81% of teams ship broken code: Mythos made that inexcusable | Tech Radar
For years, cybersecurity was a numbers game. Find more vulnerabilities than attackers can exploit. Patch faster than they can move. Stay vigilant and stay ahead.
But what the latest generation of AI models has shown (especially Claude Mythos) is that AI has become dangerously good at understanding how systems actually work together.
It can trace connections across applications, APIs, identities, cloud services, and third-party components. It doesn’t just find bugs. It exploits hidden fault lines across the enterprise and waits for the right moment to trigger the quake.
Meanwhile, most organizations still operate as if shipping code with known security flaws is an acceptable risk. Last year, a staggering 81% of global App Sec leaders who responded to a Checkmarx study said they knowingly ship vulnerable code.
This happens not because the risk is small, but because the volume is overwhelming. Teams do not have the time, capacity, or resources to fix everything, so exposure is constantly deferred and absorbed into day-to-day operations. In practice, teams have been able to rely on the complexity of the stack to keep many of those known vulnerabilities from ever being exploited.
AI is changing how quickly and easily vulnerabilities can be turned into working exploits. Tasks that once required deep technical knowledge can now be done with tools that guide, accelerate, and in some cases automate parts of the process.
This has direct implications for assessing risk. Many vulnerabilities have historically been deprioritized because exploiting them was impractical for attackers. As the skill and effort needed to exploit them drop, those same vulnerabilities are becoming viable entry points.
This puts pressure on the way we've always prioritized risk. Severity scores tell you how dangerous a vulnerability looks in isolation. They don't tell you how easy it has become to exploit in the real world. Those are now two different calculations, and conflating them is exactly how attackers get ahead.
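To make the difference between the two calculations concrete, here is an added example (not code from the article or from any vendor product) that triages the same backlog twice: once by severity alone, once by a score that folds in exploit evidence. The field names, the weights, and the four sample findings are constructed assumptions for illustration; a real program would feed in exploited-vulnerability lists, exploit prediction scores and reachability data from its own tooling.

```python
"""Triage ordering: severity alone versus severity plus exploit evidence.

Added example, not code from the article or any product. Field names,
weights and the sample backlog are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    cvss_base: float            # 0.0-10.0: how bad it looks in isolation
    known_exploited: bool       # evidence of exploitation in the wild
    public_exploit: bool        # working PoC or exploit code is public
    exploit_probability: float  # 0.0-1.0: assumed predictive score (EPSS-style)
    reachable: bool             # vulnerable code path is reachable in this deployment
    internet_facing: bool       # the affected component is exposed externally


def severity_rank(findings):
    """The legacy ordering: highest CVSS base score first."""
    return [f.id for f in sorted(findings, key=lambda f: -f.cvss_base)]


def exploitability_score(f: Finding) -> float:
    """Combine severity with real-world exploit evidence.

    Weights are assumptions chosen so that evidence of active exploitation
    dominates, a public exploit counts next, and an unreachable finding is
    discounted heavily rather than dropped (unreachable is not impossible).
    """
    score = f.cvss_base / 10.0          # 0..1 baseline from severity
    if f.known_exploited:
        score += 2.0
    elif f.public_exploit:
        score += 1.0
    score += f.exploit_probability      # 0..1 predictive signal
    if f.internet_facing:
        score += 0.5
    if not f.reachable:
        score *= 0.25
    return round(score, 3)


def exploitability_rank(findings):
    """Ordering by the combined score: most likely to be exploited first."""
    return [f.id for f in sorted(findings, key=lambda f: -exploitability_score(f))]


# Constructed sample backlog (not real CVEs).
SAMPLE = [
    Finding("VULN-A", 9.8, False, False, 0.02, False, False),  # critical on paper, unreachable, no exploit
    Finding("VULN-B", 6.5, True, True, 0.90, True, True),      # medium on paper, actively exploited, exposed
    Finding("VULN-C", 7.5, False, True, 0.40, True, False),    # high, public PoC, internal only
    Finding("VULN-D", 9.1, False, False, 0.05, True, True),    # critical, reachable, no exploit yet
]


def triage_report(findings=SAMPLE):
    """Return both orderings so the difference is visible side by side."""
    return {
        "by_severity": severity_rank(findings),
        "by_exploitability": exploitability_rank(findings),
    }


if __name__ == "__main__":
    for label, order in triage_report().items():
        print(f"{label:18s} {order}")
```

With these inputs the severity ordering puts the unreachable, unexploited 9.8 first and the actively exploited 6.5 last; the exploitability ordering inverts that. The point is not the particular weights but that the second column is a different calculation from the first, and it is the one the attacker's economics follow.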
A small percentage of insecure code sounds manageable. But multiply it across millions of lines and it becomes a massive potential attack surface.
Every line of code generated at machine speed is another line that needs to be secured at machine speed. Coordinated disclosure and patch management efforts help at the margins, but don’t touch the mountain of vulnerabilities already sitting in production: dormant, deprioritized, and increasingly easy to reach.
Most organizations already face a backlog of unresolved vulnerabilities. What's new is the speed at which that backlog grows: as the ADLC (Agentic Development Life Cycle) takes shape, the gap between identification and remediation is widening fast. Security programs that focus heavily on finding vulnerabilities without improving how they are prioritized and fixed will struggle to keep pace.
Traditional App Sec was designed for a world that no longer exists. What's needed now is security that's continuous, embedded directly into development workflows, and capable of assessing real-world exploitability and remediating it in real time. Fixed cycles and delayed feedback are luxuries the current threat landscape can't afford.
The attack surface in modern software development doesn't have a single entry point. It has to be defended at each phase of the pipeline:
● At the moment of code creation in the IDE, where agents generate code faster than any review process was designed to absorb. Security has to live where the code lives.
● In the build and CI/CD phase, where every commit, every dependency update, and every AI-generated change must be assessed for exploitability in context, not just flagged for existence.
● And at runtime, where deployed applications face live threats, security must close the loop between what was shipped and what is being actively exploited.
Protecting these phases takes more than just bolting on another AI tool. One of the most critical actions an organization needs to take is to keep the security system structurally separate from the AI systems it’s meant to govern. When the same LLM writing your code is also the one judging whether it's safe, you've handed the student the answer key and asked them to grade their own exam.
What the AI era demands instead is a hybrid agentic security control layer, one that combines deterministic, rule-based analysis with AI-augmented reasoning, but where the deterministic layer remains the ground truth. That separation isn't a legacy constraint. It's the architectural property that makes the security signal trustworthy.
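To show what "the deterministic layer remains the ground truth" means in code, here is an added example (not code from the article or from any vendor product). A rule-based scanner finds two dangerous sinks by exact AST pattern, with no model involved; an advisory input, which could come from an LLM or from a human reviewer, is then allowed to re-rank and annotate those findings but can never make one disappear. The rule names, the finding format, the advisory shape and the sample source are constructed assumptions for illustration.

```python
"""Deterministic findings as ground truth; advisory input can annotate, never erase.

Added example, not code from the article or any product. Rule names,
the finding and advisory formats, and the sample input are constructed.
"""
import ast

SHELL_SINKS = ("subprocess.run", "subprocess.Popen", "subprocess.call", "os.system")


def _call_name(node: ast.Call) -> str:
    """Render the callee as 'name' or 'module.attr'; anything else is ignored."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def deterministic_scan(source: str):
    """Exact AST rules: dynamic code execution and shell-interpreted commands."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append({"rule": "DYN-EXEC", "line": node.lineno,
                             "detail": f"{name}() on runtime-supplied input"})
        elif name in SHELL_SINKS:
            shell = name == "os.system" or any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords)
            if shell:
                findings.append({"rule": "SHELL-CMD", "line": node.lineno,
                                 "detail": f"{name} with shell interpretation"})
    return sorted(findings, key=lambda f: f["line"])


def merge_verdicts(findings, advisory):
    """Fold advisory context into deterministic findings.

    advisory maps (rule, line) -> {"priority", "note", "suppress"}. Priority and
    note are taken as given; a suppress request is recorded for a human to act
    on, but the finding itself is never removed by this layer.
    """
    merged = []
    for f in findings:
        adv = advisory.get((f["rule"], f["line"]), {})
        out = dict(f)
        out["priority"] = adv.get("priority", "high")   # deterministic default
        out["note"] = adv.get("note", "")
        out["suppression_requested"] = bool(adv.get("suppress", False))
        merged.append(out)
    return merged


# Constructed sample: one dynamic-exec sink, one shell=True call, one safe call.
SAMPLE_SOURCE = '''
import subprocess, os

def handler(user_input, cmd):
    result = eval(user_input)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"])
    return result
'''

# Constructed advisory verdict, as a model or reviewer might return it.
ADVISORY = {
    ("DYN-EXEC", 5): {"priority": "low", "note": "believes input is trusted", "suppress": True},
}


def review(source: str = SAMPLE_SOURCE, advisory=ADVISORY):
    """Run the deterministic rules, then layer the advisory on top."""
    return merge_verdicts(deterministic_scan(source), advisory)


if __name__ == "__main__":
    for f in review():
        print(f)
```

The advisory asks to suppress the eval() finding and down-ranks it to "low"; the merged output keeps both findings, honours the priority change, and records the suppression request as something a human must sign off on outside this layer. Whatever produced the advisory, including the same model that wrote the code, cannot grade its own exam here.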
The goal, before AI and now with it, was never to find every vulnerability. It was to stop the ones that matter before they are used against you. The organizations that understand that shift and act on it will be better defended, and still standing while everyone else is explaining how it happened.
This article was produced as part of Tech Radar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit