Cyber Resilience

Mythos Hype Index

Consensus estimates and our own modeling predict a flood of new CVEs due to AI-enabled vulnerability detection. But what if we are wrong? How will we know? Our daily tracker compares 2026 CVE growth with prior years to discern whether the flood is here.

(For the detailed paper predicting CVE volume, see “LLMs Discovering Vulnerabilities” above.)

Last updated: 04 July 2026 00:28 UTC

87
Mythos Hype Score
10-day trend
-1 pts vs. 10d ago
Daily Mythos Hype Score
0 — predictions on track 100 — pure hype

Computed from CVE volume only: this year's annualised CVE rate against the four 2026 predictions (0 = predictions on track) and the pre-LLM baseline (100 = back to 48k/year). The LLM-credit share is tracked separately below as an adjacent signal — not part of this score.

So far this year, increased use of LLMs to find vulnerabilities has not resulted in the predicted explosive growth in CVEs.

Annual growth in published CVEs

Five prior years of year-over-year growth, with a daily-updated estimate for 2026 (annualised from 37,760 CVEs published in the first 185 days). Asterisk and dashed border = estimate.

LLM-credit share — separate signal

Tracked independently of the Hype Index above. This is an adjacent indicator of LLM activity in the disclosure pipeline, not part of the headline score.

Weekly percentage of newly-published CVEs that publicly credit Anthropic / Claude / Project Glasswing / GPT / Gemini / Grok / Llama / Copilot / etc. as the discoverer. Numerator: CVEs in our LLM-attribution collection (NVD inline + scraped vendor advisories + manual list). Denominator: all CVEs published that week. Hover for exact counts.

Caveat: we are likely underestimating vulnerabilities found with LLMs. The chart counts only CVEs whose public credit names an LLM. Two structural reasons make the real LLM-discovery rate much higher. First, vendors don’t have to name how a vulnerability was found, and most don’t. Second, the biggest pool of LLM-discovered vulnerabilities is what vendors find in their own pre-release code and quietly fix; those never get a CVE at all. The Mythos paper puts this silent-fix pool at about 32,000 a year today, dwarfing the public-credit set. Treat the line as the visible tip of the iceberg, not the iceberg.

Expected CVEs vs. worst predictions

Since the Mythos paper was published on 2026-04-01, 21,514 CVEs have been published across 94 publishing days (out of 95 elapsed calendar days) — an expected annualised rate of 83,538 CVEs/year (★ our best estimate). The chart below highlights this “Expected” bar in sky blue with a bolded label, since it is the only point grounded in observed post-paper data. For context, 2025 saw 49,972 CVEs in total. The 2026 Prediction (no LLM) bar of 65,887/year is computed by annualising the 16,246 CVEs published in the first 90 days of 2026 (the run-rate before the Mythos paper landed).

Our four projections assuming LLM-based discovery of new vulnerabilities ranged from 268,800/year (S2 · floor (20% disc., 80% LLM)) to 588,800/year (S1 · worst case (10% disc., 80% LLM)). The most aggressive Year-1 projection (Scenario S1) was 588,800/year.