Mythal by Next-Era
White Paper · June 2026

Autonomous vulnerability remediation for critical infrastructure.

Mythal closes the loop from CVE discovery to verified fix at machine speed — orchestrating twelve specialized AI agents while an OT Safety Officer holds veto rights over any change that touches Operational Technology. Every action emits auditor-ready evidence.

"From CVE to verified fix — at machine speed, under human and OT control."
Author: Next-Era
Sectors: Rail · Power · Water · Pipeline · Healthcare
Engine: sentinelgrid-api
Version: June 2026

01

Executive summary

Vulnerability discovery has outrun human remediation. A single Patch Tuesday can ship 163 CVEs, and AI-assisted patch-diffing collapses the window between disclosure and working exploit to hours. Yet the median enterprise still measures remediation in weeks. For critical-infrastructure operators — rail, power, water, pipeline, healthcare — the gap is not merely operational risk; it is a safety and regulatory exposure that conventional IT tooling is structurally unable to close.

Mythal is an autonomous vulnerability-remediation platform — a fix-control plane — purpose-built for these environments. It orchestrates twelve specialized AI agents to drive each finding through a deterministic state machine, from discovery to verified, evidence-backed closure. Where automation meets Operational Technology (OT) or Critical Cyber Systems (CCS), a dedicated OT Safety Officer agent holds explicit veto authority, and a deterministic Policy Guard enforces dual approval, maintenance windows, and tested rollback before any change is permitted to execute.

Mythal does not replace the human decision. It removes the toil around it — so the engineer's judgment is applied to the one change that matters, not the thousand that don't.

The result is a platform that compresses mean-time-to-remediate from weeks toward minutes for eligible findings, holds the line on safety for everything else, and produces compliance evidence mapped to TSA, NIST and IEC 62443 controls as a byproduct of normal operation rather than a quarterly fire drill.

02

The problem

Three forces have converged to make manual vulnerability remediation indefensible for critical-infrastructure operators.

  • 163 CVEs in a single Patch Tuesday — discovery velocity now exceeds human triage capacity.
  • 22+ days typical remediation MTTR, while AI-assisted patch-diffing yields working exploits within hours.
  • 100% of OT operators veto any tool lacking an explicit safety model — IT-only automation cannot touch the plant.

Discovery has outrun remediation

The volume of disclosed vulnerabilities grows every quarter, and exploit development has been industrialized. Defenders no longer have the luxury of monthly patch cycles; they face an adversary who can weaponize a disclosure before the change ticket is even drafted.

Prioritization and change friction at scale

Knowing which of ten thousand open findings actually matters — and which can be safely automated — is a problem of evidence, not effort. Compounding it: change-control friction, rollback risk, fragmented compliance evidence scattered across spreadsheets and ticketing systems, and an inventory that drifts faster than anyone can map it.

OT changes the rules

In Operational Technology environments, a botched patch is not a help-desk ticket — it can stop a train, trip a substation, or halt a water-treatment process. Operators are right to veto any tool without an explicit, demonstrable safety model. This is precisely the gap IT-only remediation tools cannot cross.

03

What Mythal is

Mythal is a closed-loop, autonomous remediation platform — a fix-control plane that sits above an operator's existing scanners, configuration-management tooling, and OT systems. Rather than producing another queue of findings for humans to triage, Mythal takes ownership of each finding and drives it to resolution.

The control plane is built on three commitments. First, autonomy with brakes: agents reason, plan and execute, but a deterministic policy layer and the OT Safety Officer can stop or gate any action. Second, verification, not assumption: a fix is not "done" until Mythal has re-scanned, confirmed exploit-safety, and validated asset health — or rolled the change back. Third, evidence by default: every decision, message and step is recorded in a tamper-evident ledger and tagged to compliance controls as it happens.

"A vulnerability scanner tells you what is wrong. A fix-control plane closes it — verifiably, safely, and with the paperwork already done." — Mythal design principle

04

How it works — the closed loop

Every finding in Mythal advances through an explicit state machine. The progression is deterministic and auditable; agents propose and act, but state only advances when entry conditions and policy gates are satisfied.

DISCOVERED → ENRICHED → PRIORITIZED → PLANNED → AWAITING_APPROVAL → EXECUTING → VERIFIED → CLOSED
Branches: ROLLED_BACK when verification or health checks fail · ESCALATED when policy denies or human judgment is required.

A finding is discovered from one of eight-plus scanners and normalized. It is enriched with threat intelligence, then prioritized by a composite risk score. The Remediation Planner produces a concrete plan, which enters awaiting-approval where the Policy Guard and — for OT/CCS — the OT Safety Officer decide whether it auto-applies, needs one approval, needs dual approval, or is denied. Approved plans move to executing via vetted integration drivers, then to verified by re-scan and health check, and finally to closed with full evidence attached.
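The state machine described above, written out as an added example (not Mythal's own code): a transition table that admits only the linear path plus the ROLLED_BACK and ESCALATED branches, entry conditions that must hold before a state is entered, and a driver that walks one finding through the loop. The entry conditions, the field names on the finding, and the constructed enrichment values are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(str, Enum):
    DISCOVERED = "DISCOVERED"
    ENRICHED = "ENRICHED"
    PRIORITIZED = "PRIORITIZED"
    PLANNED = "PLANNED"
    AWAITING_APPROVAL = "AWAITING_APPROVAL"
    EXECUTING = "EXECUTING"
    VERIFIED = "VERIFIED"
    CLOSED = "CLOSED"
    ROLLED_BACK = "ROLLED_BACK"   # verification or health check failed
    ESCALATED = "ESCALATED"       # policy denied or human judgment required


# Legal transitions: the linear path plus the two branches. Anything else is rejected.
TRANSITIONS: dict[State, set[State]] = {
    State.DISCOVERED: {State.ENRICHED},
    State.ENRICHED: {State.PRIORITIZED},
    State.PRIORITIZED: {State.PLANNED},
    State.PLANNED: {State.AWAITING_APPROVAL},
    State.AWAITING_APPROVAL: {State.EXECUTING, State.ESCALATED},
    State.EXECUTING: {State.VERIFIED, State.ROLLED_BACK},
    State.VERIFIED: {State.CLOSED},
    State.CLOSED: set(),
    State.ROLLED_BACK: set(),
    State.ESCALATED: set(),
}


@dataclass
class Finding:
    asset_id: str
    cve: str
    state: State = State.DISCOVERED
    intel: dict = field(default_factory=dict)    # filled by Threat Intel (assumed field)
    risk_score: float | None = None              # filled by prioritization (assumed field)
    plan: dict | None = None                     # filled by Remediation Planner (assumed field)
    decision: str | None = None                  # policy-gate verdict (assumed field)
    history: list[str] = field(default_factory=list)


def entry_conditions_met(f: Finding, nxt: State) -> bool:
    """Evidence that must exist before a state may be entered (assumed conditions)."""
    if nxt is State.ENRICHED:
        return bool(f.intel)
    if nxt is State.PRIORITIZED:
        return f.risk_score is not None
    if nxt is State.PLANNED:
        return f.plan is not None and bool(f.plan.get("rollback"))
    if nxt is State.EXECUTING:
        return f.decision in {"auto_apply", "approved"}
    return True


def advance(f: Finding, nxt: State) -> Finding:
    """Advance only if the transition is legal and the entry condition holds."""
    if nxt not in TRANSITIONS[f.state]:
        raise ValueError(f"illegal transition {f.state.value} -> {nxt.value}")
    if not entry_conditions_met(f, nxt):
        raise ValueError(f"entry condition for {nxt.value} not met")
    f.history.append(f"{f.state.value}->{nxt.value}")
    f.state = nxt
    return f


def run_loop(f: Finding, decision: str, verification_passed: bool) -> State:
    """Drive one finding through the loop with constructed agent outputs.

    `decision` is the policy-gate verdict ("auto_apply", "approved" or "deny");
    `verification_passed` is the Verifier's re-scan / health-check result.
    """
    f.intel = {"kev": True, "epss": 0.62}                        # constructed enrichment
    advance(f, State.ENRICHED)
    f.risk_score = 0.91                                          # constructed composite score
    advance(f, State.PRIORITIZED)
    f.plan = {"steps": ["apply_patch"], "rollback": ["rollback"]}
    advance(f, State.PLANNED)
    advance(f, State.AWAITING_APPROVAL)
    f.decision = decision
    if decision == "deny":
        return advance(f, State.ESCALATED).state
    advance(f, State.EXECUTING)
    if not verification_passed:
        return advance(f, State.ROLLED_BACK).state
    advance(f, State.VERIFIED)
    return advance(f, State.CLOSED).state
```

The point of the table is that an agent cannot skip a gate: there is no edge from DISCOVERED or PLANNED into EXECUTING, and EXECUTING is only entered once a recorded decision permits it, so a mis-reasoning agent can at worst stall a finding, not push an unapproved change.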

05

The twelve agents

Mythal's intelligence is decomposed into twelve specialized agents coordinated by a Supervisor that owns the finite-state machine. Specialization keeps each agent's reasoning narrow, testable, and individually governable.

  • Supervisor: Orchestrator FSM; routes every finding through the state machine. Runs on claude-opus-4-7.
  • Scanner Liaison: Normalizes findings from 8+ scanners; deduplicates on asset_id + CVE.
  • Threat Intel: Correlates NVD, CISA KEV, EPSS, vendor PSIRTs, ICS-CERT, and MITRE ATT&CK for ICS.
  • Patch Hunter: Finds fixes and workarounds; assigns a reliability score from 0 to 1.
  • Impact Analyst: Joins CMDB + dependency graph into a business-impact profile.
  • Change Risk: Models failure rates, maintenance windows, canary, blast radius, and rollback.
  • OT Safety Officer (VETO): Veto over OT/CCS changes; proposes compensating controls; enforces dual approval, window & tested rollback per NIST 800-82r3 & IEC 62443. Runs on claude-opus-4-7.
  • Remediation Planner: Builds the concrete plan: steps, order, approvals, rollback, verification.
  • Executor: Applies changes only via approved integration drivers; records per-step result and rollback.
  • Verifier: Re-scans, runs exploit-safety and health checks; closes the finding or rolls it back.
  • Compliance Reporter: Tags evidence to frameworks; exports PDF + JSON.
  • Inventory Insights: Proactive, CVE-independent: detects EOL, version sprawl, shadow IT, CCS-without-owner, identity hygiene.

06

Integrations & drivers

Mythal acts on the estate exclusively through vetted integration drivers — each implementing a uniform apply_patch() / rollback() contract — so that execution is consistent, reversible, and confined to systems the operator has explicitly enabled. Findings are normalized from a broad set of IT and OT scanners.
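The uniform driver contract and the Executor's behaviour around it, as an added example rather than Mythal's own driver code. The `apply_patch()` / `rollback()` names come from the text; their signatures, the fake configuration-management driver, and the rule that an Executor refuses any driver the operator has not enabled are assumptions for the illustration. When one step of a multi-asset change fails, the steps already applied are reverted in reverse order and every result is logged.

```python
from __future__ import annotations

from abc import ABC, abstractmethod
from dataclasses import dataclass, field


class Driver(ABC):
    """Contract every integration driver implements (signatures assumed)."""
    name: str

    @abstractmethod
    def apply_patch(self, asset_id: str, patch_ref: str) -> dict: ...

    @abstractmethod
    def rollback(self, asset_id: str, patch_ref: str) -> dict: ...


class FakeConfigMgmtDriver(Driver):
    """Constructed stand-in for a configuration-management driver.

    Assets listed in `broken` fail their post-apply health check, which is how the
    example exercises the rollback path.
    """
    name = "fake-cm"

    def __init__(self, broken: set[str] | None = None):
        self.broken = broken or set()
        self.applied: list[tuple[str, str]] = []

    def apply_patch(self, asset_id: str, patch_ref: str) -> dict:
        if asset_id in self.broken:
            raise RuntimeError(f"{asset_id}: patch failed health check")
        self.applied.append((asset_id, patch_ref))
        return {"asset_id": asset_id, "patch": patch_ref, "status": "applied"}

    def rollback(self, asset_id: str, patch_ref: str) -> dict:
        self.applied = [p for p in self.applied if p != (asset_id, patch_ref)]
        return {"asset_id": asset_id, "patch": patch_ref, "status": "rolled_back"}


@dataclass
class Executor:
    drivers: dict[str, Driver]
    enabled: set[str]                 # drivers the operator has explicitly enabled
    log: list[dict] = field(default_factory=list)   # per-step evidence

    def can_use(self, driver_name: str) -> bool:
        return driver_name in self.enabled and driver_name in self.drivers

    def run(self, driver_name: str, steps: list[tuple[str, str]]) -> dict:
        """Apply (asset_id, patch_ref) steps in order; on failure revert what was done."""
        if not self.can_use(driver_name):
            raise PermissionError(f"driver {driver_name!r} is not enabled for this estate")
        drv = self.drivers[driver_name]
        done: list[tuple[str, str]] = []
        for asset_id, patch_ref in steps:
            try:
                res = drv.apply_patch(asset_id, patch_ref)
                self.log.append({"step": "apply_patch", **res})
                done.append((asset_id, patch_ref))
            except Exception as exc:
                self.log.append({"step": "apply_patch", "asset_id": asset_id,
                                 "status": "failed", "error": str(exc)})
                # Reverse order: the last change applied is the first one undone.
                for a, p in reversed(done):
                    self.log.append({"step": "rollback", **drv.rollback(a, p)})
                return {"status": "rolled_back", "failed_at": asset_id, "reverted": len(done)}
        return {"status": "applied", "count": len(done)}
```

Keeping the enable-list on the Executor rather than in each driver means a newly installed driver is inert until an operator turns it on, which is the "confined to systems the operator has explicitly enabled" property in code.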

Scanners (normalized): Qualys VMDR · Tenable.io · Rapid7 InsightVM · Wiz · Defender VM · Claroty xDome · Nozomi · Dragos
Patch / Execution: Ansible · Microsoft SCCM · Tanium · BigFix · Puppet · Chef
Network / Security: Cisco Catalyst Center · Palo Alto Panorama · Cisco Firepower
Identity & Cloud: Microsoft Entra · AWS Systems Manager · Azure Arc
Operational Technology: Tenable OT · Claroty SRA

07

Threat intelligence & feeds

Prioritization is only as good as the intelligence behind it. The Threat Intel agent continuously ingests authoritative feeds and grounds every enrichment in live data, with deterministic fallbacks so the platform remains operational even when an upstream source is unreachable.

  • CISA KEV — live Known Exploited Vulnerabilities catalog, with an offline snapshot fallback and a one-hour cache to guarantee continuity.
  • FIRST.org EPSS — exploit-prediction scoring to estimate the probability that a vulnerability will be exploited in the wild.
  • Master CVE catalog sync — continuous reconciliation against the authoritative vulnerability record.
  • ICS-specific sources — ICS-CERT advisories, vendor PSIRTs, and MITRE ATT&CK for ICS for OT-aware context.

08

Risk scoring & prioritization

Mythal computes a composite risk score per finding rather than relying on CVSS alone. The score blends severity, real-world exploitation signal, the dependability of an available fix, and the operational context of the affected asset — and resolves directly into a policy-gate decision.

  • CVSS base severity, combined with EPSS exploit-prediction and KEV status for known active exploitation.
  • Ransomware association uplift for vulnerabilities tied to known campaigns.
  • Patch-reliability band from the Patch Hunter, so a fragile fix is never auto-applied.
  • Business-impact and change-risk profiles from the Impact Analyst and Change Risk agents.

The composite resolves to one of four decisions — auto_apply, single_approval, dual_approval, or deny — subject always to OT override.

09

OT safety & the Policy Guard

This is where Mythal departs from every IT-centric remediation tool. Operational Technology is read-only by default. No change reaches an OT or CCS asset without clearing both a deterministic policy layer and the OT Safety Officer agent, which holds explicit veto authority and can substitute compensating controls when a direct patch is unsafe.

The Policy Guard is a deterministic rule engine — extensible via OPA — so its decisions are predictable, testable, and never delegated to a probabilistic model:

  • SG-POL-001: CCS changes require dual approval, a maintenance window, and a valid rollback plan.
  • SG-POL-002: OT-zone changes require dual approval — security and OT operations.
  • SG-POL-003: IT changes auto-apply when criticality ≤ Medium, patch reliability ≥ 0.85, a canary peer is present, the window is open, and rollback is valid.
  • SG-POL-004: Default to single IT approval where no stronger rule applies.
  • SG-POL-006: A CCS change without a rollback plan is denied.
  • SG-POL-007: Any change during a blackout window is denied.

OT zones are modeled and segmented in line with IEC 62443 and NIST 800-82r3. The OT Safety Officer enforces dual approval, maintenance-window adherence, and a tested rollback for every change touching the plant.
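The Policy Guard rules listed above and the four-way decision from the risk-scoring section, as an added example in plain Python (not Mythal's rule engine or its OPA policy). The rule identifiers, thresholds and decision names are the page's; the zone labels, the field names on the request, the precedence order (deny rules evaluated first), the treatment of a CCS change outside its window as denied under SG-POL-001, and the shape of the OT Safety Officer veto are assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

CRITICALITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class ChangeRequest:
    asset_id: str
    zone: str                  # "IT", "OT" or "CCS" (constructed zone labels)
    criticality: str           # Low / Medium / High / Critical
    patch_reliability: float   # Patch Hunter score, 0..1
    canary_present: bool
    window_open: bool          # inside an approved maintenance window
    blackout_window: bool      # inside a declared blackout window
    rollback_valid: bool       # rollback plan exists and has been tested


def policy_guard(cr: ChangeRequest) -> tuple[str, str]:
    """Deterministic gate: returns (decision, rule_id).

    Deny rules are evaluated first so that a later permissive rule can never
    override them; the ordering itself is an assumption of this example.
    """
    if cr.blackout_window:
        return "deny", "SG-POL-007"
    if cr.zone == "CCS" and not cr.rollback_valid:
        return "deny", "SG-POL-006"
    if cr.zone == "CCS":
        # SG-POL-001: dual approval AND a window AND valid rollback. Rollback is
        # already known valid here; outside a window we deny (assumed handling).
        return ("dual_approval", "SG-POL-001") if cr.window_open else ("deny", "SG-POL-001")
    if cr.zone == "OT":
        return "dual_approval", "SG-POL-002"
    if (CRITICALITY_RANK[cr.criticality] <= CRITICALITY_RANK["Medium"]
            and cr.patch_reliability >= 0.85
            and cr.canary_present
            and cr.window_open
            and cr.rollback_valid):
        return "auto_apply", "SG-POL-003"
    return "single_approval", "SG-POL-004"


def gate(cr: ChangeRequest, ot_veto: bool = False,
         compensating_control: str | None = None) -> dict:
    """Combine the rule engine with the OT Safety Officer's veto (assumed shape).

    The veto applies only to OT/CCS zones and always wins over the rule engine;
    when the officer supplies a compensating control, that control rather than the
    direct patch becomes the thing to plan.
    """
    decision, rule = policy_guard(cr)
    if cr.zone in {"OT", "CCS"} and ot_veto:
        return {
            "decision": "deny",
            "rule": "OT_SAFETY_OFFICER_VETO",
            "policy_rule": rule,
            "compensating_control": compensating_control,
        }
    return {"decision": decision, "rule": rule}
```

Because every branch returns the rule that fired, the decision is explainable to an auditor without consulting any model output, and a unit test can pin each rule to a concrete input; that is what makes a policy layer like this testable in a way a prompt is not.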

10

Compliance & evidence

Because every agent message, decision, approval, and execution step is recorded as it happens, compliance evidence is a byproduct of normal operation rather than a separate effort. The Compliance Reporter tags evidence to control frameworks and exports auditor-ready PDF and JSON in seconds.

TSA SD 1580-21-01 (Rail) · NIST CSF 2.0 · NIST 800-82r3 (ICS) · IEC 62443 · SOX · HIPAA · PCI

An auditor asks "show me how this CCS vulnerability was remediated," and Mythal returns the full reasoning trace, the approvals, the policy decision, the execution log, and the verification result — already mapped to the relevant control.

11

Architecture & technology

Mythal is engineered for production critical-infrastructure environments, with a deterministic rule-engine fallback that lets the platform run with no external model dependency for CI and demo safety.

  • Backend — FastAPI on Python 3.11.
  • State & bus — PostgreSQL 16 for durable state; Redis 7 as the agent message bus.
  • Reasoning — Anthropic (claude-opus-4-7 / claude-sonnet-4-6) or OpenAI, with a deterministic rule-engine fallback that has no external dependencies.
  • Console — Next.js 15 / React / TypeScript, with Recharts, Reactflow, and SWR.
  • Deployment — Docker Compose; engine packaged as sentinelgrid-api.

12

The console

The Mythal console gives security and OT teams a single command center over the entire remediation lifecycle. Its pages are designed for the realities of a critical-infrastructure operation — including a dedicated OT Operations view and a drag-to-approve plan board.

Operate: Command Center · Findings · Plans Kanban · Agent Activity
Estate & OT: Asset Estate · OT Operations · Inventory Insights · Live Feeds
Govern: Compliance · Policy Studio · Admin
Connect: Integrations

13

Outcomes & evaluation

Mythal is evaluated against operational KPIs that map directly to executive and regulatory concerns. The targets below frame the value the platform is built to deliver.

  • MTTR collapse: Remediation time for eligible findings compressed from 22+ days toward minutes.
  • Safe auto-remediation rate: Share of findings closed automatically without incident, gated by reliability and policy.
  • Evidence-export time: Auditor-ready package generated in under 60 seconds.
  • Audit-prep reduction: Quarterly evidence assembly shifts from weeks to on-demand.

14

Security & governance

Mythal is built to be trusted with production change in safety-critical environments, which demands a higher bar than typical SaaS automation.

  • Tamper-evident ledger — every inter-agent message is signed with HMAC-SHA256 and written to an append-only log.
  • Prompt-injection defense — external content is wrapped in untrusted tags and screened by a pre-flight classifier before any agent reasons over it.
  • Write-ahead message log — actions are durably recorded before execution, ensuring recoverability and a complete audit trail.
  • Full reasoning trace — every finding carries an end-to-end record of how each decision was reached.
  • Deterministic fallback — a rule engine with no external dependencies keeps the platform safe and operable for CI and demos.
  • OT read-only default & veto — the plant is protected by design, not by configuration.
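The tamper-evident ledger and the write-ahead message log from the list above, as an added example that is not Mythal's own ledger code. What the page states is that inter-agent messages are signed with HMAC-SHA256 and written to an append-only log, and that actions are recorded before execution. The chaining of each entry's MAC over the previous MAC, the sequence numbers, the canonical JSON encoding and the `record_then_execute` wrapper are assumptions added so that the example can detect modification, deletion and reordering, not only a forged single entry.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable

GENESIS = "0" * 64   # "previous MAC" of the first entry


def _canonical(obj: dict) -> bytes:
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Ledger:
    key: bytes                                   # held by the ledger service, not by agents
    entries: list[dict] = field(default_factory=list)

    def append(self, message: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "message": message}
        mac = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (ok, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {"seq": e["seq"], "prev": e["prev"], "message": e["message"]}
            expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
                return False, i
            prev = e["mac"]
        return True, None


def record_then_execute(ledger: Ledger, step: dict, action: Callable[[], object]) -> dict:
    """Write-ahead: the intent is in the ledger before the driver runs; the
    outcome (success or failure) is appended afterwards."""
    ledger.append({"kind": "intent", **step})
    try:
        outcome = action()
        ledger.append({"kind": "result", "step": step["step"], "ok": True, "outcome": str(outcome)})
        return {"ok": True, "outcome": outcome}
    except Exception as exc:
        ledger.append({"kind": "result", "step": step["step"], "ok": False, "error": str(exc)})
        return {"ok": False, "error": str(exc)}
```

Two caveats a reviewer would raise. HMAC is symmetric, so anyone holding the key can produce a valid chain; the key therefore belongs to the ledger service alone, and an agent that could sign its own messages would defeat the tamper evidence. Second, a chain like this detects modification, deletion and reordering inside the log but not truncation of the tail, so the current head MAC needs to be anchored somewhere the log writer cannot alter (periodically copied to a separate store or a signed checkpoint) for the "append-only" property to be verifiable.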

See Mythal close the loop on a live estate.

Request a demo against the Meridian Continental Railway simulated estate — 6,500 assets, real OT zones, and end-to-end compliance evidence in under a minute.