Company and market updates

Mythos and the machine-speed era

The defining moment in cybersecurity for H1 2026 was Anthropic's Mythos disclosure on April 7.

The disclosure changed the cybersecurity conversation in a way no other macro event has in my career. It was the moment our industry was forced to admit that complexity, not capability, is the real enterprise vulnerability.

What we know now:

      • The U.S. Department of the Treasury and the Federal Reserve convened an emergency meeting with major bank CEOs the day after the original disclosure.
      • Anthropic's Project Glasswing revealed that their "Claude Mythos Preview" AI identified over 10,000 high- or critical-severity vulnerabilities across 50 partner organizations in roughly 30 days.
      • The IMF flagged Mythos-class capabilities as a financial-stability risk.
      • Initial access to Mythos was restricted to roughly 40 hand-picked organizations under what Anthropic called Project Glasswing. Equivalent capability in adversarial hands is estimated to arrive within 6 to 24 months.
      • On June 12, the U.S. government issued an export-control directive and Anthropic suspended access to both Fable 5 and Mythos 5.
      • 87% of global organizations experienced an AI-powered cyberattack in the past year (SoSafe Cybercrime Trends 2025).

The strategic implication is uncomfortable but clear: time-to-exploit is collapsing from months to hours, and neither the traditional patching cycle nor the traditional vulnerability management workflow can match that pace. The traditional cyber maturity program - multi-year, capital-intensive, sequential - wasn't built for this kind of environment either.

As one CISO put it during a discussion in May: "The widespread reliance on non-deterministic tools is the systemic risk."

The Panaseer answer in this environment is the answer we've offered for years, just with the urgency dial turned up. It starts with trusted control data and business service prioritization, with AI-augmented decision-making layered on top of those foundations, and human-led execution for the things that matter most.


Operational resilience moves from compliance project to board strategy

DORA is in force. The PRA has been actively examining UK financial services on Important Business Services implementations. The CRI Profile v2.1 has launched.

Phil Venables - Ballistic Ventures, formerly Goldman Sachs and Google Cloud CISO - delivered the capstone address at the CRI Annual Meeting in May. He framed operational resilience as strategic infrastructure rather than compliance overhead.

For the customers I've spoken with this half, the practical implication is a multi-year program of work: mapping technical controls to business services, evidencing resilience continuously rather than at audit time, and demonstrating to regulators that you know what matters and can prove it.

Business Service Lens is our product response, and for most customers it's the start of a long journey rather than the end of one.


The forces redefining the CISO role

I hear CISOs describe how their role is evolving, and 2026 expectations are being shaped by three external forces:

      • Regulation has codified the role. The U.S. SEC cyber disclosure rules are now in force. DORA assigns explicit cyber accountability to management bodies in EU financial services. The PRA Senior Managers Regime applies to named accountability at UK regulated firms. EU NIS2 has expanded the scope of who falls under regulated cyber oversight. The role is now legally defined in ways it wasn't three years ago.
      • Personal liability has risen. Enforcement actions against CISOs in 2023 and 2024 reshaped how cyber leadership operates, regardless of individual case outcomes. CISO conversations now center on evidencing what was done and when, a shift from two years ago.
      • AI has expanded the role's scope. CISOs are now expected to govern AI as attack vector, AI as defender, AI as tool, and AI as risk category. That expansion has not been matched by headcount in most cases.

Three numbers from our 2026 Security Leaders Peer Report illustrate the strain:

      • 84% of CISOs say they've been blindsided by incidents their existing controls and tools should have prevented.
      • 93% agree continuous controls monitoring would improve both compliance and risk management.
      • 65% say fragmented dashboards and tool sprawl are overwhelming teams and creating intelligence blind spots.

The translator-and-arbiter function has become the dominant work: less technical depth, more business translation, and more accountability for what gets prioritized and what doesn't.


The agentic AI market reset

The cybersecurity software market is going through its own transformation as a consequence of agentic AI.

In February 2026, what the industry has since called the "SaaSpocalypse" wiped hundreds of billions in value from per-seat SaaS vendors. The cause is structural. When an AI agent does work that previously required a human seat, the per-seat economic model breaks.

For customers, two implications matter.

      • First, many of your existing vendors will face commercial pressure to re-architect their economics or consolidate. Tooling decisions made today need to assume a market that looks different in two years.
      • Second, the vendors who emerge stronger will be those whose pricing reflects the value of what they protect or enable, not the count of users they license.

Panaseer's pricing model is built around the complexity of what we cover - organizations, control domains and asset estate - rather than the seats licensed. That model is positioned for this shift, and the new Cyber Advisor extends it: there are no per-user fees, so opening Panaseer to more stakeholders in your business doesn't increase your cost.

Gartner Peer Insights

Gartner introduced a Continuous Controls Monitoring category in Peer Insights last year. If you've been getting value from Panaseer this half, a Peer Insights review is one of the most useful things you can do for us. We also welcome direct feedback through your Panaseer contact or via the Executive NPS submission on the platform.

Jonathan Gill

CEO, Panaseer

© 2026 Panaseer Limited.

Reg in England and Wales with the company registration 09098199. Reg address: Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ UK.