Tuskira Research Finds 95% of AI-Discovered Vulnerabilities Were Not Yet Visible in Public Advisories
Analysis of public Anthropic Claude Mythos Preview data shows AI vulnerability discovery outpaced visible remediation by 16.5x, creating a new enterprise visibility and response gap.
SAN FRANCISCO--(BUSINESS WIRE)--Tuskira, the Agentic SecOps platform, today released new research showing that AI-driven vulnerability discovery is outpacing the security industry’s ability to disclose, patch, ingest, and operationalize new findings.
The report, “The Emerging Patch Gap: What Anthropic Mythos Data Reveals About AI-Driven Vulnerability Discovery and Enterprise Remediation,” analyzes publicly available data from the first 63 days of Anthropic’s Claude Mythos Preview disclosure program. During that period, Mythos disclosed 1,596 verified vulnerabilities across 281 open-source projects, but most were not yet visible through the public advisory channels enterprises depend on. Key findings include:
- 95% of Mythos disclosures had no public advisory at the time of the research snapshot, meaning they were not yet visible through standard CVE, NVD, GitHub advisory, or scanner-driven workflows.
- AI discovery outpaced visible Mythos-attributed remediation by roughly 16.5x: Mythos generated about 25.3 disclosures per day, while about 1.5 were marked as patched per day.
- Only 6.1% of disclosures were marked as patched in response at the snapshot, despite 90.9% maintainer acknowledgment, showing that maintainers are responding quickly but patch capacity remains constrained.
AI Discovery Exposes the Limits of Advisory-Led Defense
The report finds that responsible disclosure is working as intended, but the broader enterprise security model is under pressure from AI-scale discovery. CVEs, vulnerability databases, scanner updates, and patch bulletins remain essential, but they may no longer be early enough to serve as the first signal of risk. Two additional findings show how that pressure reaches enterprise security teams:
- The end-to-end window from private disclosure to enterprise patch-in-production can stretch 90 to 150 days, leaving defenders exposed before scanners and patch cycles catch up.
- One upstream vulnerability can trigger many downstream alerts, with a single ImageMagick CVE propagating to 18+ NuGet variants via Magick.NET.
“Most security leaders already understand that AI is finding vulnerabilities faster than teams can patch them,” said Om Moolchandani, Co-Founder, CPO, and Head of Threat Research, Tuskira. “What’s been missing is a concrete benchmark for how wide that gap is becoming. The new problem isn’t that every AI-discovered vulnerability is urgent. The problem is that CISOs need to know which vulnerabilities are reachable, exposed, and exploitable before the traditional advisory pipeline catches up.”
As AI increases the volume of valid findings, security teams must determine which vulnerabilities are actually present, reachable, exposed, and insufficiently defended before public advisories or scanner alerts arrive. The research shows that this is especially urgent in open-source software, where a single upstream issue can ripple through package managers, Linux distributions, containers, commercial products, and internal applications.
About Tuskira
Tuskira is an Agentic SecOps platform that unifies detection, exposure management, investigation, and response through a shared Security Context Graph. Tuskira’s AI agents reason across identity, cloud, endpoint, network, exposure, telemetry, and business context to detect attack paths, validate defenses, investigate threats, and orchestrate response across the tools organizations already own, helping them reduce breachable risk and build breach resilience at AI speed.
Contacts
Media Contact
Cheyenne Wells
Communications for Tuskira
tuskira@10fold.com

