The emergence of Mythos, an AI capable of autonomously exploiting decades-old software vulnerabilities, is forcing a rethink of digital defenses. This development creates a significant 'valuation cliff' for IT services firms reliant on manual security audits, as the industry shifts from time-based service models to AI-driven, self-healing resilience systems.
What Happened
In a landmark development for cybersecurity, an AI agent named Mythos has successfully demonstrated the ability to autonomously identify and exploit a vulnerability in OpenBSD, an operating system widely regarded as a benchmark for security. This exploit, which targeted a flaw that had remained dormant for 27 years, was executed in seconds with a high success rate. This event marks a departure from traditional cybersecurity, where human experts spend weeks identifying and patching such flaws. The demonstration has been described as an 'End of Surprise' moment, signaling that AI-driven offensive capabilities are now moving faster than traditional, manual defense and auditing methods.
The Disruption of Traditional IT Services
For decades, the Indian IT services sector has built a significant part of its business model on the 'billable hour'—charging clients for manual labor, security audits, and bug-fixing. The Mythos demonstration suggests that AI can now perform these complex auditing tasks in seconds rather than months. This creates a risk for the traditional service model. If security testing, vulnerability patching, and compliance auditing become automated and instantaneous, the revenue model that relies on extensive man-hours for these services faces a potential 'valuation cliff.' Investors may need to re-evaluate whether companies heavily dependent on legacy manual auditing processes can maintain their profit margins or whether they need to pivot aggressively toward high-value, AI-first security architecture.
The Shift to 'Sovereign Resilience'
Globally, the perception of AI is shifting from a standard software tool to a dual-use strategic asset. The US government is reportedly moving toward tighter control over frontier AI models, effectively treating them as national security infrastructure. For India, the path forward appears tied to its existing strength: the Digital Public Infrastructure (DPI) ecosystem, such as the India Stack. The focus for Indian tech firms and policymakers is expected to shift toward 'sovereign resilience.' This means moving away from a 'locked door' security strategy toward a self-healing system that can detect anomalies and reconfigure itself in real time, regardless of the attack's sophistication.
Risks and Business Model Pressure
While the automation of security brings efficiency, it also introduces systemic risks. As AI agents become better at hacking, the pressure on organizations to maintain 'time-to-resilience'—the speed at which a system can detect and recover from a breach—will increase. For the IT services sector, the risk lies in the transition. Companies that are slow to replace manual audit revenue with value-based 'resilience architecture' fees may see margin erosion. Additionally, as countries move toward nationalizing AI intelligence, companies with heavy exposure to global, non-sovereign AI models may face regulatory friction or geopolitical compliance challenges that could impact revenue stability.
What Investors Should Track Next
Investors may want to monitor how major IT service providers adjust their service portfolios. Key things to watch include whether companies are actively transitioning their security business from manual penetration testing to autonomous, AI-driven 'self-healing' service offerings. It will also be important to observe how management teams talk about 'value-based' vs. 'time-based' billing in their quarterly commentary. Additionally, tracking government policy on AI governance and national security standards for digital infrastructure will provide clarity on the regulatory environment these companies operate within.
