How AI-driven vulnerability discovery is about to flood OT teams with zero-days, and why digital twin simulation is the only way to keep up.
The cybersecurity world just shifted under our feet. Anthropic's Project Glasswing and its Claude Mythos Preview have demonstrated something that most OT security professionals suspected was coming but hoped was still years away: AI agents that can autonomously discover zero-day vulnerabilities in critical software. Not theoretical. Not in a lab. Real CVEs, found in real codebases, with a 90-day coordinated disclosure clock already ticking.
For IT security teams, this is significant. Patch the software, update the signatures, move on. For OT environments running industrial control systems, SCADA networks, and safety-critical infrastructure, it's a fundamentally different problem. Because in OT, knowing a vulnerability exists is only half the equation. The question that actually matters is: what happens to my plant when someone exploits it?
That's the gap Frenos was built to close.
The Flood Is Coming
Mythos doesn't discover vulnerabilities the way a human researcher does, spending weeks or months fuzzing a single target. It reasons about code. It reads source, identifies patterns, traces execution paths, and surfaces exploitable flaws at a pace that makes traditional vulnerability research look artisanal by comparison. And Mythos is just the beginning. Every major AI lab is racing toward the same capability. The volume of disclosed vulnerabilities affecting OT-adjacent software (Linux kernels, embedded firmware, protocol stacks, HMI platforms) is about to increase dramatically.
Project Glasswing's 90-day disclosure cycle means that once a vulnerability is found, the clock starts. Ninety days to assess, prioritize, and remediate before public disclosure. For IT systems with automated patch pipelines, that's tight but doable. For OT environments where patching requires maintenance windows, vendor coordination, safety validation, and sometimes physical access to air-gapped systems, ninety days can feel like ninety minutes.
The traditional OT vulnerability management workflow was designed for a world where new CVEs trickled in at a pace humans could process. That world is ending.
Why CVSS Scores Don't Cut It in OT
Here's the uncomfortable truth about how most organizations prioritize OT vulnerabilities today: they look at the CVSS score, check whether the affected software exists in their environment, and slot it into a remediation queue. A 9.8 gets attention. A 6.5 goes to the backlog. Everything else gets triaged by gut feel and available resources.
This approach has always been flawed for OT, but the stakes were low enough that the gaps rarely surfaced. When you're processing a dozen new relevant CVEs per quarter, you can afford to be imprecise. When AI-driven discovery pushes that number to dozens per month, imprecision becomes a liability.
The problem is context. A buffer overflow in a Linux kernel module might score a 9.8 on CVSS, but if the affected system sits behind three layers of network segmentation with no path to a safety-critical controller, the actual operational risk to your plant might be minimal. Conversely, a seemingly moderate vulnerability in an HMI application could, if exploited, send malformed commands to a PLC that controls a physical process with real safety implications. CVSS doesn't know your plant. It doesn't know your network topology, your controller configurations, or what happens downstream when a specific device behaves unexpectedly.
What you need isn't a better scoring system. You need a way to simulate the actual impact.
Digital Twins: From Theoretical to Essential
The concept of digital twins in industrial environments isn't new. Process engineers have used simulation models for decades to optimize operations, train operators, and validate control logic before deployment. What's new is applying that same simulation capability to cybersecurity, and what's urgent is that the AI vulnerability discovery wave makes it no longer optional.
This is especially true for cyber-physical systems where the consequences of exploitation extend beyond data loss into the physical world. A compromised PLC in a water treatment facility doesn't just expose information; it can alter chemical dosing. A manipulated safety controller in a power plant doesn't just create a log entry; it can cause equipment damage or endanger human lives. The stakes in ICS security have always been higher than in traditional IT, but the tooling for vulnerability prioritization has never reflected that reality.
Frenos builds isolated digital twins of OT environments by ingesting data from the security tools organizations already have deployed, including platforms like RunZero, Claroty, Nozomi Networks, Dragos, ForeScout, and Tenable. No scanning, no agents, no hardware to install. The twin mirrors your actual network topology, controller configurations, and security controls in a completely isolated sandbox. Then SAIRA, Frenos's Simulated Adversary Intelligence Reasoning Agent, runs attack path simulations against that twin the way a real adversary would probe your environment, processing hundreds of millions of adversarial decisions per second, with zero operational impact.
When a new vulnerability drops, instead of guessing at its impact based on a generic severity score, SAIRA maps the affected systems within your modeled environment, chains the vulnerability with other exploitable paths, and determines whether an attacker could actually reach a safety-critical controller. The output isn't another risk score. It's prioritized remediation steps ranked by real business and operational impact.
Mythos finds the what. SAIRA shows the how.
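A simplified sketch of the reachability argument above, added here as an illustration; it is not Frenos or SAIRA code. It ranks flaws by whether patching each one alone cuts the attacker's path to a safety-critical controller. Host names, flaw ids, scores, flows, and the compromise rule are constructed assumptions.

```python
from collections import deque

# Constructed sample model: hosts, their unpatched flaws (placeholder ids), CVSS scores.
VULNS = {
    "dmz-historian": [("VULN-HIST", 7.5)],
    "hmi-01":        [("VULN-HMI", 6.5)],
    "log-srv":       [("VULN-KERNEL", 9.8)],
}
# Directed flows the segmentation policy permits (src -> dst).
FLOWS = {
    "corp-it":       ["dmz-historian"],
    "dmz-historian": ["hmi-01"],
    "hmi-01":        ["plc-dosing"],
    "log-srv":       ["dmz-historian"],   # outbound log push only, nothing flows in
}
CRITICAL = {"plc-dosing"}   # safety-critical controllers
ENTRY = "corp-it"           # assumed attacker foothold


def reachable_critical(patched=frozenset()):
    """Critical assets reachable from ENTRY (assumed model: a host falls if a
    permitted flow reaches it and it has an unpatched flaw; a controller is
    exposed once any compromised host may talk to it)."""
    owned, queue, hit = {ENTRY}, deque([ENTRY]), set()
    while queue:
        src = queue.popleft()
        for dst in FLOWS.get(src, []):
            if dst in CRITICAL:
                hit.add(dst)
            elif dst not in owned and any(v not in patched for v, _ in VULNS.get(dst, [])):
                owned.add(dst)
                queue.append(dst)
    return hit


def rank_by_impact():
    """Rank flaws by how many critical assets patching each one alone protects."""
    baseline = reachable_critical()
    rows = []
    for host, flaws in VULNS.items():
        for vuln, cvss in flaws:
            protected = baseline - reachable_critical(frozenset({vuln}))
            rows.append((vuln, host, cvss, sorted(protected)))
    return sorted(rows, key=lambda r: (-len(r[3]), -r[2]))


if __name__ == "__main__":
    for vuln, host, cvss, protected in rank_by_impact():
        print(f"{vuln:12} {host:14} CVSS {cvss:<4} protects {protected or 'nothing'}")
```

In this constructed topology the 9.8 on the unreachable log server ranks last, while the 6.5 on the HMI ranks above it because it sits on the only path to the dosing PLC.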
Closing the Bug-to-Physical-Risk Gap
Consider a concrete scenario. Mythos identifies a previously unknown buffer overflow in a widely deployed Linux kernel module. The CVE gets published with a 90-day disclosure window. Your vulnerability scanner confirms the affected kernel version runs on several systems in your OT network.
Without a digital twin, your options are limited. You can check network diagrams (which may be outdated) to estimate exposure. You can convene a meeting with your control engineers to discuss potential impact (which takes time you might not have). You can push for an emergency patch window (which carries its own operational risk). Or you can add it to the queue and hope for the best.
With Frenos, the workflow changes completely. Because the platform continuously ingests data from your existing security stack, the digital twin is already current. SAIRA runs the new vulnerability against your environment automatically, chaining it with known attack paths and evaluating it against your actual segmentation, access controls, and monitoring capabilities. Within minutes, not weeks, you know whether this particular CVE could actually reach a safety controller, manipulate a physical process, or disrupt operations in your specific plant.
That's not a theoretical distinction. It's the difference between spending your limited maintenance window patching a vulnerability that poses real physical risk versus one that CVSS flagged as critical but your environment renders inert.
Automating the Response Before the Disclosure Hits
The real power of combining AI-driven vulnerability discovery with digital twin simulation isn't just faster triage. It's pre-emptive defense. When the vulnerability pipeline accelerates (and it will), organizations that have already modeled their OT environments can assess new disclosures automatically, the moment they drop. No waiting for a vendor advisory. No manual topology review. No guesswork about downstream physical impact.
This is what continuous OT security posture management actually looks like. Not a dashboard that reorders CVEs by CVSS score, but an AI reasoning agent running adversary simulations against your digital twin on a recurring schedule (weekly, monthly, or on demand), telling you which vulnerabilities can actually hurt your operations and ranking remediation by business impact rather than theoretical severity. Frenos customers are already replacing annual point-in-time penetration tests with this continuous model, cutting assessment costs dramatically while gaining a real-time understanding of how their security posture evolves as environments change.
The implications extend to legacy code hardening as well. Many OT environments run software that predates modern secure development practices, and the affected codebases are exactly the kind of targets AI vulnerability discovery excels at analyzing. Organizations that have deferred patching or hardening because the risk seemed theoretical will find that calculus changing rapidly as automated red teaming tools surface exploitable flaws in software they assumed was too obscure to attract attention.
For CISOs building their budgets around the post-Glasswing reality, the question isn't whether AI-driven vulnerability discovery will change the threat landscape for critical infrastructure. That's already happening. The question is whether your organization can absorb the volume, contextualize the risk, and respond at the speed the new disclosure timelines demand.
The 90-day clock is ticking. Digital twin simulation is how you stay ahead of it.
Frenos is the industry's first simulated OT penetration testing platform, combining digital twin technology with SAIRA, an AI reasoning agent that thinks like an adversary to reveal every attack path in your OT environment, risk-free.
Learn more at frenos.io.