MYTHAL · AUTONOMOUS VULNERABILITY REMEDIATION
From CVE to verified fix —
without waking up your on-call.
Twelve coordinated AI agents. One signed message bus. One policy gate.
Built for critical infrastructure — where patching the wrong thing stops a train.
Prepared for CSX Transportation · Madhu Uppalapati · Next-Era LLC
May 2026 · Live console included
SLIDE 02 · WHY NOW
Vulnerability discovery has gone machine-speed.
Remediation has not.
- 163: CVEs Microsoft patched in April 2026 alone
- ~28%: CVEs now AI-assisted (Mythos & peers)
- <24h: disclosure → active exploit (2025 avg)
- 48d: avg MTTR in critical infrastructure
The gap between when a vulnerability is weaponized and when an operator can patch is measured in hours on one side and weeks on the other. That delta is the largest unhedged risk on a Class I rail CISO's balance sheet — and it cannot be closed by hiring more humans.
SAY: "If you remember nothing else, remember this. Vulnerability discovery has become a machine-speed activity, and remediation has not. The asymmetry is the entire investment thesis."
SLIDE 03 · WHY CRITICAL INFRASTRUCTURE IS WORSE
Rail, pipeline, power, water have it worse than anyone
- Constrained maintenance windows. You cannot patch a wayside interface unit during a train movement. Most OT systems have one quarterly window of opportunity.
- Vendor-locked firmware. Siemens RTUs, Wabtec PTC boxes, Hitachi locomotive controllers — patching is vendor-coordinated, not push-button.
- Regulatory exposure. TSA SD 1580-21-01 requires documented timely patching of Critical Cyber Systems, with auditor-ready evidence.
- Asymmetric blast radius. A misfire on a yard SCADA system stops freight. A misfire on a server is contained.
SAY: "This is why a generic IT vulnerability tool fails on a railroad — and why CSX has been asking vendors for a Middleware AI Agent. We agree on the workflow. We disagree that one middleware agent is enough."
SLIDE 04 · YOUR STATED WORKFLOW + THE SEVEN GAPS WE FILLED IN
What CSX asked for · what you also need
| CSX asked for | Mythal adds |
| --- | --- |
| Receive trigger for critical CVE | Multi-scanner dedup across Qualys, Tenable, Wiz, Claroty, Defender |
| Assess threat level | KEV / EPSS / ransomware-actor enrichment + CMDB business-impact join |
| Download appropriate patch | Vendor-aware resolver — MS bulletin, Cisco SA, Siemens SSA — with reliability score |
| Update system | OT Safety Officer veto · dual approval · Executor through Tanium/SCCM/Ansible/Panorama · Verifier rescan · auto-rollback |
| — | Signed reasoning trace auditors can read |
| — | Compliance evidence mapped to TSA SD 1580 · NIST CSF 2.0 · NIST 800-82r3 · IEC 62443 |
| — | Mythos-aware — built assuming the patch firehose is the operating condition |
SLIDE 05 · ARCHITECTURE
Twelve specialist agents · one signed bus · one policy gate
- ★ Supervisor: Orchestrator. Per-finding state machine. Claude Opus.
- Scanner Liaison: Normalizes findings from 8 scanner platforms.
- Threat Intel: NVD · KEV · EUVD · vendor PSIRTs · GHSA.
- Patch Hunter: Resolves MS bulletins · Cisco SAs · Siemens SSAs.
- Impact Analyst: CMDB join · blast radius · exposure tier.
- Change Risk: Historical failure rates · window selection.
- ★ OT Safety Officer: Veto rights on OT & CCS. Compensating controls. Claude Opus.
- Remediation Planner: Ordered runbook · machine-executable · rollback.
- Executor: Tanium · SCCM · Ansible · Catalyst · Panorama · OT-native.
- Verifier: Rescan · health · exploit retest · auto-rollback.
- Compliance Reporter: TSA · NIST CSF · NIST 800-82r3 · IEC 62443.
- Inventory Insights: Estate-wide gaps beyond the CVE flow.
Specialists don't share memory. They communicate over a typed, signed message bus. Every decision lands in the reasoning-trace ledger. Every side-effecting tool call passes through a deterministic policy gate.
SLIDE 06 · THE WOW FACTOR FOR RAIL
The single most important agent: OT Safety Officer
Holds veto rights on every action targeting an asset tagged Critical Cyber System or sitting in an OT zone.
Default policy: no direct firmware patching during operations. Instead:
- Compensating controls now. Tightens industrial-firewall ACLs · pushes IPS signature · monitored isolation.
- Firmware patch scheduled. Pinned to the next planned maintenance window, with dual approval (Security + OT Operations) required.
- Mapped to standards. Every veto records the NIST 800-82r3 + IEC 62443 zone-conduit rationale.
SAY: "On a railroad, the difference between buying Mythal and buying a generic vuln-management tool is one agent — this one. Without an OT Safety Officer, the tool will eventually patch the wrong device at the wrong time, and a train will stop."
SLIDE 07 · THE 11-STAGE CLOSED LOOP
From CVE landing in a scanner to a signed evidence unit
- 1 · Qualys / Tenable / Claroty pushes a CVE. Scanner Liaison normalizes + dedups across scanners.
- 2 · Threat Intel enriches. KEV · EPSS · ransomware association · ATT&CK mapping.
- 3 · Patch Hunter resolves vendor fix. MS / Cisco / Siemens advisories with clickable URLs.
- 4 · Impact + Change Risk score. CMDB join · historical failure rate · window pick.
- 7 · OT Safety Officer reviews. Veto if OT/CCS · proposes compensating controls.
- 8 · Approval (single or dual). OPA policy gate · HMAC-signed approvals stored.
- 9 · Executor applies. Tanium / SCCM / Ansible / DNAC / Panorama / OT-native.
- 10 · Verifier confirms or rolls back. Rescan · health probe · exploit re-test.
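A minimal sketch of the approval gate described on slides 06 and 07, added here as an illustration and not Mythal's own code: HMAC-signed approvals are verified against the exact action, and a firmware patch on an OT or CCS asset is allowed only inside a maintenance window with both Security and OT Operations approvals. The deck names OPA for the gate; this sketch uses plain Python instead, and the field names, role names, reason strings and demo keys are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per approver role (assumption; real keys belong in a KMS/HSM).
ROLE_KEYS = {"security": b"demo-security-key", "ot_operations": b"demo-ot-ops-key"}

def canonical(action):
    """Stable byte encoding so approver and gate MAC exactly the same bytes."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()

def sign_approval(role, action):
    """Approver binds the signature to the full action, not just a plan ID."""
    mac = hmac.new(ROLE_KEYS[role], canonical(action), hashlib.sha256).hexdigest()
    return {"role": role, "sig": mac}

def valid_roles(action, approvals):
    """Distinct roles whose HMAC verifies over this exact action."""
    roles = set()
    for approval in approvals:
        key = ROLE_KEYS.get(approval.get("role"))
        if key is None:
            continue  # unknown role: ignore rather than trust
        expected = hmac.new(key, canonical(action), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected.encode(), str(approval.get("sig", "")).encode()):
            roles.add(approval["role"])
    return roles

def policy_gate(action, asset, approvals, in_maintenance_window):
    """Deterministic allow/deny for one side-effecting step: (allowed, reason)."""
    roles = valid_roles(action, approvals)
    protected = asset["zone"] == "OT" or "CCS" in asset["tags"]
    if protected and action["kind"] == "firmware_patch":
        if not in_maintenance_window:
            return (False, "veto: firmware patch outside maintenance window")
        if not {"security", "ot_operations"} <= roles:
            return (False, "deny: dual approval required")
        return (True, "allow: dual-approved in window")
    if not roles:
        return (False, "deny: no valid approval")
    return (True, "allow: single approval")

if __name__ == "__main__":
    # Constructed sample: a wayside unit tagged as a Critical Cyber System.
    action = {"plan_id": "PLAN-DEMO-1", "asset_id": "wiu-demo-01", "kind": "firmware_patch"}
    asset = {"zone": "OT", "tags": ["CCS"]}
    both = [sign_approval("security", action), sign_approval("ot_operations", action)]
    print(policy_gate(action, asset, both, in_maintenance_window=False))
    print(policy_gate(action, asset, both[:1], in_maintenance_window=True))
    print(policy_gate(action, asset, both, in_maintenance_window=True))
```

Because the MAC covers the canonical action, an approval collected for one asset or step does not verify when replayed against another.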
SLIDE 08 · SCANNER-AGNOSTIC. PATCH-TOOL-AGNOSTIC.
Plug into what you already run
| Category | What we connect to |
| --- | --- |
| IT scanners | Qualys VMDR · Tenable.io · Rapid7 InsightVM · Wiz · Microsoft Defender VM |
| OT scanners | Claroty xDome · Nozomi Guardian · Dragos Platform |
| Threat intel | NVD · CISA KEV (live) · EUVD · GHSA · ICS-CERT · MS / Cisco / Siemens / Wabtec / Hitachi PSIRTs |
| CMDB | ServiceNow · Device42 · BMC Helix · Mythal-native asset graph |
| Patch tools | Tanium · SCCM · Intune · Ansible · BigFix · Catalyst Center · Panorama · OT-native (RUGGEDCOM, Wabtec) |
| Identity / Approvals | Okta · Auth0 · Entra · Keycloak · SAML SSO |
| Ticketing | ServiceNow ITSM · Jira |
Each connector card on /integrations exposes authentication mode, polling cadence, and the exact field mapping (e.g. QID + CVE list → vulnerability.cve).
SLIDE 09 · YOU SEE THE PATCH LAND — STEP BY STEP
Live execution streaming
When a plan is approved, the Executor agent runs each step through the appropriate patch tool with realistic timing. The plan-detail page streams the timeline in real time:
- Tool name, agent ID, started/completed timestamps
- Key-value result payload — Tanium action_id, SCCM deployment_id, Cisco DNAC task_id
- Verifier rescan verdict per step (CLEAN / STILL VULNERABLE)
- Health check + exploit re-test results
A 4-step plan completes in 8–12 seconds with visible progression. If a step fails (18% rate on OT for realism), Mythal auto-rolls-back and the plan transitions to ROLLED_BACK.
SAY: "Watch this. I'm going to approve a real plan against a real Cisco switch. The execution timeline streams live — every 1.5 seconds a new step appears. Every step signed. Every result captured. That's the closed loop."
SLIDE 10 · AUDITOR-READY EVIDENCE IN UNDER 60 SECONDS
Compliance evidence is the audit log
- TSA SD 1580-21-01 — primary framework for Class I rail. Control-by-control evidence with execution + approval HMAC signatures.
- NIST CSF 2.0 — Identify / Protect / Detect / Respond / Recover, mapped to plan trace IDs.
- NIST 800-82r3 — ICS-specific. Zone-conduit evidence from every OT Safety Officer decision.
- IEC 62443 — IACS security. Compensating-control evidence with signed verification records.
- SOX 404 · HIPAA · PCI DSS v4 — cross-vertical coverage for non-rail tenants.
One click on the Compliance page produces the PDF. The reasoning trace is the audit log. The signatures are the proof.
SAY: "When a TSA inspector walks in, you don't go hunting through ServiceNow tickets and email chains. You hit Export, hand them the PDF, and the trace ledger answers every checklist item with a signed action record."
SLIDE 11 · WHAT CHANGES IN YEAR ONE
ROI for a Class I railroad
| Lever | Conservative | Aggressive |
| --- | --- | --- |
| Vuln-analyst FTE deflection | 3 FTE × $185K | 6 FTE × $185K |
| MTTR (days → hours) | 14× faster | 40× faster |
| Cyber insurance premium reduction | 5% | 12% |
| Audit-prep effort saved | ~$400K / year | ~$900K / year |
| Avoided incident value (per) | — | $4–18M typical for rail |
ACV: $750K – $3M depending on tenant size, integration count, and on-prem vs SaaS.
Year-one ROI positive on FTE deflection alone. Insurance and audit savings are additive.
SLIDE 12 · WHAT WE'RE ASKING FOR
A 14-day proof in your lab
- One Qualys instance + one OT scanner + one zone of 200–500 assets in your lab environment.
- We stand up an on-prem appliance, connect to your sources, and run the closed loop on real findings.
- A named OT Operations approver and Security approver for the dual-approval flow.
- Read-only access to one CMDB instance for the business-impact join.
- One auditor (TSA or internal) to validate the evidence output against their checklist.
Target: signed POC SOW within 30 days. POC kickoff within 60.
SAY: "Two weeks. One zone. Real findings. If at the end of it your CISO, your OT lead, and your auditor are all nodding — we move to commercial. If anyone shakes their head, we walk away and you owe us nothing."