“Toto, I’ve a Feeling We’re Not in Kansas Anymore”: Cyber Resilience for Operational Technology in the Face of Mythos-Driven Attacks


OpenAI, Microsoft MDASH, and Claude Mythos have unwittingly supercharged the attackers’ kill chain, from vulnerability to exploitation to weaponization. AI has revolutionized the threat landscape in two ways: it can quickly reverse-engineer services and applications to discover multiple vulnerabilities in ways human attackers never could, and then its automation capabilities can chain those vulnerabilities together—30, 40, or more at a time. The breadth and speed of these AI-driven attacks mean that a breach is virtually assured. Like Dorothy in The Wizard of Oz, we’re coming to realize that the environment we find ourselves in is fraught with new and powerful dangers. We’re in a strange new threat landscape, as different as Oz is from a dusty Midwestern farm.

We’ve seen that after gaining an initial foothold, agentic attacks conduct reconnaissance and move laterally across workloads and environments within minutes—faster than human-driven detection and response can react. Then they compromise operations, steal sensitive data, or encrypt systems for ransom. These attacks are not just aimed at the traditional IT infrastructure; increasingly, attackers have found Cyber-Physical Systems, Industrial Control Systems, and Operational Technology a fertile ground.

For example, VoltRuptor is an ICS/SCADA malware developed by the Infrastructure Destruction Squad, featuring multi-protocol support, persistence, and anti-forensics capabilities. It has shown up in attacks against critical infrastructure, and it’s being sold on dark web forums. Analysts think it’s coming from state-sponsored campaigns targeting countries that are not pro-Russia or China. This is just one of many examples, and attacks like this are likely to increase, not decrease, in the near term, given the geopolitical zeitgeist.

We’re Off to See the Wizard

Wam Voster, the OT/CPS analyst at Gartner, has recently produced an interesting report entitled, “What CISOs With Cyber-Physical Systems Should Know About Mythos and Project Glasswing”.1 In it, he outlines the problem and several action items that CISOs should pursue:

“While Mythos may accelerate the discovery of vulnerabilities, CISOs should still have the same fundamental controls like asset discovery, traffic analysis and segmentation in place as needed for today’s threat landscape. Segmentation of and within the CPS environment, for example, using data diodes, is a critical control to stop vulnerabilities from being exploited…It allows organizations to isolate vulnerable systems, control access pathways, and ensure critical operations can continue, even in the presence of active compromise.”

So, while the speed and breadth of the attacks are new, Mr. Voster suggests that the defense should continue the path of solid security fundamentals—asset discovery, traffic analysis, and segmentation to control access pathways. It seems that we need to stay on the Yellow Brick Road to reach security and resilience.

We at ColorTokens® certainly agree with his recommendations, and we have solutions to help implement them. Our Xshield™ console gives you “asset discovery and traffic analysis,” as Voster suggests, as shown in Figure 1, below:


Figure 1. The Xshield console visualizes OT network assets and traffic

We then enforce lateral movement controls within and between the layers of the OT architecture, so you can implement his suggestion to “…isolate vulnerable systems, control access pathways.” Our Xshield microsegmentation platform creates granular microsegments in the operational network, just as it does for the enterprise IT environment.

To control traffic and stop AI-driven reconnaissance and lateral movement attacks on your Windows or Linux-based SCADA and Historian servers, we use our lightweight Xshield agent, or the EDR agents you may already have installed from CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint (MDE).

For your L1 devices, such as PLCs, we enforce traffic controls with our Xshield Gatekeeper appliance. It serves as a data diode, as Voster calls for, and more. Not only can it allow data to flow in only one direction between two networks, but it can also enforce traffic controls within the network, preventing malware from moving from one industrial control device to another, as shown in Figure 2:

Figure 2. ColorTokens traffic enforcement points in the OT environment.

Faster Than a Flying Monkey

Voster goes on to say that CISOs should “Accelerate and improve vulnerability detection and remediation capabilities, particularly for legacy CPSs. CISOs should revise incident response playbooks to prepare for autonomous AI-driven attacks…”

Our Xshield AI Agent formulates new traffic policies informed by up-to-date MITRE Lateral Movement Attack Tactics, Techniques, and Procedures (TTPs). The Xshield console exposes which resources in your enterprise environment are susceptible to an emergent TTP, and our AI agent automatically generates policies to block those tactics before the attacker acts.

In addition, our integration with CrowdStrike, SentinelOne, and MDE enables us to respond in real time to indications of compromise from the EDR systems, so we can quarantine affected resources and isolate critical ones within seconds. What the EDR system detects, our microsegmentation system contains. This really is your EDR and microsegmentation solutions working together to powerfully protect your enterprise from catastrophic impact. At ColorTokens, we’ve taken the next step to thwart AI-accelerated attackers by becoming part of your incident response playbook.
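As an added illustration (not ColorTokens’ code or the Xshield API), here is a toy model of the detect-then-contain workflow described above: a default-deny zone policy with a diode-style outbound-only rule and no PLC-to-PLC rule, plus an EDR event handler that quarantines the flagged host and ring-fences the L1 devices. Host names, zone labels and the event format are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Default-deny segmentation policy; hosts are mapped to Purdue-style zones."""
    zone_of: dict                                   # host -> zone name
    allow: set = field(default_factory=set)         # (src_zone, dst_zone, port) a host may initiate
    quarantined: set = field(default_factory=set)   # hosts an EDR flagged as compromised
    ringfenced: set = field(default_factory=set)    # critical hosts isolated during an incident

    def is_allowed(self, src, dst, port):
        """True if src may initiate a connection to dst:port under the current policy."""
        if src in self.quarantined or dst in self.quarantined:
            return False  # a quarantined host neither sends nor receives
        if dst in self.ringfenced and self.zone_of.get(src) != self.zone_of.get(dst):
            return False  # ring-fenced assets accept nothing from outside their zone
        return (self.zone_of.get(src), self.zone_of.get(dst), port) in self.allow

    def on_edr_event(self, event):
        """Turn an EDR detection (constructed format) into containment: quarantine the
        flagged host and ring-fence every L1 device so the incident cannot reach them."""
        if event.get("severity") not in ("high", "critical"):
            return sorted(self.quarantined), sorted(self.ringfenced)
        self.quarantined.add(event["host"])
        self.ringfenced |= {h for h, z in self.zone_of.items() if z == "L1-PLC"}
        return sorted(self.quarantined), sorted(self.ringfenced)

def build_demo_policy():
    """Constructed OT estate: enterprise workstation, SCADA + Historian, two PLCs."""
    zone_of = {"eng-ws-01": "L3-enterprise", "scada-01": "L2-control",
               "hist-01": "L2-control", "plc-01": "L1-PLC", "plc-02": "L1-PLC"}
    allow = {
        ("L2-control", "L1-PLC", 502),         # SCADA polls PLCs over Modbus/TCP
        ("L2-control", "L2-control", 1433),    # SCADA writes tags to the Historian
        ("L2-control", "L3-enterprise", 443),  # Historian pushes outward; nothing from
    }                                          # L3 initiates inward (diode-style), and
    return Policy(zone_of, allow)              # no PLC-to-PLC rule exists at all

if __name__ == "__main__":
    p = build_demo_policy()
    print("before:", p.is_allowed("scada-01", "plc-01", 502))  # True
    p.on_edr_event({"host": "scada-01", "severity": "high", "source": "edr-demo"})
    print("after: ", p.is_allowed("scada-01", "plc-01", 502))  # False
```

Note that the Historian-to-PLC poll is also cut once the PLCs are ring-fenced, which is the operational trade-off of isolating critical assets during an incident.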

There’s No Place Like Home

Implementing ColorTokens Xshield protects your estate with a robust security posture that ensures critical operations can continue seamlessly, even amid active compromise, as Mr. Voster emphasizes in his report. We agree with him that “CISOs must recognize resilience—rather than prevention alone”—as a fundamental principle, since staying ahead of AI-driven vulnerability discovery may be impossible. Xshield empowers your organization to contain AI-driven attacks, preventing operational disruptions even if the network perimeter is initially breached. It provides the resilience your operational network needs. That’s why we confidently say that ColorTokens makes your operational technology network breach ready.

Schedule a discussion with one of our solution experts on how ColorTokens can help your digital operations Be Breach Ready™.


Source

1 Gartner, “What CISOs With Cyber-Physical Systems Should Know About Mythos and Project Glasswing,” Wam Voster, Gartner Report ID G00856256, May 28, 2026, www.gartner.com.