
JPMorgan's Mythos Memo Is the One You Should Actually Read

Author: Nate Rollings, Zafran CISO
Published on April 20, 2026

The bank's letter is the most specific post-Mythos guidance yet, and a clear mandate to accelerate to CTEM before the patch-to-exploit window closes on you.

On April 17, 2026, JPMorgan Chase's Global Technology Leadership Team published Fortifying the enterprise: 10 actions to take now for AI-ready cyber resilience. The timing is not a coincidence. Nine days earlier, Anthropic unveiled Claude Mythos Preview and Project Glasswing, the coalition assembling to point frontier AI at the world's critical software. JPMorgan is a Glasswing participant. This letter is how one of the most sophisticated security organizations on the planet is telling the rest of the industry to prepare.

The opening line sets the stakes plainly:

"AI is already changing the economics of cyber risk: adversaries are scaling attacks, compressing the time from vulnerability discovery to exploitation and increasing the volume of threats that enterprises face each day. Patch and remediation cycles are accelerating, often exceeding an organization's capacity for change, leaving them exposed to automated discovery and exploitation by cyber attackers."

Read that again. A tier-one financial institution is publicly warning that the pace of disclosure will outrun the industry's ability to patch. That is the Mythos thesis, stated by a customer rather than a vendor. And the ten recommendations that follow are a blueprint for what to do about it.

For vulnerability management teams specifically, the message is direct. The program you ran in 2024 will not survive 2026. JPMorgan is effectively telling VM leaders to accelerate the shift to Continuous Threat Exposure Management (CTEM), and to do it now, before the flood of AI-discovered vulnerabilities arrives in full force.


Here is what that looks like across the four functions every VM team owns: detection, prioritization, remediation, and mitigation.

Detection: Know What You Have, Continuously

JPMorgan opens the asset conversation with a line every VM leader has said out loud: "You cannot fix what you don't know about. Incomplete or inaccurate asset inventories leave blind spots that attackers will find before you do."

The letter calls for a continuously updated inventory of hardware, software, and cloud assets. It calls for SBOMs across the application portfolio.

On scanning, the guidance is equally sharp:

"Scan continuously, not periodically, integrate vulnerability scanning into software development pipelines, cloud workload deployments, and change management processes so that new exposures are identified at the speed of change."

Periodic scans produce periodic answers. Mythos-accelerated disclosure demands continuous ones.

Prioritization: Focus on What Is Actually Exploitable

JPMorgan is explicit that volume-based triage is dead: "Correlate vulnerability data with asset criticality, application context and reachability, threat intelligence, and exploit availability to focus effort where risk is highest rather than chasing volume indiscriminately."

The letter calls for enrichment with ownership, criticality, internet exposure, and data classification. And it sets the bar on response time: when a new threat emerges, teams should be able to answer "where are we exposed?" in minutes, not days. It specifically calls out the CISA Known Exploited Vulnerabilities list as a baseline for what should jump the queue.

This is the core CTEM pivot. Traditional VM programs rank by CVSS and chase the red numbers. CTEM ranks by exploitability in your environment, informed by reachability, runtime presence, threat intelligence, and the compensating controls already in place. When disclosure volumes jump by an order of magnitude, the only way to stay sane is to triage by actual risk.
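The ranking shift described above, as an added example that is not code from this page, from Zafran, or from JPMorgan. The weights, the placeholder CVE identifiers (CVE-0000-000x) and the sample inventory are constructed assumptions chosen to make the effect visible: a CVSS 9.8 finding that is not loaded at runtime scores zero, a CVSS 7.5 finding that is on KEV and internet-facing tops the queue, and the same CVE behind an existing WAF virtual patch drops well below it. The `where_exposed` function is the "where are we exposed?" query the letter wants answered in minutes.

```python
"""Context-based exposure triage: rank findings by exploitability in this
environment rather than by raw CVSS. Added example; the weights and sample
findings are constructed assumptions, not Zafran's or JPMorgan's scoring."""
from dataclasses import dataclass

# Weight for the classification of data the asset handles (assumed values).
DATA_WEIGHT = {"public": 0.5, "internal": 0.8, "confidential": 1.0, "restricted": 1.2}


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder IDs below are constructed, not real CVEs
    asset: str
    cvss: float
    in_kev: bool             # listed on CISA KEV (exploitation confirmed in the wild)
    runtime_present: bool    # vulnerable component is actually loaded/running
    internet_facing: bool
    criticality: int         # 1 (low) .. 4 (crown jewel)
    data_class: str
    compensating_controls: tuple = ()   # e.g. a WAF virtual patch already deployed


def exposure_score(f: Finding) -> float:
    """Exploitability-in-context score; 0.0 means 'track it, do not triage it'."""
    if not f.runtime_present:
        return 0.0                         # installed but never loaded: not exploitable here
    score = f.cvss
    score *= 2.0 if f.in_kev else 1.0      # KEV entries jump the queue
    score *= 1.5 if f.internet_facing else 0.6
    score *= 0.5 + 0.25 * f.criticality    # 0.75 (criticality 1) .. 1.5 (criticality 4)
    score *= DATA_WEIGHT[f.data_class]
    if f.compensating_controls:            # control-aware: an existing control already blunts it
        score *= 0.25
    return score


def triage_queue(findings):
    """Findings that need action, highest exposure first; zero-score items are left out."""
    scored = sorted(((exposure_score(f), f) for f in findings),
                    key=lambda pair: pair[0], reverse=True)
    return [(f.asset, f.cve, s) for s, f in scored if s > 0]


def where_exposed(findings, cve):
    """'Where are we exposed to <cve>?': assets where it is present at runtime, worst first."""
    hits = [f for f in findings if f.cve == cve and f.runtime_present]
    hits.sort(key=exposure_score, reverse=True)
    return [(f.asset, f.compensating_controls) for f in hits]


# Constructed sample inventory (CVE IDs are placeholders, not real vulnerabilities).
SAMPLE = [
    Finding("CVE-0000-0001", "db-01", 9.8, False, False, False, 3, "confidential"),
    Finding("CVE-0000-0002", "web-01", 7.5, True, True, True, 4, "restricted"),
    Finding("CVE-0000-0002", "web-02", 7.5, True, True, True, 4, "restricted",
            compensating_controls=("waf:virtual-patch-0002",)),
    Finding("CVE-0000-0003", "app-07", 9.8, False, True, False, 2, "internal"),
]

if __name__ == "__main__":
    for asset, cve, score in triage_queue(SAMPLE):
        print(f"{score:7.3f}  {asset:8} {cve}")
    print("exposed to CVE-0000-0002:", where_exposed(SAMPLE, "CVE-0000-0002"))
```

Note the ordering the sample produces: web-01 (40.5) first, then web-02 (10.125) because the WAF rule is already in place, then app-07 (4.704) despite its 9.8 CVSS, and db-01 not in the queue at all. A CVSS-sorted list would have put the two 9.8 findings on top.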

Remediation: Engineer for Speed, Measure Relentlessly

JPMorgan reserves some of its sharpest language for change management: "The patching and deployment processes that were designed for quarterly release cycles are now a liability. Every day of delay between a fix being available and a fix being deployed is a day of unnecessary exposure."

The recommendations are operational and specific. Map the end-to-end patch lifecycle and find every handoff that adds latency. Invest in automated testing, staged rollout, and rollback. Measure mean-time-to-patch as a core operational metric and hold delivery teams accountable. And report vulnerability aging, remediation velocity, and exception volumes to senior leadership regularly, treating persistent exceptions as risk acceptances requiring executive sign-off.

The letter also ties remediation to SLA discipline, reserving the most aggressive targets for critical and internet-facing assets:

"Establish SLA-driven remediation vulnerability fix and patching timelines tiered by severity and exposure, with the most aggressive targets for critical and internet facing assets. Fix critical internet facing vulnerabilities at the fastest pace you can. When you set a new record, beat it."

The subtext is important. JPMorgan is acknowledging that remediation cannot stay a security-owned ticket queue. It has to become an engineered, measured, cross-functional pipeline held to SLAs that keep getting tighter. That is CTEM in practice.
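The SLA-tiered, measured pipeline described in this section, as an added example that is not code from this page, from Zafran, or from JPMorgan. The tier table (tighter deadlines for internet-facing assets), the dates and the tickets are constructed assumptions; the report computes the metrics the letter names: mean-time-to-patch, vulnerability aging, SLA breaches, exception volume, and the fastest fix observed per tier (the record to beat).

```python
"""SLA-tiered remediation tracking: deadlines by severity and exposure,
vulnerability aging, mean-time-to-patch and exception volume. Added example;
the tier table, dates and tickets are constructed, not JPMorgan's actual SLAs."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Days allowed from fix availability to deployment (assumed tiers; internet-facing is tighter).
SLA_DAYS = {
    ("critical", True): 3,   ("critical", False): 14,
    ("high", True): 7,       ("high", False): 30,
    ("medium", True): 30,    ("medium", False): 90,
    ("low", True): 90,       ("low", False): 180,
}
AGE_BUCKETS = ((7, "0-7d"), (30, "8-30d"), (90, "31-90d"), (10**9, ">90d"))


@dataclass
class Ticket:
    id: str
    severity: str
    internet_facing: bool
    fix_available: date              # day a vendor fix was published
    deployed: Optional[date] = None  # None while the fix is still not rolled out
    exception: bool = False          # risk accepted with executive sign-off


def sla_deadline(t: Ticket) -> date:
    return t.fix_available + timedelta(days=SLA_DAYS[(t.severity, t.internet_facing)])


def age_days(t: Ticket, today: date) -> int:
    """Exposure age: days from fix availability to deployment, or to today if still open."""
    return ((t.deployed or today) - t.fix_available).days


def bucket(days: int) -> str:
    return next(label for limit, label in AGE_BUCKETS if days <= limit)


def remediation_report(tickets, today: date) -> dict:
    """The numbers to put in front of senior leadership on a regular cadence."""
    closed = [t for t in tickets if t.deployed]
    open_ = [t for t in tickets if not t.deployed and not t.exception]
    aging = {label: 0 for _, label in AGE_BUCKETS}
    for t in open_:
        aging[bucket(age_days(t, today))] += 1
    fastest = {}  # best observed fix time per (severity, internet_facing) tier
    for t in closed:
        tier = (t.severity, t.internet_facing)
        fastest[tier] = min(fastest.get(tier, 10**9), age_days(t, today))
    return {
        "mttp_days": mean(age_days(t, today) for t in closed) if closed else None,
        "open": len(open_),
        "sla_breached": [t.id for t in open_ if today > sla_deadline(t)],
        "exceptions": [t.id for t in tickets if t.exception and not t.deployed],
        "aging": aging,
        "fastest_fix_days": fastest,
    }


# Constructed sample data; the reporting date is the day this post was published.
TODAY = date(2026, 4, 20)
SAMPLE = [
    Ticket("T1", "critical", True,  date(2026, 4, 10), deployed=date(2026, 4, 12)),
    Ticket("T2", "critical", True,  date(2026, 4, 15)),                 # 5 days old, SLA 3: breached
    Ticket("T3", "high",     False, date(2026, 3, 1)),                  # 50 days old, SLA 30: breached
    Ticket("T4", "medium",   False, date(2026, 4, 1)),                  # 19 days old, SLA 90: on track
    Ticket("T5", "high",     True,  date(2026, 3, 20), deployed=date(2026, 3, 26)),
    Ticket("T6", "low",      False, date(2026, 1, 1), exception=True),  # risk-accepted, reported separately
]

if __name__ == "__main__":
    for key, value in remediation_report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

Two design points worth keeping when adapting this: the clock starts at fix availability, not at ticket creation, because that is the exposure the letter is measuring; and exceptions are excluded from the breach count but reported as their own line, so a team cannot make its SLA numbers look good by converting overdue tickets into risk acceptances without anyone noticing.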

Mitigation: Preemptively Fortify Before the Flood

This is the recommendation that most directly echoes the Mythos analysis. JPMorgan writes:

"Where possible, use perimeter controls (i.e. web application firewalls) to mitigate exposure and block attempted attacks while you fix vulnerable software."

That single sentence captures the defensive center of gravity for the next two years. Patching is necessary but insufficient. When thousands of critical vulnerabilities land in compressed windows, the only protection during the patch-to-deploy gap is compensating controls: WAF rules, EDR policies, network segmentation, IPS signatures. Most enterprises already own these controls. The question is whether VM teams know how to mobilize them as a first line of defense.

The Mythos era demands a further shift. Waiting for a disclosure to trigger a mitigation response is already too slow. VM teams need to preemptively fortify their compensating controls now, tuning WAF policies, tightening EDR configurations, and closing segmentation gaps ahead of the disclosure wave, so that when thousands of new CVEs land in compressed windows, large swaths of the environment are already protected. Preemptive mitigation is how you shrink the blast radius before the blast.

How Zafran Helps VM Teams Make the Shift

The Zafran platform was built for exactly the operating model JPMorgan is describing. Each of the four VM functions above maps directly to how Zafran operates.

Zafran unifies findings across your existing security stack, pulling vulnerability and configuration data from cloud scanners, AppSec tools, endpoint agents, and on-prem assessments into a single normalized view. It de-duplicates and correlates findings to establish a single source of truth, and can replace legacy scanners with continuous, agentless detection. The "where are we exposed?" question JPMorgan wants answered in minutes becomes a single query.

Zafran then assesses true exposure by applying the risk context JPMorgan's letter calls for. Every finding is correlated with runtime presence, internet reachability, active threats in the wild, asset criticality, and, uniquely, the state of your existing security defenses. That control-aware context is what separates the vulnerabilities that demand immediate action from the ones already neutralized by controls you have already deployed. (Gartner recently identified Zafran as the only vendor among roughly 150 startups in the exposure management space that delivers this full lifecycle natively in a single platform.)

Zafran mitigates preemptively by mapping every exposure to the compensating controls already in your environment and delivering step-by-step guidance to tune those controls for maximum risk reduction. When Mythos-class disclosures land, Zafran can immediately identify which assets are already protected and where gaps remain, pushing mitigation policies to your existing cloud, endpoint, and network defenses ahead of patch cycles. This is the preemptive fortification JPMorgan's letter implies and the Mythos era demands.

Zafran mobilizes remediation by consolidating overlapping CVEs into focused actions, auto-assigning work to the right owners, and routing tasks through Jira, Slack, and ServiceNow. This is the engineered, measurable remediation pipeline JPMorgan is asking VM teams to build, delivered as a capability rather than a multi-year internal project.

The architecture below shows how these capabilities connect end to end, from discovery through autonomous response.

Zafran Threat Exposure Management Platform architecture: discover, assess, and remediate.

The Window Is Now

JPMorgan's letter is measured in tone and urgent in substance. Every recommendation assumes that the threat environment will get harder, faster, and more automated. Every recommendation assumes that organizations still running 2024-era vulnerability management programs will struggle to keep up.

The VM teams that thrive through the Mythos transition will be the ones that treat this letter as a project plan. Unify your findings. Prioritize by actual exploitability. Engineer remediation for speed. And preemptively fortify your compensating controls before the disclosure flood arrives.

Zafran exists to compress that transition from years into months. When the flood arrives, the teams that made the shift early will be the ones still standing.
