The core of my last post was an asymmetry. An attack can unfold in two steps or 20, but the vocabulary it draws from never grows. The same small set of primitives (executable memory, control flow, process manipulation, credential access, encryption) is all any attack has ever had to work with. Guard that set, and the form of the attack stops mattering.
Two developments since then sharpen the picture. One put a number on how fast the attacker's side is moving. The other showed the whole industry, including the AI labs themselves, converging on the answer Sophos has been building for years.
Together, they expose an uncomfortable gap: the answer everyone now agrees on is not the one most products actually ship.
The new number: N-day became N-hour
In June, Anthropic's red team published a study on N-day vulnerabilities, the flaws that are already patched but still exploitable on machines that have not applied the fix. Handed only the public patches, the Mythos model turned them into working exploits: eight code-execution exploits from 18 Firefox patches, and eight full privilege-escalation chains from 21 Windows kernel patches.
On one Firefox bug, it produced a working exploit in under an hour. The fixed browser took 18 days to reach users. Anthropic's conclusion: "N-day" has become dangerously misleading. "N-hour" is closer to reality.
The window between a patch existing and that patch protecting you is now measured in hours. Notably, the lab evaluated against jsshell, the standalone engine that runs outside the browser's sandbox and process mitigations, chosen to keep exploit verification simple and reliable. That choice quietly confirms the point: mitigations are precisely what turn reliable exploitation into unreliable exploitation. Making it unreliable is the entire job of this layer.
The convergence: the labs now recommend what we build
On June 22, OpenAI expanded Daybreak, its cyber-defense program, on the explicit premise that finding vulnerabilities is no longer the bottleneck; shipping the fix is. Sophos is among its named partners.
Both Anthropic and OpenAI name the same durable fix: move critical code to memory-safe programming languages and apply mitigations that retire whole classes of exploitation at once. Microsoft made the same argument more than a decade ago and shipped it as EMET. Defenders are now warned to prepare for these AI capabilities to be broadly available within six to 24 months, a trend of the technology rather than any single model.
The field has converged. Retire the exploit class instead of chasing the sample. Which raises the obvious question: if everyone agrees, why are most endpoints still not protected this way?
Microsoft moved. Just not in user mode.
Over the last decade, Microsoft has made real structural progress in the kernel. Virtualization-Based Security and Hypervisor-Protected Code Integrity on Secured-core PCs have genuinely raised the bar against kernel exploitation. Microsoft can do that because the kernel is a controlled environment: trusted, digitally signed code that has passed Windows Hardware Quality Labs certification.
User mode is the opposite. Browsers, office suites, and unknown downloaded executables form an open environment that must run whatever a user installs. That is the layer stuck on a 2008 playbook, and it is the layer Sophos operates in.
The uncomfortable gap: what "exploit mitigation" usually means
Most endpoint products do not ship much proactive mitigation in user mode at all. Their prevention is mostly behavioral detection, flagging an attack after it has already begun to execute. Where a product does offer something labeled "exploit mitigation," it is usually the same short list: force DEP, force ASLR, SEH overwrite protection, null-page allocation, and heap-spray pre-allocation.
Look at the dates. DEP arrived in 2004, ASLR in 2007, SEHOP in 2008, and null-page protection in Windows 8 in 2012. On a modern 64-bit machine, the protection they describe is effectively already there by default. Re-flipping these switches changes very little. It does nothing about the tradecraft, the injection, token theft, defense evasion, and encryption, where modern attacks actually live.
The powerful modern mitigations exist. They are just turned off. Here is the same thing measured, straight from live Windows policy via Get-ProcessMitigation.

Grey is the Windows default (four mitigations). Purple is the developer opt-in (little to none). The two blue bands are Sophos: an every-process layer that covers everything (41 mitigations) plus app-scoped enforcements on known software, 60 in total. In the last bar, malware opts into nothing from Windows or any developer, yet still meets the 41 every-process Sophos mitigations. These counts reflect the product at the time of writing; they change as we develop new mitigations and retire ones the threat landscape no longer demands.
Why do the powerful mitigations stay off? Three structural reasons.
- The opt-in flaw. Control Flow Guard and hardware shadow stacks must be compiled in by the application's developer. Malware authors do not opt their code into Microsoft's protections. Most application developers do not either.
- The management burden. Microsoft's user-mode Exploit Protection is configured by mapping mitigations to individual executables through complex XML files and testing one application at a time. That overhead is so high that Microsoft removed Exploit Protection from its own MDM security baseline in December 2020, on the grounds that forcing it broadly could do more harm than good.
- Zero visibility. Even when an administrator switches a mitigation on, Windows tells them very little: a toast notification and a buried event log entry when it fires, and a generic application crash when it breaks something. Actionable reporting requires a separate Defender for Endpoint license. Most administrators will not accept that risk, so the capability stays in the box.
When the platform vendor cannot practically keep its own advanced mitigations on at scale, a security product that merely re-exposes the same switches has not moved the problem forward.
What moving the layer forward looks like
Sophos took the other path. Rather than re-exposing the operating system's switches, we built new mitigations at the level the platform itself operates, the kind the OS would enforce everywhere if it could do so without breaking the software ecosystem. These are security controls purpose-built for the AI era, for a threat that now writes its own exploits in hours. Four things set that layer apart, and to our knowledge, no other vendor brings all four together.
1. Proprietary, at the operating system's own depth. Sixty mitigations, several patented, enforce the memory, control-flow, and process integrity that is normally the platform's job. When Anthropic names the durable fix, its examples are Control Flow Guard and hardware shadow stacks. Both depend on the application developer to compile them in, and shadow stacks also require Control-flow Enforcement Technology (CET) capable hardware. As the chart shows, in practice, they are mostly off. We do our own enforcement, and it needs neither a recompile nor specific silicon.
2. On by default, visible, and curated by a managed loop. When a mitigation fires on legitimate code, it emits a granular thumbprint. Sophos sanctions the known-good exception and pushes the clean state globally, often before a customer has filed a case. That vendor-side curation lets aggressive mitigations ship on by default without breaking applications. It also means the customer sees what Windows hides: every mitigation event returns as a detailed, attributed report showing what fired, in which process, and where the executing code came from, instead of reverse-engineering a crash from an event log. Enforcement you can see, with a managed exception process behind it, is exactly what an OS mitigation cannot offer.
3. On every process, known or unknown. Traditional exploit mitigation hardens the known applications an administrator has configured. Sophos applies to those and to unknown executables alike. The layer covers every process with nothing to opt into. On your applications, it is a guard. On malware, it is a trap.
4. Primitive-level, not technique-level, across the whole chain. Offensive AI does not just compress the time to write an exploit. Frontier models show strong skills in agentic hacking, automating multiple parts of a cyberattack beyond initial access. Human threat actors and AI-assisted tools will keep generating heavily obfuscated or novel code designed to slip past static scanners. So, we do not try to recognize the attack. We deny the small set of primitives any attack must use, from initial access to impact.
At the execution end, dynamic shellcode protection constrains how much executable memory a process can carve out beyond its own image and loaded DLLs. At the impact end, CryptoGuard inspects your files for the mathematical fingerprint of encryption: the collapse of a structured document into uniform, maximum-entropy noise. It rolls the damage back, whether the ransomware used a Windows crypto API or its own, and even when the ransomware runs from another machine entirely. Between those ends sit kernel-level privilege-escalation prevention, credential and session protection, and the rest.
Behavioral detection is probabilistic: it observes a sequence of events and judges whether it looks suspicious. Obfuscation by human adversaries or AI-assisted tools is designed to evade exactly that judgment. Primitive mitigation is deterministic. It enforces a hard structural or mathematical constraint at the point of execution.
Where this layer ends
This layer is not a magic shield. Anthropic notes that defenses relying on added friction can weaken against AI models working at scale and low cost. That is why the core of this layer is not just friction but hard constraints on memory, control flow, and data integrity. Friction raises the bar. Hard constraints remove the tools.
This layer is also one layer. Threat mitigations sit inside a defense-in-depth solution, and the rest of that stack earns its place. Detection and machine learning catch what slips through. Behavioral detection handles an intrusion already in motion. Identity controls guard the roads that bypass the endpoint altogether. More attackers than ever take those roads, skipping exploitation entirely to simply log in, using infostealers to harvest credentials where MFA is absent, or to lift session cookies that ride straight past it.
But the attacks that do reach the machine are, overwhelmingly, code that reuses the same small set of primitives, whether it arrives as a mass-market payload, through a compromised supplier, or encrypting files from a machine you do not manage. That is exactly what a default-on primitive layer is built to deny.
Where this layer fits
Offensive AI is going to keep changing how attackers find vulnerabilities and how fast they weaponize them. It changes very little about the small set of primitives every attack must touch. The patch gap is collapsing to hours. The primitives are not moving. A disabled mitigation is no mitigation, and the unglamorous discipline that decides the outcome is shipping protection on by default and keeping it on. The mitigation layer built for that era did not stop evolving in 2008. It is already here.
See how Sophos Endpoint ships 60 exploit mitigations on by default, on every process. Learn more at sophos.com/endpoint.
This is a follow-up to "AI finds the vulnerabilities, but exploiting them is a different problem".

