Mythos finds.
Moderne fixes.
Every repo, at once.

Anthropic's Mythos surfaces vulnerabilities at AI scale. A coding agent equipped with Moderne closes every one with a deterministic recipe that runs across every repository in your code estate at once, with a full audit trail behind it.

▸ Find once. Fix once. Distribute everywhere.

Red Team · 01 ▸ Find

Mythos surfaces a defect.

Mythos · CVE-2026-22732 · Spring controller flush

Blue Team · 02 ▸ Fix

Agent writes a deterministic recipe.

-response.getOutputStream().flush(); +return ResponseEntity.ok(body);
Recipe · PreventEarlyResponseCommit · 5 patterns matched · agent-agnostic

Blue Team · 03 ▸ Distribute

One recipe, every repository.

▸ 8 of 8 cured · 1 run · 14m 22s
Platform · in parallel · full audit trail

Scanning is solved. Remediation is not. Mythos collapsed the runway between discovery and disclosure. The fix is the part that never scaled.

This was true before Anthropic's announcement. Mythos made it impossible to defer.

The remediation gap

Found faster than fixed.

A decade of scanner investment has not produced fix capacity, and neither manual triage nor probabilistic agent fixes can close findings at AI scale. The bottleneck is no longer discovery; it is deterministic, auditable remediation across thousands of repositories.

The attacker only needs to find one instance of a vulnerability. The defender has to close every instance, in every repository that pulls the affected dependency; until then, the business remains exposed.

252 days
Average time to fix an application vulnerability, up 47% since 2020. The work after the finding lands has been getting slower, not faster. Veracode · State of Software Security 2025

45.4%
Of enterprise vulnerabilities are still unpatched after twelve months. Most of them never close before the next disclosure lands on top. Edgescan · 2025 Vulnerability Statistics Report

59,427
Median CVE forecast for 2026, the first year ever to cross 50,000. Discovery is not the constraint. FIRST · 2026 CVE Forecast

80–90%
Of a typical enterprise application is OSS or third-party code. One CVE in one library becomes a live vulnerability in every application that ships it. Industry estimate · cited across SoSS, Edgescan, OWASP reports

Why doing nothing fails

Six pressures every CISO is facing at once.

Mythos did not change any of these in isolation. It compressed the timeline on all of them at once. Each one is a reason that the next disclosure cannot be answered the way the last one was.

01

The downstream CVE flood

Every Mythos-discovered flaw in a kernel, browser engine, or shared OSS library becomes a published CVE that lands in your scanner queue. The backlog multiplies by orders of magnitude before you act on any of it.

02

Probabilistic fixes don't close findings

LLM-based remediation produces partial fixes. The agent declares victory; the human re-prompts it all evening trying to confirm coverage. A vulnerability fix has to be complete to count.

03

Agents need a deterministic blueprint

The attacker finds one instance. The defender has to close every instance, or the business stays exposed. Without a recipe, there is no way to confirm every occurrence has been closed.

04

Token economics break at scale

Fixing one CVE across two thousand repositories by running fresh inference against each one means paying to rediscover the same fix two thousand times. Recipe-based remediation amortizes the work once.

05

You can't upgrade your way out

For end-of-life frameworks like older Spring, "just upgrade" is a multi-quarter migration. Mythos does not grant the runway. Backpatching the fix into the version you're running may be the only path that fits the window.

06

Board-ready answers, in hours

CISOs will be asked "what is our exposure to the latest Mythos disclosure?" within hours of each release. Without a deterministic remediation pipeline with an audit trail, the honest answer is "we don't know."

The architecture

Every red team needs a blue team.

Two halves of the same problem, solved by structure rather than competition. Mythos finds a vulnerability. The coding agent equipped with Moderne writes the recipe to close it. The Moderne Platform defends the perimeter, distributing that recipe across every repository in your code estate, in parallel.

Red Team

Mythos

Anthropic's agentic discovery model

Finds vulnerabilities at AI scale. Nearly 300 zero-days in Firefox in a single sweep, versus roughly 20 from prior Claude models. Anthropic describes tens of thousands of vulnerabilities across software, most still undisclosed because they remain unpatched.

▸ Finds it.

Blue Team · 01

Equip Your Agent with Moderne

Any coding agent. Via MCP.

Connect the coding agent your team already runs to Moderne over MCP. With LST-based tools in hand, the agent both authors and executes a deterministic recipe to close the vulnerability. Agent-agnostic by design.

Copilot, Cursor, Windsurf, Devin, Codex, Claude Code, Gemma + more

▸ Fixes it.

Blue Team · 02

The Moderne Platform

Distributes the recipe across the code estate

The same fix runs identically across every repository in your portfolio, in parallel, with full audit trail. The board-ready answer to "what is our exposure" is a query against the same pipeline that did the remediation.

▸ Defends the perimeter.

Mythos finds. Moderne fixes. Every repo, at once.

How Moderne works

How the agent gets a deterministic blueprint.

The Lossless Semantic Tree is the source of the determinism: the foundation that makes every capability below it reliable enough to put a board behind. From there, six capabilities turn one finding into one recipe, and one recipe into a fix across the entire portfolio.

  1. The Lossless Semantic Tree

    A type-attributed, semantically complete representation of source code. Supports interprocedural, field-sensitive analysis and follows method summaries across files. Without the LST, an agent's fix is a probabilistic guess. With it, the agent has a verifiable blueprint to execute.

  2. OpenRewrite recipes

    In an IDE, you trust rename and extract-method refactorings because they are deterministic. OpenRewrite takes that determinism out of the editor and makes it programmatic. Each recipe is a small, verifiable program that produces the same change every time it runs, against any repository in your portfolio.

  3. Agent Tools and MCP

    Connect any coding agent (Copilot, Cursor, Windsurf, Devin, Codex, Claude Code) to Moderne via MCP. With LST-based tools in hand, the agent both authors and executes deterministic recipes. Agent-agnostic by design.

  4. Portfolio-scale distribution

    One recipe runs across thousands of repositories in parallel. The unit economics of fixing one CVE across 2,000 repos should not be 2,000× the cost of fixing one. With Moderne, they aren't.

  5. Backpatching

    For end-of-life frameworks you can't upgrade fast enough, Moderne backports the security fix to the version you're running and distributes it, with no forced migration and no lost runway.

  6. Audit and determinism by default

    Every recipe run is deterministic and produces a verifiable record of what changed, where, and why. The board-ready answer to "what is our exposure" is a query against the same pipeline that did the remediation.

mod run · CVE-2026-22732

    $ mod run . --recipe=PreventEarlyResponseCommit
    Reading organization
    Found 1 organization containing 2,483 repositories (4s)
    Running recipe com.acme.security.PreventEarlyResponseCommit
    # authored by the agent for CVE-2026-22732 · not in the public catalog
    ▶ acme/checkout-api@main
      Update(…/OrderController.java)
        88 - response.getOutputStream().flush();
        89 + return ResponseEntity.ok(body);
      Fix results ✓
    ▶ acme/payments-svc@main
      Update(…/PaymentController.java) +1 -1
      Fix results ✓
    ▶ acme/notif-gateway@main
      No changes ✓
    ▶ acme/orders-bff@main
      Update(…/CartController.java) +5 -5
      Fix results ✓
    Done (14m 22s)
    49m saved by using previously built LSTs
    Produced results for 1,712 repositories.
    What to do next
    > mod git checkout . -b security/CVE-2026-22732 --last-recipe-run
    > mod git apply . --last-recipe-run

▸ Recipe authored by the coding agent, run against the LST.

What Moderne closes

The vulnerability classes Moderne remediates.

Two buckets, depending on where the vulnerability lives: different remediation paths, but the same deterministic recipe model underneath.

Third-party code

Code you depend on

  • Dependency vulnerability remediation.

    Upgrade to a fixed version across every repository that pulls the vulnerable package. The same upgrade, applied identically, portfolio-wide.

  • Backpatches for end-of-life frameworks.

    When upgrade isn't an option, backport the fix to the version you're running and distribute it across the frameworks you can't move off yet.

First-party code

Code you write

  • OWASP Top 10 remediations.

    Injection, broken access control, cryptographic failures, and the rest of the canonical web vulnerability classes. Closed across every repository where the pattern appears.

  • Data flow and control flow remediations.

    Taint-flow patterns that cross method boundaries, follow object fields, and propagate through wrappers. Closed deterministically against the LST.

  • Post-Quantum Cryptography migration.

    Find and replace deprecated cryptographic patterns ahead of the PQC deadline. One recipe, every repository.

▸ Out of scope: the network edge, secrets management, infrastructure misconfiguration. Different problems, different tools.

You need something scalable, deterministic, and explainable. That's the only way to make progress across an estate this large.

Engineering Director  ·  Large bank (anonymized)

~300
Vulnerabilities Mythos found in Firefox alone, versus roughly 20 from prior Claude models. CNBC · May 5 2026
Tens of thousands
Mythos-discovered vulnerabilities across software, most still undisclosed because they remain unpatched. Anthropic · public disclosure
6–12 mo
Window Anthropic publicly cited before adversaries replicate Mythos-class capability. Amodei · CNBC, May 5 2026

Proof is in production

The recipes are running today.

Real CVE remediation, real recipe code, and real customer deployments, not slideware.

CVE walkthrough · public

CVE-2026-22732: every way a Spring controller commits a response too early.

Jonathan Schneider's detection-and-remediation recipe runs to twelve source files, 39 unit tests, and roughly 800 lines, with zero new framework code, and he built it in an afternoon. It catches five code patterns that pattern matching misses: direct flush, print-writer, explicit Content-Length, helper indirection, and field stashing.

9.1 severity · published Apr 15 2026

Closed-loop · live

Tier-one bank: closed-loop with GitHub Copilot and Moderne MCP.

Scanner output flows through MCP to a Moderne recipe to a distributed fix, with the coding agent as executor, identifying and applying CWE remediation recipes against the scanner output they already have. In the customer's own framing, deterministic recipes beat probabilistic agent fixes.

Live deployment · name pending approval

Backpatch · pilot

Major insurance carrier: bridging the EOL Spring gap.

An end-of-life Spring framework had become a board-level concern for the CISO. With 200+ repositories already converted to Moderne and roughly 2,000 applications still in the migration pipeline, the customer asked Moderne for a backpatch directly, to bridge the gap while the larger migration runs in parallel.

Backpatch candidate · quote in approval

Frequently asked

Common questions about Mythos and Moderne.

No. The agent stays. Moderne equips it with deterministic tools over MCP, so the same agent both authors and executes a recipe instead of guessing at a fix. Copilot, Cursor, Windsurf, Devin, Codex, Claude Code, and Gemma all reach the same tools the same way.

No. Moderne is the structural counterpart to Mythos by design, not by contract. Mythos finds. A coding agent equipped with Moderne fixes. The Moderne Platform defends the perimeter across the code estate. The architecture works whether your discovery engine is Mythos, an internal scanner, an SCA tool, or an ASPM feed.

The catalog spans Java, Kotlin, Groovy, Python, C#, JavaScript, TypeScript, and more across 10+ languages and 40+ domains. New recipes are added continuously; the agent can also author new recipes against the LST when one doesn't exist.

A recipe is a small, verifiable program that runs against the LST and produces the same change every time it runs, against any repository. An LLM-generated patch is a probabilistic output that varies between runs and across repositories. Closing every instance of a vulnerability needs the first, not the second.

It is a type-attributed, semantically complete representation of source code. The LST follows vulnerabilities that cross method boundaries, follow object fields, or pass through wrappers and helpers instead of missing them. Pattern matching alone misses indirect cases; the LST does not.

Yes. For end-of-life frameworks where upgrading is a multi-quarter project, Moderne backports the security fix to the version you're running and distributes it across the portfolio, with no forced migration and no lost runway.

Every recipe run produces a verifiable record of what changed, where, and why. The board-ready answer to "what is our exposure to the latest Mythos disclosure" is a query against the same pipeline that did the remediation.

Yes. Moderne DX is the airgapped deployment for regulated and sensitive environments. The platform, recipes, agent tools, and LSTs all run inside your network with no outbound dependency.

See it work against your stack

See Moderne close a CVE across your portfolio.

See the closed-loop architecture working against your own stack: recipe-based remediation across thousands of repos, in a concrete pipeline you can deploy this quarter.