core problem that auto validation solves. Instead of asking “Is this vulnerability present?” you ask “Can an attacker successfully exploit this vulnerability through my current defenses?” And you ask that question continuously, automatically, without human intervention.
Introducing Auto Validation: The Missing Layer
Auto validation is the practice of continuously and automatically testing whether your security controls successfully prevent known attack techniques, exploits, and misconfigurations from achieving their objective. It moves beyond simple vulnerability scanning into active, safe simulation of real-world threats—at machine speed.
Think of it as a permanent, automated red team that never sleeps. Every time a new CVE is published, every time a rule is added to your firewall, every time a new endpoint is deployed, the validation engine runs a test. It attempts to exploit the vulnerability or bypass the control in a controlled, safe manner. Then it reports immediately: “Blocked” or “Bypassed.”
No human needs to read a threat intelligence report, write a test case, or wait for a quarterly pentest. The validation happens in seconds, and the results flow directly into your ticketing system, your SIEM, or your dashboard. The spaghetti handoff disappears because the validation step is entirely automated.
How Auto Validation Changes the Defender’s Timeline
Let us revisit the defender timeline with auto validation in place.
At second zero, the attacker’s script kicks off. But the defender’s auto-validation engine has already run a test against the exact CVE the attacker is using—perhaps minutes after the CVE was published. It found that the WAF rule expected to block that exploit is misconfigured. It automatically created a ticket, updated the WAF rule, and re-validated that the block now works. All of this happened before the attacker even launched their campaign.
When the SIEM alert fires at one minute, the auto-validation engine already knows that this particular attack path is blocked. The Tier 1 analyst sees a green checkmark: “Validated: blocked.” No need to escalate, no need to manually investigate. The incident can be closed in seconds.
Even better: if the auto-validation engine finds that the current defenses cannot block the attack, it can automatically deploy a virtual patch, adjust firewall rules, or quarantine the vulnerable asset—all within the 73-second window the attacker uses. This is not theoretical. Several platforms already offer this capability, integrating with breach and attack simulation tools, endpoint detection and response systems, and cloud security posture management.
You may also enjoy reading: 5 Ways China Earns $500M Per Hour from AI Exports.
Overcoming the Objections: Safety, Noise, and Culture
Security teams often push back on automated active testing. They worry that auto validation will cause production outages, generate false positives, or overwhelm analysts with alerts. These are valid concerns, but they are manageable.
Safety First: Controlled Simulation
Modern validation engines do not launch live malware or trigger destructive actions. They use benign payloads, emulated techniques, and safe traffic that mimics attacker behavior without causing harm. For example, instead of actually dropping a ransomware binary, the engine might test whether a file with a similar hash would be blocked by the endpoint detection tool. These tests are designed to be non-disruptive.
Noise Reduction Through Context
Auto validation generates far fewer alerts than traditional scanning because it only reports what is actually exploitable. A scanner might list 10,000 missing patches, but auto validation would show that only 47 of those patches correspond to exploits that would actually succeed against your current controls. That is actionable intelligence, not noise.
Cultural Shift: From Blame to Continuous Improvement
Adopting auto validation requires a cultural change. Teams that are used to manual reviews and quarterly pentests may feel threatened by automation. The key is to frame it as a force multiplier, not a replacement. Analysts can focus on the 1% of findings that require human judgment—advanced evasion techniques, business logic flaws, or novel attack chains—while the machine handles the routine validation of known CVEs and misconfigurations.
Practical Steps to Implement Auto Validation
The Picus Labs guide mentioned earlier covers 12 operational recommendations. Here is a distilled action plan for teams ready to start.
Step 1: Map Your Critical Attack Paths
Identify the most likely ways an attacker would enter your environment. Focus on internet-facing assets, privileged access, and email gateways. Use threat intelligence and past incident data to prioritize the attack techniques that matter most to your industry.
Step 2: Select an Auto Validation Platform
Several vendors offer breach and attack simulation (BAS) tools with automated validation capabilities. Evaluate them based on coverage of CVEs, integration with your existing security stack, and safety mechanisms. Look for platforms that support continuous, scheduled validation—not just point-in-time tests.
Step 3: Integrate with Your Ticketing and Response Systems
The value of auto validation multiplies when its results feed directly into your workflow. Configure the validation engine to automatically create tickets for failed controls, trigger SOAR playbooks for urgent bypasses, and update dashboards for leadership visibility.
Step 4: Start with the Most Critical CVEs
Do not try to validate every CVE from day one. Begin with the CVEs that are actively exploited (CISA KEV) and that affect your most critical assets. As the team gains confidence, expand coverage to all published vulnerabilities and misconfigurations.
Step 5: Validate Continuously, Not Periodically
Set the validation engine to run every time new threat intelligence is ingested, every time a control is changed, and at least daily for the highest-priority attack paths. The goal is to achieve a state where the time between “new CVE published” and “validated that defenses block it” is measured in minutes, not days.
The Boardroom Perspective: From Technical Problem to Existential Risk
Six months ago, AI-driven cyber risk was a technical problem to delegate. Today, boards are treating it as existential and governing it directly. The Mythos release and the FortiGate campaign have made it clear that the gap between offense and defense is no longer measured in months or even days—it is measured in seconds.
Boards are now asking the same question that security engineers are asking: “How do we know our controls actually work right now?” A quarterly pentest report no longer answers that question. A SOC 2 audit no longer answers it. The only credible answer comes from continuous, automated evidence—auto validation provides that evidence in real time.
The ability to demonstrate that every critical CVE is blocked, every rule is effective, and every path is secure is becoming a fiduciary requirement. Organizations that cannot prove their defenses work—continuously and at machine speed—will face higher insurance premiums, lost contracts, and regulatory scrutiny.
