The cybersecurity industry is confronting a fundamental shift after the release of Anthropic’s advanced vulnerability discovery model, Mythos.
As a result, the rise of AI-powered vulnerability discovery systems is prompting security leaders to question whether CVSS scoring remains fit for purpose.
As organizations face an unprecedented volume of newly discovered vulnerabilities, many argue that traditional severity-based prioritization models can no longer accurately reflect real-world risk, exploitability, or customer impact.
Speaking with CX Today, Shimon Tolts, CEO of Copperhelm, argued that this new reality is rendering traditional vulnerability prioritization models obsolete.
“Prioritization is dead,” he said.
“The National Vulnerability Database (NVD) essentially pausing its scoring earlier this year proves that static CVSS is becoming an obsolete metric.”
Why CVSS Scores No Longer Reflect Reality
CVSS, the Common Vulnerability Scoring System, is the industry-standard framework for assigning numerical severity ratings to vulnerabilities, used by organizations as the primary method to determine which should be remediated first.
And whilst a higher score indicates a greater risk, the growing volume of vulnerabilities discovered by advanced systems like Mythos has exposed a major flaw in this approach.
Because severity measures only the potential impact of a vulnerability, it cannot determine whether the flaw is actually exploitable within a specific environment; real-world risk depends on several factors that a static score does not measure.
A vulnerability rated critical under CVSS may therefore pose little practical danger if the affected system is isolated from attackers.
Conversely, a medium-severity vulnerability on an internet-facing system could represent an immediate threat.
“Severity labels are irrelevant,” Tolts noted.
“It doesn’t matter what a scanner rates a flaw; what matters is whether it’s actually exploitable in your specific environment.”
As organizations face an increasing number of findings generated by AI-assisted security tools, security teams are recognizing that numerical scores alone cannot accurately represent risk.
As a result, effective prioritization now requires additional understanding of how vulnerabilities interact with the organization’s specific environment, rather than relying solely on generalized severity ratings.
Why Scores Miss the Threat
The emergence of AI-driven vulnerability discovery systems such as Mythos has reinforced the reality that attackers rarely rely on a single vulnerability to achieve objectives.
Instead, they frequently engage in attack chaining, linking individual minor vulnerabilities together to create a more serious compromise.
Because CVSS scores each vulnerability independently, it often fails to capture how seemingly insignificant weaknesses can interact within a real environment.
From a CX perspective, this limitation is particularly important because customers do not perceive incidents through the lens of vulnerability ratings, but through service consequences.
This can appear as service outages, account compromises, data exposure, degraded application performance, and diminished trust in the organization.
As a result, a vulnerability that appears low risk in isolation may contribute to a major customer-facing disruption.
“Mythos proves the model is broken,” explained Tolts.
“It demonstrates exactly how attackers chain ignored, so-called ‘low-severity’ flaws into devastating, high-impact attacks.”
These systems demonstrate that risk often results from the accumulation of numerous overlooked weaknesses, meaning that organizations that focus solely on individual scores may be underestimating the likelihood of customer-impacting incidents.
Modern security strategies are increasingly emphasizing attack path analysis, exploitability, and the relationships between vulnerabilities, providing a more accurate understanding of how system weaknesses can lead to operational disruption and customer harm.
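To make the two scenarios above concrete (a critical flaw on an isolated host, and medium and low flaws that chain from the internet to customer data), here is an added example that is not from the article or from Copperhelm: a small attack-path check over a constructed inventory that ranks findings first by whether they lie on a route from the internet to a crown-jewel asset, then by CVSS. The host names, finding ids, scores and the "exploiting a flaw grants access to a host" model are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:
    fid: str     # scanner finding id
    src: str     # network position an attacker must already hold to reach the flaw
    dst: str     # host the attacker gains when the flaw is exploited
    cvss: float  # static CVSS base score as reported by the scanner

# Constructed inventory: attackers start on the internet; the customer database is the crown jewel.
START = "internet"
CROWN_JEWELS = {"customer-db"}

# Constructed findings: a CVSS 'critical' on an isolated build server, plus a chain of one
# medium and one low flaw that links the public portal to the customer database.
FINDINGS = [
    Finding("F1", "build-lan", "build-server", 9.8),  # critical, but unreachable from the internet
    Finding("F2", "internet", "web-portal", 5.3),     # medium, internet-facing
    Finding("F3", "web-portal", "customer-db", 3.7),  # low, internal pivot to customer data
    Finding("F4", "internet", "status-page", 4.0),    # medium, exposed but leads nowhere critical
]

def _reach(edges, starts):
    """Plain BFS: every node reachable from `starts` following `edges` (node -> set of nodes)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def on_attack_path(findings, start=START, targets=CROWN_JEWELS):
    """Ids of findings on some chain from `start` to a crown jewel: the finding's source is
    reachable from the start and its destination still leads onward to a target host."""
    fwd, bwd = {}, {}
    for f in findings:
        fwd.setdefault(f.src, set()).add(f.dst)   # exploit grants src -> dst
        bwd.setdefault(f.dst, set()).add(f.src)   # same edge reversed, for the backward search
    from_start, to_target = _reach(fwd, {start}), _reach(bwd, set(targets))
    return {f.fid for f in findings if f.src in from_start and f.dst in to_target}

def by_cvss(findings):
    """The static ranking a scanner dashboard shows: highest base score first."""
    return [f.fid for f in sorted(findings, key=lambda f: -f.cvss)]

def prioritize(findings):
    """Context-aware ranking: flaws on a path to customer data first, the rest by CVSS."""
    chain = on_attack_path(findings)
    return [f.fid for f in sorted(findings, key=lambda f: (f.fid not in chain, -f.cvss))]
```

With this inventory the static view puts the isolated 9.8 at the top, while the path-aware view promotes the 5.3 and 3.7 flaws that together expose customer data.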
Why CX Demands Machine-Speed Security
The increasing speed of vulnerability discovery and exploitation is forcing organizations to reconsider traditional approaches, as systems like Mythos highlight a growing mismatch between modern threat environments and conventional remediation processes.
Historically, vulnerability management programs have relied on SLAs that establish fixed remediation timelines based on CVSS severity scores, developed during a period when vulnerability discovery and attack execution moved at a slower pace.
Today, however, security research has significantly compressed the time between vulnerability disclosure and potential exploitation, reducing the effectiveness of such fixed-timeline remediation models.
“Timeframes are a liability,” highlighted Tolts.
“Relying on a 24-hour or 30-day remediation window means you are actively vulnerable to attackers for 24 hours or 30 days.”
From a CX perspective, this issue extends beyond technical risk as customers expect continuous, secure, and uninterrupted experiences.
Vulnerabilities that remain unresolved can result in reputational damage, and many security leaders now advocate a shift toward more adaptive approaches that prioritize exploitability and automated response.
When threats can emerge and evolve in the space of a few hours, maintaining customer trust increasingly depends on an organization’s ability to detect and prioritize vulnerabilities at machine speed rather than predetermined timelines.