Mythos, Glasswing, and the New Velocity of Cyber Risk
The zero-day exploitation window just went under one day. By end of year, it’ll be under one hour. In this episode of Exposed, Luke Stephens sits down with Jorge Monteiro and André Baptista, Co-Founders of Ethiack, to cut through the Mythos hype and get into what actually changed in offensive security — and what didn’t. From autonomous AI trying to escape production infrastructure, to the collapse of the security buffer, to why your mean-time-to-detect metric is now the wrong thing to measure entirely: this is the most technically grounded conversation on AI and cybersecurity you’ll find.

If you’re a security researcher, pentester, or security leader trying to figure out what this AI moment actually means for how you work, this episode of Exposed by HackerOne gives you the framework to think about it clearly.

Key points:
00:00 Introduction
00:58 What was the real reaction to Mythos inside the security community
03:35 What Mythos actually changed: reliability, not discovery
05:35 Downstream effects: Firefox, live hacking events, and the awareness shift
07:24 Project Glasswing and researcher incentives
07:57 How AI has changed research throughput and workflow
10:59 Where AI moves the needle: bypasses, library analysis, autonomous pivoting
13:23 AI chaining vulnerabilities, and trying to escape your own infrastructure
15:08 What doesn’t scale: cost, consistency, and the limits of AI alone
17:53 The operational layer problem: testing complex enterprise infrastructure continuously
17:53 Why guardrails are a two-year research problem, not a prompt
21:17 What makes a vulnerability report fast to fix
23:37 The security buffer is gone: discovery and exploitation are now simultaneous
23:23 Why teams overinvest in detection and starve on validation
25:59 Stop measuring mean time to detect. Start measuring mean time to validate.
27:39 AI-assisted remediation and the role of MCPs
31:57 The four metrics that actually prove you’re reducing real risk
33:51 Return on mitigation: reframing cybersecurity as a profit center
35:17 The zero-day clock: from two years to under one day, and heading to under one hour
36:53 Closing thoughts

Jorge Monteiro is Co-Founder at Ethiack. He brings a business and operational perspective to offensive security at scale and has been one of the clearest voices on the shift from detection-first to validation-first security programs — long before the market caught up.

André Baptista is Co-Founder and lead technical researcher at Ethiack. He has built autonomous penetration testing systems and run AI agents against real production infrastructure at scale. André brings a practitioner’s view of where AI-assisted hacking actually works, where it breaks down, and what guardrails actually require.

Luke Stephens is the host of Haksec and a veteran security researcher. He brings deep hands-on expertise in offensive security and a talent for translating complex technical shifts into practical guidance for security teams and researchers.

Website: https://ethiack.com
LinkedIn: / ethiack
Twitter/X: / ethiack

Enjoy our show?
YouTube: / @haksec

#cybersecurity #AIsecurity #haksec #offensivesecurity #pentesting #ClaudeMythos #Glasswing #zerodayexploit #vulnerabilitymanagement #agenticsecurity #infosec #bugbounty #Ethiack #remediationasymmetry #CISO


