Vulnerability triage. The same autonomous engine, applied to vulnerability findings.
Anthropic’s Mythos is about to ship. OpenAI’s Codex Security is already producing findings. The flood of AI-discovered vulnerabilities is arriving at machine speed — and the security teams that have done the math know their existing vulnerability triage process will not survive it. A bare CVE advisory takes an analyst 15 to 30 minutes; a Mythos report with exploitation steps and verification results takes 45 to 90 minutes per finding. The richer the finding, the slower manual triage gets — at exactly the moment volume explodes.
Morpheus inverts the curve. The same Attack Path Discovery engine that performs L2-equivalent investigation on every security alert processes vulnerability findings through the same chainability analysis, the same Contextual Playbook Generation, and the same unified audit trail. Already shipping for production scanners — InsightVM, Qualys, Tenable. When Mythos and Codex Security findings arrive, the input format changes. The engine does not.
manual analyst triage — and the volume is about to compound
Morpheus autonomous triage with full chainability analysis per finding
NIS2 · CRA · DORA reporting clocks met by the same audit trail
same self-healing catalog — scanners and AI-discovery models alike
The volume + richness paradox: manual triage is breaking exactly when it’s needed most.
Mythos is on the verge of GA. Codex Security is already producing AI-discovered findings in production. The vulnerability discovery curve has bent — and the per-finding triage curve has bent the wrong way to meet it.
Every AI-discovery model that ships does two things at once: it compounds volume, and it enriches the per-finding payload. A bare CVE advisory was already taking analyst teams 15 to 30 minutes per finding. A Mythos report — with exploitation steps, verification results, blast-radius analysis, and proposed remediation — takes 45 to 90 minutes per finding for a human to read, validate against environmental context, and decide on.
The richer the AI-discovered finding gets, the slower manual triage becomes per finding. And that’s happening at exactly the moment when volume is about to compound 5-10x. The math has already broken; the consequences are still arriving.
The old equilibrium
per CVE-class finding for analyst triage. Volume was manageable: maybe a few hundred findings per quarter across most enterprise environments. Linear scaling worked, barely.
The shape change starts
findings, with exploitation context and verification artifacts. OpenAI’s Codex Security has already shipped and is producing AI-discovered findings in production codebases. Manual triage time per finding rising.
The math breaks
per environment in the first month of Mythos GA — based on D3’s modeling. At 60 minutes per finding manually, that’s 15 weeks of an 8-analyst team’s capacity just to get through the first month’s output. The flood is arriving faster than any hiring pipeline can absorb.
Four reasons static triage fails at AI-discovery scale.
The instinct is to throw more analysts at the volume. The instinct is wrong. The vulnerability triage failure modes are structural — they compound non-linearly with the volume and richness of AI-discovered findings.
CVSS-only prioritization misses chainability.
Static CVSS scoring treats each finding independently. But the most dangerous vulnerabilities in modern systems are chained: individual findings score below threshold, but together they constitute a critical attack path. Mythos reports specifically surface these chainable findings — and CVSS-only prioritization is structurally blind to them.
Manual correlation collapses at machine speed.
Mapping each finding against asset inventory, identity exposure, existing controls, and recent change windows is feasible at 50 findings per quarter. At 600 findings per month it is not — and the correlation accuracy degrades the longer analysts work, exactly when accuracy matters most. The asset-mapping work that traditional triage outsources to “the analyst’s judgment” doesn’t survive at AI-discovery scale.
Static playbooks can’t keep up with novel exploit paths.
Vulnerability management playbooks are typically authored for known exploitation patterns: CVE class X → remediation Y. Mythos and Codex Security surface novel chainability scenarios that weren’t anticipated when the playbooks were written. By the time a SOAR engineer can author and deploy a new playbook for a novel exploit path, the finding is already weeks old in the wild.
Compliance clocks make manual triage non-viable.
NIS2 requires initial notification within 24 hours. DORA requires initial notification within 4 hours. CRA requires a final report within 14 days. Manual triage of an AI-discovered finding flood — at 45-90 minutes per finding — cannot meet these regulatory windows even with unlimited overtime. The reporting clock is tighter than the analyst capacity curve. The same audit trail produces evidence for all three frameworks by design.
How Morpheus processes vulnerability findings.
The capabilities that make Morpheus’s alert investigation autonomous — Attack Path Discovery, Contextual Playbook Generation, the unified audit trail — extend cleanly to vulnerability findings without a separate product, separate pricing, or separate audit trail. Agentic on architecture. Autonomous on outcomes. Accountable on every decision.
Chainability analysis across findings.
The same engine that maps cross-alert attack paths maps cross-finding exploit paths. APD evaluates each vulnerability against your environment — asset inventory, identity exposure, existing controls, network reachability — and identifies which findings combine to form critical exploit paths.
- Cross-finding chainability detection — CVSS-scored findings that combine into critical exploit paths
- Environment-specific impact — asset criticality, reachability, blast-radius scoping
- MITRE ATT&CK technique mapping per finding
- Same vertical/horizontal hunting that handles alert investigation
Regulation-specific response playbooks at runtime.
The same Contextual Playbook Generation that drafts incident response playbooks drafts vulnerability response playbooks tailored to each regulatory regime. NIS2 24-hour notification format. DORA 4-hour notification format. CRA 14-day final report structure. Drafted at runtime against the specific finding.
- NIS2 notification draft within the 24-hour window
- DORA notification draft within the 4-hour window
- CRA final report structure within the 14-day window
- Customer-specific remediation playbook tailored to environment
Bounded reasoning for novel zero-day chains.
When Mythos surfaces a novel chainability scenario that no existing playbook covers, Agentic Task uses bounded agentic reasoning to investigate the finding within explicit policy bounds — iteration cap, cost cap, tool scope, approval gates. The reasoning runs inside policy; the audit trail is defensible.
- Bounded reasoning under $0.50 cost cap per finding
- Iteration cap and tool-scope inherited from vulnerability management playbook
- Approval gates before any state-changing remediation action
- One unified audit trail per finding — same format as alert investigation
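The four bounds listed above (iteration cap, cost cap, tool scope, approval gates) and the per-step audit record are easiest to reason about in code. The following is an added illustrative example, not D3 Security's or Morpheus's own code: a small task runner that enforces each bound on a proposed plan and writes one hash-chained record per step, so that an altered or dropped step is detectable. The tool names, costs, the `Policy` fields, the `$0.50` default and the trail format are constructed assumptions for the example only.

```python
"""Bounded agentic task runner with a hash-chained audit trail.
Added illustrative example; not D3 Security's code. Policy bounds, tool names,
costs and the trail format are constructed assumptions."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Policy:
    max_iterations: int = 5                      # iteration cap
    cost_cap_usd: float = 0.50                   # cost cap per finding
    allowed_tools: frozenset = frozenset({"lookup_asset", "check_reachability", "patch_host"})  # tool scope
    state_changing: frozenset = frozenset({"patch_host"})  # steps that must pass an approval gate


class BoundedTask:
    def __init__(self, finding_id, policy, approver):
        self.finding_id = finding_id
        self.policy = policy
        self.approver = approver          # callable(tool, args) -> bool; the human approval gate
        self.spent = 0.0
        self.prev_hash = "0" * 64
        self.trail = []                   # one record per reasoning step

    def _record(self, step, **fields):
        # Each record carries the previous record's hash, so editing or dropping
        # a step breaks the chain; verify_trail() below detects that.
        entry = {"finding": self.finding_id, "step": step, "prev": self.prev_hash, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.prev_hash = entry["hash"]
        self.trail.append(entry)

    def run(self, plan, tools):
        """plan: proposed (tool, args, cost_usd) steps; tools: name -> callable.
        Returns 'completed', or 'halted' as soon as a cap is hit."""
        for step, (tool, args, cost) in enumerate(plan, start=1):
            if step > self.policy.max_iterations:
                self._record(step, tool=tool, outcome="halted", reason="iteration cap")
                return "halted"
            if tool not in self.policy.allowed_tools:
                self._record(step, tool=tool, outcome="denied", reason="tool outside scope")
                continue
            if self.spent + cost > self.policy.cost_cap_usd:
                self._record(step, tool=tool, outcome="halted", reason="cost cap")
                return "halted"
            if tool in self.policy.state_changing and not self.approver(tool, args):
                self._record(step, tool=tool, outcome="blocked", reason="approval gate")
                continue
            result = tools[tool](**args)
            self.spent = round(self.spent + cost, 2)
            self._record(step, tool=tool, args=args, outcome="ok", result=result, spent=self.spent)
        return "completed"


def verify_trail(trail):
    """Recompute the hash chain; False if any record was altered, reordered or removed."""
    prev = "0" * 64
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


# Constructed stand-ins for the tools an investigation would call.
SAMPLE_TOOLS = {
    "lookup_asset": lambda host: {"host": host, "criticality": "high"},
    "check_reachability": lambda host: {"host": host, "exposed": True},
    "patch_host": lambda host: {"host": host, "patched": True},
    "run_shell": lambda cmd: {"cmd": cmd},   # deliberately outside the policy's tool scope
}

# Constructed plan: one step is out of scope, one needs approval, and the
# cumulative cost of the last step crosses the $0.50 cap.
SAMPLE_PLAN = [
    ("lookup_asset", {"host": "web-01"}, 0.10),
    ("run_shell", {"cmd": "id"}, 0.00),
    ("check_reachability", {"host": "web-01"}, 0.15),
    ("patch_host", {"host": "web-01"}, 0.05),
    ("lookup_asset", {"host": "db-02"}, 0.30),
]


def run_sample(policy=Policy(), approve=False):
    """Run the constructed plan under a policy; returns (status, audit trail)."""
    task = BoundedTask("FINDING-0001", policy, lambda tool, args: approve)
    status = task.run(SAMPLE_PLAN, SAMPLE_TOOLS)
    return status, task.trail


if __name__ == "__main__":
    status, trail = run_sample()
    print("status:", status, "| trail intact:", verify_trail(trail))
    for e in trail:
        print(e["step"], e["tool"], e["outcome"], e.get("reason", ""))
```

Run as a script, the sample plan produces a trail of five records: two tool calls that ran, one denied for being outside scope, one blocked at the approval gate, and a final halt on the cost cap. The approval gate is modelled as a plain callable so that the same runner can serve a Level 1 tenant (always deny state changes) and a Level 4 tenant (approve within configured gates) by swapping one function.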
One audit trail. Every regulator.
The audit trail Morpheus produces for a vulnerability finding is the same format and structure as the audit trail for an alert investigation — and the same artifact that produces evidence for SEC, NYDFS, HIPAA, NERC CIP, NIS2, DORA, CRA, and EU AI Act requirements. One trail per finding. Every regulator reads the same record.
- Immutable, timestamped, attributed at the reasoning step level
- Maps to NIS2, DORA, CRA, SEC, NYDFS, HIPAA, NERC CIP, EU AI Act
- Exportable for litigation discovery, audit committee review, regulator examination
- Same format whether the finding came from a scanner, Mythos, or Codex Security
600 findings arrive. What happens next.
of an 8-analyst team’s capacity. 600 findings at 60 minutes each = 600 analyst-hours. By the time triage completes, 200 findings have already been actively exploited in the wild.
for the full batch. Each finding carries a chainability verdict, an asset-impact map, and a recommended remediation order. 23 high-priority chainable findings escalate to analyst review with full evidence; 577 enter the tracked remediation backlog.
NIS2 + DORA + CRA. One audit trail.
Three reporting clocks. Three disclosure formats. Three regulatory regimes. One unified audit trail per vulnerability finding — by design, not by reconciliation.
| Framework | Initial notification clock | Final report clock | Morpheus output |
|---|---|---|---|
| NIS2 | 24 hours — early warning notification to competent authority | 1 month — final incident report with root cause and remediation | Draft notification generated at finding time; final report assembled from unified audit trail. Same evidence chain. Both clocks met. |
| DORA | 4 hours — initial notification to competent authority for major ICT-related incidents | 1 month — final report with full incident chronology | DORA-format draft assembled inside the 4-hour window. Same audit trail; different output format. Same evidence chain. Both clocks met. |
| EU CRA | 24 hours — early warning of actively exploited vulnerability | 14 days — final report to ENISA | CRA disclosure structure drafted at runtime against the specific finding. Same evidence chain. All three clocks met. |
| U.S. SEC Item 1.05 | 4 business days — material cybersecurity incident disclosure | Ongoing — amend filings as material updates emerge | Same audit trail format as NIS2/DORA/CRA. Item 1.05 disclosure assembled from unified evidence chain. |
| NYDFS 500 | 72 hours — cybersecurity event reporting to the Department | Ongoing reporting | Same audit trail; NYDFS format drafted at runtime. Auditor-ready. |
Morpheus is not a scanner. Morpheus sits above your scanner.
Per the public product positioning of Tenable, Qualys, Rapid7 InsightVM, and Wiz, those platforms focus on vulnerability discovery — identifying findings across your environment. Morpheus focuses on triage — what to do about each finding, in what order, with what evidence, under which compliance clock.
These categories are complementary, not competing. You still need your scanner. What you need above your scanner is an autonomous triage layer that scales with the volume and richness of AI-discovered findings — and produces the audit trail every modern regulator demands.
The vulnerability triage stack
Mythos Meets NIS2: vulnerability disclosure under the new EU regime.
“Mythos Meets NIS2: Vulnerability Disclosure Under the New EU Regime” documents the regulatory collision between AI-discovered vulnerability volume and the EU’s reporting clocks — NIS2’s 24-hour early warning, DORA’s 4-hour initial report, the CRA’s 24-hour ENISA notification — with the math showing why manual triage of even 500 Mythos findings forces 84% to miss the DORA deadline. The paper also lays out how a single autonomous triage pass produces compliance artifacts for all three regulations simultaneously. Required reading before the next compliance committee meeting.
About autonomous vulnerability triage.
What is autonomous vulnerability triage?
Autonomous vulnerability triage is the process of evaluating each new vulnerability finding — for severity, exploitability, environmental impact, chainability against other findings, and required response timeline — without requiring a human analyst to read, validate, and prioritize each finding manually.
Morpheus uses the same Attack Path Discovery engine that handles security alert investigation to process vulnerability findings. Same engine, different input format. The output per finding includes a chainability verdict, environment-specific impact analysis, and a recommended remediation order — produced inside compliance reporting windows that manual triage cannot meet.
How does Morpheus differ from a vulnerability scanner like Tenable, Qualys, or Rapid7?
Morpheus is not a vulnerability scanner. Morpheus sits above your scanner. Per the public product positioning of Tenable, Qualys, Rapid7 InsightVM, and Wiz, those platforms focus on discovery — identifying findings across your environment. Morpheus focuses on triage — what to do about each finding, in what order, with what evidence, under which compliance clock.
These categories are complementary. You still need your scanner. What you need above your scanner is an autonomous triage layer that scales with the volume and richness of AI-discovered findings.
What is Mythos and how does Morpheus handle it?
Mythos is Anthropic’s AI-driven vulnerability discovery platform. Per Anthropic’s public roadmap, Mythos is on the verge of general availability. The platform produces vulnerability findings at machine speed — and produces them with significantly richer per-finding payloads than traditional CVE advisories (exploitation steps, verification results, blast-radius analysis, proposed remediation paths).
Morpheus processes Mythos findings through the same Attack Path Discovery framework that handles security alerts and traditional CVE-class findings from production scanners. The input format changes; the engine does not. Mythos integration is on the D3 roadmap; Morpheus is already shipping vulnerability triage for production scanners (InsightVM, Qualys, Tenable) today through the same engine.
Does Morpheus support OpenAI Codex Security findings?
Yes. OpenAI’s Codex Security has already shipped and is producing AI-discovered vulnerability findings in production codebases. Morpheus processes Codex Security findings through the same Attack Path Discovery framework that processes Mythos findings and traditional scanner output. One engine, three input types — and a unified audit trail per finding regardless of source.
The broader category — multi-LLM vulnerability discovery — is expected to expand significantly over the next 12-24 months as additional foundation model providers ship AI-driven security research tools. Morpheus is architected to support new discovery sources without code changes; new integrations are configuration, not engineering.
How does Morpheus map vulnerability findings to NIS2 / CRA / DORA reporting requirements?
The same Contextual Playbook Generation that drafts incident response playbooks drafts regulation-specific vulnerability disclosure structures at runtime: NIS2 24-hour notification format, DORA 4-hour notification format, CRA 14-day final report structure, SEC Item 1.05 disclosure, NYDFS 500 reporting.
The unified audit trail per finding is the evidence chain underneath all of these — same artifact, different output formats per regulation. The traditional approach reconciles outputs across scanner, ticketing, case management, and analyst notes after the incident; that reconciliation is what fails inside a 4-hour DORA window. Morpheus produces the regulator-readable evidence chain as a normal output of the triage workflow. See “Mythos Meets NIS2” for the full regulatory breakdown →
How does chainability analysis work across vulnerability findings?
Attack Path Discovery evaluates each vulnerability finding against your environment — asset inventory, identity exposure, network reachability, existing controls — and identifies which findings combine to form critical exploit paths. The chain detection is the same logic that maps cross-alert attack paths in alert investigation; the inputs are different but the reasoning is identical.
The canonical example: a CVSS 5.3 information leak plus a CVSS 6.1 privilege escalation plus a CVSS 4.8 sandbox escape individually pass any static CVSS-only filter; together they constitute remote code execution. Static prioritization is structurally blind to this. APD identifies the chain on every finding, every time. See the full Attack Path Discovery capability detail →
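The canonical chain above, and the "CVSS-only prioritization misses chainability" point earlier on the page, can be reproduced with a small worked example. What follows is an added illustration and not D3's Attack Path Discovery code: each finding is modelled by the attacker capabilities it requires and the capabilities it grants, a breadth-first search composes findings into exploit paths, and asset reachability scopes which findings the attacker can actually use. The finding IDs, capability names, asset names and the 7.0 CVSS threshold are constructed assumptions; the three CVSS scores are the ones the page quotes.

```python
"""Chain-aware vulnerability prioritization (added illustrative example, not D3's code).
Findings are modelled as capability transitions; a BFS composes them into exploit paths."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    cvss: float
    asset: str
    requires: frozenset   # attacker capabilities needed before this finding is usable
    grants: frozenset     # capabilities gained once it is exploited


# Constructed sample modelled on the page's canonical chain: three sub-threshold
# findings on one exposed host, plus one high-CVSS finding on a host that is not
# reachable from the attacker's starting position.
FINDINGS = [
    Finding("F-1", 5.3, "web-01", frozenset({"network"}), frozenset({"internal_creds"})),        # information leak
    Finding("F-2", 6.1, "web-01", frozenset({"internal_creds"}), frozenset({"container_user"})),  # privilege escalation
    Finding("F-3", 4.8, "web-01", frozenset({"container_user"}), frozenset({"host_rce"})),        # sandbox escape
    Finding("F-4", 9.8, "build-07", frozenset({"network"}), frozenset({"host_rce"})),             # not reachable
]
EXPOSED_ASSETS = {"web-01"}   # assets reachable from the attacker's starting position


def cvss_filter(findings, threshold=7.0):
    """Static CVSS-only triage: flag only findings at or above the threshold."""
    return [f.fid for f in findings if f.cvss >= threshold]


def find_chains(findings, start_caps, goal, exposed):
    """BFS over attacker capability states; returns every ordered chain of findings
    that reaches `goal`. Each step must strictly add capabilities, so the search
    terminates without an explicit visited set."""
    chains = []
    queue = deque([(frozenset(start_caps), ())])
    while queue:
        caps, used = queue.popleft()
        if goal in caps:
            chains.append(used)
            continue
        for f in findings:
            if f.fid in used or not f.requires <= caps:
                continue
            # Environment scoping: the asset must be exposed, or the attacker must
            # already hold a foothold that implies internal network access.
            if f.asset not in exposed and "internal_network" not in caps:
                continue
            new_caps = caps | f.grants
            if new_caps == caps:
                continue
            queue.append((new_caps, used + (f.fid,)))
    return chains


def prioritize(findings, chains, chain_label="critical"):
    """Chain-aware priority: any finding on a path to the goal is critical;
    the rest fall back to a plain CVSS band."""
    in_chain = {fid for chain in chains for fid in chain}
    result = {}
    for f in findings:
        if f.fid in in_chain:
            result[f.fid] = chain_label
        elif f.cvss >= 7.0:
            result[f.fid] = "high"
        elif f.cvss >= 4.0:
            result[f.fid] = "medium"
        else:
            result[f.fid] = "low"
    return result


if __name__ == "__main__":
    print("CVSS-only (>= 7.0):", cvss_filter(FINDINGS))
    chains = find_chains(FINDINGS, {"network"}, "host_rce", EXPOSED_ASSETS)
    print("Chains to host_rce:", chains)
    print("Chain-aware priority:", prioritize(FINDINGS, chains))
```

On the sample data the CVSS-only filter flags only F-4, which sits on a host the attacker cannot reach, while the chain search returns the ordered path F-1 → F-2 → F-3 and marks all three sub-threshold findings critical. Making `build-07` exposed turns F-4 into a one-step chain, which is the point of scoping by reachability before ranking by score.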
What’s the autonomy mode for vulnerability triage — same as alert triage?
Yes. The same four configurable autonomy modes apply to vulnerability triage as to alert investigation. Level 1 (Deterministic) — pure rule-based playbooks; no AI in the chain — runs for AI-prohibited tenants. Levels 2-3 (AI-Assisted / AI-Led) — the AI proposes; the analyst approves at each command-risk tier. Level 4 (Autonomous) — end-to-end execution under configurable approval gates.
For MSSP partners running heterogeneous client portfolios, the per-tenant autonomy configuration means the same Morpheus instance can run Level 1 vulnerability triage for a regulated finance client and Level 4 for a technology client simultaneously. See the autonomy modes detail →
Is vulnerability triage a separate product or a separate license?
No. Vulnerability triage is an extension of the same Morpheus platform — same engine, same integrations, same audit trail format, same operational model. No separate product. No separate audit trail. No second procurement decision. The capabilities that handle alert investigation handle vulnerability findings; the difference is the input format.
Morpheus is sold as an annual platform subscription with included SOC capacity. Talk to D3 about structure that fits your deployment model and autonomy configuration during the demo conversation.
The flood is coming. The engine is already running.
A 30-minute walkthrough on your real scanner output — InsightVM, Qualys, Tenable, or Wiz — with Attack Path Discovery processing every finding for chainability, compliance-clock readiness, and remediation order. See it before Mythos GA forces the decision.