Continuous VulnOps: Why AI Is Changing Cyber Security Faster Than Most Organisations Realise
by Sara Vecchini
Continuous VulnOps is rapidly becoming one of the most important disciplines in cyber security.
As frontier AI models such as Anthropic’s Mythos accelerate vulnerability discovery and exploit development, organisations can no longer rely on vulnerability management processes designed for a slower, more predictable world.
You’ve probably seen the headlines. AI is supposedly unleashing a “zero-day tsunami” and changing cyber security forever. There is certainly some truth in this. The speed at which vulnerabilities can be discovered, analysed and weaponised is increasing. However, much of the discussion around models like Mythos risks oversimplifying what is actually happening.
The reality is both less dramatic and more important.
What Is Mythos and Why Is Everyone Talking About It?
Very little has been publicly disclosed about Mythos itself. We know it performs exceptionally well on public benchmarks and that it has been designed to operate with significantly greater autonomy than previous models. However, what makes Mythos genuinely interesting is not simply its intelligence.
The real innovation lies in its ability to operate within an agentic workflow.
Rather than acting solely as conversational assistants, models like Mythos can execute code in isolated environments, launch debugging tools, observe their own results, and refine their hypotheses based on feedback. This allows them to participate in vulnerability research and exploit development workflows with minimal manual intervention.
That does not mean AI has suddenly become an autonomous cyber security researcher.
When you hear that “AI found a zero-day vulnerability”, a more accurate statement is that an AI model, operating within a purpose-built vulnerability research pipeline, found a vulnerability. The model is powerful, but it still depends on the surrounding engineering, tooling and human oversight.
This distinction matters because it highlights an important truth about cyber security and AI. The technology itself is not magic. Success still depends on how effectively organisations build and operate the systems around it.
The Myth of Autonomous Cyber Security
There is a tendency in our industry to treat each technological leap as a replacement for what came before it.
That is not what we are seeing with AI.
Traditional security tools remain extremely valuable because they excel at analysing the logic of software. Static analysis tools identify known coding weaknesses and insecure patterns. Dynamic analysis and fuzzing uncover behaviours that lead to crashes or exploitable conditions.
AI contributes something different. It is exceptionally good at understanding context and intent.
Large language models can infer what developers intended code to do. They can interpret comments, variable names and function definitions, identifying situations where software behaves correctly according to its logic but incorrectly according to its intended purpose.
This makes AI complementary to traditional tooling rather than a replacement for it. The organisations seeing the greatest benefit are those combining AI-assisted reasoning with proven security engineering techniques.
Why Continuous VulnOps Matters
The bigger challenge is not whether AI can find vulnerabilities. It is what happens when it can find them faster than organisations can respond.
The time between vulnerability discovery and exploitation is compressing. Activities that previously required weeks of investigation can increasingly happen in days or even hours.
This has significant implications for defenders.
Many organisations still approach vulnerability management as a periodic exercise. They run scheduled scans, produce reports, prioritise findings and remediate issues over extended patch cycles. In an environment where attackers can rapidly chain together weaknesses and develop exploits at machine speed, these processes increasingly create avoidable exposure.
Continuous VulnOps is designed to address this problem.
Rather than treating vulnerability management as a periodic compliance activity, Continuous VulnOps treats vulnerability discovery and remediation as an operational capability that is integrated into daily security activities. It emphasises continuous visibility, faster validation, AI-assisted triage and the ability to reduce exposure windows before vulnerabilities become exploitable.
This is not simply about patching faster. If it were that easy, we would already be doing it.
Continuous VulnOps requires organisations to rethink how they measure risk and how they organise security operations.
Questions such as how quickly a vulnerability can be understood, how rapidly exploitability can be assessed and how effectively attack chains can be disrupted are becoming more meaningful than simply counting vulnerabilities or reporting severity scores.
AI Is Also a Defensive Opportunity
Much of the discussion around AI focuses on offensive capabilities, but the opportunities for defenders are equally significant.
AI can help reduce alert fatigue by acting as a first point of triage within Security Operations Centres. It can enrich alerts with context, provide initial risk assessments and help analysts focus their attention on genuinely high-risk investigations.
Similarly, AI-assisted vulnerability analysis can improve prioritisation and support remediation at scale.
The objective should never be to remove people from the process. Instead, it should be to enable security professionals to focus on the problems that genuinely require human judgement and expertise.
Cyber security jobs are not disappearing.
They are evolving.
The future security practitioner will increasingly need to understand how to orchestrate AI-assisted workflows, validate AI outputs and engineer resilient pipelines that combine automation with human oversight.
Secure by Design Is the Only Sustainable Approach
The most important lesson from Mythos is not that AI has become extraordinarily capable. It is that the economics of cyber security are changing.
If one person can discover vulnerabilities using AI, we should assume others can too.
That reality places even greater emphasis on Secure by Design principles and Continuous VulnOps. Organisations must assume vulnerabilities will be discovered faster and build systems that limit blast radius, reduce exposure and support rapid response.
AI is undoubtedly changing cyber security. However, the future is not one of autonomous security platforms replacing human expertise. It is one of AI-assisted orchestration, continuous vulnerability operations and more resilient security engineering practices.
The zero-day tsunami is only a threat if our processes remain static.
Continuous VulnOps is ultimately about adapting our operating models to a world where vulnerabilities emerge and evolve at machine speed. In that environment, secure-by-design principles and operational resilience are no longer aspirational goals. They are becoming fundamental requirements for modern cyber defence.
What This Means for Security Operations
At 2T Security, we’ve spent years helping organisations design and operate security capabilities for some of the UK’s most demanding environments, from government and defence to critical national infrastructure. As AI reshapes cyber security, we see Continuous VulnOps as a natural evolution of effective Security Operations rather than a standalone technology.
Our approach combines proven security monitoring with AI-assisted analysis to help organisations reduce alert fatigue, improve prioritisation and respond more effectively to emerging threats. The objective is not to replace analysts with AI, but to equip experienced security professionals with better information, greater context and faster decision support.
That work is led by our Security Operations team, headed by Dr Sara Vecchini, a data scientist with a PhD in Astrophysics whose research background in extracting meaningful signals from vast, complex datasets directly informs how we apply artificial intelligence to modern cyber defence. By combining data science, threat intelligence and operational security expertise, we focus on practical applications of AI that improve resilience while keeping people firmly at the centre of security decision-making.
As vulnerability discovery accelerates and attack timelines continue to shrink, organisations need security operations that can adapt just as quickly. AI is becoming an important part of that capability, but only when it is integrated into robust processes, sound engineering and experienced operational teams.
