Sunnyvale, CA – Azul Systems, a prominent Java runtime vendor, has introduced a complimentary Java Virtual Machine (JVM) vulnerability risk assessment tool. This initiative aims to empower organizations to identify potential Java runtime exposures before sophisticated AI-assisted attackers can exploit them. However, the company’s narrative surrounding the urgency of this threat rests heavily on claims about Anthropic’s Mythos AI model, which has not yet been publicly verified, a situation that raises questions about the robustness of its threat framing.
The free risk assessment tool is specifically tailored for DevOps and SecOps teams struggling with comprehensive visibility across their Java estates. The tool functions by scanning networks to detect all JVM instances, including those embedded within applications or running in unmanaged environments, which often elude conventional asset discovery mechanisms. Following the scan, Azul promises to deliver a prioritized remediation roadmap. This roadmap is reportedly cross-referenced against critical security databases such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog and the U.S. National Vulnerability Database, providing actionable intelligence for vulnerability management.
While the assessment is offered free of charge, it clearly serves as a strategic lead-generation tool for Azul. The ultimate objective is to convert users of the free service into customers of Azul Core, the company’s commercial JVM offering that includes support and security updates. This move positions Azul Core as a distinct solution within the OpenJDK ecosystem, particularly its security-focused Critical Patch Updates.
Eric Costlow, Azul’s Senior Director of Product Management, elaborated on the company’s strategy in an interview with The New Stack. He highlighted that Azul Core is positioned as the only OpenJDK distribution that delivers security fixes alone, without introducing new features or bundled bug patches. This contrasts with other widely used OpenJDK distributions like AWS Corretto and Eclipse Temurin. Costlow emphasized that this security-only approach significantly mitigates the risk of application breakage during patching, a common concern for organizations managing long-running Java applications.
"One of the reasons people haven’t updated their JVMs in a long time is they’re worried about breaking something," Costlow explained. "So they look at it and say, ‘It ain’t broke, don’t fix it.’ What Core offers is a version of Java that only contains security patches – all it does is fix security vulnerabilities. The risk of breaking your application by applying the security-only release is really low, because all it does is fix security bugs."
This differentiation strategy targets the perceived risk associated with updating JVMs that include a broader set of changes. Costlow drew a comparison with competing distributions: "If you grab a Corretto or an Eclipse JVM, they’re very nice people. But they just include everything in their build. Everything that changes, it’s in there. Let’s say it has a 1% chance of breaking something – you update 100 apps, one of them breaks. Our breakage rate might be like 0.1% or something, because we don’t do that other stuff."
The Escalating AI Threat Landscape
Azul’s primary security argument centers on the accelerating pace of cyber threats driven by advancements in Artificial Intelligence. The company contends that AI tools have drastically reduced the "mean time to exploit" for vulnerabilities, shrinking it from months to mere days or even hours. This rapid evolution makes previously unpatched Java environments significantly more perilous than they were even eighteen months ago. Costlow described this phenomenon as AI lowering the barrier to entry for both vulnerability discovery and the subsequent weaponization of these flaws.
"You can build crawlers that look for older Java versions because you can identify them through a lot of signatures," Costlow stated. "And the exploits – where you used to say, ‘I have a version of an exploit that will attack a certain version of Spring, it used to only work in certain scenarios’ – the AI has made it a lot easier to generalize those exploits. The stuff’s easier to find and easier to attack. Unfortunately."
To substantiate these claims, Dana Crane, Product Marketing Director for Platform Core at Azul, presented research in a company blog post. A 2024 study conducted by the University of Illinois Urbana-Champaign indicated that GPT-4, when provided with appropriate contextual scaffolding, could autonomously exploit 87% of known critical-severity CVEs without human intervention, at an estimated cost of $8.80 per successful exploit. A subsequent study by the same research group revealed that AI agent teams achieved a 53% success rate in exploiting zero-day vulnerabilities. More recently, an AI system named ARTEMIS reportedly secured second place in a penetration testing competition against human testers on a live enterprise network of 8,000 hosts. ARTEMIS identified valid vulnerabilities at a cost of $18 per hour, significantly outperforming human testers who incurred costs of $60 per hour.
Scrutiny Over Anthropic’s Mythos Model
While the evidence for AI’s growing offensive capabilities is compelling, Azul’s central claim regarding the urgency of the threat is heavily reliant on Anthropic’s Mythos model. This advanced AI system is currently a "frontier" model, meaning it has not been publicly released and is accessible only to a select group of trusted organizations under strict controls.
The Azul press release explicitly stated that "Anthropic’s Claude Mythos demonstrates that AI can autonomously uncover previously unknown vulnerabilities and generate working exploit paths at scale." Similarly, Azul CEO Scott Sellers remarked in a statement, "Anthropic’s Mythos has shown that AI can now discover and weaponize vulnerabilities on its own – including flaws that survived decades of human review."
Further elaborating in the FAQ section of its materials, Azul cited "how quickly Mythos-class capability escaped its intended containment" as a compelling reason for accelerated patching. However, when questioned during a briefing about whether Azul had directly tested Mythos against JVM vulnerabilities, Costlow admitted that he did not have access to the model. "That’s gated by a lot of government stuff," he told The New Stack. "It’s only for select organizations now." This admission indicates that Azul’s dire threat narrative is, in part, based on the capabilities of a model it has not independently verified or tested, and which remains largely inaccessible to the broader cybersecurity community. This reliance on an unverified, gated model for its primary threat justification could undermine the credibility of its urgent call to action for many organizations.
What the Assessment Tool Actually Delivers
Setting aside the contentious AI threat framing, the free JVM vulnerability risk assessment tool itself offers tangible benefits for organizations. Azul states that the tool operates as a network scanner designed to run over a period of a few days with negligible impact on system performance. Its primary function is to identify the versions and ages of JVMs deployed across the entire technology stack, encompassing application servers, serverless containers, and databases.
The output package from the assessment is comprehensive, providing a security dashboard categorized by risk tier, publisher, and Java version. It includes detailed analysis of exposure against the KEV and CVE databases, cross-referenced with real-world threat intelligence. Additionally, the report identifies end-of-life runtime instances – such as Java 5, 6, and 7 – which Crane noted are "more common than most IT leaders assume." A patch currency gap report further quantifies how far deployed JVM instances deviate from current security patch baselines.
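As an added illustration, and not Azul’s code or a description of how its tool is implemented, the following Python sketches the defender-side bookkeeping that produces the kind of report described above: parsing collected `java -version` banners, flagging the end-of-life feature versions the article names (Java 5, 6 and 7), measuring each host’s patch-currency gap against a baseline, and grouping the results by risk tier and Java version so the two or three versions carrying most of the risk stand out. The host names, banner strings, baseline update numbers and the tier thresholds are constructed assumptions for the example, not real release or inventory data.

```python
import re
from collections import Counter

# Constructed sample inventory: hostname -> first line of `java -version` as a
# discovery scan might capture it. Hosts and banners are invented for this
# example; they are not output of Azul's tool.
SAMPLE_INVENTORY = {
    "app-server-01": 'java version "1.7.0_80"',
    "app-server-02": 'openjdk version "11.0.12" 2021-07-20',
    "db-host-01": 'java version "1.6.0_45"',
    "batch-01": 'openjdk version "17.0.9" 2023-10-17 LTS',
    "lambda-image-a": 'openjdk version "21.0.2" 2024-01-16 LTS',
    "legacy-ws-03": 'java version "1.7.0_80"',
}

# Assumed patch baseline: the newest update release the organisation treats as
# "current" for each feature version. Placeholder numbers, not real release data.
ASSUMED_BASELINE = {11: 24, 17: 12, 21: 4}

# Feature versions the article calls out as end-of-life.
EOL_FEATURE_VERSIONS = {5, 6, 7}

# Assumed threshold: this many missed update releases or more is "high" risk.
HIGH_GAP_THRESHOLD = 4

_LEGACY = re.compile(r'"1\.(\d+)\.\d+_(\d+)')            # 1.7.0_80   -> (7, 80)
_MODERN = re.compile(r'"(\d+)(?:\.(\d+))?(?:\.(\d+))?')  # 11.0.12    -> (11, 12)


def parse_java_version(banner):
    """Return (feature_version, update) from a `java -version` banner line.

    Handles the pre-JEP 223 '1.x.0_NN' scheme (Java 8 and older) and the
    modern 'FEATURE.INTERIM.UPDATE' scheme. Raises ValueError otherwise.
    """
    m = _LEGACY.search(banner)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MODERN.search(banner)
    if m:
        return int(m.group(1)), int(m.group(3) or 0)
    raise ValueError(f"unrecognised java -version banner: {banner!r}")


def assess_host(host, banner, baseline=ASSUMED_BASELINE):
    """Classify one host: EOL runtimes are 'critical' (no patch exists, only
    replacement); supported runtimes are tiered by their patch-currency gap."""
    feature, update = parse_java_version(banner)
    eol = feature in EOL_FEATURE_VERSIONS
    gap = None
    if eol:
        tier = "critical"
    elif feature not in baseline:
        tier = "unknown"          # no baseline configured for this version
    else:
        gap = max(baseline[feature] - update, 0)
        if gap == 0:
            tier = "current"
        elif gap >= HIGH_GAP_THRESHOLD:
            tier = "high"
        else:
            tier = "medium"
    return {"host": host, "feature": feature, "update": update,
            "eol": eol, "gap": gap, "tier": tier}


def build_dashboard(inventory, baseline=ASSUMED_BASELINE):
    """Aggregate per-host findings into counts by tier and by Java version,
    plus the at-risk versions ranked by how many hosts they account for."""
    findings = [assess_host(h, b, baseline) for h, b in inventory.items()]
    by_tier = Counter(f["tier"] for f in findings)
    by_version = Counter(f["feature"] for f in findings)
    at_risk = Counter(f["feature"] for f in findings
                      if f["tier"] in ("critical", "high"))
    return {"findings": findings, "by_tier": dict(by_tier),
            "by_version": dict(by_version),
            "at_risk_versions": at_risk.most_common()}


if __name__ == "__main__":
    dash = build_dashboard(SAMPLE_INVENTORY)
    for f in dash["findings"]:
        print(f"{f['host']:<16} Java {f['feature']:<3} u{f['update']:<4} "
              f"tier={f['tier']:<8} gap={f['gap']}")
    print("by tier:", dash["by_tier"])
    print("at-risk hosts per Java version:", dash["at_risk_versions"])
```

On the constructed sample, two EOL hosts on Java 7 and one on Java 6 dominate the critical tier, which mirrors Crane’s observation that a handful of versions usually carry most of an estate’s risk; in practice the baseline table would be fed from the vendor’s release notes rather than hand-maintained, and the per-host records would be the input to any KEV or NVD cross-reference.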
The assessment also addresses regulatory compliance requirements. It is designed to assist organizations in meeting mandates from frameworks such as PCI-DSS, SOX, HIPAA, DORA, NERC CIP, and FedRAMP, all of which necessitate demonstrable visibility into deployed software versions and documented patch histories.
"A lot of people in the PCI DSS space are supposed to be patching their JVMs, but aren’t," Costlow remarked, illustrating the scale of the problem. "If you haven’t patched in eight years, it’s really built up. I refer to it as a CDE tsunami."
Crane further commented on the typical findings from these assessments: "A typical assessment reveals that a small number of Java versions – often just two or three – account for the lion’s share of risk across an enterprise estate. That makes mitigation far more tractable than it initially appears."
Organizations interested in availing themselves of this free JVM vulnerability risk assessment can access it directly from Azul’s website at azul.com/jvm-vulnerability-risk-assessment, or through the company’s network of partners.
