Glasswing partners are, broadly, the companies whose infrastructure most of the internet runs on. Hardening their systems benefits everyone downstream. That is genuinely good news.

The gap is everyone else. The mid-market commercial operator, the public sector organisation, the cultural institution, the charity, the challenger brand. These organisations are not getting early access. They are running the same systems they had last month, facing a hacker baseline that is rising.

Meanwhile, the window between vulnerability discovery and exploitation has collapsed from months to minutes. Defenders now need to move at the speed of AI. Most organisations do not. 

Your website runs on a CMS you didn’t write. That CMS runs on a stack of software libraries maintained by people you’ve never met. Your cloud hosting is a service. Your plugins are other people’s code. Your analytics, your tag manager, your payment gateway, your email automation. Every layer has potential vulnerabilities that have been around for years simply because finding them required more effort than most hackers were capable of.

That is no longer true.

Mythos class capability, used by defenders, will surface these flaws fast. This is good. But some people have described this as a “Patch Tsunami”, your systems will need patching more often, sometimes urgently, sometimes with downtime. The “we built this three years ago and it’s been fine” argument no longer holds. The next security review will surface more issues than the last one. Clients will receive invoices they didn’t budget for, and conversations they didn’t expect to have.

This isn’t a reason to panic. It is a reason to rebuild digital systems as live operational infrastructure rather than a finished project from a few years ago.  

A few things, none of them revolutionary.

1. Know your software dependency tree. If you can’t list what is in your stack, you can’t defend it. The basics of supply chain security now matter more than ever.
2. Treat AI driven security testing as part of build cost, not an optional extra. The economics of adding it now are far better than the economics of responding to an incident later.
3. Patch software often and regularly. Boring, unglamorous, essential. The organisations that patch weekly will fare better than the ones that patch quarterly.
4. Pair AI driven scanning with human judgement. AI will surface more than humans can, but humans still need to decide what matters, in what order, and how to fix it without breaking something else.

Small agencies with a handful of developers and no dedicated security practice will struggle with this. Not because they lack intent, but because the attack surface area is too large for a small team to credibly cover. This is uncomfortable to say, but it is true, and clients are entitled to ask the question.

We don’t know what the next Mythos looks like. We don’t know which other AI labs are close, or how close. We don’t know who has access to what right now. We don’t know how quickly defensive tools will reach the mid-market.

This is not a reason to freeze. It is a reason to move deliberately, to tighten what you can tighten, and to make sure your partners are doing the same. 

Bolser has been building digital systems for mature organisations for over twenty years. We hold Cyber Essentials Plus. We pass an externally validated Microsoft security audit every year. We take the infrastructure we run seriously because the people we run it for rely on it.

We are in an evaluation stage on how AI driven security testing fits into our client delivery, and we are talking with clients about the implications of all this rather than pretending we have all the answers. If you run a digital platform that matters, to your customers, your revenue, your reputation, and you want a conversation about what Mythos class AI means for the systems we’ve built, or the ones you built elsewhere, get in touch.

This is not a time to panic, nor is it for agencies who dabble. It is a moment for digital partners who take this seriously.