Predict, Don’t Enumerate

· Source: AI & ML – Radar · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Data Science & Analytics · Depth: Intermediate, medium

Summary

Anthropic, a frontier AI lab, has publicly endorsed the Exploit Prediction Scoring System (EPSS) for prioritizing software vulnerabilities, a notable departure from recommending LLMs for defensive problems. This endorsement, found in their April 2026 security-operations guide, acknowledges the "machine-scale" challenge of cybersecurity, where traditional static severity scoring like CVSS is overwhelmed by millions of findings. EPSS is a statistical model that predicts the probability of a known flaw being exploited in the next 30 days. The article highlights that AI-driven discovery, exemplified by Anthropic's upcoming Mythos model, will generate an order of magnitude more findings, making enumeration-based approaches untenable. It advocates for "knowing machines" that use predictive models and local environmental context to assess true risk, rather than just "pointing machines" that enumerate hazards.

Key takeaway

If you are a CISO grappling with an overwhelming vulnerability backlog, you must shift from static severity-based prioritization to a probabilistic, data-driven approach. Your vulnerability management SLAs and board reports should reflect exploitability-weighted exposure, not just raw counts. Invest in telemetry to build feedback loops for continuous model improvement, and proactively engage auditors to align compliance frameworks with these modern, context-rich risk assessments. This strategic pivot is crucial to effectively manage the exponentially increasing volume of findings from AI-driven discovery.

Key insights

Cybersecurity's volume problem necessitates a shift from enumerating all vulnerabilities to predicting exploitability using data-driven models.

Principles

Method

Prioritize vulnerabilities by combining global exploit prediction (e.g., EPSS) with local environmental context, including asset inventory, controls, and attack telemetry, to generate enterprise-specific probabilities.
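
One way to sketch this method is shown below, as an added example that is not code from the original article or from AIssential. It adjusts each finding's EPSS probability in odds space using local context and reports exploitability-weighted exposure next to the raw count. The findings, assets, likelihood ratios and the odds-adjustment approach itself are all constructed assumptions.

```python
import math

# Constructed sample data: identifiers, scores and assets are illustrative, not real.
FINDINGS = [
    {"id": "FINDING-A", "cvss": 9.8, "epss": 0.002, "asset": "build-agent"},
    {"id": "FINDING-B", "cvss": 7.5, "epss": 0.310, "asset": "vpn-gateway"},
    {"id": "FINDING-C", "cvss": 6.1, "epss": 0.120, "asset": "intranet-wiki"},
    {"id": "FINDING-D", "cvss": 8.8, "epss": 0.310, "asset": "intranet-wiki"},
]
ASSETS = {  # local context: inventory, controls, attack telemetry
    "build-agent":   {"internet_facing": False, "compensating_control": True,  "attack_seen": False},
    "vpn-gateway":   {"internet_facing": True,  "compensating_control": False, "attack_seen": True},
    "intranet-wiki": {"internet_facing": False, "compensating_control": False, "attack_seen": False},
}
# Assumed likelihood ratios (hypothetical values; fit them from your own telemetry).
LR = {"internet_facing": 3.0, "compensating_control": 0.25, "attack_seen": 5.0}

def local_probability(epss, context):
    """Shift the global EPSS probability in odds space by each local factor that applies."""
    epss = min(max(epss, 1e-6), 1 - 1e-6)   # keep odds finite at 0 or 1
    odds = epss / (1 - epss)
    for factor, ratio in LR.items():
        if context.get(factor):
            odds *= ratio
    return odds / (1 + odds)

def prioritize(findings, assets):
    """Return findings sorted by enterprise-specific probability, highest first."""
    scored = [dict(f, p_local=local_probability(f["epss"], assets[f["asset"]])) for f in findings]
    return sorted(scored, key=lambda f: f["p_local"], reverse=True)

def weighted_exposure(scored):
    """Expected number of findings exploited in the window: sum of local probabilities."""
    return sum(f["p_local"] for f in scored)

if __name__ == "__main__":
    ranked = prioritize(FINDINGS, ASSETS)
    for f in ranked:
        print(f"{f['id']}  cvss={f['cvss']}  epss={f['epss']:.3f}  p_local={f['p_local']:.3f}")
    print(f"raw count={len(ranked)}  weighted exposure={weighted_exposure(ranked):.2f}")
```

On this constructed data the highest-CVSS finding ranks last once its low EPSS score and compensating control are taken into account, while the internet-facing asset with observed attack traffic ranks first.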

Best for: CTO, VP of Engineering/Data, Executive, AI Security Engineer, Security Engineer, Director of AI/ML

Editorial summary, takeaway, and curation by AIssential. Original article published by AI & ML – Radar.