April Newsletter: Claude Mythos, the Impending Patch Tsunami, a New Zero Trust Training Course, and berry desserts.

Posted: Monday April 13, 2026
Author: Numberline Marketing

Hello, and greetings from Numberline headquarters in New England, where springtime allergy season is upon us. As we move deeper into April, this month’s edition focuses on a shift that’s quickly becoming impossible to ignore: Securing Agentic AI.

Across recent conversations at RSA Conference and in our ongoing work with enterprises, we’re seeing the early stages of a new kind of security challenge: the combination of rapid AI adoption and rapidly accelerating vulnerability discovery. Organizations are deploying agentic AI systems today, often without clear constraints or visibility, while at the same time facing a future where vulnerabilities may be identified faster than they can realistically be patched.

Collectively, these trends point to a simple but important conclusion: security strategies that depend primarily on detection and patching are going to struggle to keep up.

In this issue, we explore what this means in practice, and why a more durable approach—grounded in Zero Trust principles like default-deny access and strong identity controls—is becoming increasingly important.

We’re also excited to announce the release of our new self-paced training course, A Practical Approach to Zero Trust: Part 1: Planning, which is designed to help security leaders translate these challenges into a clear, structured path forward.

Of course, our newsletter would be incomplete without the much-awaited recipe recommendation. While it’s not quite berry season, that’s never stopped us before. Our local supermarket (and yours) hosts a variety of frozen berries that are a fine substitute for fresh, and can be used to great acclaim in fruit dessert recipes. With that, we point you to our friends at The Food Lab, and their guide to cobblers, buckles, crisps, slumps, grunts, pandowdys, and sonkers. (While these terms may resemble somewhat-dubious brand names from Amazon, they are actual regional names for delicious berry desserts).

Finally, Scully the Terrier would like to remind those of you dealing with spring allergies that, while this season may bring sniffles and discomfort for humans, he remains alert and vigilant to defend the household from the plethora of birds, rabbits, and squirrels.


News

New Training Released: A Practical Approach to Zero Trust (Part 1: Planning)

We’ve launched our new self-paced training course, focused on the Assessment and Strategy phases of the Zero Trust Blueprint. Based on our real-world advisory work, the course walks through how to evaluate readiness, define a Zero Trust vision, and build a structured program—producing outputs that can be directly applied within your organization.

AI Adoption Is Creating Security Debt in Real Time

In this RSAC recap blog, we explore one of the clearest themes to emerge from this year’s conference: enterprises are moving quickly to adopt agentic AI, often without the guardrails needed to manage risk. Jason Garbis explains why unmanaged or unconstrained AI systems should be treated as a current, not future, concern, and how security teams can respond by reinforcing foundational controls like identity, access, and visibility.

Why the Industry Needs to Prepare for a “Patch Tsunami”

Recent developments in AI-driven vulnerability discovery, including Anthropic’s announcement of Claude Mythos and Project Glasswing, point to the possibility of large-scale, simultaneous waves of software updates across the ecosystem. This creates a practical challenge for enterprises: even well-run organizations may struggle to absorb and apply patches at that scale. In this context, we examine why a Zero Trust approach—reducing exposure through default-deny access—provides a more durable layer of defense alongside patching efforts.

New Video Series: Securing Agentic AI

We’ve also launched a new short-form video commentary series, Securing Agentic AI, featuring our CEO and CTO, Jason Garbis and Jerry Chapman. Across the first three installments, the series explores why basic security controls remain surprisingly effective for agentic AI, whether AI agents should be treated as a different type of identity, and how organizations can think more clearly about different classes of agents and their associated risks. Together, the videos offer a practical, accessible look at some of the most immediate security questions surrounding agentic AI.


Opinion:
Mythos, Marketing, and Mayhem
(AKA the coming patch tsunami)

By Jason Garbis, Numberline Security Founder and CEO

Assisted by Scully the Terrier, who learned about patching from his rag doll chew toy.

The information security universe was abuzz this past week, with seemingly 2/3 of my LinkedIn feed being commentary on Claude Mythos, Project Glasswing, and Anthropic’s decision to hold back on releasing it publicly. While much of the commentary focused on the application security side of things, my blog post centered on the operational and patch management implications. Specifically, I warned about the impending patch tsunami that enterprises need to be prepared for (read my blog post here).

There are also commentators who are critics of Anthropic, either accusing them of using the alleged “danger” of Mythos as a marketing stunt, or of overstating its capabilities. There may or may not be elements of truth in their criticism, but it frankly doesn’t matter. Even if new AI models “only” provide incremental improvements in their ability to discover and weaponize software vulnerabilities, as opposed to the alleged step-function increase in Mythos, you still need to anticipate and prepare for a significant increase in the number and frequency of software patches as well as library updates. This patch tsunami is coming, one way or the other.

I provide recommendations about applying Zero Trust principles in my blog post. Take a look, and please, take action.


Take A Practical Approach to Zero Trust
Explore our new self-paced training course covering the Assessment and Strategy phases of the Zero Trust Blueprint. Learn how to evaluate your current state, define a clear Zero Trust vision, and build a structured program using practical, real-world methodology. Full details here.
