Operationally Ineffective: Putting CVEs in a Chokehold with Privilege Disruption

A vulnerability tracked in Common Vulnerabilities and Exposures (CVE) that cannot reach the privilege plane is operationally ineffective, even at a CVSS score of 10. That principle should be embedded in software engineering practice across both development and maintenance. While published vulnerabilities increase year over year because of improved reporting and better detection, the Mythos Preview represents a breakthrough in vulnerability detection and discovery, surfacing flaws that existing security testing tools missed, and a powerful offensive capability that greatly compresses the timeline from discovery to disclosure, exploitation, and remediation. The timing could not be more telling, as the White House looks to use offensive cyber operations to shape adversary behavior. This changes the math on which CVEs threat actors can afford to weaponize. The roughly 33,000 privilege-path dependent CVEs that the Exploit Prediction Scoring System (EPSS) data shows as dormant are now squarely in the crosshairs.
Since the announcement of this breakthrough in accelerated vulnerability discovery, industry has focused on the prospect of more CVEs, the strain on vulnerability management programs, and the larger blast radius available to threat actors. Vulnerability management and patching remain necessary, but they are not sufficient for the reality Mythos represents: threat actors weaponize vulnerabilities in minutes, and in many cases as part of zero-day campaigns.
The Vulnerability Management Treadmill
Pre-Mythos, many organizations already struggled to keep pace with the year-over-year increase in CVEs, and the prospect of a heavier patching workload has government officials and industry looking for answers. The Cloud Security Alliance notes in its rebuttal that the existing CVE/NVD infrastructure was built for dozens of critical CVEs per month, not hundreds. Mythos does not just strain the CVE/NVD process; it obliterates the assumptions it was built on. Dr. Mehdi Mirakhorli, Computer Scientist and Professor at the University of Hawaii, calls this a never-ending cycle that has become an upgrade-and-patch treadmill. Faster discovery neither produces nor can be met with faster remediation: patch and vulnerability management programs were designed for human-speed remediation and were never designed to hold up against machine-speed exploitation.
The Privilege Path Dependency (PPD)
Approximately 326,000 CVEs are scored in the Exploit Prediction Scoring System (EPSS) dataset, of which approximately 33,000 are privilege-path dependent: they either require existing privileges to exploit, or they grant or accelerate privileged access as an outcome. CISA’s Known Exploited Vulnerabilities (KEV) catalog confirms the pattern: 70% of CVEs confirmed in active attacks are privilege-path dependent, which is a measurement of adversary selection behavior, not a theory about CVE structure. Once exploited, these CVEs produce meaningful progression and impact. Pre-Mythos, the only thing protecting organizations from them was threat actor resource constraints.
This matters because the Mythos Preview makes what was uneconomical for threat actors economical. These CVEs require an architectural response that operates independently of discovery and remediation timelines. The appropriate response for CVEs that require or accelerate privileged access is Privilege Disruption, which is designed to collapse the attack chains and paths that lead to privilege. Privilege Disruption puts the CVEs threat actors target and depend on in a chokehold, making them operationally ineffective.
In my work with federal agencies, I have seen organizations patch 95% of critical CVEs within SLA windows and still experience significant breaches — because the one CVE that mattered was a privilege-path dependent CVE that sat below the priority threshold. The breach was not about volume. It was about which CVE reached the privilege plane.
The CVEs No One Is Talking About
Everyone has been focusing on two major arguments from the revelations of Project Glasswing.
The first argument contends that more vulnerabilities discovered faster will lead to larger, unmanageable backlogs, more rationalized risk acceptance, and misaligned vulnerability management practices at higher velocity.
The second argument contends that AI will not change the fundamental economics of adversary CVE selection, on the grounds that the exploitation rate is already low: roughly 1 to 2 percent of published CVEs have ever been weaponized. Neither argument is wrong, but both miss the CVEs that actually matter, the ones that let threat actors convert initial access into mission capability and meaningful control. This is where the 33,000 come in. That sweet spot poses significant risk precisely because those CVEs can reach the privilege plane across our software ecosystem.
Flipping Dormant and Uneconomical CVEs
Until now, these CVEs have been dormant because of structural barriers such as chaining complexity and reliability engineering cost. In any given year, roughly 74 to 95 percent of published CVEs remain dormant. Threat actors have had close to a decade to weaponize many of these CVEs and probably have not done so because they were uneconomical. With Mythos, weaponization costs could drop to around $2,000 (as cited in the Mythos report), bringing this sweet spot into focus. Threat actors will not need to find and weaponize new CVEs for their campaigns; the 33,000 already published represent an extremely attractive and realistic selection target.
The danger Mythos creates today breaks down into three parts: some of these CVEs are already being weaponized by nation-states unobserved, some are now within reach of mid-tier actors, and some will cross the threshold as Mythos-class tools commercialize and other AI vulnerability detection tools emerge.
Contextualizing the 33,000 CVEs
The 33,000 CVEs deserve more context and analytical precision, because they represent a major attack surface that threat actors can now weaponize in their campaigns. Mythos removes their dormancy and makes them economically feasible to weaponize. Once threat actors target these privilege-path dependent CVEs, they gain the fuel (privilege) to establish meaningful control and exploit the vulnerability prevalence that exists across an environment or sector. This is not speculation; it is based on attacks we have already seen, such as Salt Typhoon’s targeting of telecommunications companies worldwide. Salt Typhoon did not just find a foothold in telecom infrastructure. The threat actors weaponized privilege-path CVEs that gave them the privilege plane to move laterally across carriers, harvest credentials, pre-position, and establish persistent access. This is exactly the operational pattern that privilege-path dependent CVEs enable.
The Salt Typhoon CVE selection illustrates this precisely. CVE-2023-20198 (Cisco IOS XE, CVSS 10.0) granted unauthenticated privilege — full administrative control — as its primary outcome, a textbook Tier 1 PPD CVE. It was immediately chained with CVE-2023-20273 to escalate further to root and write a persistent implant — a compound privilege chain where neither CVE achieves the campaign objective alone. CVE-2024-21887 and CVE-2023-46805 on Ivanti Connect Secure were deliberately paired the same way: authentication bypass enabling command injection in a privileged runtime context. Salt Typhoon did not select these CVEs randomly — they selected CVEs that gave them the privilege plane.
These are the same structural weakness categories that define the sweet spot of 33,000 CVEs. That is not coincidence; it is threat actor selection in action. They weaponize the CVEs that give them strategic advantage and bypass security controls.
This CVE problem should not be ignored because the numbers reveal a tremendous exposure. Two independent analytical methods converge on the same answer from different directions. CWE Tier 1 structural analysis — examining weaknesses where privilege-path dependency is definitional — identifies approximately 38,000 CVEs in the NVD corpus that explicitly meet this classification. EPSS exploitation probability analysis of the April 2026 dataset identifies approximately 4,986 CVEs in the pre-Mythos active attack surface that are privilege-path dependent. The gap between those two numbers — roughly 33,000 CVEs — represents vulnerabilities that are structurally built to reach the privilege plane, but that adversary economics has kept dormant. Mythos closes that gap.
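The two-view split described above (a structural test on the weakness class versus an EPSS view of what is actually being exploited) can be reproduced on a small scale. The following Python is an added illustration, not the author's analysis pipeline or dataset. The TIER1_CWES list stands in for the article's unpublished Tier 1 CWE set, EPSS_ACTIVE is an arbitrary cut-off, the tier names are my labels, and the sample records are constructed: the four CVE IDs come from the article, but their vectors, CWEs and EPSS values here are illustrative and should be checked against NVD and FIRST EPSS before reuse.

```python
"""Privilege-path dependency (PPD) triage over a small, constructed CVE set.

Added illustration, not the article author's analysis pipeline or dataset.
ASSUMPTIONS: TIER1_CWES stands in for the article's unpublished "Tier 1" CWE
set; EPSS_ACTIVE is an arbitrary cut-off for "active attack surface"; the
sample records are constructed (check vectors, CWEs and EPSS scores against
NVD and FIRST EPSS before relying on them).
"""
from dataclasses import dataclass

# ASSUMPTION: weakness classes where gaining, bypassing or requiring privilege
# is part of the definition, so exploitation lands on the privilege plane.
TIER1_CWES = {
    "CWE-77",   # Command Injection
    "CWE-78",   # OS Command Injection
    "CWE-269",  # Improper Privilege Management
    "CWE-287",  # Improper Authentication
    "CWE-288",  # Authentication Bypass Using an Alternate Path or Channel
    "CWE-306",  # Missing Authentication for Critical Function
    "CWE-420",  # Unprotected Alternate Channel
}
EPSS_ACTIVE = 0.10  # ASSUMPTION: EPSS probability that counts as "in active use"


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss_vector: str  # CVSS v3.x vector string
    cwe: str
    epss: float


def parse_cvss(vector: str) -> dict:
    """Split a 'CVSS:3.x/AV:N/AC:L/...' vector into a {metric: value} dict."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    return dict(m.split(":", 1) for m in metrics)


def requires_privilege(cve: Cve) -> bool:
    """PR:L or PR:H means the attacker must already hold a privilege to exploit."""
    return parse_cvss(cve.cvss_vector).get("PR") in ("L", "H")


def grants_privilege(cve: Cve) -> bool:
    """Structural test on the weakness class rather than on the CVSS score."""
    return cve.cwe in TIER1_CWES


def ppd_tier(cve: Cve):
    """'tier1' if the weakness class grants privilege, 'tier2' if exploitation
    merely requires it, None if the CVE never touches the privilege plane."""
    if grants_privilege(cve):
        return "tier1"
    if requires_privilege(cve):
        return "tier2"
    return None


def triage(cves):
    """Reproduce the article's two-view split: structural PPD set versus the
    EPSS 'active' set; the difference is the dormant privilege-path surface."""
    structural = {c.cve_id for c in cves if ppd_tier(c) is not None}
    active = {c.cve_id for c in cves if c.epss >= EPSS_ACTIVE}
    return {
        "structural_ppd": structural,
        "active_ppd": structural & active,
        "dormant_ppd": structural - active,
    }


# Constructed sample input. The four real IDs come from the article; their
# vectors and scores here are illustrative, and the CVE-1900-* IDs are placeholders.
SAMPLE = [
    Cve("CVE-2023-20198", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE-420", 0.94),
    Cve("CVE-2023-20273", "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "CWE-78", 0.40),
    Cve("CVE-2023-46805", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "CWE-287", 0.95),
    Cve("CVE-2024-21887", "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "CWE-77", 0.95),
    Cve("CVE-1900-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE-400", 0.01),  # DoS only
    Cve("CVE-1900-0002", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "CWE-79", 0.02),   # needs a login
]

if __name__ == "__main__":
    for cve in SAMPLE:
        print(f"{cve.cve_id}: tier={ppd_tier(cve)} epss={cve.epss:.2f}")
    for bucket, ids in triage(SAMPLE).items():
        print(f"{bucket}: {sorted(ids)}")
```

On the constructed sample, the four article CVEs land in the structural set and the active set, the DoS placeholder never touches the privilege plane, and the low-EPSS placeholder that needs a login is the one entry in dormant_ppd: structurally on a privilege path, not yet selected by adversaries. Note that the CVSS PR metric only captures the "requires privilege" half of the definition; the "grants privilege" half has to come from the weakness class, which is why the structural view needs a CWE list at all.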
CISA KEV Correlation
Threat actor selection matters: they need privileged access to fuel their operations and campaigns. Salt Typhoon confirms this, and CISA KEV makes it concrete: 70% of confirmed weaponized CVEs involve the privilege plane. That is a measurement of threat actor behavior, not a theory about CVE structure. It also shows that threat actors think in capability gaps, not CVEs. Some CVEs are simply not economical to weaponize, because the actor only needs one path to privilege. The same logic extends to software supply chain targeting, where threat actors increasingly look for the CWEs that land on the privilege plane in widely deployed vendor or open-source code.
Privilege Disruption: The Architectural Response
This is precisely the posture the White House cyber strategy encourages: defend the sweet spot and impose cost, risk, and uncertainty on threat actors’ operations and campaigns. Privilege Disruption is that mechanism. When the privilege plane is architecturally constrained, the path threat actors depend on collapses, regardless of how many CVEs Mythos or any other AI vulnerability detection tool generates. Federal agencies cannot patch their way to an adequate defense against Mythos-speed exploitation. The 33,000 privilege-path dependent CVEs that Salt Typhoon and campaigns like it depend on require an architectural response. Privilege Disruption is that response, and it operates before the exploit is written.
Architecturally, Privilege Disruption operates at three chokepoints across the MITRE ATT&CK lifecycle. At Persistence, credential vaulting and rotation ensure that foothold access cannot be converted into standing privilege. At Privilege Escalation, the decisive chokepoint, endpoint least-privilege enforcement removes the execution context that lets CVE exploitation produce privileged outcomes. At Lateral Movement, privileged session governance collapses the pathways that convert a single compromised asset into campaign-scale access. This is distinct from traditional PAM, which governs privileged accounts reactively. Privilege Disruption, as part of a privilege-centric identity security strategy, governs the privilege plane architecturally, making it structurally unavailable to threat actors regardless of which CVE they weaponize.
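The three-chokepoint argument can be checked as a reachability question: model the Salt Typhoon chains from the earlier section as a graph whose edges are attack steps, tag each edge with the chokepoint a control would cut, and ask whether campaign-scale access is still reachable. The following Python is an added illustration, not any vendor's policy engine or the author's tooling. The graph is a constructed model: the state names, the non-CVE steps ("harvest credentials", "reuse privileged session", "pre-position and persist"), and the mapping from each control to a chokepoint are all assumptions made for the example.

```python
"""Attack-path reachability with Privilege Disruption chokepoints.

Added illustration, not vendor code and not the article author's tooling.
The graph is a constructed model of the chains the article describes; state
names, the non-CVE steps and the control-to-chokepoint mapping are assumptions.
"""
from collections import deque

# ASSUMPTION: the article's three chokepoints as data. A control removes every
# edge tagged with its chokepoint, whatever CVE sits on that edge.
CONTROLS = {
    "credential_vaulting": "persistence",
    "least_privilege": "privilege_escalation",
    "session_governance": "lateral_movement",
}

# Constructed attack graph: (from_state, to_state, step, chokepoint or None).
# Initial-access steps are untagged: Privilege Disruption does not stop the
# foothold itself, which is why patching stays necessary.
EDGES = [
    ("unauthenticated", "iosxe_admin", "CVE-2023-20198", None),
    ("iosxe_admin", "root_shell", "CVE-2023-20273", "privilege_escalation"),
    ("unauthenticated", "ivanti_bypass", "CVE-2023-46805", None),
    ("ivanti_bypass", "root_shell", "CVE-2024-21887", "privilege_escalation"),
    ("root_shell", "standing_credentials", "harvest credentials", "persistence"),
    ("standing_credentials", "adjacent_systems", "reuse privileged session", "lateral_movement"),
    ("adjacent_systems", "campaign_scale_access", "pre-position and persist", None),
]
START, GOAL = "unauthenticated", "campaign_scale_access"


def active_edges(controls=(), patched=()):
    """Edges that survive the deployed controls (by chokepoint) and patches (by step/CVE id)."""
    cut = {CONTROLS[c] for c in controls}  # KeyError on an unknown control name is deliberate
    gone = set(patched)
    return [e for e in EDGES if e[3] not in cut and e[2] not in gone]


def _bfs(controls, patched):
    """Breadth-first search from START; returns {state: (previous_state, step)}."""
    edges = active_edges(controls, patched)
    parent = {START: None}
    queue = deque([START])
    while queue:
        node = queue.popleft()
        for src, dst, step, _ in edges:
            if src == node and dst not in parent:
                parent[dst] = (node, step)
                queue.append(dst)
    return parent


def reachable_states(controls=(), patched=()):
    """All privilege states an attacker can reach from the unauthenticated start."""
    return set(_bfs(controls, patched))


def find_path(controls=(), patched=()):
    """Ordered steps from START to GOAL, or None when the privilege plane is cut."""
    parent = _bfs(controls, patched)
    if GOAL not in parent:
        return None
    steps, node = [], GOAL
    while parent[node] is not None:
        prev, step = parent[node]
        steps.append(step)
        node = prev
    return steps[::-1]


if __name__ == "__main__":
    scenarios = {
        "no controls, nothing patched": ((), ()),
        "patch CVE-2023-20198 only": ((), ("CVE-2023-20198",)),
        "least_privilege only": (("least_privilege",), ()),
        "credential_vaulting only": (("credential_vaulting",), ()),
    }
    for name, (controls, patched) in scenarios.items():
        print(f"{name}: path={find_path(controls, patched)}")
        print(f"  reachable={sorted(reachable_states(controls, patched))}")
```

Two results are worth reading off the model. Patching CVE-2023-20198 alone leaves the campaign objective reachable through the Ivanti pair, whereas any one of the three controls cuts every path to it regardless of which CVE is on the edge; that is the sense in which the control is CVE-independent. The limit is equally visible: the foothold state (iosxe_admin) stays reachable under every control set, because only a patch removes the initial-access edge. A real environment needs its own edges (credential reuse paths, trust relationships, shared accounts) before this kind of check says anything about it.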