Almost every security advisory on Mythos right now ends in the same place: shields up, patch faster. One thing nobody’s saying — and somebody needs to — is that maybe you should be preparing to patch fewer vulnerabilities, not more.

Ed Bellis, Michael Roytman, and Jay Jacobs at Empirical Security are about as credible as it gets in this space — they built EPSS, the standard for exploit prediction, and literally wrote the book on data-driven security. Their latest piece responds to Anthropic’s recent defender guidance — patch your KEV list, then use EPSS to triage the rest — with a sharp addendum: that’s step one. The hard part is local context. Knowing which globally-ranked vulnerabilities are actually dangerous in your environment, not your neighbor’s.

They’re right. But there’s a layer under that point worth naming explicitly.
In a world where AI also generates vulnerabilities — through code synthesis, automated fuzzing, novel attack surface discovery — the CVE population is going to grow faster than any team can remediate. The advantage goes to the team making the best choices, not the most patches. You should be preparing to patch a smaller percentage of reported vulnerabilities, not a larger one. Maybe a smaller absolute number too.

That’s probably a hard message to sell internally. It sounds like doing less. It’s actually doing smarter.

What’s still missing from this entire conversation is the financial layer. Ed, Michael, and Jay are building toward local precision on exploit likelihood. The next frontier is translating that into expected loss — dollar-denominated risk that belongs in a boardroom conversation alongside insurance and capital allocation. That’s where I hope this goes, and Empirical is the closest foundation I’ve seen for getting there.
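As an added illustration (not code from the post, from Anthropic, or from Empirical Security), the triage chain the post walks through in code: KEV entries first, the rest ranked by EPSS weighted by a hypothetical local reachability factor and a constructed dollar impact, which yields an expected-loss ordering and a patch budget cut-off. The CVE identifiers, scores and asset values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifier, not a real CVE
    epss: float         # EPSS score: probability of exploitation in the next 30 days
    in_kev: bool        # listed in CISA KEV (known exploited in the wild)
    reachable: float    # hypothetical local factor: probability an attacker can reach the vulnerable code here
    asset_value: float  # constructed estimate of the dollar loss if this asset is compromised


def exploit_probability(f: Finding) -> float:
    # KEV entries are already being exploited, so treat them as certain rather than using EPSS
    return 1.0 if f.in_kev else f.epss


def expected_loss(f: Finding) -> float:
    # Global likelihood (EPSS/KEV) x local exposure x local impact, in dollars
    return exploit_probability(f) * f.reachable * f.asset_value


@dataclass
class Plan:
    patch: List[str]
    defer: List[str]
    loss_covered_fraction: float  # share of total expected loss removed by the patches we do make


def triage(findings: List[Finding], budget: int) -> Plan:
    """KEV first, then everything else by expected loss, until the patch budget is spent."""
    kev = [f for f in findings if f.in_kev]
    rest = sorted((f for f in findings if not f.in_kev), key=expected_loss, reverse=True)
    ordered = kev + rest
    patch, defer = ordered[:budget], ordered[budget:]
    total = sum(expected_loss(f) for f in findings)
    covered = sum(expected_loss(f) for f in patch)
    return Plan([f.cve for f in patch], [f.cve for f in defer], covered / total if total else 0.0)


# Constructed sample: note that the highest-EPSS finding sits on an unreachable lab box
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", epss=0.02, in_kev=True,  reachable=0.5, asset_value=100_000),
    Finding("CVE-EXAMPLE-0002", epss=0.90, in_kev=False, reachable=0.0, asset_value=50_000),
    Finding("CVE-EXAMPLE-0003", epss=0.05, in_kev=False, reachable=1.0, asset_value=2_000_000),
    Finding("CVE-EXAMPLE-0004", epss=0.40, in_kev=False, reachable=0.2, asset_value=200_000),
    Finding("CVE-EXAMPLE-0005", epss=0.10, in_kev=False, reachable=1.0, asset_value=10_000),
]

if __name__ == "__main__":
    plan = triage(SAMPLE_FINDINGS, budget=2)
    print("patch:", plan.patch, "defer:", plan.defer)
    print(f"{plan.loss_covered_fraction:.1%} of expected loss addressed with {2 / len(SAMPLE_FINDINGS):.0%} of findings patched")
```

With two patches out of five findings, the plan covers roughly 90% of the constructed expected loss, while the 0.90-EPSS finding is deferred because locally it is not reachable.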