Patch Faster Is Not a Strategy
The exploit clock crossed the patch clock. In the AI exploitation era, enterprises need mitigation-rich platforms or default-deny exposure.
In 1949, a crew of smokejumpers parachuted into Mann Gulch to fight what looked like a manageable wildfire. The fire then “blew up” into a fast-moving wall of flame, and the foreman ordered the crew to drop their tools and run. Many kept carrying the very gear that defined their trade as firefighters, and they did not survive the fire.
Patching is the tool we refuse to drop while we face a fast-moving wall of vulnerabilities and exploits from Mythos-grade advanced cyber capability proliferation.
Bottom line up front:
After proliferation day, enterprises are going to default-deny internet exposure for mitigation-poor edge appliances unless vendors can demonstrate a modern mitigation stack and rapid patch performance. Many of those appliances are the security appliances themselves.
Vendors in Glasswing and Project Daybreak: do not just patch the vulnerabilities the models find. Those are the newly known unknowns. Use the models to generate exploits, to tease out how exploits against your products are actually constructed, and to devise generic mitigations that make your still-unknown vulnerabilities far less likely to be exploited. The models can do the heavy lifting on mitigations too.
Anthropic’s Project Glasswing and OpenAI’s Project Daybreak are still running with their heavy chainsaws. We have an industry focused on finding and fixing vulnerabilities before hackers can exploit them. Industry has been trying to do exactly that for how many decades now? And the plan is to run faster.
I conducted a study to tease out from the data whether generic exploit mitigations work, and whether focusing resources on mitigations can cut a fire break that buys time for how fast we know the patching approach can run.
Not only did the study show where mitigations are effective, it showed that the exploit clock already crossed the patch clock, so we have been dependent on exploit mitigations for a few years now.
By roughly 2022, the median weaponized CVE was showing up in CISA KEV (Known Exploited Vulnerabilities) faster than half the exposed install base got patched. By 2023-2024, the typical mass-exploited CVE was in KEV in about a week while half the exposed population was still unpatched 50-60 days later.
During that window, the patch does not protect you. The mitigation stack does.
The precise crossover year is less important than the shape of the curves. Attackers have been getting to weaponized exploitation faster even before the offensive cyber AI models proliferate. Defenders are not getting patches deployed faster. Once those lines cross, “patch faster” stops being a complete macro answer.
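The scissors can be computed from per-CVE data. The block below is an added example, not the study’s code or data: it takes a constructed cohort of disclosed CVEs, each with its KEV listing date and a patch-adoption curve for the exposed population, and reports the median exploit clock, the median patch clock, and the window between them. The cohort values are invented to resemble the 2023-2024 shape described above; they are not measurements.

```python
"""Exploit clock vs. patch clock on a constructed CVE cohort.
Added example: the cohort below is invented, not data from the study or from CISA KEV."""
from datetime import date
from math import inf
from statistics import median

# Constructed sample: one record per disclosed CVE. 'patch_curve' lists
# (days_after_disclosure, fraction_of_exposed_population_patched) observations,
# the kind of series repeated internet-wide scans of the exposed install base produce.
COHORT = [
    {"label": "sample-1", "published": date(2024, 1, 10), "kev_added": date(2024, 1, 12),
     "patch_curve": [(7, 0.15), (30, 0.38), (60, 0.52), (90, 0.70)]},
    {"label": "sample-2", "published": date(2024, 2, 1), "kev_added": date(2024, 2, 8),
     "patch_curve": [(7, 0.10), (30, 0.30), (60, 0.45), (90, 0.60)]},
    {"label": "sample-3", "published": date(2024, 3, 5), "kev_added": date(2024, 3, 19),
     "patch_curve": [(7, 0.20), (30, 0.50), (60, 0.65)]},
]


def days_to_kev(published, kev_added):
    """Exploit clock for one CVE: days from public disclosure to its KEV listing."""
    return (kev_added - published).days


def days_to_half_patched(curve):
    """Patch clock for one CVE: the day the patched fraction first reaches 50%,
    linearly interpolated between the two surrounding observations.
    Returns inf if the curve never reaches 50% inside the observation window (censored)."""
    prev_day, prev_frac = 0, 0.0  # nobody is patched on disclosure day
    for day, frac in sorted(curve):
        if frac >= 0.5:
            return prev_day + (0.5 - prev_frac) * (day - prev_day) / (frac - prev_frac)
        prev_day, prev_frac = day, frac
    return inf


def clock_gap(cohort):
    """Return (median_exploit_days, median_patch_days, exposure_window_days).
    A positive window means the median exposed host is still unpatched after the
    median CVE is already known to be exploited; that window is what mitigations cover."""
    exploit = median(days_to_kev(c["published"], c["kev_added"]) for c in cohort)
    patch = median(days_to_half_patched(c["patch_curve"]) for c in cohort)
    return exploit, patch, patch - exploit


if __name__ == "__main__":
    e, p, gap = clock_gap(COHORT)
    print(f"median days to KEV: {e:.0f}, median days to 50% patched: {p:.1f}, window: {gap:.1f}")
```

On this constructed cohort the median CVE is in KEV after 7 days while the median exposed population takes about 56 days to reach 50 percent patched, a window of roughly 49 days. Real cohorts need the same two inputs per CVE: a disclosure-to-KEV date pair and a scan-derived adoption curve.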
The strategic hypothesis survived the data, but in a narrower and more useful form:
Patching is a per-vulnerability response loop. Mitigations are a portfolio-level constraint on exploitability. When vulnerability discovery and exploitation accelerate, and patch deployment cannot keep up, then the portfolio-level constraint becomes the strategic lever.
What I Tested
The research project pulled together:
77 exploit mitigations across Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Edge/IE, Safari, Office, Adobe Reader, Adobe Flash, and Java.
100,000+ normalized rows from CISA KEV, NVD, MSRC, Project Zero’s in-the-wild 0day spreadsheet, Mozilla MFSA, Chrome Releases, Android Security Bulletins, partial Apple advisories, Exploit-DB, Microsoft SIR archives, StatCounter, DBIR, Mandiant M-Trends, public exploit-price lists, and vendor memory-safety writeups.
Eight natural-experiment analyses, plus follow-on work on time-to-exploit, patch lag, exploitability prediction, edge-appliance mitigation maturity, gray-market exploit prices, Rust adoption, and MTE deployment.
The limited-release formal report is the careful version. This is the strategy-level writeup.
The data says five things.
First, patching is losing the clock.
Second, mature platforms keep bug discovery from turning into exploitation at anything close to one-for-one rates.
Third, mitigations are not magic shields. They are cost filters. They move exploitation from the cheap tier to the expensive tier.
Fourth, the current exploitation wave is concentrated where that cost filter is weak: edge appliances.
Fifth, AI vulnerability discovery and exploitation makes the weak-filter category an emergency.
CVEs Are Not Exploits
Microsoft’s own per-CVE exploitation documentation is the cleanest long-run public signal on exploit mitigation I found for a mature platform.
From 2016-2026, only a small fraction of patched Microsoft CVEs are marked exploited in the wild. Typically this sits around 1-3 percent per year, with a 0.6 percent low in 2020 and a 3.0 percent ProxyLogon-era high in 2021.
That does not prove mitigations caused the low conversion rate. Public macro data cannot cleanly prove that. But it does show the strategic object we care about.
The defender is not patching because every CVE becomes an exploit. The defender is patching because a tiny fraction does, and the defender does not know which fraction early enough.
Mitigations push down that fraction.
You can see the same thing from the other side. Memory-corruption bugs have not disappeared. They are not even trending away. After LLM-assisted reclassification of NVD CVEs that lacked useful CWE tags, memory-corruption share rises from 26 percent in 2010 to 56 percent in 2024.
That is the point people miss when they argue from CVE counts.
Mitigations do not stop researchers from finding memory corruption bugs. They stop attackers from turning a discovered bug into reliable exploitation at scale. CVE counts measure the bug layer. Exploit mitigations operate on the conversion layer.
If AI makes the bug layer 10x larger, the first question is whether the conversion layer holds against AI-native exploit generation.
If it holds, defenders get a bigger patch queue but not necessarily a proportional breach wave.
If it breaks, the patch queue becomes an exploit feed.
Mitigations Are Cost Filters
The old Microsoft Security Intelligence Report has a useful chart, but it is easy to overread.
In 2011, Microsoft tested 184 real-world exploits against three configurations:
Windows XP SP3 without EMET: 181 of 184 exploits succeeded.
Windows XP SP3 with EMET 2.1: 21 of 184 succeeded.
Windows 7 RTM default configuration: 10 of 184 succeeded.
The lazy read is “mitigations made the bugs unexploitable.”
The better read is “off-the-shelf weaponized exploits collapsed when refired at mitigated targets.”
Those exploits were mostly written for the environment they needed to hit: pre-mitigation Windows XP. They did not bring DEP-bypass ROP chains, ASLR-defeating info leaks, or SEHOP-aware payloads because they did not need them. Turn on EMET or move to Windows 7, and the old payloads fall over.
A motivated attacker would still weaponize an exploit chain for many of those CVEs. DEP can be bypassed with ROP. ASLR can be bypassed with an info leak. CFG has gaps. Sandboxes have escapes. The bug is not gone. The exploit got more expensive, less reliable, or impractical at operational scale.
That cost shift and reduction in exploitability is the real point.
The SIR archive shows the same pattern in root-cause telemetry. Stack-corruption exploits fell from 54 percent of exploited Microsoft RCE CVEs in 2007 to 5 percent in 2013 as /GS, SafeSEH, and SEHOP took hold. Use-after-free rose from about 5 percent to about 50 percent over the same period.
The total exploit count did not simply vanish. The cheap class got more expensive, and offense substituted into the next class.
That is what successful mitigations look like in macro data. Not a clean cliff. A migration.
The gray market prices that migration in dollars.
Exploit-price data is messy. Zerodium and Crowdfense are not the same buyer. These are list prices, not closed transaction prices. Some categories drift over time. A 2017 Chrome “RCE+LPE” is not exactly the same product as a 2026 Chrome full chain with a V8 sandbox layer.
Still, the direction is hard to ignore. iOS zero-click full-chain prices went from $1.5M in 2017 to $5-7M in 2026. Chrome desktop full chain went from $150K to $1.5M, about 10x. Office Word/Excel RCE went from $50K to $500K.
Exploit buyers are not paying more because they got nicer. They are paying more because modern iOS, Chrome, and Windows require more bugs, more bypasses, more sandbox escapes, more code-integrity work, more uncertainty, and more burn risk.
Mitigation is not making exploitation impossible. It is changing who can afford it.
Removal Beats Mitigation
The cleanest natural experiments were not hardening features. They were attack-surface removal.
Flash died. Exploitation died with it. Adobe’s formal EOL was December 31, 2020, but browser blocking and click-to-play had already done most of the work. All 36 Flash CVEs in CISA KEV have CVE IDs from 2009-2018.
Office macros are the other clean case. Microsoft blocked internet-marked macros by default in July 2022. Office-related KEV additions fell from a pre-period rate of 42.7 per year to a post-period rate of 2.9 per year. The pre-period is contaminated by CISA’s early KEV backfill, so do not overinterpret the exact 93 percent drop. The post-period rate is the point.
For a product family that was one of the great enterprise exploitation surfaces of the last decade, roughly three Office KEV additions per year after the macro block is a strategy result.
The best exploit mitigation is still not needing to mitigate the surface at all. My takeaway for the offensive AI proliferation wave is that we will rip out products from any vendor that is not proactively expanding its exploit mitigation coverage and rapidly patching its vulnerabilities.
The Wave Is Where The Mitigations Are Weak
The public story gets confusing because exploitation is rising again.
DBIR’s exploitation-of-vulnerabilities initial-access share was roughly 5 percent in the 2020-2023 reports. It rose to 14 percent in 2024, 20 percent in 2025, and 31 percent in 2026.
If you stop there, it sounds like mitigations failed.
They did not. The wave is not primarily hitting the places where the mitigation stack is strongest. It is hitting edge appliances: Ivanti, Citrix, Fortinet, Cisco ASA, MOVEit, F5, SonicWall, CrushFTP, SharePoint on-prem, SAP NetWeaver, Oracle E-Business Suite, Palo Alto GlobalProtect.
So I built a mitigation-maturity rubric for those products and compared them with Chrome, Windows, and iOS. It is author-curated, not a formal audit, but the categories are concrete: DEP/NX, default ASLR, stack cookies, CFI, management-plane sandboxing, data-plane sandboxing, kernel hardening, memory-safe rewrite progress, and code signing.
The result is the category gap in one chart.
The baseline high-security platforms average 9.3 out of 10. The edge appliances average 3.1 out of 10.
The heatmap is worse than the score. None of the mass-exploited edge appliances ships default-on CFI (Control Flow Integrity). None ships a Chrome-class syscall-filtering sandbox around its management-plane web UI. SharePoint and MOVEit have IIS app-pool isolation, which is a useful process boundary, but not the thing Chrome or iOS would call a sandbox. Most of the category still looks like privileged C or C-like control-plane code on old kernels with enormous exposed management surfaces.
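Several of the rubric rows can be answered by the binary itself. The checker below is an added example, not the study’s scoring tool: it reads the program headers of a Linux ELF64 binary (the kind found in appliance firmware images) and reports NX, PIE for ASLR, RELRO, CET indirect-branch tracking and shadow stack, plus a string-presence heuristic for stack cookies. It builds two constructed header-only ELF images, one weak and one hardened, so it runs offline; point it at a real binary with a path argument.

```python
"""Read exploit-mitigation flags from an ELF64 binary's program headers.
Added example, not the study's rubric tool. Covers the rubric rows a binary can answer
for itself: NX (PT_GNU_STACK), ASLR-compatible PIE (ET_DYN), RELRO, stack cookies
(heuristic: presence of __stack_chk_fail), and CET IBT/shadow stack (PT_GNU_PROPERTY)."""
import struct
import sys

# ELF64 and GNU ABI constants.
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_GNU_PROPERTY = 0x6474E553
PF_X = 0x1
DT_FLAGS = 30
DF_BIND_NOW = 0x8
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
X86_FEATURE_1_IBT = 0x1
X86_FEATURE_1_SHSTK = 0x2


def _program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_filesz) for each Elf64_Phdr."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_flags, p_offset, p_filesz


def _x86_feature_bits(data, off, size):
    """Walk a PT_GNU_PROPERTY note and return GNU_PROPERTY_X86_FEATURE_1_AND (0 if absent)."""
    end = off + size
    while off + 12 <= end:
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        name_off = off + 12
        desc_off = name_off + ((namesz + 3) & ~3)
        if ntype == NT_GNU_PROPERTY_TYPE_0 and data[name_off:name_off + namesz] == b"GNU\0":
            p = desc_off
            while p + 8 <= desc_off + descsz:
                pr_type, pr_datasz = struct.unpack_from("<II", data, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    return struct.unpack_from("<I", data, p + 8)[0]
                p += 8 + ((pr_datasz + 7) & ~7)  # properties are 8-byte aligned in ELF64
        off = desc_off + ((descsz + 3) & ~3)
    return 0


def check_mitigations(data):
    """Return a checksec-style dict for one ELF64 image.
    nx defaults to False: on x86 Linux a binary without PT_GNU_STACK gets an executable stack."""
    (e_type,) = struct.unpack_from("<H", data, 16)
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": "none",
              "cet_ibt": False, "cet_shstk": False,
              "canary": b"__stack_chk_fail\0" in data}  # heuristic, not a symbol-table parse
    bind_now = False
    for p_type, p_flags, p_off, p_size in _program_headers(data):
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"
        elif p_type == PT_GNU_PROPERTY:
            bits = _x86_feature_bits(data, p_off, p_size)
            result["cet_ibt"] = bool(bits & X86_FEATURE_1_IBT)
            result["cet_shstk"] = bool(bits & X86_FEATURE_1_SHSTK)
        elif p_type == PT_DYNAMIC:
            for d in range(p_off, p_off + p_size, 16):  # Elf64_Dyn is 16 bytes
                d_tag, d_val = struct.unpack_from("<qQ", data, d)
                bind_now |= d_tag == DT_FLAGS and bool(d_val & DF_BIND_NOW)
    if result["relro"] == "partial" and bind_now:
        result["relro"] = "full"  # RELRO segment plus BIND_NOW: GOT is read-only after load
    return result


def build_sample_elf(pie, nx, relro, bind_now, cet_bits, canary):
    """Constructed input: a header-only ELF64 image carrying only the segments the checker
    reads. Not a runnable program; it exists so a weak and a hardened configuration can be
    compared offline."""
    segs = [(PT_GNU_STACK, 0x6 if nx else 0x7, b"")]  # RW vs RWX stack request
    if relro:
        segs.append((PT_GNU_RELRO, 0x4, b""))
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", 0, 0)
    segs.append((PT_DYNAMIC, 0x6, dyn))
    if cet_bits is not None:
        desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, cet_bits) + b"\0" * 4
        segs.append((PT_GNU_PROPERTY, 0x4,
                     struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc))
    phoff, phentsize = 64, 56
    data_off = phoff + phentsize * len(segs)
    phdrs, payload = b"", b""
    for p_type, p_flags, body in segs:
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, data_off + len(payload),
                             0, 0, len(body), len(body), 8)
        payload += body
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, phoff,
                               0, 0, 64, phentsize, len(segs), 64, 0, 0)
    tail = b"__stack_chk_fail\0" if canary else b"no_cookie_symbol\0"
    return ehdr + phdrs + payload + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:  # a real binary from the command line
        print(check_mitigations(open(sys.argv[1], "rb").read()))
    else:
        strong = build_sample_elf(True, True, True, True, X86_FEATURE_1_IBT | X86_FEATURE_1_SHSTK, True)
        print("hardened:", check_mitigations(strong))
        print("weak:    ", check_mitigations(build_sample_elf(False, False, False, False, None, False)))
```

The rubric rows this cannot answer from a single binary (management-plane sandboxing, kernel hardening, memory-safe rewrite progress, code signing) need the running system or the vendor. The checker is also x86-specific for CET; PAC and BTI on arm64 live in a different property note and are not parsed here.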
The gray-market exploit snapshot independently says the same thing. In Crowdfense’s 2026 list, Fortinet/Citrix/SonicWall-class RCEs sit around $100K. iOS zero-click full chain is $5-7M.
The exploit market is pricing the mitigation-poor edge exploit at about 1-2 percent of the mitigation-rich mobile exploit.
That is the gradient offense is following.
DBIR Was Late To The Story
One reason this was underweighted is that DBIR undercounted exploitation for years.
Mandiant M-Trends has reported exploits as the top initial infection vector for six consecutive years. Its exploit share stayed in the 29-38 percent band. DBIR reported roughly 5 percent through 2023, then moved toward Mandiant as its methodology and deeper-forensics views improved: 14 percent in 2024, 20 percent in 2025, 31 percent in 2026.
The arithmetic Mandiant-minus-DBIR gap averaged 24 percentage points from 2021-2025. The direction is important: DBIR’s broader notification-heavy dataset was late to what IR-heavy datasets were already seeing.
The operational reason is credential misattribution. A real intrusion can begin with an exploit that steals or mints credentials, or with a post-auth exploit that requires credentials. If the incident record captures the login, the breach gets coded as credential abuse; that is doubly true if the exploit cleans up after itself so there is no crash in the logs.
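The coding problem can be made concrete. The block below is an added example on constructed log events, not the coding rules of DBIR, Mandiant, or any other report: it codes a breach as exploitation only when the same source produced an exploit signal shortly before its first successful login, and otherwise falls back to credential abuse. The pre-auth endpoint prefix is an assumed, product-specific value. The second sample shows the failure mode the paragraph describes: an exploit that leaves no error or crash behind is coded as credential abuse.

```python
"""Initial-access attribution with an exploit-signal check before coding credential abuse.
Added example on constructed events; not the coding rules of any real report."""
from datetime import datetime, timedelta

# Constructed sample events: (iso timestamp, source ip, kind, detail).
# kind "http": detail = (status, path); kind "auth": detail = account that logged in.
EXPLOIT_THEN_LOGIN = [
    ("2024-03-01T10:00:02", "203.0.113.7", "http", (500, "/api/unauth/export")),
    ("2024-03-01T10:00:03", "203.0.113.7", "http", (200, "/api/unauth/export")),
    ("2024-03-01T10:00:20", "203.0.113.7", "auth", "svc_backup"),
]
QUIET_EXPLOIT = [  # exploit that cleaned up after itself: no 5xx, nothing on a pre-auth path
    ("2024-03-01T11:00:00", "203.0.113.9", "http", (200, "/")),
    ("2024-03-01T11:00:05", "203.0.113.9", "auth", "svc_backup"),
]
PLAIN_CREDENTIAL_ABUSE = [
    ("2024-03-01T12:00:00", "198.51.100.4", "auth", "jdoe"),
]

# Assumed, product-specific: request paths reachable before authentication.
PRE_AUTH_PREFIXES = ("/api/unauth/",)


def attribute_initial_access(events, window=timedelta(minutes=10), pre_auth=PRE_AUTH_PREFIXES):
    """Return {source_ip: "exploit" | "credential_abuse"} for each source's first successful login.
    A login is coded "exploit" only if the same source, within `window` before it, produced a
    5xx (crash-shaped) response or hit a pre-auth endpoint. Everything else is coded
    "credential_abuse", which is exactly how a clean exploit gets undercounted."""
    parsed = sorted(((datetime.fromisoformat(ts), src, kind, d) for ts, src, kind, d in events),
                    key=lambda e: e[0])
    verdicts = {}
    for i, (t, src, kind, _detail) in enumerate(parsed):
        if kind != "auth" or src in verdicts:
            continue
        signal = any(
            s == src and k == "http" and t - t2 <= window
            and (d[0] >= 500 or d[1].startswith(pre_auth))
            for t2, s, k, d in parsed[:i]
        )
        verdicts[src] = "exploit" if signal else "credential_abuse"
    return verdicts


def summarize(*samples):
    """Share of incidents coded as exploitation, the headline number a report would publish."""
    verdicts = [v for sample in samples for v in attribute_initial_access(sample).values()]
    return sum(v == "exploit" for v in verdicts) / len(verdicts)


if __name__ == "__main__":
    for sample in (EXPLOIT_THEN_LOGIN, QUIET_EXPLOIT, PLAIN_CREDENTIAL_ABUSE):
        print(attribute_initial_access(sample))
    print("exploitation share:", summarize(EXPLOIT_THEN_LOGIN, QUIET_EXPLOIT, PLAIN_CREDENTIAL_ABUSE))
```

Two of the three constructed incidents began with an exploit, but the rule reports a one-third exploitation share because the quiet exploit left nothing for it to see. Deeper forensic views (memory, crash dumps, web-shell drops) are what move a dataset from the lower number toward the higher one.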
Spending follows measurement. If your CISO deck said credentials were the top initial-access vector and exploits were a rounding error, exploitability reduction was probably underweighted for the last few years.
Proliferated Offensive AI Changes The Floor
The AI part is no longer theoretical.
In April 2026, Anthropic announced Project Glasswing, built around Claude Mythos Preview. The technical examples Anthropic has disclosed show a model that can find vulnerabilities and build working exploit chains in real software. My previous project forecast that we should see a Mythos-grade offensive cyber capability proliferated to Chinese open-weight models around October 3, 2026.
The cost numbers need careful handling. The right framing is not “$50 to $20K per CVE.” Anthropic’s own framing is closer to: about $50 for a best-case successful run identified with hindsight, roughly $2K for a typical successful exploit run, and about $20K total for a broad benchmark pass across roughly 1,000 runs that surfaced several dozen findings.
Still, the strategic meaning is obvious. For the bug classes Mythos handles well, the bottom of the exploit-development market just got much lower.
The public examples of Mythos-grade capability matter because of what they target. The disclosed technical examples cluster around C/C++ code and targets that lack the full modern hardware-rooted mitigation stack: older Unix and Linux paths, FFmpeg, and kernel or userland code without CET shadow stacks, PAC, MTE, V8 sandboxing, BlastDoor-style containment, or HVCI-style enforcement.
That is not a criticism. It is the threat model today.
Anthropic has not publicly demonstrated Mythos defeating modern iOS, modern Chrome with V8 sandbox, Windows 11 with HVCI/CET, or broad ARM PAC/MTE-protected targets. It may be able to. It may not. The public data does not tell us yet.
For edge appliances, that distinction is almost academic. They look much more like the targets Mythos has been shown to handle than like the targets Mythos has not been shown to beat.
That sharpens the conclusion. The edge-appliance mitigation gap is no longer just an attacker-economics gradient. It is an AI-automation gradient.
If Mythos-class capability lowers the floor for C/C++ exploit work, then the product categories without modern mitigations become the obvious first place where that capability shows up operationally. This will be doubly true if the open-weight models proliferate a sub-Mythos-class capability.
The Whole Problem In One Picture
This is the one chart in the post that is a synthesis, not a direct measurement of natural experiments. Read it that way.
It takes a normalized 10,000-CVE cohort and runs it through the model: platform tier, bug class, mitigation layer, observed outcome, and attacker cost tier. The exact flow widths are author-curated from the findings, not a census. The directional claims are the point.
The mature-platform branch pushes a lot of memory-corruption risk into eliminated, blocked, or expensive outcomes. The weak edge-appliance branch leaves a much larger path from memory-corruption CVE to in-the-wild exploitation and into the cheap, Mythos-reachable tier.
That is the strategic picture: AI is already lowering vulnerability discovery and exploit-development costs, but it does not erase the mitigation gradient. It makes the gradient more important.
The Defenses That Actually Scale
The strongest measured answer is not “prioritize better.” It is “remove bug classes.”
Google’s Android data is the cleanest example in this corpus. In 2019, Android had 223 memory-safety vulnerabilities, representing 76 percent of Android vulnerabilities. By 2024, Google’s published count was below 50. By 2025, the share was below 20 percent. Over the same period, Rust grew from effectively zero to millions of lines in the Android platform.
This is vendor-self-reported data, not an independent audit. It should be treated as directional. But even with that caveat, it is the best macro evidence we have for a defender move that changes the size of the bug pool itself.
Memory-safe rewrites do not make a memory-corruption exploit more expensive. They remove the memory-corruption primitive from the rewritten code.
That matters in the Mythos era. If AI makes it cheap to search for and exploit memory bugs, the best answer is not to make humans triage 10x more memory bugs. It is to stop manufacturing the class.
Chrome provides a second, narrower example. MiraclePtr reportedly prevented 57 percent of use-after-free vulnerabilities in privileged Chrome processes between 2022 and 2024, measured against 168 real UAF reports. Fontations, the Rust replacement for FreeType in Chrome’s font stack, has gone through a staged rollout with no security-critical bugs reported in that component to date. Again: vendor data, but strategically coherent.
Hardware memory tagging is the other important lever, and it is where deployment details matter.
Android MTE is not absent. On Pixel 8/9/10, Android enables MTE async mode by default for the security-critical zero-click system-process set: networking daemons, Bluetooth HAL, NFC HAL, SecureElement HAL, system_server, zygote64, and statsd.
But MTE is still not default-on for the Android kernel, GPU drivers, Chrome’s renderer/PartitionAlloc, or most user apps. Users can opt into broader app coverage through Android 16 Advanced Protection Mode, but the default deployment is still partial.
That explains the observed attacker movement. The recent Android chains and Mali GPU bypasses do not show “MTE failed” so much as “MTE did not cover the surface attackers chose.” When one component gets expensive, offense moves to the next soft component.
Apple’s iPhone 17 Memory Integrity Enforcement is the first broad consumer deployment that tries to close that gap: kernel plus more than 70 userland processes, always-on synchronous mode, built on enhanced MTE. Apple’s claim that six historical exploit chains could not be rebuilt around MIE is vendor-self-reported and not independently verified. But it is the shape of the answer: not an MTE toggle, a deployment program.
So the 2026 mitigation plan is not abstract:
Remove high-risk attack surfaces where possible.
Move parser-heavy and protocol-handling code into memory-safe languages.
Put management-plane web UIs in real sandboxes, not just process pools.
Ship default-on CFI/CET/PAC/MTE where the hardware exists.
Extend Android-style MTE from selected daemons to kernel, GPU, browser, and user-app surfaces.
Retrofit edge appliances with the mitigation stack browsers and operating systems already learned to need.
Keep patching KEV-class bugs aggressively, but stop pretending patching can win the pre-disclosure and first-week windows.
Where This Can Be Wrong
There are real caveats.
Public macro data cannot cleanly isolate individual hardening mitigations. DEP, ASLR, CFG, CET, PAC, MTE, site isolation, and BlastDoor shipped into moving systems with changing market share, researcher attention, bug bounty economics, and attacker objectives. The cleanest causal evidence usually lives inside vendors.
The edge-appliance maturity score is not a formal audit. It is a structured comparison of public mitigation posture. The exact score for any one product should not be treated like a lab measurement. The category-level gap is the point.
Exploit-price lists are list prices. They are not transaction prices. They are also buyer-specific. The 2017-to-2026 multipliers should be read as directionally useful, not as precise economic measurement.
The Rust, MiraclePtr, and Apple MIE numbers are vendor-self-reported. They are still useful, but they are not independent measurements.
The biggest unknown is Mythos-class capabilities against the mitigation-rich tier. If Mythos or Mythos-class models already defeat CET, PAC, MTE, V8 sandboxing, and modern iOS/Chrome/Windows containment, and the vendors are simply not saying so, then the mature-platform story gets worse. The public evidence does not answer that yet.
None of these caveats rescue the patch-only strategy.
They mostly strengthen the same conclusion: when discovery gets cheaper, exploitability reduction gets more valuable.
The Conclusion
The strategic hypothesis was close, but the precise version matters.
Exploit mitigations are not “more important than patching” in the lazy sense. You still need both.
The sharper claim is this:
Patching is how you close known holes. Mitigations are how you survive the period when the hole is unknown, undisclosed, unpatched, or not yet deployed.
That period is getting longer in practice even as exploitation gets faster.
The exploit-versus-patch scissors crossed around 2022. By 2023-2024, attackers were getting to weaponized CVEs in about a week while half the exposed install base was still unpatched after 50-60 days. By 2026, DBIR and Mandiant both put exploitation-of-vulnerabilities around one-third of initial access. The wave is concentrated in edge devices missing default-on exploit mitigations that major platforms shipped years ago. The gray market prices that gap at roughly 50-70x. Mythos-class automation makes the weak side of the gap newly urgent.
So the answer is not “patch faster” or “mitigate instead.”
The answer is: patch what is known, but invest like the unknown bug is already in an attacker’s hands.
Because increasingly, it is.