Mythos & GPT-5.4-Cyber: The Upcoming AI-Driven “Vulnerability Surge” in SAP

Frontier AI models like Claude Mythos demonstrate an unprecedented capability to autonomously discover zero-day vulnerabilities in critical infrastructure, including flaws that have sat dormant for decades. As former CISA Director Jen Easterly recently emphasized, the response to this shift requires an industry-wide mindset of “preparation, not panic.” This preparation involves confronting foundational security flaws: Easterly has also highlighted that AI forces the cybersecurity industry to confront its chronic software quality crisis. For the modern enterprise, preparation requires defenses deeply integrated into the business core.
While Claude Mythos is not publicly available and is being shared only with key software vendors as part of Project Glasswing, threat actors are using LLMs to carry out attacks with ‘off the shelf’ exploits.
OpenAI also recently announced GPT-5.4-Cyber, a tool specifically tailored to vulnerability research and defensive security. Following the approach taken with Claude Mythos, OpenAI has not made this version available to the general public, only to select vendors, enabling them to find potential security vulnerabilities without necessarily having the source code.
SAP is one of the most widely used applications in the world for powering the global economy. Combined with all of these new technologies, that has elevated SAP security from a technical task to a frontline business-continuity priority.
Managing the Exponential Vulnerability Surge
Enterprise organizations are operating in a period of unprecedented pressure. 2025 saw not only the single biggest SAP zero-day exploitation campaign in history, CVE-2025-31324, but also a record-breaking volume of critical and high-severity SAP Security Notes. LLMs and frontier AI models act as a force multiplier for vulnerability discovery, but they also create a potential increase in the number of exploits threat actors can leverage. Attempting to manage a vulnerability surge through manual processes creates a systemic risk to global operations.
Cloud Security Alliance and Anthropic’s recommendation for this shift is to close the time gap between a patch being released and an organization implementing it. We know all too well that this gap can be days or weeks and, in the case of mission-critical SAP applications, even months. Complicating matters further are cloud migrations and the lack of understanding of who owns which piece of the puzzle, i.e. the SAP RISE Shared Responsibility Model. It’s vital for organizations to understand that they still own this process, including validating that a given patch is applied correctly.
What Organizations Can Do Today:
While patching is the bare minimum that organizations need to protect themselves, it’s implausible to think that your SAP operations teams can patch their way out of an exponential threat. To survive the surge, enterprise security teams require solutions that are purpose-built for the applications they protect. Organizations should also consider these recommendations:
Establish a “VulnOps” Function
Instead of a traditional quarterly scan, a “VulnOps” engine, like Onapsis Assess, delivers continuous discovery of zero-days and automated remediation pipelines across your landscape. This directly addresses the 10X increase in security notes by moving to a proactive, continuous model. For SAP applications in particular, Onapsis pulls in deep research from our global SAP threat intelligence network and Onapsis Research Labs. Security leaders must know what to fix first based on actual SAP threat intelligence prioritization, rather than relying solely on static CVSS scores.
Shift Metrics from “Time-to-Patch” to “Machine-Speed Containment”
Because you can no longer assume a patch will be ready in time, metrics must shift toward pre-patch protection, containment, and machine-speed response, especially for mission-critical SAP systems, which are the lifeblood of operations. Onapsis Defend provides real-time SAP threat monitoring that detects exploit attempts, both AI-driven and human, before threat actors can disrupt the supply chain or compromise financial data. As an added layer of assurance, Onapsis Defend also offers zero-day protection, giving organizations a unique advantage over attackers and the peace of mind of knowing they are protected from zero-day exploitation even before a patch is released by SAP.
Securing the “AI-Augmented” Clean Core
Organizations are rightfully rushing to use AI to accelerate software development. However, AI-driven coding often introduces shadow dependencies and logic hallucinations into the SAP landscape. AI models frequently generate custom ABAP code that functions perfectly for the business process, while simultaneously introducing classic SQL injections or bypassing critical AUTHORITY-CHECK objects due to a lack of specific business context.
Recommendation for Securing the AI-Augmented Clean Core
If an AI model is writing custom code, an automated gatekeeper must check that code. Shifting left will help manage the exponential growth of vulnerabilities that might otherwise have to be fixed in production, by ensuring that those vulnerabilities are fixed while still in development. This ultimately helps reduce the burden on information security teams later on.
Set up a ‘Security Gate’ Between Code Change and Production
Onapsis provides organizations with the ability to adhere to a Secure-by-Design framework. By integrating Onapsis Control directly into the CI/CD pipeline, organizations ensure that every line of custom code (whether ABAP or UI5, produced in-house or by a third party, written with LLMs or by a human) is scanned for vulnerabilities before it hits the production environment. This automated gatekeeping maintains a Clean Core while securely enabling the speed of AI-driven innovation.
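One way such a gate check could look, as an added example (not Onapsis Control's implementation and not from the original article): a heuristic Python scanner that flags the two defect classes named above, dynamic Open SQL clauses and database access without an enforced AUTHORITY-CHECK. The ABAP samples and the `Z_DEMO_ORD` authorization object are constructed for illustration.

```python
import re

# Constructed ABAP samples for illustration; Z_DEMO_ORD is a hypothetical object.
VULNERABLE = """\
REPORT zdemo_orders.
PARAMETERS p_cust TYPE string.
DATA lv_where TYPE string.
* filter is built from raw user input
lv_where = |KUNNR = '{ p_cust }'|.
SELECT * FROM vbak WHERE (lv_where) INTO TABLE @DATA(lt_orders).
"""
HARDENED = """\
REPORT zdemo_orders.
PARAMETERS p_cust TYPE kunnr.
AUTHORITY-CHECK OBJECT 'Z_DEMO_ORD' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
SELECT * FROM vbak WHERE kunnr = @p_cust INTO TABLE @DATA(lt_orders).
"""

# Dynamic token, e.g. WHERE (lv_where) or FROM (lv_table), inside a SQL statement.
DYNAMIC_SQL = re.compile(
    r"\b(SELECT|UPDATE|DELETE)\b.*\b(WHERE|FROM|SET)\s+\(\s*\w+\s*\)", re.I)
DB_ACCESS = re.compile(r"(SELECT(?!-)|UPDATE|DELETE\s+FROM)\b", re.I)

def statements(source):
    """Drop comments, blank out literals, split on the ABAP statement period."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):                       # full-line comment
            continue
        line = re.sub(r"'[^']*'|`[^`]*`", "''", line)  # literals may hold periods
        kept.append(line.split('"', 1)[0])             # inline comment
    return [s.strip() for s in " ".join(kept).split(".") if s.strip()]

def scan(source):
    """Return (rule, statement) findings; an empty list means the gate passes."""
    stmts = statements(source)
    findings = [("dynamic-sql", s) for s in stmts if DYNAMIC_SQL.search(s)]
    db = [s for s in stmts if DB_ACCESS.match(s)]
    checks = [i for i, s in enumerate(stmts)
              if s.upper().startswith("AUTHORITY-CHECK")]
    if db and not checks:
        findings.append(("missing-authority-check", db[0]))
    for i in checks:  # a check whose sy-subrc is never tested enforces nothing
        if "sy-subrc" not in " ".join(stmts[i + 1:i + 2]).lower():
            findings.append(("unchecked-sy-subrc", stmts[i]))
    return findings
```

In a pipeline, a non-empty result from `scan` would fail the build; every dynamic clause is flagged for review, so legitimate uses need an explicit sign-off.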
Moving to Agentic Defense
Modern enterprise security must harness artificial intelligence rather than simply reacting to it. Onapsis recently announced the industry’s first Agentic Gateway for SAP Cybersecurity capabilities. By utilizing the Model Context Protocol (MCP), the platform allows corporate-sanctioned AI agents to securely invoke proprietary Onapsis threat intelligence.
The power of agentic workflows can be found in what we call rapid “shields-up” SAP visibility. Simply ask Onapsis and instantly identify exposure to emerging zero-day SAP threats by cross-referencing exclusive global threat intelligence from Onapsis Research Labs with your specific SAP landscape.
This integration also empowers the Security Operations Center (SOC) to apply agentic workflows to SAP technology, which is frequently seen as a “black box”. It lets a security analyst pivot from simply asking “what’s my risk?” to more action-oriented workflows.
For example, an analyst could ask: “list all the critical open vulnerabilities affecting our core S/4HANA system and draft the remediation plan for our SAP Basis team.”
The Bottom Line for the Board
LLMs that are widely used now and the rise of frontier models like Mythos and GPT-5.4-Cyber mean that the cost of entry for a sophisticated cyberattack has plummeted.
Exploit development that once required a nation-state team months to execute can now be completed by an AI model in minutes. The skills needed to cause significant damage and demand ransom from large organizations have been reduced. All of this culminates in a landscape that will continue to evolve quickly, elevating SAP security to a business problem, not a technology problem.
Managing this accelerated threat landscape that is emerging due to LLMs and models like Anthropic Mythos is no longer a standard IT project. It is a core business risk management requirement. By leveraging the expertise and solutions developed from over 16 years of deep knowledge and research, Onapsis can help organizations deploy the right security automation tools, augmented by AI, to better prepare their mission-critical SAP landscapes for a more resilient, autonomous, and secure future.
The SAP threat landscape is changing faster than ever. Let’s ensure your SAP security controls are ready for what’s next. Let’s talk.
