AI Is Removing Your Organization’s Head Start on Cybersecurity

Anthropic recently announced their Claude Mythos Preview model was capable of autonomously finding thousands of critical vulnerabilities across every major operating system and browser. The company chose not to release the model publicly because the risks were too great.

Anthropic’s decision to not release Claude Mythos Preview is one data point in a much larger shift and points to how quickly the landscape is moving.

“The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.”

That’s not a warning from a researcher or a think tank. It’s from Elia Zaitsev, the CTO of CrowdStrike, responding to a new cross-industry cybersecurity initiative that brought together some of the largest technology companies in the world around a single, urgent premise: AI has fundamentally changed the cost, effort, and expertise required to find and exploit software vulnerabilities, and organizations that treat that as a future problem are already behind.

We asked Centric Consulting experts what this moment demands from organizations right now. Their answers touch security architecture, risk and compliance, operations, and organizational readiness, and they urge leaders to prepare now.

The Real Weapon Is Volume

“Security exploits are concerning, but they’re not new. Criminal elements aren’t new. Humans being the weakest link isn’t new. So, the solutions aren’t new either: security as a cultural imperative, layered defenses, zero trust, monitoring, containment, and mitigation. All of it should be augmented with AI so organizations can respond at machine speed.

“The bigger issue is signal integrity. How good are your alerting mechanisms at filtering noise while retaining meaningful signals? AI dramatically lowers the cost of generating noise while simultaneously raising the stakes for filtering it out. The threat model isn’t just ‘AI finds vulnerabilities faster.’ It’s that AI makes volume cheap, and volume is the weapon.”

— Joseph Ours, AI Solutions Director

Your Vulnerabilities Already Exist

“Your vulnerabilities exist right now. AI didn’t create them — it just removes the time advantage defenders once had. While responsible actors debate what’s safe to release, others aren’t waiting for permission. IT can’t respond by slowing delivery. It has to make security continuous, with AI-powered scanning built into every pipeline. The teams that win will be the fastest at finding what was already broken.”

— Shawn Wallace, Principal Architect

Test Your Own Code Like an Adversary Would

“When agents produce code, they make the same assumptions human developers do: that their output fits the bill. Adversarial testing breaks that assumption. Centric’s Agent framework uses stand-alone adversarial agents to test the work of other agents, avoiding those exact blind spots. It’s the equivalent of penetration testing your own code, built into the process rather than bolted on afterward.”

— Jeremy Gruenwald, National Data and Analytics Practice Co-Lead

Retire the ‘Too Difficult to Exploit’ Assumption

“The threshold for what counts as ‘too difficult to exploit’ needs to be seriously reevaluated at best and abandoned entirely at worst. If exploitation is possible, current models will find a way. Even today’s generation of AI is remarkably capable at complex exploit chaining. Organizations still calibrating risk on the old scale are working with a broken instrument.”

— Donavan Stanley, Senior Architect, AI Agents and LLMs

Get Ahead of It Before the Models Scale

“Companies need to act now. AI-driven discovery operates at machine speed, not human speed, which demands shorter patch cycles, complete software inventories, stronger dependency controls, and faster incident response. The goal is to make your systems harder to break, quicker to detect a breach, and faster to fix than the time it takes any AI to find the weaknesses.”

— Leigh Helsel, Partner and Retail Lead

Don’t Abandon What Works

“The same core cybersecurity controls remain the best defense against evolving AI-related threats. Maintain clear visibility into your assets and know where sensitive data resides. Back that with a disciplined vulnerability management program that prioritizes risk rather than producing an unfiltered list of findings, and patch management processes that meet defined SLAs. And plan for failure: A well-documented, tested incident response plan ensures you’re prepared for the worst even while relying on what still works.”

— Brandyn Fisher, V-CISO Capability Lead and Senior Pen Testing Technical Lead

Break Down the Silos Before You Need To

“One foundational capability organizations cannot afford to lose is centralized issues management. Security teams still need to get out of their silos and into a room together to regularly share identified issues. A vulnerability the red team found may also be a compliance exposure the HIPAA team doesn’t know about. A risk flagged in one geography may have implications for operations on the other side of the world. When that kind of cross-functional visibility is missing, the response window shrinks even further. The technology will keep evolving, but the organizations that respond fastest will be the ones that already know how to talk to each other.”

— Shane O’Donnell, Vice President, Cybersecurity

Invest in People Before the Tools Arrive

“The landscape is shifting fast, and internal capacity won’t build itself. The most practical path is also the most durable one: Invest in your people. Upskill or hire. If you don’t have someone on staff today who truly specializes in AI, not someone who picked it up as a side responsibility, you’re already behind. Taking it on as part of an existing role isn’t a strategy. It’s a stopgap. The tools will evolve and eventually become more accessible. The teams that know how to use them responsibly won’t.”

— Traci Whetzel, National Salesforce Practice Lead

Risk Still Needs a Business Translation

“As cybersecurity roles become more specialized, one foundational skill organizations cannot afford to lose is the ability to evaluate and communicate risk from a business perspective. When security conversations drift into technical territory that doesn’t resonate with leadership, critical risks get misunderstood, deprioritized, or underfunded. The ability to step back and ask, ‘What does this mean for the business?’ and translate technical exposure into financial loss, operational disruption, or regulatory consequence is what keeps security grounded in reality and connected to the decisions that matter.”

— Bethany Deeds, Data Protection and Audit Manager

An Arms Race With a Known Outcome

“This isn’t radically new, but it intensifies a problem that software creators already have. They will be forced to adopt AI scanning as a standard part of their development pipelines to uncover vulnerabilities before release. The pressure to stay current with software patches grows. Legacy systems that can’t be patched become greater liabilities. Security continues to be an arms race, one that will demand ever-greater allocation of IT resources.”

— Martin Higgins, Insurance Practice Lead

Centric Consulting is an international management consulting firm with unmatched in-house expertise in business transformation, hybrid workplace strategy, technology implementation and adoption. Founded in 1999 with a remote workforce, Centric has established a reputation for solving its clients’ toughest problems, delivering tailored solutions, and bringing deeply experienced consultants centered on what’s best for your business.