On April 7, 2026, a security announcement landed with unusual force: an AI system had autonomously discovered thousands of vulnerabilities in real-world software. Within hours, a conclusion spread across the industry: AI had crossed a threshold. Autonomous zero-day research. Autonomous attacks. Software security at an inflection point.
This book asks the question that matters most: what was actually demonstrated, and what was merely assumed?
The answer is grounded in a practitioner perspective shaped by more than 15 years of work with the Security Development Lifecycle and threat modeling: how security defects enter systems, how they become visible in design, how they should be prioritized, and why scanners, CVSS scores, or incident response alone are not enough.
Myths Around the Mythos is a technical assessment of the moment where AI, vulnerability research, and public risk perception collided. It separates two concepts that are too often treated as the same thing: a vulnerability is a flaw in code; exploitability is the ability to trigger that flaw, under real-world conditions, to produce a security outcome an attacker controls. Between the two lie architecture, platform mitigations, reachability, exploit engineering, operational context, and response.
Oliver Niehus examines that gap with technical precision: why CVSS is not enough for prioritization; why EPSS and CISA KEV answer different questions; how Windows mitigations such as ASLR, DEP, CFG, CET, HVCI, and VBS change exploitation; why glibc, Annex K, and safe C APIs matter; why the XZ Utils backdoor was not a normal vulnerability story but a supply-chain operation; and why SDL, threat modeling, bug bounty programs, and proactive response are not bureaucracy but economic necessity.
The book also turns the lens back onto AI itself. AI is not only a tool for attackers or defenders. AI systems become attack surfaces of their own: prompt injection, RAG retrieval, model supply chain, coding assistants, data protection, DLP, and agentic systems introduce new technical and organizational risks.
This book is written for security architects, senior developers, CISOs, risk officers, and everyone who needs to understand why finding a vulnerability is not the same as having an exploit, and why AI-assisted security research still changes how organizations must build, prioritize, and defend software.
The capability is real. The myth is larger than the technology. This book separates the two.
Oliver Niehus
Oliver Niehus has worked in IT and technology since the early 1990s and has spent more than twenty years in a technical role at a leading global technology company.
For more than 15 years, his work has included Security Development Lifecycle, Threat Modeling, Operating Systems, Cloud Computing, Cybersecurity, Artificial Intelligence, and AI Development.
The views expressed in his books are his own.
Secure Software Development, AI Security, Threat Modeling, Cybersecurity Risk, Exploitability, Vulnerability Management, Software Supply Chain Security