Patching as we know it is dead. Even without Mythos. I know that's a strong statement, but there is no other way to say it. MOAK launched this week by Yair Saban & Niv Hoffman. You paste in a CVE… | Sergej Epp | 57 comments

Patching as we know it is dead. Even without Mythos. I know that's a strong statement, but there is no other way to say it. MOAK launched this week by Yair Saban & Niv Hoffman. You paste in a CVE. You get a working exploit back in under an hour. No skills required. Our team at Sysdig watched a vulnerability drop for Marimo - a Python notebook most people have never heard of. 9 hours and 41 minutes later, someone was inside. No CVE. No public exploit code. They read the advisory and built the attack themselves. Credentials stolen in under 3 minutes. The ZeroDayClock data across 5 years of vulnerabilities: 2018 → 771 days from disclosure to exploitation 2026 → under 24 hours And the number that really stops me: two thirds of exploited vulnerabilities are weaponized on day0 or before a patch even exists. You cannot patch what hasn't been patched yet. The defenders who survive this are the ones who pick up the same offensive tools and use them to verify what's real before the attacker does. If you want to understand what that actually means in practice - not theory, not vendor slides - Gadi Evron wrote a practical guide to getting started yourself. You don't need to understand code. You need English and an afternoon. I am working on a piece that stress-tests scenearious the industry might respond: from "just patch faster" to "change cybersecurity operating model". But first what scenario worries you most right now? | 57 comments on LinkedIn