MYTHAL
An AI fabric that goes from
vulnerability to applied fix.
Tailored to your environment. Every agent configurable.
Twelve AI agents work together so your team only steps in when judgment is needed.
Prepared for CSX Transportation
SLIDE 02 · THE MYTHOS THESIS · WHY THIS MATTERS NOW
After Mythos, vulnerability discovery is machine speed.
Applying the fix is not.
Anthropic's Claude Mythos and the models that followed collapsed the cost of finding vulnerabilities.
What used to take a security researcher weeks now takes an AI minutes. The volume of disclosures has
exploded — Microsoft alone patched 163 CVEs in April 2026.
Vendors are shipping patches faster than ever. Attackers are running parallel AI-assisted patch diffing.
hours
From disclosure to working exploit
vs
weeks
Industry average to apply the patch
The moment a vendor releases a patch, attackers reverse-engineer it. They diff the binary before-and-after, see exactly what changed, build a proof-of-concept exploit against the unpatched version, and start scanning the internet for systems that haven't applied it yet. Every hour you delay is an hour the attacker has the advantage.
This is the Mythos thesis — the asymmetry between AI-speed discovery and human-speed remediation is the largest unhedged risk on a CISO's balance sheet. You cannot hire your way out of it. The work has to be automated, with humans in the loop only where judgment is needed.
SAY: "Remember one thing — after Mythos, vulnerability discovery became a machine-speed activity, and the fix-application side did not. The moment a vendor releases a patch, attackers reverse-engineer it within hours and build a proof of concept. Every hour you delay, you're vulnerable. This is the Mythos thesis — the whole reason Mythal exists."
SLIDE 03 · CONTEXT — WHAT'S A VULNERABILITY AND WHERE IT LIVES
A vulnerability is a known flaw.
It lives everywhere your business runs.
🔍
Discovered
Researcher or vendor finds a flaw in software or firmware.
→
📋
Catalogued
Assigned a CVE number, public on NVD & CISA. Everyone sees it.
→
🛠
Patched
Vendor issues a fix. Until you apply it, you're exposed.
In a railroad environment, vulnerabilities show up everywhere — not just on corporate servers:
Corporate IT
Windows servers, Active Directory, Exchange, SharePoint, financial apps
Office productivity, finance, HR. Standard scanners cover these well.
Network & cloud
Cisco IOS-XE switches, Palo Alto firewalls, AWS / Azure workloads
The plumbing between corporate and rail operations.
Train & rail systems
Dispatch platforms, telematics gateways, scheduling, EDI for shipping
Where rail operations meet IT. Vulnerabilities here affect freight flow.
SAY: "Vulnerabilities aren't just an IT problem. They show up in corporate systems, in the network, and in the systems that touch train operations. A CVE on a dispatch server can affect freight movements as much as a CVE on a finance server can affect quarterly close."
SLIDE 04 · IN ONE SENTENCE
Mythal is a team of twelve AI agents
that watch every scanner, find every fix,
and apply it — with your humans only in the loop where it matters.
When a vulnerability appears anywhere in your environment, Mythal takes it through every step:
- Find the right fix from the vendor's official source.
- Decide what's safe to apply directly — and what to flag for the team instead.
- Build a plan with exact steps and exact rollback.
- Route to your team for approval when policy requires it.
- Apply the fix through whatever patch tool you already use.
- Verify it worked — rescan, check health, roll back if anything's off.
- Produce audit evidence — every action signed, every decision recorded.
For sensitive operational systems, Mythal never applies directly. It always builds the plan and proposes it — your team applies, on your schedule.
SLIDE 05 · HOW THE LOOP CLOSES
Six steps · agents do five · your team handles one
1
Discover
Scanner reports a new finding. Mythal pulls it in, deduplicates across scanners.
2
Investigate
Look up exploits, find vendor fix, score business impact from your CMDB.
3
Plan
Build ordered steps with tool selection and rollback for each step.
4
Approve
Human step. Plan routed to the right team for sign-off when policy requires it.
5
Apply
Push the fix through your patch tool. For sensitive systems, hand off to your team.
6
Verify
Rescan confirms clean. Health check passes. Audit evidence emitted.
You control where the line falls between steps 4, 5, and 6. Low-risk fixes on standard IT can flow through Mythal end-to-end. Anything touching sensitive operational systems gets built as a plan by Mythal and handed to your team to apply on their own schedule. Mythal never acts outside the rules you set.
SAY: "Six steps. Five are done by AI agents in the background. One step — approval — is where your team signs off. And for any system where you don't want Mythal to take action directly, we never do. We build the plan and propose it. Your team applies it, on your schedule."
SLIDE 06 · WHAT EACH AGENT DOES
Twelve specialists · one signed message bus
Each agent has one narrow job. They don't share memory — they communicate through a signed message bus. Every decision is recorded in a reasoning trace your auditor can read top to bottom.
★ Supervisor
Orchestrates the whole workflow. Holds the state of each finding.
Scanner Liaison
Pulls and normalizes findings from every scanner you operate.
Threat Intel
Checks public threat feeds — is this in active exploitation?
Patch Hunter
Finds the vendor's official fix and scores its reliability.
Impact Analyst
Joins the finding to your CMDB. How important is the affected system?
Change Risk
Scores deployment risk against historical change-failure rates.
★ Safety Officer
For sensitive systems: builds a plan but never applies directly.
Remediation Planner
Produces an ordered runbook with rollback for every step.
Executor
Drives the patch through whatever tool you already operate.
Verifier
Rescans, runs health checks, triggers rollback on failure.
Compliance Reporter
Captures evidence and produces auditor-ready PDFs.
Inventory Insights
Optional: surfaces gaps in your estate beyond the CVE flow.
SAY: "Twelve agents. Each one with one specific job. They don't share memory — they talk to each other through a signed message bus. Every decision is written into the reasoning trace, which is also the audit log. You'll see it live in the demo."
SLIDE 07 · THE EXECUTOR · HOW MYTHAL APPLIES THE FIX
Mythal orchestrates the tools you already run.
The Executor agent doesn't replace your patch tools. It calls their APIs — the same APIs your own
team uses — to dispatch a fix, monitor it, and capture the result. Your tools do the actual push using
their existing endpoint agents.
WINDOWS / ENDPOINT
Tanium
Real-time endpoint patching · REST API · used for fast Windows + Linux estate.
WINDOWS
Microsoft SCCM / Intune
Primary Windows patching · pushes KBs via software updates · OData / Graph API.
LINUX + NETWORK
Ansible Tower / AAP
Playbook-based patching · REST job templates · the standard for Linux at scale.
WINDOWS / CROSS-PLATFORM
IBM BigFix
Where BigFix is already deployed · Fixlet relevance language · REST API.
NETWORK · CISCO
Cisco Catalyst Center
IOS-XE firmware + config push · DNA Center API · network device automation.
NETWORK · FIREWALL
Palo Alto Panorama
ACL tightening · IPS signature push · commit-and-distribute · XML API.
CLOUD · AZURE
Azure Arc
Hybrid Windows / Linux patching across Azure + on-prem · ARM API.
CLOUD · AWS
AWS Systems Manager
EC2 / Linux patching · SSM RunPatchBaseline · the AWS-native path.
How it works: Executor calls driver.apply_patch(asset, patch) →
driver authenticates to your tool via Vault-stored credentials → submits action → polls for completion →
Verifier rescans through your scanner API. Every action carries a tool-specific reference ID
(Tanium action_id, SCCM deployment_id, Ansible job_id) for audit.
SLIDE 08 · WHO TOUCHES MYTHAL
Built for the teams who already own this work
LEADERSHIP
Strategic posture
Watch the Command Center for KPIs. Review the auto-generated leadership PDF. See the trend lines without diving into individual findings.
SECURITY TEAM
Day-to-day operator
Open Mythal first thing. Review plans needing attention. Sign approvals. Investigate the reasoning trace when something doesn't look right.
OPERATIONS TEAM
Plan recipient
For sensitive systems, Mythal builds the plan and sends it over. Your team reviews it, applies it on your schedule, and Mythal closes the loop.
ENGINEERS
Configurator
Connect Mythal to your scanners, CMDB, and patch tools. Configure which agents are active. Tune the policy rules.
AUDIT / GOVERNANCE
Evidence consumer
One-click export of the audit packet mapped to whichever framework the auditor is asking about. The reasoning trace is the audit log.
EXTERNAL AUDITORS
Reviews evidence
Receives a signed PDF with control-by-control mapping. Every action backed by a timestamped, signed record. Nothing to assemble by hand.
SAY: "Mythal isn't one role's tool. Different teams touch it for different reasons — and importantly, for the systems your operations team owns, Mythal hands over the plan and steps back. Your team stays in control."
SLIDE 09 · TAILORED TO CSX, NOT GENERIC
Every agent is configurable
Mythal ships with twelve agents. You decide which ones are active, what rules each one follows, and where in your environment they operate. If a capability isn't a fit, we turn it off. If you need behavior tuned to your operational reality, we configure it.
| Configuration knob | What you control |
|---|
| Scanner sources | Which scanners Mythal reads — only the ones you operate, nothing else |
| Approval policy | Which kinds of fixes auto-apply, which need single approval, which need dual approval |
| Patch tool routing | Which patch tool runs which kind of fix — your existing tools, no new ones imposed |
| Hands-off zones | Define which parts of your environment Mythal will never touch directly — plan only |
| Maintenance windows | When fixes can be applied, when they can't, and what to do if the window is closed |
| Audit framework set | Only the compliance frameworks you're audited against — others off by default |
| Agent backends | Run agents deterministically with no LLM, or opt-in LLM per agent |
SAY: "Mythal is not a one-size-fits-all SaaS. Every one of these knobs is yours to set. If your team doesn't want certain capabilities, we turn them off. If you need certain behavior tuned to your operational reality, we configure it. The platform adapts to you, not the other way around."
SLIDE 10 · AUDIT IS A SIDE-EFFECT, NOT A PROJECT
Auditor-ready evidence with one click
How the audit trail builds itself
- Every agent decision is written to the reasoning trace as it happens.
- Every approval is HMAC-signed with the approver's identity and timestamp.
- Every applied fix records the tool, the target, the result, and the rollback path used.
- Every verification result (rescan clean? health pass?) is preserved.
- The Compliance Reporter agent maps each finding to the relevant audit-framework controls automatically.
What you get
- Live posture dashboard at any time on the Compliance page.
- One-click PDF export per framework — auditor-ready, signed, dated.
- Machine-readable bundle for ingestion into your GRC tool.
- Coverage for the major regulatory frameworks (rail, ICS, federal, financial, healthcare).
The PDF an auditor receives
Mythal Evidence Package
Generated · Compliance Reporter agent
| Control | Plan | Summary | Captured |
|---|
| 3.A.1 | …RZN2JR | Vendor patch applied · KB resolved · verified clean | 2026-05-25 |
| 3.A.1 | …F1152J | Compensating control: ACL tighten · IPS sig push | 2026-05-25 |
| 3.B.2 | …NR55QR | Approval signed by Security · Plan executed | 2026-05-25 |
| 3.D.1 | …BBHQCH | Verifier rescan clean · health check pass | 2026-05-25 |
🔒 SIGNED · Mythal Compliance Reporter · v1
SAY: "When an auditor walks in, you don't go hunting through ticket systems and email chains. You hit Export, hand them the PDF, and the reasoning trace answers every checklist item with a signed action record. The audit log is a side-effect of doing the work, not a separate project."
SLIDE 11 · WHAT WE'D PROPOSE TO CSX
A proof in your own environment
- One zone, one scanner pair. Pick one segment of your environment and one scanner you already operate. We connect Mythal to it.
- Mythal runs inside your network. Single-VM appliance. No cloud dependency. No data leaves your environment.
- Real findings, real plans. The platform runs the closed loop on your actual environment with your team in the approval workflow.
- You evaluate against your own criteria. Leadership, security team, operations team, and your auditor all review the output. They decide.
- No commitment until the proof is green. If anyone has reservations, we step back. The risk to CSX is zero.
The ask: connect us with the right people at CSX. We handle the rest.
SAY: "We're not asking for a commercial commitment today. We're asking for a proof — in your lab, with your data, your scanners, your approvers. If at the end you're nodding, we move forward. If anyone has reservations, we step back."