AI just found the bugs. We just patched yours.

May 13, 2026

AI just found the bugs.
We just patched yours.

Today, Palo Alto Networks disclosed a set of vulnerabilities that were found, in part, by Mythos, Anthropic’s new agentic security model. By the time you read this, every affected ON2IT customer has already been patched.

What actually happened

Palo Alto Networks, one of the most respected security engineering teams on the planet, pointed an AI agent at their own source code. Mythos read the code the way a senior researcher would, tracing execution paths, modelling attacker behaviour, asking the awkward questions, and it found things. PANW fixed them, coordinated disclosure, and shipped patches today.

This is what good looks like. A vendor with the discipline to audit themselves harder than their attackers can, using a tool built for exactly that job. Every issue Mythos surfaces inside PANW before disclosure is one that does not get sold on a forum, weaponised in a ransomware kit, or burned in a supply chain attack six months from now.

If your instinct is to read this as “even the big vendors have bugs,” you are reading it wrong. The right reading: the defenders just got faster than the attackers. That has not been true for most of the last forty years.

Why this is the start of something, not a one-off

The software industry has spent four decades writing code faster than anyone can audit it. AI changed the writing side two years ago. The auditing side was lagging. Mythos, and the models that will follow it, close that gap.

Expect the bar for software quality to rise across the industry. Quickly. In a world of AI-assisted development, AI-assisted assurance is not a nice-to-have, it is the only sane response. The vendors who lean into this will be safer to buy from. The ones who do not, will not.

What we did about it, while the advisory was still warm and before you had to ask

This is the part most security stories skip, so we will not.

The moment the advisory landed, our GSOC™ already knew which of your firewalls were affected, which maintenance windows applied, and which patches had been validated against your stack. We did not have to call you to find out. We did not have to ask which device matters most. We patched, we verified, we logged it. You can read the report when it suits you.

This is what Zero Trust as a Service is for. Not a dashboard. Not a quarterly review. A team that is already moving before you know there is something to move on.

A note on AI-native, because it matters

We have been working AI into the loop for years, not as a feature we announce, but as the way the work gets done. Mythos finding vulnerabilities inside PANW is the same pattern at the vendor layer that we run at the operations layer. AI does the unglamorous, exhaustive, around the clock work. Humans do the judgement calls. The chain holds because every link got stronger.

This is not the future of cybersecurity. It is Wednesday.

The Takeaway

Credit to Anthropic for building a model that earns its keep. Credit to PANW for using it on their own house first. And if you are an ON2IT customer: you can stop reading now. You are already patched.