For decades cyber security has been treated like an insurance policy businesses hope they won’t need. One that often comes with a smaller budget than it warrants.
Then, on 7 April, Anthropic unveiled Mythos.
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
The company’s restricted cyber security model has rapidly become one of the most discussed topics among governments, security teams and enterprise technology leaders. For the most part this isn’t because experts believe it introduces new risks, but because it can dramatically accelerate problems organisations already struggle to contain.
The company’s announcement on 1 June that it had filed a draft S-1 form to the US Security and Exchange Commission for an Initial Public Offering (IPO) is a signal that markets are betting on the company becoming much more than it’s Claude suite of products and entering the AI driven cyber security arms race.
Unlike conventional large language models, Mythos has reportedly been developed specifically for advanced cyber security tasks, including vulnerability discovery, exploit development and automated security research.
Anthropic has restricted access to the model through its wider defensive cyber initiative, Project Glasswing, citing concerns about misuse, and in the hope that key infrastructure under Microsoft, Google, and Apple will be protected.
The question facing businesses is not simply what Mythos can do. It is what happens to their defences when sophisticated cyber capabilities become significantly faster, cheaper and more accessible.
“Since the release of Mythos earlier this year, Frontier AI models have dominated the topic of conversation across government and industry,” says a senior source from a leading government department.
“We are witnessing global coordination across governments who are actively monitoring and testing this new capability; it is widely acknowledged as potentially one of the largest leaps in technical advancements in the last decade.”
Much of the concern surrounding Mythos centres on speed.
Security researchers have always used automation to discover vulnerabilities. Attackers have always attempted to scale cyber attacks. What increasingly concerns security teams is the shrinking gap between discovering weaknesses and exploiting them.
“The barrier to entry for threat actors is drastically reduced and organisations need to prepare for a new wave of threats. The exploitation window has reduced from weeks to days in the last two years, with Mythos we will be looking at minutes.”
That acceleration creates a difficult problem for businesses.
Many organisations still struggle with vulnerability backlogs, legacy infrastructure and delayed patching cycles. If the speed of attack increases dramatically, those operational weaknesses become significantly harder to hide.
Some experts believe this is precisely why the Mythos conversation matters.
Camellia Chan, CEO and co-founder of cyber security outfit X-PHY, describes Mythos as a warning shot.
She points to reports of earlier versions of the technology escaping its sandbox environment during testing and independently accessing the internet, raising wider questions around autonomous behaviour.
“Security has to start deeper,” she says.
“Without protection anchored at the hardware level, controls higher up the stack are far easier to bypass. Hardware Root of Trust is the last line of defence that helps stop an incident from becoming a full system compromise.”
Others argue businesses should be careful not to mistake technological advancement for an entirely new category of threat.
Roman Stanek, founder and CEO of GoodData.AI, believes many of the vulnerabilities businesses fear AI will exploit, are vulnerabilities they already understand.
“Open source security, legacy code debt, infrastructure hygiene… they are all solvable problems, but all chronically underfunded,” he says.
His argument is simple. “Nobody wanted to pay a human engineer to fix it. They’re not going to pay an AI to fix it either. The issue has never been capability, people are just unwilling to invest.”
This creates an uncomfortable possibility. Mythos may prove disruptive not because it creates new risks, but because it removes friction from exploiting existing ones.
Smaller organisations increasingly view frontier AI models as an opportunity to build their own low-cost security testing capabilities, effectively creating an affordable version of enterprise red teams previously reserved for organisations with larger budgets.
However, security specialists argue that simply deploying more AI tools without improving internal resilience risks worsening the problem.
“Attackers can already use frontier models to discover exposures, validate exploitability, and chain attacks faster than most teams can triage a single critical alert,” says Kara Sprague, CEO of HackerOne.
“What Anthropic has disclosed on Mythos indicates that it further advances those capabilities multi-fold, but Project Glasswing will give defenders a head start.”
The release of Opus 4.8 alongside Mythos has raised concerns around identity fraud, particularly as increasingly sophisticated models create more convincing synthetic identities and documentation.
Phil Cotter, CEO of SmartSearch, warns many businesses remain dangerously reliant on outdated processes and that physical security should not be forgotten.
“Trying to catch AI-generated fraud with a manual checklist is like sending a fax to stop a cyberattack,” he says. “The threat has moved on. For too many firms, the tools haven’t.”
So what should businesses actually do?
The answer, according to many security leaders, isn’t buying more tools. It is understanding what already exists.
Dan Middleton, VP UK&I at data protection specialist Keepit, argues recovery strategies need to become more targeted as environments become increasingly complex.
“Recovery isn’t ‘restore everything’,” he says.
“What you need is the ability to find the last known-good state quickly, restore only what was affected, a user, a mailbox, a set of files, specific records, and do it without a full environment rollback.”
Security teams also argue organisations need greater visibility into their own infrastructure before attackers achieve it first.
When an intruder breaks into your home, security services always say ‘you know the layout, they don’t’. This same approach can be applied to a company’s own digital infrastructure, to combat against threat actors attempting to penetrate its systems.
Greg Notch, chief technology officer at Expel, says defenders still maintain that important advantage.
“Defenders do have a meaningful lever, the ability to point AI directly at raw source code to find and remediate vulnerabilities before they’re exposed.”
The organisations that adapt successfully, he argues, will not simply patch faster, they will rethink assumptions about secure development, compliance and how software is built when AI increasingly participates in the process.
Ultimately, Mythos may prove less significant as a piece of technology and more significant as a forcing function.
For years, cyber security teams have argued that underinvestment creates risk. AI may simply be making the consequences arrive faster than anticipated.
