Mythos Hype Index
Consensus estimates and our own modeling predict a flood of new CVEs due to
AI-enabled vulnerability detection. But what if we are wrong?
How will we know? Our daily tracker compares 2026 CVE growth with prior
years to discern whether the flood is here.
(For the detailed paper predicting CVE volume, see
“LLMs Discovering Vulnerabilities” above.)
Last updated: 04 July 2026 00:28 UTC
10-day trend
-1 pts vs. 10d ago
0 — predictions on track
100 — pure hype
Computed from CVE volume only:
this year's annualised CVE rate against the four 2026 predictions
(0 = predictions on track) and the pre-LLM baseline (100 = back
to 48k/year). The LLM-credit share is tracked separately below
as an adjacent signal — not part of this score.
So far this year, increased use of LLMs to
find vulnerabilities has not resulted in the predicted explosive
growth in CVEs.
LLM-credit share — separate signal
Tracked independently of the Hype Index above.
This is an adjacent indicator of LLM activity in the disclosure
pipeline, not part of the headline score.
Caveat: we are likely underestimating vulnerabilities
found with LLMs.
The chart counts only CVEs whose public credit names
an LLM. Two structural reasons make the real LLM-discovery
rate much higher.
First, vendors don’t have to name how a vulnerability
was found, and most don’t.
Second, the biggest pool of LLM-discovered vulnerabilities is
what vendors find in their own pre-release code and quietly
fix; those never get a CVE at all. The Mythos paper puts this
silent-fix pool at about 32,000 a year today, dwarfing the
public-credit set. Treat the line as the visible tip of the
iceberg, not the iceberg.
Since the Mythos paper was published on 2026-04-01,
21,514 CVEs have been published across
94 publishing days
(out of 95 elapsed calendar days)
— an expected annualised rate of 83,538 CVEs/year
(★ our best estimate). The chart below highlights this
“Expected” bar in sky blue with a bolded label, since
it is the only point grounded in observed post-paper data.
For context, 2025 saw 49,972 CVEs in total.
The 2026 Prediction (no LLM) bar of
65,887/year is computed by annualising the
16,246 CVEs published in the first 90 days of 2026
(the run-rate before the Mythos paper landed).
Our four projections assuming LLM-based discovery of new vulnerabilities
ranged from 268,800/year (S2 · floor (20% disc., 80% LLM)) to
588,800/year (S1 · worst case (10% disc., 80% LLM)). The most
aggressive Year-1 projection (Scenario S1) was
588,800/year.