The past four months have been instructive. Mythos-class agents began appearing in production codebases in late 2025; by the first quarter of 2026 they were routine. We have run thirty-eight engagement-week-equivalents against systems built around them. What follows is a summary of the patterns we have seen most often, the ones that keep showing up in Mill Creek's threat-brief inbox, and a frank assessment of which remediation pipelines absorbed them and which broke.
The shape of the cadence
The first thing to notice about the new generation of frontier models is not what they can do but how fast they do it. Discovery-side compression, the well-discussed effect, is real: a Mythos-class adversary can iterate through hundreds of probe variants against a sanctioned agent in the time a traditional red-team operator finishes their first cup of coffee. But the more interesting compression is on the deployment side. Engineering teams are now shipping agentic features as quickly as they are shipping ordinary product features. The result is a constant flow of new agent surface entering production, much of it uninventoried by the security team.
Patch cadences were not designed for this. The defensive assumption embedded in most application security programs is that vulnerabilities are discovered occasionally, prioritized in a backlog, and fixed during a release window. That assumption is breaking. It has not yet broken loudly enough for most boards to notice — but the engagements we are running this quarter look meaningfully different from the engagements we were running a year ago.
Three exploit classes
Three patterns now show up in nearly every engagement against a Mythos-era surface.
The first is expansion-by-tooling: an agent that was originally given access to a narrow tool set has acquired, through ordinary feature work, a meaningfully larger set of tools without a corresponding security review. We have seen scheduling agents acquire calendar-write access, then directory-read access, then email-send authority — each step approved through routine engineering change-management — without any of the steps triggering a security re-review of the cumulative authority. The agent's effective authority is the accumulation of these incremental grants. Its declared authority, the thing the audit committee thinks it has, is nothing more than what the original deployment ticket granted.
The second is prompt-injected supply-chain pivots: a hostile payload, typically embedded in an artifact the agent was authorized to read — a PDF, a customer email, a calendar invite, a document linked from a vendor system — redirects the agent through an authorized integration to take an action the operator did not intend. The class has been understood theoretically since 2023. What is new is its frequency and the diversity of the pivot points. Document pipelines, browser tools, calendar systems, vendor inboxes — all are now reliable injection surfaces in Mythos-class deployments.
The third is policy drift: the gap between the policy that governed the original deployment and the policies that have actually evolved in the agent's runtime configuration as engineering teams shipped features against it. The agent is operating under a policy nobody is reviewing. The CISO's expectation of what the agent does and the engineering team's understanding of what the agent does have diverged.
These three classes are not independent. The expansion-by-tooling pattern creates the surface that prompt-injected supply-chain pivots exploit. Policy drift prevents the security team from noticing either. They reinforce one another. The combined cadence is what compresses the timeline.
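One way to make the expansion-by-tooling and policy-drift gap measurable is to reconstruct the agent's effective authority from the change-management record and diff it against the deployment ticket. This is an added example, not Olympus or Mill Creek code; the ticket ids, tool names and grants are constructed, and the high-risk action list is an assumption.

```python
"""Added example (not the firm's code): reconstruct an agent's effective
tool authority from a sequence of change-management grants and diff it
against the authority declared in the original deployment ticket.
All ticket ids, tool names and grants below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    change_id: str          # hypothetical change-management ticket id
    tool: str               # e.g. "calendar"
    action: str             # e.g. "write"
    security_reviewed: bool  # did this grant get a security review?


# Constructed: what the deployment ticket declared the scheduling agent may do.
DECLARED = {("calendar", "read")}

# Constructed: the grants that accumulated through ordinary feature work.
GRANTS = [
    Grant("CHG-101", "calendar", "write", security_reviewed=False),
    Grant("CHG-118", "directory", "read", security_reviewed=False),
    Grant("CHG-133", "email", "send", security_reviewed=False),
]

# Assumed high-risk actions that should always force a cumulative re-review.
HIGH_RISK = frozenset({("email", "send")})


def effective_authority(declared, grants):
    """Effective authority is the union of the declared scope and every grant."""
    return set(declared) | {(g.tool, g.action) for g in grants}


def authority_drift(declared, grants):
    """Return (tool, action) pairs live at runtime but absent from the deployment
    ticket, plus the change ids that introduced them without security review."""
    extra = effective_authority(declared, grants) - set(declared)
    unreviewed = [g.change_id for g in grants
                  if (g.tool, g.action) in extra and not g.security_reviewed]
    return extra, unreviewed


def needs_rereview(declared, grants, high_risk=HIGH_RISK):
    """True when drift reaches a high-risk action or any undeclared grant
    skipped security review: the cumulative authority must be re-reviewed."""
    extra, unreviewed = authority_drift(declared, grants)
    return bool(extra & high_risk) or bool(unreviewed)


if __name__ == "__main__":
    extra, unreviewed = authority_drift(DECLARED, GRANTS)
    print("declared:", sorted(DECLARED))
    print("undeclared at runtime:", sorted(extra))
    print("introduced without security review:", unreviewed)
    print("cumulative re-review required:", needs_rereview(DECLARED, GRANTS))
```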
The patch pipeline is the bottleneck
The conventional response to a finding is the conventional response to any backlog item: prioritize, schedule, fix in the next available release. That response is timed against discovery cadence. When discovery cadence was monthly, scheduling worked. When discovery cadence is daily — which is closer to where Mythos-class systems put us — the queue grows faster than the engineering team can absorb it.
The bottleneck is no longer at the scanner. It is at the merged pull request.
This is the observation that drove us to build Olympus the way we did. A scanner that produces ten findings a day is useful. A scanner that produces ten findings a day in an environment where the engineering team can absorb three of them is, in practice, a backlog generator. The binding constraint is the rate at which the engineering team can review and merge security pull requests.
Most security firms still operate as if the discovery problem were the hard one. The discovery problem is solved. The remediation problem is the new hard one.
What works
The remediation pipelines that survive Mythos-class cadence have three things in common.
They produce diffs, not advisories. The traditional security report — a paragraph describing the vulnerability, a paragraph describing the recommended fix, an open ticket assigned to an engineering lead — is no longer fast enough. Engineering teams operating at agentic-era cadence can absorb a pull request in the same time it takes to read the advisory. The advisory is now the bottleneck, not the diff.
They operate inside the engineering team's normal review surface. The most common failure we see is a security team operating a remediation queue out-of-band — in a separate ticket system, against a separate priority, reviewed by the security team rather than the engineering team. This works at low throughput. At high throughput, it becomes a parallel system that the engineering team learns to ignore. Olympus pull requests open as ordinary contributions in the engineering team's main repository under the engineering team's existing CODEOWNERS and CI gates. They get treated as ordinary engineering work because they look like ordinary engineering work.
They preserve evidence with the diff, not separately. The auditable record of what was found, why it was severe, what the fix changed, and what the rollback plan is needs to live with the merged commit. Detached evidence systems get out of sync the moment they exist. The pull request body should be the audit artifact.
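A merge gate that refuses a security pull request unless its body carries the four items named above (what was found, why it was severe, what the fix changed, how to roll back) is one way to make the PR body the audit artifact. This is an added example, not Olympus code; the section names, the severity scale and the sample bodies are constructed, not a real template.

```python
"""Added example (not Olympus code): a CI gate that blocks a security PR whose
body lacks the audit record: finding, severity, fix, rollback plan.
Section names, severity scale and sample bodies are constructed."""
import re

REQUIRED = ("Finding", "Severity", "Fix", "Rollback")   # assumed template
SEVERITIES = {"critical", "high", "medium", "low"}       # assumed scale


def parse_sections(body):
    """Split a markdown PR body into {heading: text} for '## Heading' blocks."""
    sections, current = {}, None
    for line in body.splitlines():
        m = re.match(r"^##\s+(.+?)\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = ""
        elif current is not None:
            sections[current] += line + "\n"
    return {k: v.strip() for k, v in sections.items()}


def audit_gaps(body):
    """Return the problems that should block the merge; an empty list means OK."""
    s = parse_sections(body)
    gaps = [f"missing or empty section: {n}" for n in REQUIRED if not s.get(n)]
    m = re.match(r"([^\s:]+)", s.get("Severity", ""))   # first token, e.g. "high:"
    sev = m.group(1).lower() if m else ""
    if sev and sev not in SEVERITIES:
        gaps.append(f"unrecognised severity: {sev!r}")
    if s.get("Rollback") and not re.search(r"\brevert\b", s["Rollback"]):
        gaps.append("rollback section does not state a revert procedure")
    return gaps


# Constructed sample bodies; <merge-commit> is a placeholder, not a real hash.
SAMPLE_OK = """## Finding
Scheduling agent can send mail to external recipients via the email tool.
## Severity
high: undeclared email-send authority reachable from a calendar invite.
## Fix
Remove the email-send grant from the agent's tool manifest; add an allowlist.
## Rollback
git revert <merge-commit>; the prior manifest stays in commit history.
"""
SAMPLE_BAD = "## Finding\nAgent reads the directory.\n## Severity\nsev1\n"

if __name__ == "__main__":
    print("ok body gaps:", audit_gaps(SAMPLE_OK))
    print("bad body gaps:", audit_gaps(SAMPLE_BAD))
```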
A note on incentives
The remediation problem will not be solved at the discovery layer for the same reason discovery was not solved at the patch layer: the incentive gradient runs the other way. Building a better scanner is glamorous and trivially monetizable. Building a system that ships pull requests inside the customer's repository, under the customer's review process, with rollback plans attached and CODEOWNERS respected, is unglamorous and requires the firm to take on operational responsibility for software that other people merge.
We took on the operational responsibility deliberately. It is a strategic choice that shaped the architecture, the engagement letter, and the partner-engagement model. It will not surprise us if the rest of the security industry follows in the next twenty-four months. It will only happen if firms are willing to be accountable for the diff, not just the finding.
The Mythos-class threat window is not closing. It is what application security looks like now.