Cybersecurity stocks dipped the day Anthropic released Mythos Preview. LinkedIn feeds filled with founders and security leaders sounding the alarm. The reaction was understandable. Every executive should assess what a model capable of finding thousands of zero-day vulnerabilities means for their business.
That assessment should be precise, however. Mythos represents a real step forward in vulnerability detection. Through Project Glasswing, Anthropic has committed up to $100 million in usage credits to help organizations scan codebases for bugs. That is valuable work.
But patching bugs and stopping abuse are two different problems.
Fully Patched, Still Exploited
Every business deliberately opens paths for customers, employees, partners, and now AI agents. Web applications. APIs. MCP servers powering support, commerce, and autonomous workflows. These channels are fully patched, fully intended, and fully open for business.
What happens on those same paths? Credential stuffing. Loyalty point fraud. Price scraping. Fake account creation at scale. These are not vulnerabilities. They are business logic abuse running through legitimate channels that work exactly as designed.
A tool that finds every buffer overflow in your codebase will not stop an attacker who logs in with stolen credentials and drains a loyalty account through your own API. That attack uses your front door, and it uses it correctly. This is the gap that behavioral security fills. The code is fine. The behavior is not.
Bad Actors First: We Are Already Stopping This
Start with the human adversaries. We recently helped a global consumer technology company defend its authentication infrastructure against a coordinated campaign driven by an open-source AI agent ecosystem. The agents were originally built as convenience tools for end users. Over time, they evolved into a distributed automation network, authenticating at machine speed from thousands of IP addresses worldwide.
Over 31 days, Cequence detected and blocked more than 3.5 million unauthorized authentication attempts. At peak, we were blocking over 240,000 requests in a single day. The attackers rotated user agents, switched authentication flows, and eventually pivoted to headless browser automation. None of it worked.
Here is the critical detail: the attackers never identified Cequence. Community forums attributed the blocks entirely to the company’s own infrastructure. Every evasion attempt was calibrated against the wrong theory. That asymmetry, where the defender operates from behavioral truth while the attacker chases surface-level hypotheses, is a structural advantage of server-side behavioral analysis.
This is what traditional detection cannot do. These agents presented plausible user agents, valid credentials, and legitimate-looking headers, so signature-based rules would have missed them. Simple rate limits would have been too blunt, because the attempts were spread across thousands of IP addresses. And client-side, browser-based detection was never a complete answer: for most of the campaign there was no browser on the other end, and the headless browsers the operators pivoted to later did not get them through either.
Then the Agents Gone Rogue
Not every rogue agent is malicious by design. Many are simply relentless in their determination to get the job done, by hook or by crook.
Through the Cequence AI Gateway, we recently observed an AI coding agent tasked with analyzing a large legacy codebase. Over 48 hours, the agent made thousands of tool calls. It was authenticated, authorized, and performing useful work.
Then it hit dead ends and went off script. Rather than asking what files existed in the repository, the agent decided it already knew. It began guessing filenames based on build system conventions and probing for them directly. When those guesses failed, it did not pause or ask for guidance. It tried again. And again. Across multiple sessions spanning days, the agent re-derived the same wrong guesses because it had no memory of prior failures. It was stuck in a loop of confident improvisation, each attempt pushing it further outside its intended scope.
When the agent eventually concluded it needed to create files to complete the task, it attempted write operations its credentials did not authorize. No one asked it to write. No one approved the escalation. The agent decided on its own that the job required it.
The infrastructure was healthy. The credentials were valid. The agent was simply determined to finish what it started, and that determination, unconstrained, turned a productive tool into an uncontrolled operator. This is not a hypothetical risk. This is what we observed through real gateway telemetry.
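What a gateway policy that would have contained this agent looks like, as an added example written for this article rather than code from the Cequence AI Gateway. The tool names, the scope object, the repository contents, the call trace and the failure threshold are all constructed; the point is that the grant (which tools, which path root) and the memory of failed probes live in the gateway, not in the agent, so the agent's lack of memory and its self-granted write escalation are decided against what the credential actually allows rather than against the agent's own judgment.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentScope:
    """What the agent's credential actually grants (constructed for the example)."""
    principal: str
    allowed_tools: frozenset      # tools this credential may invoke
    root: str                     # only paths under this prefix are reachable
    max_repeat_failures: int = 3  # identical failed probes tolerated before the loop is stopped


@dataclass
class Decision:
    allowed: bool
    reason: str


class ToolGateway:
    """Hypothetical policy enforcement point between an agent and its tools.

    The gateway owns the grant and a memory of failed probes that survives
    across the agent's sessions, which is exactly what the agent lacked.
    """

    def __init__(self, scope, repo):
        self.scope = scope
        self.repo = repo                  # {path: content}, stands in for the real repository
        self.failed_probes = Counter()    # (tool, path) -> misses, persists across sessions
        self.audit = []                   # the trail an operator reviews

    def _in_scope(self, path):
        root = self.scope.root.rstrip("/")
        return path == root or path.startswith(root + "/")

    def call(self, session, tool, path):
        key = (tool, path)
        if tool not in self.scope.allowed_tools:
            # the agent may decide it needs to write; the grant says otherwise
            d = Decision(False, f"denied: tool {tool!r} not granted to {self.scope.principal}")
        elif not self._in_scope(path):
            d = Decision(False, f"denied: {path!r} is outside {self.scope.root}")
        elif self.failed_probes[key] >= self.scope.max_repeat_failures:
            # the same wrong guess, re-derived in a new session: stop and escalate to a human
            d = Decision(False, f"halted: {tool} {path} failed {self.failed_probes[key]} times "
                                f"across sessions; operator review required")
        elif tool == "list" or path in self.repo:
            d = Decision(True, "ok")
        else:
            self.failed_probes[key] += 1   # remembered even though the agent forgets
            d = Decision(False, "not found")
        self.audit.append((session, tool, path, d.reason))
        return d


# Constructed repository and call trace mirroring the behaviour described above.
REPO = {"/repo/setup.cfg": "[metadata]\n", "/repo/src/main.py": "print('hi')\n"}
TRACE = [
    ("s1", "list", "/repo"),              # the question the agent should have kept asking
    ("s1", "read", "/repo/src/main.py"),
    ("s1", "read", "/repo/Makefile"),     # guessed from build-system conventions
    ("s1", "read", "/repo/Makefile"),     # tried again
    ("s2", "read", "/repo/Makefile"),     # new session, same wrong guess
    ("s2", "read", "/repo/Makefile"),     # fourth miss: the gateway halts the loop
    ("s2", "write", "/repo/Makefile"),    # self-granted escalation
    ("s3", "read", "/etc/passwd"),        # drifted outside the repository
]


def run_trace(trace=TRACE):
    """Replay the trace through the gateway and return one reason string per call."""
    scope = AgentScope("coding-agent", frozenset({"list", "read"}), "/repo")
    gw = ToolGateway(scope, REPO)
    return [gw.call(*call).reason for call in trace]


if __name__ == "__main__":
    for call, reason in zip(TRACE, run_trace()):
        print(f"{call[0]} {call[1]:5} {call[2]:20} -> {reason}")
```

The ordering of the checks matters: the grant and the path root are evaluated before the loop counter, so a request outside the repository is reported as a scope violation rather than as a stuck loop, and once the loop threshold is reached the halt persists until an operator resets the counter, which is deliberately not something the agent can do for itself.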
Google DeepMind’s “AI Agent Traps” paper documents the same pattern at scale: agents weaponized not by external attackers, but by their own drive to complete a task. Content injection techniques hijacked agents in up to 86% of scenarios tested. The attack surface is not the model. It is the behavior at runtime.
Why Human-Driven Detection Signals Are Dead
The cybersecurity industry spent a decade building detection around human behavioral signals. On the consumer side: JavaScript challenges, browser SDK telemetry, client-side device fingerprinting, CAPTCHA gates. On the enterprise side: UEBA platforms that baseline how employees access internal applications, flagging deviations from normal login times, access patterns, and data volumes.
Both approaches share the same foundational assumption: the entity on the other end is a human, and humans produce recognizable behavioral patterns that machines can baseline and monitor.
AI agents break that assumption on both fronts. On consumer-facing assets, an agent that calls your API directly makes plain HTTP requests from clean residential IPs with plausible headers. It never executes JavaScript and never renders a page, so it cannot be challenged with a CAPTCHA: there is no browser to render one.
On employee-facing assets, the shift is equally fundamental. Employees are now deploying 24/7 “mini-me” agents that act on their behalf: reading emails, pulling Slack threads, querying internal databases, filing tickets, and executing workflows around the clock. These agents do not follow human access patterns. They do not log in at 9am and log off at 6pm. They do not take weekends off. Every UEBA baseline built on human behavioral norms is now irrelevant for the growing share of enterprise traffic generated by autonomous agents operating continuously on behalf of credentialed employees.
In the authentication campaign we blocked, 82% of the traffic scored below 50 on traditional bot confidence scales. These agents did not look obviously automated by any header or signature-based measure. They were caught because their behavioral fingerprints, including cookie orchestration, session sequencing, and traffic distribution patterns, could not be replicated by library code, regardless of how carefully operators tuned their HTTP headers.
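The difference between a per-IP rate limit and the server-side behavioral signals described above (and the business-logic abuse through a working login API described earlier), as an added example that is not Cequence's code and is not taken from the campaign telemetry. The log format, the IP addresses, the session identifiers, the thresholds and the three rules (a login POST that carries no session the server issued, a burst of failed logins spread across many distinct IPs, and a block only when two signals agree) are all constructed for illustration; the models the article describes operate on far richer features than these.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access-log format, one request per line (not any real server's format):
# <iso-ts> <ip> <method> <path> cookie=<sid|-> status=<code> issued=<sid the server set|->
LOG_LINE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) (?P<method>GET|POST) (?P<path>\S+) "
    r"cookie=(?P<cookie>\S+) status=(?P<status>\d{3}) issued=(?P<issued>\S+)$"
)


def parse_log(text):
    """Parse the constructed log into dicts with epoch timestamps."""
    records = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # tolerate unrelated lines
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).timestamp()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def per_ip_rate_limit(records, limit=10, window=60):
    """The blunt control: an IP is flagged only if it alone exceeds `limit` login POSTs per window."""
    recent, flagged = defaultdict(list), set()
    for r in records:
        if r["method"] != "POST" or r["path"] != "/login":
            continue
        recent[r["ip"]] = [t for t in recent[r["ip"]] if t >= r["ts"] - window] + [r["ts"]]
        if len(recent[r["ip"]]) > limit:
            flagged.add(r["ip"])
    return flagged


def behavioral_flags(records, burst_ips=20, window=60):
    """Server-side signals that do not depend on the client being human.

    1. session sequencing / cookie orchestration: a login POST should carry a
       session cookie the server issued on an earlier response in this stream;
    2. traffic distribution: failed logins spread across many distinct IPs
       inside one window, which no single-IP limiter can see.
    """
    issued, failures, reasons = set(), [], defaultdict(set)
    for r in records:
        if r["issued"] != "-":
            issued.add(r["issued"])       # sessions the server actually handed out
        if r["method"] != "POST" or r["path"] != "/login":
            continue
        if r["cookie"] not in issued:
            reasons[r["ip"]].add("login without a server-issued session")
        if r["status"] == 401:
            failures.append((r["ts"], r["ip"]))
            window_ips = {ip for ts, ip in failures if ts >= r["ts"] - window}
            if len(window_ips) >= burst_ips:
                for ip in window_ips:
                    reasons[ip].add("failed-login burst across many IPs")
    return dict(reasons)


def build_sample_log():
    """Constructed traffic: three human sessions (one with a mistyped password)
    plus 25 agent IPs making one credential attempt each, no page load first."""
    lines, base = [], 1714557600          # 2024-05-01T10:00:00Z

    def ln(t, ip, method, path, cookie, status, issued):
        ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} {ip} {method} {path} cookie={cookie} status={status} issued={issued}")

    humans = [("198.51.100.10", "s-a1", 200), ("198.51.100.11", "s-b2", 200), ("198.51.100.12", "s-c3", 401)]
    for i, (ip, sid, status) in enumerate(humans):
        ln(base + 7 * i, ip, "GET", "/login", "-", 200, sid)        # server issues a session
        ln(base + 7 * i + 12, ip, "POST", "/login", sid, status, "-")  # human submits the form
    for n in range(25):
        ln(base + 20 + n, f"203.0.113.{n + 1}", "POST", "/login", "-", 401, "-")
    return "\n".join(lines)


def analyze(text=None):
    """Return what each control would have flagged on the sample traffic."""
    records = parse_log(build_sample_log() if text is None else text)
    reasons = behavioral_flags(records)
    return {
        "rate_limited": per_ip_rate_limit(records),
        "blocked": {ip for ip, why in reasons.items() if len(why) >= 2},
        "watch": {ip for ip, why in reasons.items() if len(why) == 1},
    }


if __name__ == "__main__":
    print(analyze())
```

On the constructed traffic the per-IP limiter flags nothing, because every source makes exactly one attempt. The behavioral pass blocks all 25 agent IPs, each of which both skipped the page that hands out a session and took part in the distributed failure burst, while the human who mistyped a password during the burst picks up only the burst signal and lands on the watch list rather than being blocked. Requiring two independent signals is what keeps the control from being as blunt as the limiter it replaces.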
This is the detection layer that matters now. Server-side behavioral analysis, trained on years of real API traffic, operating on mathematical models that do not depend on the entity being human. Cequence was built on this approach from day one. That bet is more relevant than it has ever been.
What This Means for Security Leaders
Vulnerability scanning and behavioral security are complementary, not competing. Patch everything Mythos finds. Adopt AI-powered vulnerability detection as aggressively as you can.
Then ask the harder question: what happens on the paths you opened on purpose?
If every known vulnerability in your stack were fixed tomorrow, would your authentication APIs still face automated abuse? Would your agents still need guardrails against scope creep? Would your UEBA baselines still be blind to the half of your enterprise traffic that comes from always-on agents? Would your detection still go dark when the adversary never opens a browser?
The answer to all four is yes. That is exactly where behavioral security operates.
If you want to see how Cequence protects the channels businesses open on purpose, from both human attackers and autonomous agents, let’s talk.
