The conversation around Anthropic's Claude Mythos Preview has understandably centered on zero-days. If AI systems can identify and exploit vulnerabilities across every operating system and browser at scale, defenders have to assume that exploit timelines will keep compressing.
But for CISOs, the harder question is how long exposed access credentials remain valid after defenders discover the exposure.
A vulnerability just gets an attacker in the door. Credentials determine how far they can move, how long they can persist, and how difficult containment becomes. The gap between time-to-exploit and time-to-revoke is where many organizations are most exposed. GitGuardian's State of Secret Sprawl report shows that 64% of valid secrets detected in 2022 were still active and exploitable four years later, in an environment where exploitation now collapses to hours.
The Mythos-ready briefing, developed by more than 60 contributors and reviewed by over 250 CISOs, points in this direction across its priority actions. Secrets rotation, non-human identity governance, phishing-resistant MFA, and honeytoken deployment all appear on the priority-action list. But it does not name the metric that ties them together. Time-to-revoke should be that metric.
Exploit speed is collapsing, but access still governs impact
Mythos represents a step change in offensive capability. The paper's timeline shows the mean time from vulnerability disclosure to confirmed exploitation falling from 2.3 years in 2019 to less than one day in 2026. The window between discovery and weaponization can now collapse to hours or even minutes.
AI-driven vulnerability discovery is no longer experimental. It is operational, and defenders should assume the capability will continue to spread and accelerate.
Faster exploitation has not automatically translated into proportional breach impact, though. Many of the most consequential recent breaches involved credential abuse, social engineering, or supply chain compromise rather than novel exploits. The 2026 CrowdStrike Global Threat Report puts a number on how fast the window is closing. The average eCrime breakout time fell to 29 minutes, a 65% increase in speed from the prior year, with the fastest breakout recorded at 27 seconds. In one intrusion, data exfiltration began within four minutes of initial access. And 82% of detections were malware-free; adversaries moved through valid credentials, trusted identity flows, approved SaaS integrations, and inherited supply chains, blending into normal activity rather than deploying novel exploits.
Zero-days compress the attacker's timeline. Valid credentials turn that speed into reach, persistence, and impact.
When exploit speed outruns revocation speed
Security teams have spent years improving time-to-detect and time-to-respond. In the AI exploit era, they need to add another metric: how fast they can revoke.
If a credential is exposed today, how long does it remain valid? Who owns it? What services depend on it? Can it be rotated safely? Is there a runbook, or does the incident bounce between teams while the key stays live?
Those questions define the blast radius.
The 2024 Snowflake customer campaign showed what this looks like in practice. Mandiant and Snowflake notified approximately 165 potentially exposed organizations. Attackers had used exposed customer credentials, affected instances often lacked MFA, and in many cases, credentials had not been rotated for up to four years.
Nearly 29 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, and 28% of secrets-related incidents in our data originated entirely outside source code, in Slack, Jira, Confluence, and CI/CD systems. The attack surface for credential exposure keeps growing. But exposure is only the first failure. The bigger operational question is what happens after.
Why revocation breaks in enterprise environments
Revocation is structurally harder than detection. That's the core problem, and it's not due to a lack of awareness.
The person who committed or leaked the secret often doesn't own the service account it belongs to. The incident lands in a queue that has to be routed before anyone can act. Security teams cannot rotate what they cannot map to a non-human identity (NHI), workload, or business service. NHIs vastly outnumber human users, and few organizations have a complete inventory.
Teams fear breaking production because they don't know what depends on the credential, so the rotation gets deferred, and the key stays live. Finding a leaked secret can now take minutes, but safely revoking it often still takes days because the rotation process is manual, undocumented, or both. And without monitoring for credential use after exposure, teams don't know whether the key was exploited while it remained active. The breach may have already happened.
Each of these failures extends the period of risk. Stacked together, they explain why long-lived exposed credentials are not an edge case.
Four tests for revocation readiness
If you're building a Mythos-ready security program, the most useful exercise is to pressure-test whether you can revoke secrets fast enough to matter, not just find them.
First, find exposed credentials outside the code. Most programs still scan repositories and call it complete, but again, nearly a third of secrets-related incidents in our data originated entirely outside source code, in Slack, Jira, Confluence, CI/CD logs, container configs, and the systems AI agents can now access. If your scanning stops at the repo, that's where attackers start.
Second, map every credential to an owner and NHI. Every exposed secret should resolve to a service account, a workload, an application, a team, and a business owner. Without that mapping, the incident sits in triage.
Third, rotate without breaking production. Rotation needs tested runbooks, dependency context, and automation where possible. If the first question after finding a leaked key is "what will break?", then the revocation timeline has just been extended by days.
Fourth, detect use after exposure. Honeytokens, behavioral monitoring, and access logs should tell you whether a credential was used during its live-access window. Without that, you're measuring how fast you revoked, but not the damage that occurred before revocation.
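As an added example (not GitGuardian's code and not part of the briefing), here is a small Python report that runs those four tests, and answers the time-to-revoke questions raised earlier in the piece, over a handful of constructed incident records and access-log lines. The incident fields, source names, key ids and log-line format are assumptions made for the illustration, not a real product schema.

```python
"""Revocation-readiness report over exposed-credential incidents.

Added example, not GitGuardian code. Every incident record and access-log line
below is constructed for illustration; the field names and the log format are
assumptions, not a real product or cloud-provider schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional


@dataclass
class Incident:
    key_id: str                      # identifier of the exposed secret (never the secret value)
    source: str                      # where it leaked: "github", "slack", "jira", "ci_logs", ...
    detected_at: datetime
    revoked_at: Optional[datetime] = None   # None means the key is still live
    owner: Optional[str] = None             # team accountable for rotation
    nhi: Optional[str] = None               # service account / workload the key belongs to


# Sources that a repository-only scanner would cover (assumption for the example).
CODE_SOURCES = {"github", "gitlab", "bitbucket"}


def parse_access_log(line: str) -> tuple[datetime, str, str]:
    """Parse a constructed access-log line: '<iso-timestamp> key=<id> action=<verb>'."""
    ts, key, action = line.split()
    return datetime.fromisoformat(ts), key.split("=", 1)[1], action.split("=", 1)[1]


def time_to_revoke(inc: Incident, now: datetime) -> timedelta:
    """Live window after detection: until revocation, or until now if the key is still live."""
    return (inc.revoked_at or now) - inc.detected_at


def use_while_live(inc: Incident, log_lines: list[str], now: datetime) -> list[str]:
    """Test 4: actions performed with the key between detection and revocation.

    Exposure may predate detection, so this is a lower bound on misuse; activity
    before detected_at deserves its own review but is not counted here.
    """
    end = inc.revoked_at or now
    return [action for ts, key, action in map(parse_access_log, log_lines)
            if key == inc.key_id and inc.detected_at <= ts <= end]


def readiness_report(incidents: list[Incident], log_lines: list[str], now: datetime) -> dict:
    """Board-level numbers: how many leaks sit outside code, how many have no owner or
    NHI mapping, how long keys stayed valid, and which ones were used while live."""
    ttr_hours = sorted(time_to_revoke(i, now).total_seconds() / 3600 for i in incidents)
    used = {i.key_id: use_while_live(i, log_lines, now) for i in incidents}
    return {
        "outside_code": sum(1 for i in incidents if i.source not in CODE_SOURCES),  # test 1
        "unmapped": [i.key_id for i in incidents if not (i.owner and i.nhi)],        # test 2
        "still_live": [i.key_id for i in incidents if i.revoked_at is None],
        "ttr_median_hours": median(ttr_hours),                                       # test 3
        "ttr_max_hours": ttr_hours[-1],
        "use_while_live": {k: v for k, v in used.items() if v},                      # test 4
    }


# Constructed sample data. Timestamps are UTC; ids are placeholders.
UTC = timezone.utc
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=UTC)
INCIDENTS = [
    Incident("key-0001", "github", datetime(2026, 3, 9, 8, 0, tzinfo=UTC),
             datetime(2026, 3, 9, 9, 30, tzinfo=UTC), "payments-team", "svc-payments-batch"),
    Incident("key-0002", "slack", datetime(2026, 3, 8, 10, 0, tzinfo=UTC)),   # no owner, never revoked
    Incident("key-0003", "ci_logs", datetime(2026, 3, 7, 9, 0, tzinfo=UTC),
             datetime(2026, 3, 9, 9, 0, tzinfo=UTC), "data-platform", "svc-etl-runner"),
    Incident("key-0004", "jira", datetime(2026, 3, 10, 6, 0, tzinfo=UTC),
             datetime(2026, 3, 10, 6, 20, tzinfo=UTC), "infra"),              # owner known, NHI unknown
]
ACCESS_LOG = [
    "2026-03-09T08:45:00+00:00 key=key-0001 action=s3:ListBuckets",         # inside live window
    "2026-03-09T10:00:00+00:00 key=key-0001 action=s3:GetObject",           # after revocation
    "2026-03-09T23:15:00+00:00 key=key-0002 action=sts:GetCallerIdentity",  # key still live
    "2026-03-06T12:00:00+00:00 key=key-0003 action=kms:Decrypt",            # before detection
]

if __name__ == "__main__":
    for name, value in readiness_report(INCIDENTS, ACCESS_LOG, NOW).items():
        print(f"{name:>18}: {value}")
```

Run as a script it prints the report for the sample data: three of four leaks came from outside code, two incidents cannot be routed because the owner or NHI is unknown, the median time-to-revoke is about a day while the slowest key is still live after 50 hours, and two keys were actually used during their live window. In a real program the access-log parser would be replaced by queries against cloud audit logs or a honeytoken service, and the incident list would come from the secrets-detection platform's incident API.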
The board metric that's missing
Boards need to know how long exposed credentials remain valid, how many have no owner, and how quickly the organization can revoke access without disrupting operations.
In a Mythos-ready security program, time-to-revoke belongs next to time-to-detect and time-to-respond. When exploitation moves at machine speed, stale keys are what turn attacker speed into business impact.
About the Author: Eric Fourrier is the CEO of GitGuardian, an end-to-end NHI security platform for enterprises. GitGuardian helps you take control of your NHI security by discovering all your secrets, prioritizing and remediating leaks at scale, ultimately protecting your non-human identities, and reducing breach exposure. Widely adopted by developer communities, GitGuardian is used by over 600 thousand developers and leading companies, including Snowflake, Orange, Iress, Mirantis, Maven Wave, ING, BASF, and Bouygues Telecom.