By Max Yish, Director of Data and Tech Leadership, Finatal
Anthropic’s decision to deploy Mythos through Project Glasswing, alongside AWS, Apple, Google, Microsoft and others, marks a step change in how quickly vulnerabilities can be identified and addressed.
For private equity investors, that shift makes cyber risk more measurable – and therefore much harder to ignore.
Cybersecurity has always played a critical role in building resilient businesses. It keeps systems running, protects data, and limits operational disruption – even if it has often sat in the background of investment discussions.
What AI is changing is the speed and economics of that risk: the gap between discovering a weakness and exploiting it is closing – fast. The question is no longer whether cyber risk exists; it’s how quickly it can be identified, understood, and priced.
For private equity, this cuts across the entire lifecycle: valuation, underwriting, post-acquisition value creation, and exit.
Cybersecurity is no longer just a technical line item in diligence. It’s becoming part of how the asset itself is understood.
A signal from the frontier
Mythos is already showing that AI can identify vulnerabilities across real-world software systems at a speed and scale that manual methods simply cannot match.
At the same time, Project Glasswing has brought together AWS, Apple, Google, Microsoft, CrowdStrike, Palo Alto Networks, JPMorganChase and others in a coordinated effort to secure critical software for the AI era.
When organisations of this calibre align around AI-enabled defensive security, it signals something bigger than better tools; in this case, it signals a shift in the structure of the market.
Cybersecurity has always mattered. What’s changing now is that exposure is becoming more visible, more comparable, and more directly tied to how risk is priced in transactions.
For investors, the implication isn’t that every portfolio company needs to become a cybersecurity business; it’s that cyber posture is becoming a far more visible and material part of how software-enabled businesses are assessed by buyers.
Three structural shifts investors now need to price
From an investor’s perspective, three structural changes matter most.
1. Vulnerability discovery is scalable
AI can review large codebases quickly and consistently, surfacing weaknesses that may have gone undetected for years. Issues buried in legacy systems or complex architectures are now far more likely to be found – by defenders or attackers.
That changes the nature of diligence. Investors are no longer limited to what management teams know (or choose to disclose). The codebase itself is becoming more transparent and that will increasingly shape how risk, remediation effort and deal structure are assessed.
2. Speed is becoming a core risk factor
Cybersecurity is shifting from periodic review to continuous activity. The best-positioned organisations won’t necessarily be those with the deepest expertise – but those that can identify, prioritise and remediate risk fastest.
In this context, delay becomes risk. Operating models need to respond quickly enough to prevent exposure becoming a material event.
3. Risk is becoming measurable
AI-assisted monitoring and continuous scanning are making cyber exposure easier to quantify. This matters not just for security teams, but for CFOs, boards, insurers and investors – all of whom need to understand risk in financial terms.
Once cyber risk becomes measurable, it starts to behave like any other financial input. It can be benchmarked, priced, improved and challenged – alongside other operational and balance sheet risks.
What this means for private equity
Private equity operates within defined hold periods and finite windows for value creation. In this context, cybersecurity is starting to look less like compliance and more like an operational lever.
Due diligence is evolving
Traditional technical diligence has relied on sampling, interviews and selective code review. AI-enabled analysis allows for much broader and deeper assessment – quickly scanning large parts of a business and giving a clearer view of remediation requirements post-acquisition.
The real risk is not what’s found; it’s what’s not – and that risk is becoming more tangible.
As tools like Mythos evolve, the ability to surface hidden technical debt and latent vulnerabilities is improving rapidly, which means that businesses with legacy systems or weak security practices are increasingly exposed – not just operationally, but commercially at the point of sale.
Valuations will reflect cyber posture
As vulnerabilities become easier to detect, they become harder to ignore. Buyers will increasingly differentiate between businesses with strong, well-governed security practices and those carrying significant technical debt or weak controls.
Well-secured platforms may attract broader buyer interest and stronger multiples.
Assets with unresolved exposure may face valuation pressure or conditionality around remediation.
Security becomes part of the operating model
Cybersecurity has often been treated as a cost centre, but that framing is becoming harder to justify.
Improving cyber posture can: reduce incident risk and impact; lower insurance costs; support compliance; and increase buyer confidence at exit. So, in that sense, it starts to behave like any other value creation lever, alongside pricing, procurement or working capital discipline.
A practical framework for investors
In practice, improving cyber posture across the investment lifecycle typically follows four stages:
Identify
Focus on businesses where security has been underinvested, particularly those with legacy architecture, complex codebases or acquisition-driven growth.
Diagnose
Use advanced tooling to assess vulnerabilities in detail, both during diligence and immediately post-acquisition.
Remediate
Prioritise fixes based on business risk, engineering capacity and the value creation plan (not technical perfection).
Re-rate
As risk reduces and resilience improves, the asset becomes more attractive, supporting refinancing, widening the buyer pool and strengthening the exit narrative.
Structurally, this mirrors other forms of operational improvement. The difference is the pace of tooling, as well as the increasing visibility of inaction.
Winners, losers and the repricing of risk
As these dynamics play out, the impact will not be uniform.
There is likely to be continued momentum behind AI-enabled security and code analysis providers, DevSecOps platforms that embed security within development workflows, and solutions focused on continuous monitoring and automated remediation.
At the same time, more traditional, point-in-time testing approaches and legacy tooling that cannot operate at scale may come under increasing pressure.
These approaches will remain part of a mature security strategy. However, their relative value is likely to diminish as faster and more scalable alternatives become standard.
Closing perspective
Cybersecurity has always been important. What’s changing now is its role in investment decision-making.
In an environment where vulnerabilities can be identified and exploited more quickly, cyber risk becomes more transparent, more measurable and more directly linked to value.
For private equity, that makes it fundamental – not only to how risk is underwritten, but to how value is created and, ultimately, how assets are perceived and transacted at exit.