Anthropic Endorses EPSS Model to Tackle AI-Accelerated Wave of Machine-Speed Software Vulnerabilities
Anthropic recommends EPSS to prioritize vulnerabilities found by its Mythos AI. Discover how machine-speed discovery is changing cybersecurity triage in 2026.
By: AXL Media
Published: Apr 23, 2026, 3:42 AM EDT
Source: Information for this report was sourced from CSO Online

The Advent of AI-Driven Vulnerability Discovery
The release of Anthropic’s Mythos has signaled a fundamental shift in the cybersecurity landscape, moving from human-paced bug hunting to unprecedented machine-speed discovery. This class of AI-based systems can identify and exploit software flaws at a rate that threatens to overwhelm traditional defensive programs. As these models accelerate the offensive side of cybersecurity, the industry faces an immediate crisis of prioritization. Defenders are no longer just struggling with the volume of vulnerabilities but are now racing against an AI that can bridge the gap between discovery and exploitation in a fraction of the time previously required by human actors.
Strategic Endorsement of Probabilistic Triage Models
To combat the coming wave of reports, Anthropic has explicitly pointed toward the Exploit Prediction Scoring System (EPSS) as a primary method for defensive triage. Developed by data scientists at Empirical Security and published via FIRST, EPSS acts as a probabilistic model similar to weather forecasting, predicting which vulnerabilities are likely to be exploited within the next 30 days. Anthropic’s guidance suggests that security teams should prioritize patching the CISA Known Exploited Vulnerabilities (KEV) catalog first, followed by any flaws exceeding a specific EPSS threshold. This machine-learning approach is designed to distill thousands of open CVEs into a focused, actionable queue for IT departments.
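The ordering described above (KEV entries first, then flaws over an EPSS threshold) can be sketched as follows. This is an added example, not code from Anthropic, FIRST or CISA: the CVE IDs and scores are constructed, the input layouts are assumed to match the public EPSS daily CSV and the CISA KEV JSON, and the threshold is left to the caller because the article does not state one.

```python
import csv
import io
import json

# Constructed sample inputs (not real data). Layouts assumed to follow the public
# EPSS daily CSV (comment line, then cve,epss,percentile) and the CISA KEV JSON.
EPSS_CSV = """#model_version:sample,score_date:2026-04-23T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.00042,0.120
CVE-2099-0002,0.91200,0.998
CVE-2099-0003,0.03100,0.860
CVE-2099-0004,0.45000,0.975
"""
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-2099-0003"}]})


def load_epss(text):
    """Return {cve: probability of exploitation in the next 30 days}."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def load_kev(text):
    """Return the set of CVE IDs listed in the KEV catalog."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}


def triage(open_cves, epss, kev, threshold):
    """Order open CVEs: KEV entries first, then EPSS >= threshold, rest deferred.

    A CVE with no EPSS score yet is kept visible with score None instead of
    being silently dropped or treated as zero.
    """
    queue, deferred = [], []
    for cve in sorted(set(open_cves)):
        score = epss.get(cve)
        if cve in kev:
            queue.append((0, cve, score))
        elif score is not None and score >= threshold:
            queue.append((1, cve, score))
        else:
            deferred.append((cve, score))
    # Tier first, then highest EPSS first; an unscored KEV entry sorts last in its tier.
    queue.sort(key=lambda t: (t[0], -(t[2] if t[2] is not None else -1.0)))
    return [(c, s) for _, c, s in queue], deferred
```

A KEV entry stays at the head of the queue even when its EPSS score is low, as with the constructed CVE-2099-0003, and an unscored CVE lands in the deferred list with `None` so it can be rechecked against the next daily EPSS update.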
Structural Strains on Traditional Vulnerability Databases
The emergence of Mythos coincides with significant stress on legacy systems like the National Vulnerability Database (NVD). Recently, the volume of new flaws forced NIST to scale back its enrichment of vulnerability reports, a process that relies heavily on human-driven analysis to assign CVSS scores. Ed Bellis, CEO of Empirical Security, noted that while CVSS remains a human-centric effort, EPSS is entirely machine-driven and updated daily. This distinction is becoming critical as the mean time to exploit a vulnerability is projected to drop to just one hour this year, and potentially to one minute by 2028, rendering manual enrichment processes obsolete.