With input from Bloomberg, War on the Rocks, Reuters, and BBC
A few hours before Anthropic unveiled its latest model, Claude Mythos Preview, one researcher thought they had a solid grip on the future of cyber threats. By evening, that confidence was gone.
Mythos didn’t just raise the bar. It bulldozed it.
In tests, the model was able to autonomously find and exploit serious software vulnerabilities – some buried for decades – across major systems. No credentials. No human hand-holding. Just a prompt and time. Engineers without deep security backgrounds reportedly asked it to hunt for flaws overnight and woke up to working exploits.
That kind of capability used to sit inside government intelligence agencies. Now it’s sitting inside a private company’s lab.
Anthropic CEO Dario Amodei has long drawn parallels between advanced AI and nuclear weapons, often pointing colleagues to The Making of the Atomic Bomb. The comparison isn’t about destruction in the literal sense – it’s about control.
Mythos feels like that kind of inflection point. Not just a better tool, but something that rewrites the rules.
Cybersecurity has always had a kind of balance. Nation-states built the most powerful tools, and while leaks happened, they were rare and slow to spread. That model starts to fall apart if a system like Mythos can compress years of capability-building into a single release cycle.
Anthropic’s own numbers hint at the scale: the model successfully turns known vulnerabilities into working exploits more than 70% of the time. It has also uncovered thousands of “zero-day” flaws – previously unknown weaknesses – many missed by years of audits.
And that’s the version the public hasn’t seen.
Mythos isn’t widely available. Anthropic has kept it behind closed doors, offering limited access through a program called Project Glasswing to a small group of companies, including Google, Microsoft and Cisco.
The idea is simple: use the model defensively before it escapes into the wild.
At the same time, the US government is moving to give select federal agencies access, a sign officials are taking the threat seriously. European regulators and banks are also circling, trying to figure out what this means for financial stability.
Because once something like this spreads, it won’t stay contained.
Anthropic itself estimates comparable capabilities could emerge elsewhere – open-source projects, rival labs, or state-backed programs – within six to 18 months.
History suggests that timeline may be optimistic.
Cybersecurity has always been a race. Attackers need one way in; defenders need to lock every door.
Mythos tilts that equation hard.
The current system – where vulnerabilities are found, disclosed, patched over weeks or months – was built for a slower era. Now imagine thousands of flaws discovered in days. The backlog alone becomes unmanageable.
And even if defensive AI tools catch up, they run into a different bottleneck: bureaucracy. Patching systems isn’t instant. It involves approvals, testing, coordination across vendors, sometimes even regulatory sign-off. That lag doesn’t shrink just because the threat accelerates.
In critical infrastructure – hospitals, power grids, water systems – the challenge gets worse. Many operators don’t have the resources to act quickly, even if they know exactly where they’re vulnerable.
There’s another shift here, and it’s arguably more unsettling.
For decades, advanced cyber tools were largely the domain of governments. When they leaked – like the NSA-linked exploits that later powered global ransomware attacks – the fallout was huge, but still traceable.
Mythos changes who gets to play.
A small, skilled group once needed time, infrastructure and funding to launch a major cyberattack. With AI like this, that barrier drops. The gap between amateur and state-level capability shrinks fast.
That’s what keeps analysts up at night: not just what governments might do, but what everyone else suddenly can do.
Washington isn’t starting from scratch. There are policies in place – AI safety rules, cyber incident reporting requirements, annual threat assessments flagging AI-driven attacks as a major risk.
None of them were built for this.
They focus on testing models before release or responding after breaches happen. Mythos sits in the uncomfortable middle: powerful enough to change the threat environment, but not yet widespread enough to trigger full-scale crisis response.
What’s missing is coordination – and speed.
Some experts argue for a centralized response, led at the highest levels of government, to manage both the spread of these capabilities and the defense of critical systems. Others push for real-time sharing of vulnerabilities between companies and agencies, something the US has struggled to enforce for years.
Even then, there are limits. You can’t instantly patch everything. Some systems – medical devices, nuclear controls – aren’t designed for rapid updates at all.
There’s a sense of a countdown ticking in the background.
If Anthropic is right, similar models will surface elsewhere within months. Once that happens, containment becomes nearly impossible. The cyber world shifts into something more chaotic, more unpredictable – what some describe as “asymmetry at scale.”
For now, Mythos is still inside the lab, carefully rationed, closely watched.
But history has a habit of repeating itself. Powerful technologies rarely stay locked up forever.
The real question isn’t whether tools like Mythos spread. It’s how prepared anyone is when they do.
The latest news in your social feeds
Subscribe to our social media platforms to stay tuned