Mythos finds. Moderne fixes. Every repo, at once.

Anthropic's Mythos surfaces vulnerabilities at AI scale. A coding agent equipped with Moderne closes every one with a deterministic recipe, runs it across every repository in your code estate at once, and leaves a full audit trail behind.

Scanning is solved. Remediation is not.

A decade of scanner investment has produced findings, not fix capacity. Anthropic's Mythos and the AI security tools that follow it will surface vulnerabilities faster than any AppSec team can triage them. Manual review cannot keep pace. Probabilistic agent edits cannot close findings reliably across a fleet. The bottleneck has moved from discovery to deterministic, auditable remediation across thousands of repositories.

One CVE in one OSS library lands in every repository that pulls the dependency, directly or transitively. Exposure does not close until every one of those repositories closes. That is the work AI-class discovery has now made unignorable.

252days
Average time to fix an application vulnerability, up 47% since 2020. The work after the finding lands has been getting slower, not faster.Veracode · State of Software Security 2025
45.4%
Of enterprise vulnerabilities are still unpatched after twelve months. The unpatched stack keeps growing as new disclosures land on top.Edgescan · 2025 Vulnerability Statistics Report
59,427
Median CVE forecast for 2026, the first year ever to cross 50,000. Discovery is not the constraint.FIRST · 2026 CVE Forecast
80–90%
Of a typical enterprise application is OSS or third-party code. One CVE in one library becomes a live vulnerability in every application that ships it.Industry estimate · cited across SoSS, Edgescan, OWASP reports

Mythos compressed every pressure at once, breaking the AppSec playbook.

Each was already enough to strain the AppSec playbook on its own. Mythos makes them all unavoidable at once.

The downstream CVE flood

Mythos-class discovery in kernels, browser engines, and shared OSS libraries feeds a steady stream of new disclosures into the vulnerability pipeline. They land in your scanner queue with the same severity ratings as everything else. The backlog multiplies by orders of magnitude before you act on any of it.

Probabilistic fixes leave coverage in doubt

LLM-based remediation produces partial fixes. The agent declares victory; the human re-prompts it all evening trying to confirm coverage. A vulnerability fix has to be complete to count.

Agents need a deterministic blueprint

Without a recipe, an agent's fix is a guess at one instance. The recipe is the blueprint that lets the same agent verify every occurrence across the portfolio, identically each time.

Token economics break at scale

Fixing one CVE across two thousand repositories by running fresh inference against each one means paying to rediscover the same fix two thousand times. Recipe-based remediation amortizes the work once.

You can't upgrade your way out

For end-of-life frameworks like older Spring, "just upgrade" is a multi-quarter migration. Mythos does not grant the runway. Backpatching the fix into the version you're running may be the only path that fits the window.

Board-ready answers, in hours

CISOs will be asked "what is our exposure to the latest Mythos disclosure?" within hours of each release. Without a deterministic remediation pipeline with an audit trail, the honest answer is "we don't know."

Two halves of the same problem. Solved by architecture.

Mythos finds a vulnerability. The coding agent equipped with Moderne writes the deterministic recipe to close it. The Moderne Platform scales the fix, running that recipe across every repository in your code estate, in parallel.

Red team

Mythos

!

Finds it.

Blue team

Equip agent with Moderne

Copilot, Cursor, Windsurf, Devin, Codex, Claude Code, Gemini, + more

Moderne

Fixes it.

Moderne Platform

Distributes it.

How the agent gets a deterministic blueprint.

The Lossless Semantic Tree is the source of the determinism: the foundation that makes every capability below it reliable enough to put a board behind. From there, six capabilities turn one finding into one recipe, and one recipe into a fix across the entire portfolio.

  1. 01

    The Lossless Semantic Tree

    A type-attributed, semantically complete representation of source code. Supports interprocedural, field-sensitive analysis and follows method summaries across files. Without the LST, an agent's fix is a probabilistic guess. With it, the agent has a verifiable blueprint to execute.

  2. 02

    OpenRewrite recipes

    In an IDE, you trust rename and extract-method refactorings because they are deterministic. OpenRewrite takes that determinism out of the editor and makes it programmatic. Each recipe is a small, verifiable program that produces the same change every time it runs, against any repository in your portfolio.

  3. 03

    Agent Tools and MCP

    Connect any coding agent (Copilot, Cursor, Windsurf, Devin, Codex, Claude Code, Gemini) to Moderne via MCP. With LST-based tools in hand, the agent both authors and executes deterministic recipes. Agent-agnostic by design.

  4. 04

    Portfolio-scale distribution

    One recipe runs across thousands of repositories in parallel. The unit economics of fixing one CVE across 2,000 repos should not be 2,000× the cost of fixing one. With Moderne, they aren't.

  5. 05

    Backpatching

    For end-of-life frameworks you can't upgrade fast enough, Moderne backports the security fix to the version you're running and distributes it, with no forced migration and no lost runway.

  6. 06

    Audit and determinism by default

    Every recipe run is deterministic and produces a verifiable record of what changed, where, and why. The same pipeline that did the remediation also answers what was changed.

mod run · CVE-2026-22732 $ mod run . --recipe=PreventEarlyResponseCommit Reading organization Found 1 organization containing 2,483 repositories (4s) Running recipe com.acme.security.PreventEarlyResponseCommit # authored by the agent for CVE-2026-22732 · not in the public catalog ▶ acme/checkout-api@main Update(…/OrderController.java) 88 - response.getOutputStream().flush(); 89 + return ResponseEntity.ok(body); Fix results ✓ ▶ acme/payments-svc@main Update(…/PaymentController.java) +1 -1 Fix results ✓ ▶ acme/notif-gateway@main No changes ✓ ▶ acme/orders-bff@main Update(…/CartController.java) +5 -5 Fix results ✓ Done (14m 22s) 49m saved by using previously built LSTs Produced results for 1,712 repositories. What to do next > mod git checkout . -b security/CVE-2026-22732 --last-recipe-run > mod git apply . --last-recipe-run

The vulnerability classes Moderne remediates.

Two buckets, depending on where the vulnerability lives: different remediation paths, but the same deterministic recipe model underneath.

Third-party code

Code you depend on

  • Dependency vulnerability remediation.

    Upgrade to a fixed version across every repository that pulls the vulnerable package. The same upgrade, applied identically, portfolio-wide.

  • Backpatches for end-of-life frameworks.

    When upgrade isn't an option, backport the fix to the version you're running and distribute it across the frameworks you can't move off yet.

First-party code

Code you write

  • OWASP Top 10 remediations.

    Injection, broken access control, cryptographic failures, and the rest of the canonical web vulnerability classes. Closed across every repository where the pattern appears.

  • Data flow and control flow remediations.

    Taint-flow patterns that cross method boundaries, follow object fields, and propagate through wrappers. Closed deterministically against the LST.

  • Post-Quantum Cryptography migration.

    Find and replace deprecated cryptographic patterns ahead of the PQC deadline. One recipe, every repository.

The recipes are running today.

CVE-2026-22732: every way a Spring controller commits a response too early.

Moderne's detection-and-remediation recipe runs to twelve source files, 39 unit tests, and roughly 800 lines, with zero new framework code, built in an afternoon. It catches five code patterns that pattern matching misses: direct flush, print-writer, explicit Content-Length, helper indirection, and field stashing.

Read the walkthrough

Tier-one bank: closed-loop with GitHub Copilot and Moderne MCP.

Scanner output flows through MCP to a Moderne recipe to a distributed fix, with the coding agent as executor, identifying and applying CWE remediation recipes against the scanner output they already have. In the customer's own framing, deterministic recipes beat probabilistic agent fixes.

Major insurance carrier: bridging the EOL Spring gap.

An end-of-life Spring framework had become a board-level concern for the CISO. With 200+ repositories already converted to Moderne and roughly 2,000 applications still in the migration pipeline, the customer asked Moderne for a backpatch directly, to bridge the gap while the larger migration runs in parallel.

You need something scalable, deterministic, and explainable. That's the only way to make progress across an estate this large.

Engineering Director  ·  Large bank (anonymized)
~300
Vulnerabilities Mythos found in Firefox alone, versus roughly 20 from prior Claude models. CNBC · May 5 2026
Tens of thousands
Mythos-discovered vulnerabilities across software, most still undisclosed because they remain unpatched. Anthropic · public disclosure
6–12 mo
Window Anthropic CEO Dario Amodei cited before Chinese AI replicates Mythos-class capability. CNBC · May 5, 2026

See Moderne close a CVE
across your portfolio.

See the closed-loop architecture working against your own stack: recipe-based remediation across thousands of repos, in a concrete pipeline you can deploy this quarter.

Common questions about Mythos and Moderne.

No. The agent stays. Moderne equips it with deterministic tools over MCP, so the same agent both authors and executes a recipe instead of guessing at a fix. Copilot, Cursor, Windsurf, Devin, Codex, Claude Code, and Gemini all reach the same tools the same way.

No. Moderne is the structural counterpart to Mythos by design, not by contract. Mythos finds. A coding agent equipped with Moderne fixes. The Moderne Platform defends the perimeter across the code estate. The architecture works whether your discovery engine is Mythos, an internal scanner, an SCA tool, or an ASPM feed.

The catalog spans Java, Kotlin, Groovy, Python, C#, JavaScript, TypeScript, and more across 10+ languages and 40+ domains. New recipes are added continuously; the agent can also author new recipes against the LST when one doesn't exist.

A recipe is a small, verifiable program that runs against the LST and produces the same change every time it runs, against any repository. An LLM-generated patch is a probabilistic output that varies between runs and across repositories. Closing every instance of a vulnerability needs the first, not the second.

It is a type-attributed, semantically complete representation of source code. Vulnerabilities that cross method boundaries, follow object fields, or pass through wrappers and helpers are followed by the LST instead of missed by it. Pattern matching alone misses indirect cases; the LST does not.

Yes. For end-of-life frameworks where upgrading is a multi-quarter project, Moderne backports the security fix to the version you're running and distributes it across the portfolio, with no forced migration and no lost runway.

Every recipe run produces a verifiable record of what changed, where, and why. Each change is traceable to the recipe that produced it, the input it ran against, and the output it committed.

Yes. Moderne DX is the airgapped deployment for regulated and sensitive environments. The platform, recipes, agent tools, and LSTs all run inside your network with no outbound dependency.