The emergence of Mythos has brought about a dramatic shift in tone within the world of cybersecurity. Faced with artificial intelligence (AI) capable of automating the search for vulnerabilities and accelerating attacks at an unprecedented speed, Tim Vanacker, an Orange cybersecurity expert based in Atlanta, is calling on companies to thoroughly review their risk management, technical exposure and internal organisation. His message stands in stark contrast to purely alarmist approaches: in his view, companies must not slow down the adoption of AI, but learn to survive in an environment where attackers now have tools capable of operating “24/7”.
“AI is set to fundamentally change the way we think about cyber defence,” he said. According to the Orange expert, Mythos serves primarily as a public demonstration of what cybersecurity teams already feared: AI’s ability to automate certain stages of attacks. “We are seeing that AI is increasing the speed, complexity and scale of cyberattacks. And what’s even worse is that they operate autonomously.”
Move away from logic designed for human attackers
In this new reality, Tim Vanacker believes that companies must move away from a cybersecurity approach designed for human attackers. “You need to shift your risk management from an attacker operating at human speed to one operating at the speed of AI.”
The example he uses is that of security patch management. Historically, companies have had to balance security against operational stability, waiting for maintenance windows before applying certain critical patches. But this approach becomes dangerous when the time it takes to exploit vulnerabilities drops to a matter of minutes. “What is the greater risk? […] Waiting two weeks and implementing this patch on an edge firewall […] or potentially leaving your entire environment open to an AI-powered attack?” he asks.
But one of Tim Vanacker’s most interesting points probably concerns the concept of the ‘attack surface’. In his view, companies will not always be able to patch all their vulnerabilities immediately. They must, therefore, minimise the number of systems they expose to the internet. In his second talk, he emphasised that systems accessible from the outside must be treated as a top priority. “The front-end is the most important because it is open to attacks.”
In the banking sector, this comment is aimed directly at client applications, remote access, APIs, VPNs, edge devices and publicly accessible interfaces. “Managing your exposure is also becoming very, very, very important,” he stresses.
The idea is simple: in a world where autonomous AI systems are constantly scanning the internet, every exposed service becomes a potential target. Reducing the number of open ports, restricting public access, segmenting environments and minimising the number of systems visible from the internet are becoming measures that are just as strategic as patch management itself.
This approach also explains why Tim Vanacker places such strong emphasis on the fundamentals of cybersecurity, which are sometimes regarded as trivial. “If you have a weak password, you’ll be hacked. […] If you have an open vulnerability, you’ll be hacked. If you have an open port, it will be exploited.”
A sign of poor practices
According to him, the automation of attacks turns poor technical practices into vulnerabilities that are almost certain to be discovered. “You need to adopt the mindset that any mistake will be detected and exploited.”
The Orange expert emphasises in particular the importance of MFA (multi-factor authentication), which he continues to regard as a particularly effective defence against many automated attacks. However, he also calls on companies to maintain a continuous inventory of their assets in order to quickly identify configuration flaws or inadequately protected systems.
Tim Vanacker’s comments become even more worrying when he turns to banking applications and critical infrastructure. If Mythos can detect vulnerabilities in security systems designed specifically to protect networks, consumer software becomes an obvious target. “I am very concerned about banking software at the moment,” he admits.
Embracing AI rather than viewing it as a strategic obstacle
However, the expert rejects a strategy of technological obstruction. On the contrary, his third key piece of advice is to integrate AI swiftly into security operations and business processes. “You cannot afford to be left behind.”
In security operations centres, AI will need to automate certain repetitive tasks in order to enhance the capabilities of human analysts. “An AI-powered cyberdefender is far more powerful than one that isn’t.” But this acceleration also puts cybersecurity managers in a tricky position. “How can you accelerate your business with AI without putting your organisation at too much risk?” he sums up.
The final pillar of his argument concerns the employees themselves. According to Tim Vanacker, companies still underestimate the cultural and psychological impact of AI-fuelled attacks. Voice deepfakes, fake video calls from senior management, manipulated content: employees will have to learn to systematically question what they see and hear. “When you receive a video call from your CEO, you see them, you hear them. With deepfakes, you can no longer trust that.”
According to the Orange expert, cybersecurity is therefore becoming as much a question of human resilience as it is of technology. “Your employees need to become more resilient to protect your organisation against AI-enabled attacks.”
Ultimately, his message is less one of fear than of a rapid shift in cybersecurity practices. “You need to embrace AI; don’t be afraid of it. […] But don’t just throw the doors wide open to AI either, come what may.”




