The NVD Funding Crisis Was Bigger Than Mythos

Scott Kuffer
April 9, 2026
Industry Perspectives

Everyone is calling Claude Mythos a watershed moment. I’d like to offer a slightly different take.

Not because the capability isn’t real; it is. But if Mythos is the moment that finally convinced your organization that rapid vulnerability discovery is an existential threat, you’ve been watching the wrong thing.

We saw this coming. Vulnerability Management has been moving in this direction for years, and we built Nucleus with this trajectory in mind. What surprises me is the surprise.

The Moment That Actually Mattered Was the NVD

While the industry spent the last year debating AI hype, the National Vulnerability Database, the foundational enrichment layer on which every scanner, every risk score, and every compliance workflow in the industry depends, quietly began breaking down. NIST’s backlog of CVEs ballooned to tens of thousands. Analysis timelines collapsed. Organizations that assumed the data infrastructure underpinning their entire vulnerability program was stable found out it wasn’t.

That was a structural crisis. It exposed something fundamental: most vulnerability management programs are built on dependencies and third parties, not infrastructure. They work when everything goes right. They don’t have a contingency when something goes wrong.

That’s the conversation we should have been having, but at the time we barely had it.

Mythos Accelerates a Problem You Already Have

Mythos is stressing the system that already couldn’t keep up. Regardless of how capable AI-assisted discovery becomes, your team is already managing a backlog it cannot close. The constraint has never been finding vulnerabilities. We’ve had million-plus finding backlogs for a decade. Doing something about them has been the challenge.

Remediation fails for reasons unrelated to detection. Findings that don’t route to the right team. Tickets that get created and never verified. Risk scores that don’t reflect real-world exploitability. Security and engineering that don’t share a workflow. These are coordination failures, and AI doesn’t fix coordination failures; it exposes them faster.

It doesn’t surprise me that the main outcome of new technology is finding more vulnerabilities faster, as this is the same pattern we’ve seen my entire career. Most investment ends up in discovering new vulnerabilities, and the remediation processes are left to the devices of various business units, teams, and engineering departments. If Mythos surfaces vulnerabilities at unprecedented speed and your remediation infrastructure isn’t operational, you don’t have an AI problem. You have the same problem you’ve always had, now exacerbated to levels we’ve not seen before.

Speed to Remediation Was Always the Job

The organizations that navigate this well won’t be the ones who react to Mythos. They’ll be the ones who spent the last few years building the operational layer that turns findings into closed exposure — normalized data across tools, clear ownership, integrated remediation workflows, verified closure.

That’s been the job the whole time. This just makes it harder to defer. But at least now vulnerability management is becoming mainstream.

Scott Kuffer
Scott is the co-founder and Chief Product Officer of Nucleus Security, a leading provider of risk-based vulnerability management solutions. With a wealth of experience in cybersecurity, SaaS, and business strategy, he has been at the forefront of driving innovation in vulnerability management, helping some of the world’s most complex enterprises tackle their biggest security challenges.
