Decrypted | Insights from Virtru to Unlock New Ideas

Mythos Is a "Walls Crumbling" Moment — And We're Gonna Need a Smaller Boat

Written by Matt Howard | Apr 9, 2026 9:00:18 PM

Richard Stiennon is a seasoned analyst in cybersecurity. When he writes, I read carefully. His piece this week on Claude Mythos Preview is essential reading for anyone who cares about the future of data security.

TLDR: Richard is 100% right. Mythos is a break-glass moment.

But I want to add a dimension to his argument that I think is equally important — and that the industry is not yet talking about loudly enough.

Mythos isn't just a break-glass moment. It's a walls-crumbling moment. And it may be the last straw that finally breaks the back of perimeter-centric security thinking for good.

The Camel's Back is Broken

Richard's analysis of Mythos is sobering. A single AI model — still in preview, still restricted to select partners — identified a 27-year-old vulnerability in OpenBSD, one of the most hardened operating systems on the planet. The same model has been used to surface thousands of zero-day vulnerabilities in a matter of weeks. Thousands.

As Richard points out, this feels like 2010 — when virus signatures exploded from a handful a week to 60,000 a day and the antivirus model simply broke under the weight of its own assumptions. Symantec and McAfee couldn't patch fast enough. The model collapsed. The industry was forced to reinvent itself.

We are at that same inflection point now. Only the stakes are orders of magnitude higher.

If one team using Mythos can increase the total annual CVE count by 30% — what happens when thousands of researchers have access to models like it? We currently have 360,000 cataloged CVEs. Are we heading toward 3.6 million? Can scanners keep up? Can patch management keep up? Can the entire vulnerability management industry — as currently architected — keep up?

The honest answer is no.

I wrote about this same tension on March 30th after returning from RSA 2026. The overwhelming majority of what was on the show floor was vendors selling variations of the same fundamental idea: build a higher wall, a smarter moat, a better lock on the front door. Detect threats faster. Patch vulnerabilities quicker. Stop data from leaking out. Prevent the bad actor from getting in.

These are legitimate problems. But they are the wrong frame for the world Mythos is ushering in.

The threat surface is now expanding faster than any wall can contain it. The attackers — human and AI alike — are getting smarter, faster, and more capable by the month. And the implicit assumption underneath most of what the industry sells — that your job is to prevent data from ever leaving your control — is fundamentally at odds with how modern organizations actually operate.

Mythos didn't create this problem. It just made it impossible to ignore.

We're Gonna Need a Smaller Boat

When the threat feels existential, the instinct is to go bigger. More tools. More controls. More perimeter. More wall. A bigger boat.

That instinct is wrong. And Mythos makes it more wrong than it has ever been.

Here's the argument I want to make, and I want to make it plainly:

In a world where AI can find and chain vulnerabilities at machine speed, at scale, across any software stack on the planet — the perimeter is no longer an effective defense. It is a liability. Every wall you build is a wall that Mythos — or its successors — can probe, map, and eventually breach. The bigger the boat, the bigger the target.

What we need instead is a tiny speedboat.

Not a bigger wall. Not a wider moat. Not another layer of perimeter defense bolted onto an architecture that was never designed for this threat environment.

A tiny, fast, open-standard speedboat, one that wraps around a single piece of data.

A boat that is two things at once:

  1. Strong and secure enough to protect data from any threat — including AI-powered adversaries that can chain vulnerabilities, bypass perimeter controls, and operate at speeds no human security team can match.
  2. Fast and flexible enough to let data flow freely — to be shared with partners, searched by analysts, analyzed by algorithms, and fed to AI agents — without ever surrendering cryptographic control over who can access it, under what conditions, and for how long.

That speedboat exists. It is called the Trusted Data Format. And the open standard that defines it lives at opentdf.io.

From Monolithic to Microservices — Security Must Make the Same Leap

There is a direct analogy here that I think about constantly — one that comes from my years at Sonatype, living at the intersection of software supply chain security and application architecture.

Twenty years ago, enterprise applications were built as monolithic three-tier systems. A presentation layer. A business logic layer. A database layer. Big, tightly coupled, hard to change, and catastrophically vulnerable at scale — because a breach anywhere in the monolith was a breach everywhere.

Then the industry evolved. Microservices. Kubernetes. Containers. The architectural philosophy flipped: smaller is better. Granular is goodness. Instead of one giant application that does everything and fails catastrophically when it breaks, you build hundreds of small, independently deployable services — each with its own boundary, its own lifecycle, its own blast radius.

The result was not just more resilient software. It was software that could move faster, scale more efficiently, and recover from failure without taking everything else down with it.

Security architecture must make exactly the same evolution.

We have been building monolithic, perimeter-centric security for thirty years. Big walls. Centralized controls. Network segmentation. The implicit assumption that if you control the perimeter, you control the data.

Mythos — and everything it represents — is the final proof that this model is broken. You cannot build a perimeter strong enough to contain an AI that can find 27-year-old vulnerabilities in OpenBSD in its spare time. You cannot patch fast enough. You cannot detect fast enough. You cannot wall fast enough.

The answer is not a bigger monolith. The answer is to move the control plane to the data itself.

Just as application architecture evolved from monolithic to microservices — where each service carries its own boundary and its own logic — security architecture must evolve from perimeter-centric to data-centric. Where each piece of data carries its own policy. Its own access controls. Its own cryptographic proof of who can touch it, under what conditions, and for how long.

This is exactly what TDF was designed to deliver.

The Existential Threat Is Two-Sided

Here is the part of this conversation that I think gets lost in the understandable panic around Mythos: the existential threat is not just that our data is becoming more vulnerable, although that is true. There is also a fundamental threat to business operations: organizations that cannot figure out how to share data — safely, at speed, with partners, machines, and AI agents — will be disrupted by those that can.

This is the two-sided nature of the crisis:

  • Side one: AI-powered adversaries like Mythos are making every perimeter control more fragile by the day. Your data has never been more at risk from external threats.
  • Side two: The organizations winning in the AI era are the ones that can safely feed their data to AI agents, securely share it with third-party partners, and enable their machines to collaborate at speeds no human workflow can match. Organizations that lock their data down so tightly that it cannot flow — in the name of security — will be outcompeted by those who figure out how to protect data AND enable it to move.

The organizations that win the next decade will be the ones that solve both sides of this equation simultaneously. Not security OR productivity. Rather security AND productivity.

That is precisely what TDF was designed for. It is the only architecture I am aware of that treats both sides of this equation as first-class requirements — not tradeoffs.

What TDF Actually Does

For those unfamiliar: the Trusted Data Format is an open standard for wrapping any piece of data — a file, an email, a database record, a model input — in a cryptographically enforced policy envelope. That envelope travels with the data. Everywhere it goes. Forever.

  • Share a file with a partner? The policy travels with it. You can revoke access after the fact.
  • Feed data to an AI agent? The agent operates within the policy boundary you define. It cannot exfiltrate what it is not authorized to access.
  • Collaborate across organizational boundaries? Each party retains cryptographic control over what they bring. Nothing leaks. Nothing lingers where it shouldn't.
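A stripped-down illustration of the data-centric pattern just described, added here as example code and not the TDF specification or any OpenTDF code: the policy rides inside the envelope with the ciphertext, a key access service (KAS) is the only party that can unwrap the data key, the wrapped key is cryptographically bound to its policy so the policy cannot be edited in transit, and the owner can revoke after sharing without touching the copies already sent. The envelope layout and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for AES-GCM) are constructed for this example.

```python
import hashlib, hmac, json, secrets

def _prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for AES-GCM.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class KeyAccessService:
    """Only holder of the key that unwraps data keys; every read is a policy decision."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.revoked = set()  # envelope ids the owner has revoked after sharing

    def wrap(self, env_id: str, policy: bytes, data_key: bytes) -> dict:
        nonce = secrets.token_bytes(16)
        wrapped = _prf_xor(self._key, nonce, data_key)
        # MAC binds the wrapped key to this exact policy: edit the policy and rewrap fails.
        tag = _mac(self._key, env_id.encode(), policy, nonce, wrapped)
        return {"nonce": nonce, "wrapped": wrapped, "tag": tag}

    def rewrap(self, env: dict, requester: str) -> bytes:
        ka = env["key_access"]
        expected = _mac(self._key, env["id"].encode(), env["policy"], ka["nonce"], ka["wrapped"])
        if not hmac.compare_digest(expected, ka["tag"]):
            raise PermissionError("policy or key access object was altered")
        if env["id"] in self.revoked:
            raise PermissionError("owner revoked access after sharing")
        if requester not in json.loads(env["policy"])["readers"]:
            raise PermissionError(f"{requester} is not an authorized reader")
        return _prf_xor(self._key, ka["nonce"], ka["wrapped"])

def seal(kas: KeyAccessService, owner: str, readers: list, plaintext: bytes) -> dict:
    """Encrypt data and attach its policy; the envelope is safe to share anywhere."""
    env_id, nonce, data_key = secrets.token_hex(8), secrets.token_bytes(16), secrets.token_bytes(32)
    policy = json.dumps({"owner": owner, "readers": readers}, sort_keys=True).encode()
    ciphertext = _prf_xor(data_key, nonce, plaintext)
    return {"id": env_id, "policy": policy, "nonce": nonce, "ciphertext": ciphertext,
            "payload_tag": _mac(data_key, nonce, ciphertext),
            "key_access": kas.wrap(env_id, policy, data_key)}

def open_envelope(kas: KeyAccessService, env: dict, requester: str) -> bytes:
    # The reader presents the envelope to the KAS; the shared bytes themselves never change.
    data_key = kas.rewrap(env, requester)
    if not hmac.compare_digest(_mac(data_key, env["nonce"], env["ciphertext"]), env["payload_tag"]):
        raise ValueError("ciphertext was altered")
    return _prf_xor(data_key, env["nonce"], env["ciphertext"])
```

Revocation here is a one-line change on the KAS side (`kas.revoked.add(env["id"])`), after which every copy of the envelope already shared stops opening, which is the "revoke after the fact" property the text describes.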

This is not a new idea. Microsoft tried to build something like it with AD RMS in 2003. They spent two decades and enormous resources on it. As I wrote after RSA, a senior architect with deep Microsoft engineering experience — now at one of the world's largest banks — looked at Virtru's TDF architecture and said simply: "Virtru is a universal RMS."

What Microsoft couldn't achieve — because their approach was trapped inside a single ecosystem, with brittle key management and no true cross-platform interoperability — TDF delivers as an open standard. Vendor-agnostic. Cross-ecosystem by design. Built for the world as it actually exists, not the world as a single vendor wishes it did.

The Intelligence Explosion Demands a Data-Centric Response

Richard closes his piece with a question that every security leader should be sitting with right now: "What happens when thousands of researchers use models like Mythos to discover new vulnerabilities?"

I'll add a companion question: What happens when thousands of AI agents — some friendly, some adversarial — are simultaneously trying to access, analyze, and act on your organization's most sensitive data?

The perimeter cannot answer that question. The perimeter was not designed for a world where the threat isn’t a human attacker probing your firewall, but an AI model that can chain blind SQL injection vulnerabilities into account takeovers, find 27-year-old bugs in hardened operating systems, and do it all at machine speed, at scale, without sleeping.

The only architecture that can answer that question is one where the protection lives in the data itself. Where the policy is cryptographic, not perimeter-based. Where access control is granular, auditable, and revocable — not dependent on whether the wall held.

That is the tiny speedboat. That is TDF. That is the architectural evolution that Mythos makes not just compelling, but urgent.