May 6, 2026

After Mythos: The Layer Between the Exploit and Your Business

Evgeniy Kharam

Much of the commentary on AI-generated exploits is aimed at the wrong problem.

The trend itself is undeniable. Mythos pushed the issue onto board agendas, and the VulnCheck data backs it up: 40 CVEs attributed to Anthropic-affiliated researchers using Claude, including 28 high-severity Firefox vulnerabilities disclosed in just two drops. This will not be the last wave.

The window between bug discovery and a working exploit has collapsed from months to hours, and that shift is permanent. The industry’s response, however, is moving in the opposite direction.

Here is what most post-Mythos commentary is missing: attackers don’t teleport. A vulnerability only matters if an attacker can reach it. And reaching anything in a well-architected environment means crossing layers.

Consider the root password on your core router’s console port. In isolation, it is a catastrophic vulnerability: full administrative access, no meaningful authentication, no logging, game over.

But to actually use it, someone has to reach the console port. That means getting into the building, past badge readers, through the mantrap, onto the datacenter floor, into the right cage, to the right rack, on the right device, without tripping cameras or alarms, or alerting the SOC analyst to badge anomalies. The vulnerability is real. It is also irrelevant to any realistic attacker.

That is defense-in-depth. It isn’t a buzzword. It is the answer to this moment.

The honest caveat: the layers in front of your datacenter aren’t the only ones that matter.

Public-facing assets, cloud workloads, and above all, identity can give an attacker a path that skips the physical analogy entirely. That’s the point. Identity is the new console port.

MFA gaps, stale OAuth grants, over-privileged service accounts, unmanaged SaaS tenants — these are the doors that don’t require a mantrap to walk through. The layers still matter. They just have to cover every path, not just the ones that start at the front door.

The architecture is not the problem

Here is the uncomfortable truth: almost every CISO already has a well-designed defense-in-depth architecture on a whiteboard.

Firewall at the perimeter. EDR on endpoints. SASE for remote access. WAF in front of applications. Email security. Identity is the real perimeter, with MFA, conditional access, and privilege boundaries. Network segmentation. Egress controls. Vulnerability management. A plan for every layer.

The architecture is fine. The deployment is the problem.

What most organizations actually have is a half-deployed, drifted, and partially configured version of the architecture they designed three years ago.

EDR is on 87% of endpoints, not 100%. The SASE rollout stalled at the third business unit. The WAF is in detection mode on half the apps. Three email security policies are running in “monitor” because nobody wants to be the person who blocks a CEO's email.

Segmentation exists between tiers but not within them. The golden image drifted six months after it was published.

The hard part is that these gaps are rarely visible in one place. They sit across tools, policies, exceptions, identities, assets, and configurations: too many layers for humans to reconcile continuously by hand.

This is security debt. And in the post-Mythos era, security debt is what attackers actually exploit.

They don’t need a novel zero-day. They need the layer you never finished deploying.

The four questions a well-architected program has to answer

A defense-in-depth program that actually works, the kind that makes the next AI-discovered CVE irrelevant to your business, must continuously answer four questions across the entire stack:

1. How well-configured are my controls?

Not “do I have EDR.” Everyone has EDR. The real question is whether it’s tuned: prevention on or detection-only, exclusions reviewed this year, SASE policies aligned with your actual access model, WAF rules current, and email defenses resilient against AiTM phishing.

Controls that look deployed are often not doing the work they were bought to do.

2. Are all of my assets actually covered?

Every unmanaged device, every user without MFA, every unmonitored SaaS tenant is a path around your layers.

Coverage gaps are the industry’s most reliable entry point for attackers, and they are almost entirely invisible without a unified view across tools.

3. Is my configuration hygiene holding?

Golden images drift. Policies accumulate exceptions. Configurations change without anyone tracking them.

A control that was correctly configured on day one but has drifted for two years provides false assurance.

Continuous configuration validation is the difference between architecture on paper and architecture in production.

4. Which vulnerabilities actually matter, given the controls already in front of them?

A critical CVE on an asset protected by segmentation, strong EDR, and identity-gated access poses a fundamentally different risk than the same CVE on an exposed, under-covered asset with no compensating controls.

Prioritization that ignores the defensive context is prioritization that wastes your team’s time on the wrong fixes.

These sound like simple questions, but answering them manually across EDR, SASE, WAF, identity, cloud, email, SaaS, and vulnerability data is where most teams get stuck.
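The reconciliation the four questions call for, as an added example that is not the post’s or Discern’s code: a small Python script that joins constructed asset, EDR, identity, golden-image and scanner data and answers each question in turn. The host names, CVE ids and the Q4 scoring weights are all made-up assumptions.

```python
"""Join constructed asset, EDR, identity, baseline and scanner data to answer
the four questions. Example code, not Discern's; all data and weights are made up."""

# Constructed sample data: no real hosts, tenants or CVE ids.
ASSETS = {
    "web-01":   {"exposed": True,  "segment": "dmz",  "owner_mfa": True},
    "db-01":    {"exposed": False, "segment": "data", "owner_mfa": True},
    "hr-lap-7": {"exposed": False, "segment": "flat", "owner_mfa": False},
}
EDR = {"web-01": "prevent", "db-01": "detect"}          # agent mode; absent = no agent
BASELINE = {"smb1": "disabled", "llmnr": "disabled"}   # golden-image settings
OBSERVED = {"web-01":   {"smb1": "disabled", "llmnr": "disabled"},
            "db-01":    {"smb1": "disabled", "llmnr": "enabled"},
            "hr-lap-7": {"smb1": "enabled",  "llmnr": "enabled"}}
VULNS = [("web-01", "CVE-XXXX-0001", 9.8),             # scanner output, placeholder ids
         ("db-01", "CVE-XXXX-0002", 9.8),
         ("hr-lap-7", "CVE-XXXX-0003", 7.5)]

def detect_only(edr):
    """Q1: controls that are deployed but not tuned to prevent."""
    return sorted(a for a, mode in edr.items() if mode != "prevent")

def coverage_gaps(assets, edr):
    """Q2: assets with no EDR agent, or whose owner has no MFA."""
    return sorted(a for a, m in assets.items() if a not in edr or not m["owner_mfa"])

def drift(observed, baseline):
    """Q3: per-asset settings that no longer match the golden image."""
    out = {}
    for asset, obs in observed.items():
        bad = sorted(k for k, v in baseline.items() if obs.get(k) != v)
        if bad:
            out[asset] = bad
    return out

def contextual_priority(vulns, assets, edr, observed, baseline):
    """Q4: rank CVEs by CVSS adjusted for the layers actually in front of them.
    The adjustments are illustrative weights, not a standard."""
    drifted = drift(observed, baseline)
    ranked = []
    for asset, cve, cvss in vulns:
        a, score = assets[asset], cvss
        if not a["exposed"]:            score -= 2.5  # attacker must already be inside
        if edr.get(asset) == "prevent": score -= 1.5  # exploit likely blocked and logged
        elif asset not in edr:          score += 1.0  # no visibility at all
        if not a["owner_mfa"]:          score += 1.0  # identity path around the layers
        if a["segment"] == "flat":      score += 0.5  # nothing stops lateral movement
        if asset in drifted:            score += 0.5  # hardening baseline not holding
        ranked.append((round(min(max(score, 0.0), 10.0), 1), cve, asset))
    return sorted(ranked, reverse=True)
```

On this sample the 7.5 CVE on the unmanaged, MFA-less laptop ranks above the 9.8 on the segmented, monitored database, which is the point of question 4.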

What you can do this week

You do not need a new platform to start. Three moves, none of which require a budget cycle:

None of this requires outside help, but all of it will tell you whether your architecture on paper matches your architecture in production.

This is what Discern does

Every one of those four questions is a management problem, not a tooling problem. You already bought the tools. What’s missing is the layer that tells you, continuously and honestly, whether your architecture is actually standing.

That is Discern.

Discern AI continuously reasons across your security layers to identify the control gaps, coverage gaps, and configuration drift that are almost impossible for humans to track manually at scale.

Here is what we see almost every time a new customer connects their stack:

The gap is never zero — it is almost always larger than the team expected.

Discern connects to the security and IT tools you already own (EDR, SASE, WAF, Email security, IdP, cloud, vulnerability management) and gives you a single source of truth across all of them.

The result is a defense-in-depth program you can actually defend: every layer visible, every gap prioritized, every improvement measurable. And when your board asks whether the program is working, you have evidence, not assertions.

The bottom line

Mythos did not break defense-in-depth. It raised the cost of not finishing it.

The companies that survive this era will not be the ones with the fastest patching program. They will be the ones whose architecture on paper matches their reality in production, with every control fully deployed, every asset covered, every configuration held to standard, and every vulnerability judged in the context of the layers around it.

You probably already own the digital equivalents of the badge readers, the mantrap, the cameras, the cages, the locks, and the segmentation: EDR, SASE, WAF, MFA, email security, and the rest of the stack.

The work now is finishing the build, proving it holds, and making it easy to keep it that way.

Discern AI identifies where the intended defense-in-depth model breaks down — which controls are missing, misconfigured, drifting, or not covering the assets and users they were supposed to protect.

That is the work Discern was built for.
