Ireland's NCSC Warns of AI-Driven Vulnerability Race as Anthropic's Mythos Identifies Thousands of Zero-Days
Ireland's cyber security chief tells parliament AI vulnerability discovery is accelerating beyond threat actor capabilities—but the gap is closing fast.
The Vulnerability Discovery Crisis Ireland Didn’t Know It Had
Ireland’s National Cyber Security Centre has sounded an unusually direct alarm: the country’s critical infrastructure faces a new kind of race condition—one where AI can now discover vulnerabilities faster than humans can patch them.
The trigger is Anthropic’s Claude Mythos Preview, a model that autonomously identified and exploited a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747), with no human involvement in discovery or exploitation. In recent weeks alone, Mythos has identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old bug in OpenBSD that evaded detection for nearly three decades.
This capability is now at the centre of Ireland’s cybersecurity policy conversation. The NCSC director will tell Ireland’s Oireachtas Committee on Artificial Intelligence that the implications are “both vast and inherently unpredictable,” and that Ireland is “in a race” as “the technical frontier is leaping ahead every week.”
Why This Matters Beyond the Headlines
The NCSC’s position is notably balanced. In reviewing Anthropic’s published technical material, the centre acknowledged that no comparable autonomous vulnerability discovery capability is currently available to threat actors. But it also flagged something more urgent: organisations should expect accelerated vulnerability disclosure in coming months.
That’s not reassuring—it’s a warning dressed in diplomatic language. If vulnerabilities are being discovered at scale faster than patches can be deployed, the window between disclosure and exploitation shrinks. For Irish financial institutions, healthcare providers, and state infrastructure operators, that window is already narrow.
Anthropic is moving fast. The firm’s head of UK, Ireland and northern Europe announced plans to release Mythos to UK financial institutions in the coming week, suggesting Irish deployments may follow shortly.
Project Glasswing—Anthropic’s initiative to distribute Mythos access with over $100 million in usage credits to 50+ tech organisations—will only accelerate the discovery curve. This isn’t a niche capability; it’s being mainstreamed.
What Irish Organisations Need to Do Now
For Irish tech teams and security operations, the practical implication is stark: assume your current patch management velocity is insufficient.
The NCSC’s implicit message is that threat actors are “heavy users of AI tools” and advances enable “greater automation of attack processes.” A 17-year-old vulnerability sitting in production is no longer an inconvenience—it’s an exploit waiting to be automated at scale.
Irish organisations should:
- Audit your vulnerability disclosure timelines. How long does your organisation take from patch availability to deployment? That timeline is now your risk window.
- Prepare for disclosure acceleration. Expect vulnerability reports to accelerate through 2026. Budget and staffing for incident response should reflect this.
- Engage with sectoral regulators. Ireland’s distributed AI enforcement model places oversight with 15 sectoral authorities. Know which regulator covers your organisation and understand their expectations around AI-enabled security risks.
The Bigger Picture: AI Security as National Infrastructure
The NCSC’s Oireachtas testimony signals that Ireland is beginning to treat AI-enabled cybersecurity as a critical infrastructure question, not just a technology trend. That’s appropriate. When a single model can autonomously compromise firewalls across 55 countries (as documented in recent breaches), vulnerability discovery is a sovereignty question.
The EU AI Act’s August 2026 enforcement deadline now carries new weight. High-risk AI systems will require documented compliance, transparency, and human oversight. For organisations deploying or relying on AI-driven security tools, that framework matters immediately.
Open Questions
What remains unclear: Will Mythos-class capabilities be limited to authorised organisations, or is autonomous vulnerability discovery on a path toward proliferation? And how will Ireland’s sectoral regulators coordinate rapid response when vulnerabilities are disclosed at machine speed? The NCSC’s warning suggests these questions are no longer theoretical.