
AI broke cyber-security’s maths – now what?

Sponsored by Illumio

Illumio Founder and CEO Andrew Rubin explains why Mythos and other frontier AI models are shattering cyber-security’s operating model – and why resilience is the only way forward


Cyber-security has long rested on a single, uncomfortable assumption: attackers only have to be right once, while defenders have to be right every time. The odds were bad, but the fight was at least fair. Both sides operated at human speed. Humans found vulnerabilities. Humans built exploits. And humans on the other side drove the defence.

 

That equilibrium is gone.

 

In April 2026, Anthropic announced Mythos Preview, an AI model that autonomously discovered thousands of previously unknown vulnerabilities across every major operating system and browser, including flaws that had survived decades of human review.

 

The implications were severe enough that Anthropic withheld public release, fearing that the model could dramatically accelerate cyber-attacks if it were widely accessible. CEO Dario Amodei warned of a six- to 12-month window to patch tens of thousands of flaws before rival models caught up.

 

Andrew Rubin, founder and CEO of Illumio, calls it a breaking point for cyber-security’s old assumptions. “AI didn’t just raise the stakes,” he says. “It changed the rules.”

 

In a recent episode of The Segment podcast, Rubin lays out what this means for the industry. He’s spent 13 years building Illumio around the premise that breaches must be contained because they can’t be prevented. That’s always been true, he says, but Mythos finally proves it.

 

“We’re investing more and more money to get worse and worse outcomes, but we literally keep doing the exact same thing over and over again,” he said.

 

AI just made the maths asymmetric

 

Some observers suggest AI can also generate patches at machine speed, neatly cancelling out the threat. But Rubin compares that logic to the Covid-19 vaccine rollout. Developing the vaccine was hard, but it wasn’t the hardest part. Manufacturing and distributing billions of doses was.

 

Patching works the same way: writing the fix is step one. Deploying it across billions of systems – some of which can’t be rebooted, some of which can’t be taken offline – is the real problem.

 

“The size and scale of that problem is unlike anything that we’ve ever confronted,” Rubin says.

 

The SolarWinds lesson: risk you discount to zero isn’t zero

 

The post-Mythos world may be unprecedented, but the pattern of underestimating risk is not. At RSAC 2026 in San Francisco, Illumio hosted a panel called Hard Truths in Cybersecurity that featured, among others, Tim Brown – SolarWinds’ CISO during the infamous 2020 supply-chain compromise – and Sherrod DeGrippo, GM of Global Threat Intelligence at Microsoft.

 

Brown’s account was striking. He had told his board that a breach of Orion, SolarWinds’ flagship product, could be an extinction-level event. He had also told them he wasn’t prepared for a nation-state attack – and that the cost to get there wasn’t justifiable. Both facts were known and accepted.

 

The logic was rational. The outcome proved it catastrophically wrong. Attackers didn’t target SolarWinds for what it was. They targeted it for what it was connected to.

 

And AI is collapsing that risk calculus entirely. Capabilities that once required the resources of a government – discovering zero-day vulnerabilities, building working exploits, running co-ordinated supply-chain campaigns – are now within reach of anyone with access to the right AI model.

 

DeGrippo put it in even starker terms. Riffing on Sam Altman’s prediction that a single person could soon run a billion-dollar startup, she warned of a parallel in the threat world: the “unicorn threat actor”, an apex-level adversary with incredible capability, reach and automation – powered by one human. The disgruntled employee, the lone activist, the single-operator criminal – all of them now potentially armed with nation-state-grade tools.

 

The risk posture that might have made sense for SolarWinds in 2020 is hopelessly outdated in 2026.

 

Risk reduction beats perfection

 

Network segmentation isn’t new – organisations have been chopping up networks with subnets, VLANs and firewalls for decades. But virtualisation and cloud have turned a concentrated hardware problem into a distributed software problem that demanded an entirely new approach.

 

For too long, both vendor and customer chased perfection. Every port closed, every path locked down, every policy airtight before a single control went live. The breakthrough came when the industry reframed the goal. The point wasn’t flawless segmentation. It was risk reduction. Close the risky ports. Separate the critical environments. Shut off services that don’t need to be open.

 

“It may not be perfect segmentation,” Rubin says, “but I have a lot less risk after doing those things than I did before.”

 

The playbook that replaces prevention

 

Rubin doesn’t think the sky is falling. But he insists that the operating model has to change. If more breaches are a mathematical certainty, then recovering from them – smaller and faster – must become the priority. That means resilience through breach containment, and breach containment through segmentation and AI-powered detection and response.

 

The Marks & Spencer breach in 2025 made the cost of getting this wrong painfully concrete. A ransomware attack took the UK retailer offline for weeks, slashing half-year pre-tax profits from £392 million to just £3.4 million.

 

The brick wall was never as solid as the industry assumed. Now AI has handed attackers a wrecking ball. The era of 12-month RFPs and year-long proofs of concept is ending. When a CISO discovers a critical hole and has a day to close it, the old procurement rituals won’t survive contact with reality. The organisations that shift from building higher walls to containing what gets through will be the ones still standing.

 

“The path forwards isn’t pretending breaches won’t happen,” Rubin says. “It’s making sure they can’t become disasters.”



 

By Zita Goldman, Journalist at Business Reporter, for Illumio
