| On April 7, 2026, Anthropic announced Claude Mythos Preview and Project Glasswing — and the open source security landscape changed permanently. Here is what it means for Kyverno, and what we are doing about it. |
Something shifted recently.
Anthropic revealed that its new Claude Mythos Preview model had autonomously found tens of thousands of zero-day vulnerabilities across every major operating system and browser — including a 27-year-old OpenBSD vulnerability that had survived decades of expert human review and millions of automated tests. It did this using a prompt that amounted to: “Please find a security vulnerability in this program.”
Anthropic chose not to release Mythos publicly, forming instead Project Glasswing — a defensive consortium including AWS, Google, Microsoft, Apple, the Linux Foundation, and JPMorgan Chase — to use the model to harden critical software before models with similar capability become broadly available. That window: 6 to 18 months.
As maintainers of Kyverno, we want to share our honest assessment of what this means — for the open source ecosystem, for Kubernetes security, and for what we are going to do about it.
Why Kyverno Is Worth Discussing in This Context
Kyverno is not just another CNCF project. It runs as a Kubernetes admission webhook, which means it has cluster-wide authority over what gets deployed. It is the policy enforcement layer that decides whether a privileged container, an unverified image, or an excessively permissioned service account can run. For thousands of organizations, Kyverno is the last programmatic line of defense before a misconfiguration or malicious workload enters production.
That makes it an extremely high-value target. A zero-day in Kyverno’s admission handler is not just a Kyverno problem — it is a policy bypass for every security control built on top of it.
Kyverno parses complex, user-supplied YAML, CEL expressions, and JMESPath queries. These are exactly the kinds of rich input parsers where subtle logic bugs can hide — the kind that Mythos-class models are now extraordinarily effective at finding.
The Transition Period Is the Danger Zone
Anthropic’s own red team made an important observation in their release: the same capabilities that make Mythos powerful for defense also make it powerful for offense. And critically, they did not train Mythos to find vulnerabilities. These capabilities emerged as a downstream consequence of general improvements in code understanding and reasoning.
This means the capability trajectory is not Anthropic’s alone to control. Similar models will emerge from other labs. The researchers at AISLE independently tested Mythos’s showcase vulnerabilities on small, cheap, open-weight models and found that models with only 3.6 billion parameters could recover much of the same analysis. The moat, it turns out, is not the model — it is the system built around it.
The transition period — right now, the next 6 to 18 months — is the most dangerous phase. Defenders with responsible access to Mythos-class tools can use this window to find and fix vulnerabilities before they are exploited. But that window is narrow.
| “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.” — Microsoft, Project Glasswing partner |
What We Are Seeing in the Community
The Mythos announcement gave a name and a face to something Kyverno and other open source maintainers have been quietly observing for several months. The signals were subtle at first, then impossible to ignore. AI-assisted vulnerability research has already arrived in our issue tracker causing a rise in the amount and complexity of security findings — it just arrived without a press release.
A surge in CVE reports — and a pattern worth noting.
Over the last several months, we have seen a substantial increase in the volume and the complexity of CVE findings submitted to the Kyverno project. On its face, this looks like a healthy sign — more eyes on the code, more vulnerabilities caught before exploitation. But look closer at the reports and a pattern emerges: many of them are structurally similar. The same classes of issues, described in nearly identical language, filed in rapid succession, often within short windows of time. The fingerprints of automated, AI-assisted scanning are visible throughout.
This is not inherently a problem. AI-assisted discovery is finding real issues. The concern is what comes with it — or rather, what does not: fixes. The same reporters who file detailed, well-structured vulnerability reports are rarely the ones submitting patches. Discovery has been automated. Remediation has not.
Maintainers are absorbing the gap.
Kyverno is maintained by a small, dedicated team of contributors who are also responsible for delivering new features, reviewing a large volume of pull requests and contributions many of which are also AI-assisted, managing releases, and supporting the community. The increase in CVE volume and complexity has added a significant and largely uncompensated burden to that team. Triaging an AI-generated report requires the same careful human judgment as triaging a manually written one — you still need to understand the codebase, assess the real-world impact, determine exploitability, and write and validate a fix. That work does not scale automatically just because the reports are being generated faster.
The practical effect is a tension that every open source security project will increasingly recognize: the rate of vulnerability discovery is outpacing the community’s capacity to fix. Features slow down. Review queues lengthen. Maintainers burn out. And the users who depend on the project are left in an uncomfortable in-between — aware that issues have been found, waiting for fixes that take longer than anyone would like.
| This is not a Kyverno-specific problem. It is the structural challenge facing every open source project that sits in a security-critical position: AI has made finding vulnerabilities cheap and fast, but fixing them still requires deep human expertise. The ecosystem has not yet built the institutions to close that gap at scale — and that is exactly what we are working to address. |
What We Are Doing
We, at Nirmata, are not waiting. Here is our concrete response:
Doubling Down on Kyverno OSS Security
As a CNCF graduated project, Kyverno already adheres to rigorous security standards, including SLSA v3 compliance and continuous fuzzing. We are now intensifying this commitment by dedicating significant additional maintainer hours to security hardening and collaborating with the community on a comprehensive end-user security guide.
Hardening Pipelines and AI Workloads
We are extending Kyverno’s policy engine to cover the entire software lifecycle. This includes:
- Security for CI/CD and IaC: Validated policy sets to inspect configurations in repositories and pipelines.
- AI/ML Governance: New controls specifically for AI workloads, including egress restrictions for inference pods, GPU privilege boundaries, and namespace isolation. We are also curating a library of AI governance policies mapped to the NIST AI RMF and CISA frameworks.
Democratizing Enterprise-Grade Security
Following JPMorgan Chase’s guidance on acquiring open-source software with verified provenance, we are removing barriers to entry for enterprise-grade security. We have unbundled and repackaged our product offerings, making the Nirmata Enterprise Kyverno distribution—which includes long-term patch support and guaranteed SLAs on CVEs—available at a significantly more accessible price point.
What This Means for Open Source, Broadly
We want to be direct about the larger picture. The Mythos announcement is not just a story about one AI model. It is a signal that the economics of vulnerability discovery are changing permanently.
Open source software has always operated with a security model that implicitly assumed finding vulnerabilities required expertise held by relatively few people. That assumption is breaking down. The barrier is dropping from ‘elite security researcher’ to ‘anyone with API access and curiosity.’
This does not mean open source is doomed — the same tools available to attackers are available to defenders, and open source has always had the structural advantage of transparency. But it does mean that open source projects can no longer rely on obscurity, low adoption counts, or the assumption that exploiting a bug requires rare skill.
The projects that thrive will be those that invest in security infrastructure — fast patch cadences, formal disclosure processes, supply chain integrity, and continuous scanning — not as occasional projects but as core operational practices.
| The open source security social contract is changing. Maintainers who step up to meet the new bar will earn more enterprise trust, not less. This is an opportunity as much as a threat. |
Nirmata Enterprise for Kyverno: Available Now
Nirmata Enterprise for Kyverno — is available today. It is a hardened, commercially supported distribution built by the upstream Kyverno maintainers: the same people who write the code, triage the CVEs, and know where the sharp edges are.
Enterprise Kyverno gives you contractual CVE response SLAs, LTS backports so you can stay on a pinned version without accumulating unpatched vulnerabilities, the Admission Integrity Monitor to catch webhook misconfigurations and bypass patterns before attackers do, and continuous configuration drift detection. This is not a fork. Community Kyverno remains fully open source and free — and every security investment Enterprise Kyverno funds flows back into the upstream project.
The 6-to-18-month window before Mythos-class capability is broadly available is not a planning horizon — it is an operational deadline. Every week you run community Kyverno without a contractual CVE SLA is a week where a critical patch could be sitting in a volunteer queue while automated scanners probe your admission webhook. If you are running Kyverno in production and the Mythos announcement made you pause, that pause is the signal.
Visit nirmata.com/nirmata-enterprise-for-kyverno to get started today.
We have also partnered with Chainguard to make Nirmata Enterprise For Kyverno available as part of Chainguard Commercial Builds program.
What You Should Do Right Now
Whether you use Kyverno or not, here are concrete steps every Kubernetes operator should take in light of Mythos:
- Upgrade to the latest versions of Kyverno, or use a commercial distribution with trusted builds and SLAs for CVEs and critical fixes.
- Pin all admission webhook images to specific digests — not tags — and verify signatures.
- Implement egress allow-listing for all production namespaces, especially AI/ML workloads.
- Generate and track SBOMs for every tool in your Kubernetes control plane
- Define and publish your internal CVE patch SLA — if you don’t have one, make it this week
- Review privilege levels of all cluster-level components: what has cluster-admin or cluster-wide webhook access?
- If you run AI workloads in Kubernetes, audit egress rules now — this is the Log4Shell equivalent for AI-era infrastructure
