
Azul ships JVM scanner to find unpatched Java before attackers do

Manaal Khan | June 27, 2026 at 10:47 PM | 5 min read

Key Takeaways

Source: The New Stack
  • Azul launches Mythos to discover and inventory JVMs across enterprise environments
  • 35+ billion JVMs run globally, many unpatched and invisible to security teams
  • AI-powered vulnerability scanning makes outdated Java runtimes easier targets

Azul Systems is betting that most enterprises cannot answer a simple question: how many Java Virtual Machines are running in your environment right now? The company's new security product, Mythos, scans networks to find JVMs, catalog their versions, and flag those running without critical patches. The pitch is straightforward. If you cannot find your Java runtimes, neither can your security team. But attackers, increasingly armed with AI-assisted scanning tools, can.

The timing matters. Log4Shell, the critical vulnerability disclosed in December 2021, affected 93% of enterprise cloud environments according to cloud security researchers. That crisis forced organizations to realize they had no inventory of where Java ran, which versions existed, or who owned them. Two years later, the visibility problem persists.

Why JVM visibility remains a blind spot

Azul estimates 35 billion JVM instances run globally. That number sounds inflated until you consider how Java actually deploys. A single application server might spawn dozens of JVM processes. Containers multiply the count. Microservices architectures spin up instances dynamically. The JVM is everywhere, and everywhere invisible.

Traditional asset management tools track servers and containers. They do not track what runs inside them. A security scanner might find an open port or a known CVE in a package manifest. It will not tell you that a JVM running your payments service is three minor versions behind and missing a critical deserialization fix.

Scott Sellers, Azul's CEO, has been blunt about the gap: "Most organizations have no idea how many JVMs they're running, let alone which versions or patch levels. It's a massive blind spot." Mythos aims to close it by discovering JVMs across an environment, fingerprinting their exact versions, and correlating that data against known vulnerabilities.

What Mythos actually does

The product works as an agent-based scanner. Deploy it across your infrastructure, and it inventories every JVM instance it finds. For each one, Mythos reports the vendor (Oracle, Azul, Amazon Corretto, Eclipse Adoptium, and others), the exact version string, and the patch level. It then maps those findings against Azul's vulnerability database.

The output is a prioritized list. Which JVMs are critically vulnerable? Which are merely outdated? Which belong to production workloads versus development environments? That context matters for triage. Patching a staging server running Java 11.0.15 is different from patching the same version on a customer-facing application.
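The discover, fingerprint, and prioritize flow described above can be sketched for a single host's data. This is an added example, not Azul's code and not a description of how Mythos works internally: it assumes each JDK home contains the standard `release` file, and the `BASELINE` values, host names, and sample file contents are constructed placeholders.

```python
import re

# Hypothetical minimum patched version per feature release. Constructed
# placeholders, not advisory data; populate from your JDK vendor's bulletins.
BASELINE = {8: (8, 0, 400), 11: (11, 0, 20), 17: (17, 0, 8)}

def parse_release(text):
    """Parse the KEY="value" lines of a JDK `release` file into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def parse_version(s):
    """Normalise '1.8.0_292' and '11.0.15+10' to (feature, interim, update)."""
    s = re.split(r'[-+]', s, maxsplit=1)[0]      # drop build / pre-release suffix
    legacy = re.fullmatch(r'1\.(\d+)\.(\d+)(?:_(\d+))?', s)
    if legacy:                                   # pre-JDK 9 numbering scheme
        return (int(legacy.group(1)), int(legacy.group(2)), int(legacy.group(3) or 0))
    parts = [int(p) for p in re.findall(r'\d+', s)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(host, env, release_text):
    """Build one inventory row with a triage priority (1 = patch first)."""
    f = parse_release(release_text)
    ver = parse_version(f.get("JAVA_VERSION", ""))
    base = BASELINE.get(ver[0])
    if base is None:
        status = "unknown-baseline"              # unparsed or untracked release line
    else:
        status = "behind" if ver < base else "current"
    # Same version, different urgency: production outranks staging.
    priority = {"behind": 1 if env == "production" else 2}.get(status, 3)
    return {"host": host, "env": env, "vendor": f.get("IMPLEMENTOR", "unknown"),
            "version": ver, "status": status, "priority": priority}

# Constructed samples: (host, environment, contents of $JAVA_HOME/release)
SAMPLES = [
    ("stage-01", "staging", 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="11.0.15"\n'),
    ("pay-01", "production", 'IMPLEMENTOR="Amazon.com Inc."\nJAVA_VERSION="11.0.15"\n'),
    ("batch-07", "production", 'JAVA_VERSION="1.8.0_412"\n'),  # no IMPLEMENTOR key
]

def triage(samples=SAMPLES):
    """Return inventory rows sorted so the most urgent JVMs come first."""
    return sorted((assess(*s) for s in samples), key=lambda r: r["priority"])
```

In practice the `release` contents would be collected per host by whatever agent or configuration-management tool already has filesystem access, and each row would carry an owner field so a finding can be routed.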

Azul has an obvious commercial interest here. The company sells Zulu, its own JDK distribution, along with support contracts and the Azul Platform Prime runtime optimized for low-latency workloads. Mythos feeds that pipeline. Find the unpatched JVMs, then sell the customer a supported, automatically patched replacement.

The AI angle is real, not hype

Azul's marketing leans into AI-powered threats, and the concern is legitimate. Large language models and AI agents can accelerate reconnaissance. Feed a model a list of IP addresses and ask it to identify which ones run vulnerable Java versions. Combine that with automated exploit generation, and the window between vulnerability disclosure and active exploitation shrinks.

Recent demonstrations support this. Anthropic's Claude model found flaws in classified U.S. government systems during a red team exercise, completing in hours what human analysts might take days to discover. The same acceleration applies to mundane vulnerability scanning. Attackers do not need sophisticated AI to probe for outdated JVMs. But AI makes it faster, cheaper, and harder to outrun.


Competitive landscape for Java security

Azul is not alone in this market. Snyk, Veracode, and Contrast Security all offer application security tools that cover Java. Container security vendors like Aqua Security and Sysdig scan images for vulnerable packages, including JDK components. Traditional vulnerability scanners from Tenable and Qualys can detect outdated Java installations.

Mythos differentiates on specificity. General-purpose scanners treat the JVM as one component among thousands. Azul treats it as the primary runtime layer that deserves dedicated tooling. Whether that depth justifies a separate product depends on how heavily your stack relies on Java. For shops running 60% or more of their workloads on JVM platforms, which describes much of financial services, healthcare, and large enterprise IT, the focus may be worth it.

What this means for engineering teams

The broader lesson is not about Azul specifically. It is about runtime visibility as a security requirement. Container registries track image versions. Package managers track dependencies. But the runtime itself, the JVM or Node.js or Python interpreter executing your code, often escapes inventory.

Log4Shell taught that lesson painfully. Organizations spent weeks hunting for vulnerable Log4j instances because they did not know where Java ran. Two years later, how many have built systematic visibility into their runtime layer? For most, the answer is still not enough.

Logicity's Take

Azul's Mythos solves a real problem, but it is also a lead generation engine for Zulu subscriptions. Engineering leaders should evaluate it against their existing tooling. If you run Snyk or a container security platform, check whether those tools already report JVM versions with sufficient granularity. If not, dedicated JVM scanning fills a gap. Pricing is not public, but expect enterprise licensing tied to the number of hosts or JVMs scanned. For teams on Amazon Corretto or Eclipse Temurin looking to avoid vendor lock-in, consider that Mythos discovery works regardless of which JDK you deploy, so the vendor lock-in risk is lower than it might appear.

Frequently Asked Questions

How many JVMs are running globally?

Azul estimates more than 35 billion active JVM instances worldwide, counting individual processes across servers, containers, and cloud workloads.

Why is JVM visibility a security problem?

Traditional asset management tracks servers and containers but not the runtimes inside them. An outdated JVM with known vulnerabilities can run undetected for years.

What does Azul Mythos do?

Mythos scans enterprise environments to discover JVM instances, identify their exact versions and vendors, and flag those with known vulnerabilities or missing patches.

How does AI increase the risk to unpatched JVMs?

AI-powered tools can scan networks and identify vulnerable software faster than manual methods, shrinking the window between vulnerability disclosure and exploitation.

Does Mythos only work with Azul's JDK?

No. Mythos discovers and inventories JVMs from any vendor, including Oracle, Amazon Corretto, Eclipse Adoptium, and others.


Source: The New Stack / Darryl K. Taft


Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.