
In January, we estimated somewhere around 55,000-60,000 CVEs would be published in 2026. Mythos and other LLMs should drastically increase this number, but we have not seen that uptick yet. And fewer than 200 CVEs credit LLMs.
What this means: signal versus enthusiasm
At a hype score of 94, the Mythos Hype Index reflects a gap between expectations and measurable outcomes. That does not mean AI‑assisted vulnerability discovery is failing—but it does suggest that its real-world impact is arriving more slowly, and more unevenly, than predicted.
There may be practical explanations. CVE publication pipelines remain constrained. Disclosure practices vary widely. Many organizations experimenting with AI‑assisted discovery may not be attributing tooling use at all. And some issues discovered by AI may never reach CVE status.
The implication is not complacency—it is prioritization. Patch management, asset visibility and exposure reduction remain more predictive of risk than headline CVE counts.
What’s next: watching for inflection points, not headlines
The Mythos Hype Index is designed to change over time. If AI‑assisted discovery begins to measurably alter vulnerability economics, the data should show it—first in attribution, then in volume and eventually in exploit timing.
That is what we are watching for:
- Sustained deviation from historical CVE growth curves
- Increased, consistent disclosure of AI‑assisted discovery
- Shorter discovery‑to‑exploitation timelines correlated with AI use
Until those signals appear, bold claims about AI “revolutionizing vulnerability discovery” should be treated as hypotheses, not conclusions.
Mythos gives us a way to test those hypotheses in public, with live data. As the year progresses, the index will either validate the hype—or quietly falsify it.
Both outcomes are useful.
As additional data emerges, we’ll share observations from CVE disclosures along with deeper analysis of how—and whether—these trends matter for security teams and business leaders. In the meantime, keep security controls current and follow the discussion here, and join us on LinkedIn and Reddit.
Methodology: How the Mythos Hype Index score is calculated
The index is the geometric mean of two sub‑scores, each scaled from 0 to 100:
- CVE Volume Score – how fast vulnerabilities are being published
- LLM Attribution Score – how often vulnerabilities publicly credit an LLM
Using the geometric mean (the square root of the product of the two sub‑scores) ensures that one strong signal cannot mask a weak one.
To determine the CVE Volume Score
- Count CVEs published since April 1, 2026
- Count publishing days (calendar days with at least one CVE; zero‑CVE days such as Sundays are excluded)
- Convert to a yearly rate = (CVEs published ÷ publishing days) × 365
This annualised rate is compared with a baseline (normal historical levels) and an average prediction (the expected surge). The result is converted to a 0–100 score, which is capped to avoid extremes.
To determine the LLM Attribution Score
- Count CVEs since February 2, 2026 that explicitly credit an LLM
- Divide by total CVEs in the same period
- The LLM attribution % = LLM‑credited CVEs ÷ total CVEs
The observed LLM attribution is compared with a target attribution of 12.8% (the share that would be expected if predictions were tracking). The result is again scaled to 0–100 and capped at the limits.
Calculating the Mythos Hype Index
The two sub‑scores are combined using the geometric mean and rounded to determine the Index:
The Mythos Hype Index = √(CVE Volume Score × LLM Attribution Score)
Understanding the results:
- Below 50: Observed activity is tracking closer to predictions
- Above 50: Observed activity is tracking closer to baseline expectations
- Closer to 100: Predictions appear increasingly overstated
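The calculation above, worked through in Python as an added example; this is not the index's own code. The linear scaling (100 at baseline, 0 at the prediction), the 57,500 baseline rate, the 90,000 predicted rate, the zero attribution baseline, and all function names and sample records are assumptions made for illustration, since the article does not publish them.

```python
from datetime import date
from math import sqrt

VOLUME_START = date(2026, 4, 1)       # from the methodology
ATTRIBUTION_START = date(2026, 2, 2)  # from the methodology
TARGET_ATTRIBUTION = 0.128            # 12.8% target, from the methodology
BASELINE_RATE = 57_500    # assumption: midpoint of the January 55,000-60,000 estimate
PREDICTED_RATE = 90_000   # assumption: constructed surge figure, not from the article

def sub_score(observed, baseline, predicted):
    """Assumed linear scaling: 100 at baseline, 0 at the prediction, capped to 0..100."""
    frac = (predicted - observed) / (predicted - baseline)
    return max(0.0, min(100.0, 100.0 * frac))

def annualised_rate(records, start=VOLUME_START):
    """(CVEs published / publishing days) x 365; only days with at least one CVE count."""
    dates = [d for d, _ in records if d >= start]
    publishing_days = len(set(dates))
    return len(dates) / publishing_days * 365 if publishing_days else 0.0

def attribution_share(records, start=ATTRIBUTION_START):
    """LLM-credited CVEs / total CVEs over the same period."""
    flags = [llm for d, llm in records if d >= start]
    return sum(flags) / len(flags) if flags else 0.0

def hype_index(volume_score, attribution_score):
    """Geometric mean of the two sub-scores, rounded."""
    return round(sqrt(volume_score * attribution_score))

def constructed_records():
    """Constructed sample of (published_date, credits_llm) pairs; not real CVE data."""
    per_day = [(date(2026, 2, 3), 20), (date(2026, 4, 1), 200),
               (date(2026, 4, 2), 150), (date(2026, 4, 4), 130)]  # no CVEs on April 3
    records = [(day, False) for day, n in per_day for _ in range(n)]
    for i in (20, 21):  # flag two April 1 CVEs as crediting an LLM
        records[i] = (records[i][0], True)
    return records

def score(records):
    volume = sub_score(annualised_rate(records), BASELINE_RATE, PREDICTED_RATE)
    attribution = sub_score(attribution_share(records), 0.0, TARGET_ATTRIBUTION)  # assumed 0% baseline
    return volume, attribution, hype_index(volume, attribution)

if __name__ == "__main__":
    print(score(constructed_records()))
```

The February records count toward attribution but not toward volume, because the two sub-scores use different start dates. A sub-score of 0 pulls the whole index to 0, which is the geometric-mean property the methodology relies on.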
