
For years, the warnings about Active Directory (AD) have been easy to push aside.
Security teams know that identity is getting harder to manage. Permissions are stacked, and trust is expanding — across the cloud, M&A, vendors, and remote access.
Teams understand Active Directory’s “legacy-debt” risks in theory. But in practice, untangling it all takes time and resources. And because Active Directory is still working — authenticating users, managing access, and keeping operations running — the danger may not feel urgent.
Then came Mythos — cybersecurity’s Cassandra moment — forcing organizations to confront warnings they’ve heard for years.
In Greek mythology, Cassandra could see the future but was cursed so that nobody would believe her warnings. She predicted the fall of Troy and warned of catastrophe again and again, yet she was ignored every time.
The Vulnpocalypse is here
AD risk has always been real. Mythos made it immediate.
Just weeks after Anthropic unveiled Mythos, Project Glasswing participants uncovered more than 10,000 high- and critical-severity vulnerabilities across critical infrastructure, software, and widely used open source.
Cloudflare found 2,000 vulnerabilities, including 400 rated high or critical severity.
It’s a new reality: AI is finding vulnerabilities at a pace impossible just six months ago.
The Mythos challenge facing banks
In response to Mythos, U.S. banking regulators, including the Federal Reserve and the OCC, have paused some cyber exams for several of the country’s largest banks.
The irony is hard to miss. AI is speeding up vulnerability discovery and exploit development. Meanwhile, some U.S. banks and regulators are pausing cyber exams just to keep up.
That is the paradox: AI moves at machine speed, while organizations are patching, governing, and managing risk at human speed.
“Finding vulnerabilities and turning them into access are the first steps,” explained Illumio security architect Christer Swartz. “The next concern is where that access leads to — and how fast attackers can move.”
Mythos-to-Active Directory threat vector
“The major risk of Mythos for Active Directory is speed,” Swartz said. “It doesn’t create a new threat vector — it speeds up existing ones.”
That matters because most attacks already follow a familiar path: gain a foothold, move laterally, escalate privileges, and target identity systems like Active Directory.
For many threat actors, Active Directory is the goal.
Recent identity attacks show why. Researchers have linked the Marks & Spencer breach to Scattered Spider, a group of U.K.- and U.S.-based attackers, some reportedly as young as 16. Once inside a network, groups like these just need a path to identity systems that can unlock the rest.
“Active Directory has the keys to the kingdom for enterprise infrastructure,” Swartz said. “If attackers get control of AD, they can hijack your entire environment.”
Swartz explained that “security teams can't move as fast as machine-speed attacks.” They need time to test patches, approve changes, and make updates across the business.
The problem is that machine-speed attacks won’t wait for all that to happen.

The vulnerability window is closing
The pressure is growing. New guidance from India's Computer Emergency Response Team (CERT-In) recommends patching or mitigating known, exploited vulnerabilities affecting internet-facing and critical systems within 12 hours when possible.
This guidance shows how quickly things are changing. "We're seeing a shift in expectations," Swartz said. "The question is no longer whether you can patch. It's whether you can patch fast enough."

China, open source, and the AI race
Mythos is a wake-up call. What happens next may be even more important. New releases from Anthropic, OpenAI, and others are matching or approaching Mythos capabilities.
At the same time, China’s AI models are closing the gap.
"The real story isn't a single model," Swartz said. "It's how quickly these capabilities are spreading and how much faster attackers can move toward critical systems like Active Directory."
Defending Active Directory
Swartz compared losing control of AD to “losing your house keys and then negotiating with whoever stole them.”
Protecting Active Directory starts by closing the paths attackers rely on:
- Find and control privileged access. Know which accounts have elevated permissions, where they can connect, and whether they still need that access.
- Understand trust relationships. Attackers often move through trusted connections between users, systems, applications, and domains. Mapping those paths can reveal weaknesses before attackers find them.
- Limit lateral movement. Attackers reach Active Directory one step at a time. The key is seeing those paths and stopping them before they lead to compromise.
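As an added example (not code from the post or from Illumio), the read-only PowerShell audit below covers the first two steps plus a check for leftover admin rights; it assumes the RSAT ActiveDirectory module, a domain-joined account with read access, and the privileged-group list and 90-day staleness threshold are assumptions you can adjust.

```powershell
# Added example, not from the post or Illumio: a read-only audit of privileged
# access and trusts in AD. Assumes the RSAT ActiveDirectory module and a
# domain-joined account with read access to the directory.
Import-Module ActiveDirectory

# Assumed set of built-in groups whose members effectively control the domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$staleAfter = (Get-Date).AddDays(-90)   # assumed threshold for "still needs access?"

# 1. Privileged access: expand membership recursively so rights hidden in
#    nested groups are surfaced, then flag enabled accounts with no recent logon.
$privileged = foreach ($g in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet
        [pscustomobject]@{
            Group       = $g
            User        = $u.SamAccountName
            Enabled     = $u.Enabled
            LastLogon   = $u.LastLogonDate
            PasswordAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
            Stale       = $u.Enabled -and ((-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $staleAfter))
        }
    }
}
"== Privileged accounts (Stale = enabled but no logon in 90 days) =="
$privileged | Sort-Object Group, User | Format-Table -AutoSize

# 2. Trust relationships: every trust is a path between domains. Inbound or
#    bidirectional trusts without SID filtering are the ones to review first.
"== Domain trusts =="
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize

# 3. Residual rights: enabled accounts still carrying adminCount=1 that are no
#    longer in any privileged group keep protected-object ACLs and are easy to forget.
$currentAdmins = $privileged | Select-Object -ExpandProperty User -Unique
$orphaned = Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $true' |
            Where-Object { $currentAdmins -notcontains $_.SamAccountName }
"== Enabled accounts with adminCount=1 but no current privileged membership: $($orphaned.Count) =="
$orphaned | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it from a management host, not a domain controller, and review the Stale and SIDFilteringQuarantined columns first, since those map most directly to the "still need that access" and "trusted connections" questions above.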
Watch a live demo on how Illumio Insights and Segmentation protect Active Directory and mitigate its risks:
You can't patch everything in a few hours. But you can reduce attack paths, limit lateral movement, and make Active Directory harder to reach.
Download our ebook, In Defense of Active Directory, to see how attackers move toward Active Directory and how microsegmentation helps stop them before they get there. Schedule your demo today to see how Illumio closes the paths to Active Directory before attackers find them.

