Column

Anthropic’s Mythos is not the end of cybersecurity. It is the end of excuses.

Every few years, cybersecurity gets its apocalypse story.

A breach. A worm. A supply chain compromise. A newly discovered vulnerability sitting quietly inside systems everyone uses. The story usually begins with panic, moves quickly to blame, and ends with an uncomfortable truth: the disaster was rarely unpredictable. It was just ignored until the cost became impossible to hide.

Anthropic’s Claude Mythos Preview is the latest event being held up as a turning point. The company says the model is powerful enough to reshape cybersecurity, with an ability to find and exploit software vulnerabilities at a level that surpasses all but the most skilled human researchers. Rather than releasing it publicly, Anthropic has placed Mythos inside Project Glasswing, a defensive initiative involving major technology and security organisations including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks.

That alone is enough to make people nervous. A frontier AI model that can find security flaws at scale sounds less like a product launch and more like a warning siren. The obvious fear is that tools like Mythos will lower the barrier for attackers, allowing more people to find vulnerabilities, chain them together, and weaponise them faster than defenders can respond.

That fear is not irrational. Cybersecurity has always suffered from asymmetry. Defenders must protect entire systems. Attackers only need one way in. If AI allows malicious actors to search for weaknesses with more speed, more patience and more contextual memory than human attackers could previously manage, the economics of hacking change.

But the real reckoning is not simply that AI might make attackers more dangerous. It is that AI is exposing how much vulnerable software has been tolerated in the first place.

For decades, the digital world has been built on the assumption that imperfect software is normal. Ship fast, patch later. Add features, fix security when someone complains. Layer monitoring, endpoint protection, incident response and cyber insurance on top of systems that were never secure by design. The industry has grown very good at responding to flaws, but far less good at preventing them.

Mythos matters because it threatens to compress the time between a flaw existing and a flaw being found. That is the uncomfortable shift. Not that vulnerabilities are new. Not that attackers suddenly exist. Not that software is only now risky. The difference is speed, scale and automation.

Project Glasswing is being presented as a way to give defenders a head start. Anthropic says launch partners will use Mythos Preview for defensive security work and share lessons so the broader industry can benefit. The Linux Foundation has framed the initiative as a way to put advanced AI in the hands of maintainers and organisations responsible for critical software.

That is the optimistic version of the story, and it is not without merit. If the same class of model that could help attackers find hidden flaws can also help defenders find and fix those flaws first, then AI becomes a pressure tool for better software. It could help maintainers inspect sprawling codebases, uncover long-buried defects, and prioritise issues that human teams may never have had the time or resources to investigate.

The darker version is that this advantage may not last. Restricted release only buys time. Capabilities rarely remain exclusive forever. Once similar models are widely available, or once open and commercial systems reach comparable performance, defenders may find themselves facing machine-scale vulnerability discovery from both legitimate researchers and hostile actors.

That is why the debate around Mythos has become so heated. Some experts see it as a genuinely dangerous leap. Others see the marketing machinery of artificial intelligence doing what it does best: turning a technical advance into a mythic object. Both positions can be true at once.

Yes, there is hype. The AI industry has every incentive to make its models appear rare, powerful and almost too dangerous to touch. Exclusivity creates urgency. Urgency creates market power. The phrase “too dangerous to release” can be a safety warning, but it can also be a sales strategy.

And yet dismissing the whole thing as hype would be a mistake. Even sceptics should admit the direction of travel is clear. AI systems are becoming better at coding, reasoning across large contexts, testing software behaviour and linking separate pieces of technical information together. That is precisely the skill set needed to move from finding isolated bugs to identifying exploit chains.

Exploit chains are where the conversation becomes serious. A single minor flaw may not be catastrophic. But combine it with another weakness, and another, and another, and suddenly a system that looked adequately defended can be compromised in stages. Many sophisticated attacks work this way. They are not always one dramatic break-in. They are sequences of small permissions, overlooked behaviours, misconfigurations and software defects that become powerful when connected.

That is where advanced AI could shift the skill floor. A task that once required elite human intuition may become accessible to more actors using increasingly capable tools. As one security researcher put it in the reporting that prompted this debate, Mythos may not change the problem space, but it changes the required skill level to exploit it.

That distinction matters. Cybersecurity has never only been about tools. It has always been about who can use them, how quickly, and to what end.

For developers, this should be a deeply uncomfortable moment. If AI can find the vulnerabilities, then the old excuses weaken. “No one will notice” becomes less credible. “It is too obscure” becomes less comforting. “We will patch it later” becomes more dangerous. The window between discovery and exploitation is narrowing.

For businesses, the lesson is broader. Cybersecurity can no longer be treated as a specialist department’s burden. It is a leadership issue, a procurement issue, a staff training issue, a software lifecycle issue and a customer trust issue. The weakest point in an organisation may be an unpatched plugin, a reused password, an exposed admin account, a careless vendor integration, or an employee who has never been taught how modern phishing works.

Australian regulators are already paying attention to the risks posed by frontier AI. Reuters reported that Australia’s prudential regulator has warned banks they are falling behind in adapting to AI-driven cyber risk, with concerns that advanced systems could enable larger and faster attacks. Australian cyber officials have also warned of a rise in AI-driven threats over the next 12 to 18 months, particularly affecting small and medium-sized enterprises.

That should be a wake-up call well beyond the finance sector. Small and medium-sized businesses often assume they are too small to be targeted, but attackers do not need personal interest to cause damage. Automated scanning, credential stuffing, phishing kits and AI-assisted reconnaissance make scale easier. A business does not need to be famous to be vulnerable. It only needs to be exposed.

The temptation, when confronted with something like Mythos, is to imagine cybersecurity as a battle between machines. AI attackers versus AI defenders. Autonomous agents testing, probing, patching, escalating and responding at speeds humans cannot follow.

That may be part of the future, but it is not the whole future. Humans will still decide whether updates are applied. Humans will still approve budgets. Humans will still click links, reuse passwords, configure systems, write policies, ignore warnings and decide whether training is worth the time. The arrival of more powerful AI does not remove human responsibility. It magnifies the consequences of human neglect.

This is why the real cybersecurity reckoning is cultural. Security can no longer be the thing added at the end. It must be built into how software is designed, purchased, deployed, maintained and used. The industry phrase is “secure by design”, but the principle is simple: stop treating avoidable flaws as inevitable.

Former US cybersecurity official Jen Easterly has argued that Project Glasswing could help move the industry toward building technology that is more secure from the start, rather than endlessly defending flawed software after the fact. That is the most constructive way to read this moment. Not as the end of cybersecurity, but as the beginning of the end of complacency.

Still, there is a danger in making AI the centre of the story. Most organisations do not need to start by worrying about elite model-enabled exploit chains. They need to start with the basics they still have not mastered.

Patch systems. Use multi-factor authentication. Train staff. Remove old accounts. Back up data. Segment access. Review vendors. Stop sending sensitive information casually through email. Know what software you run. Know who has access to what. Have an incident response plan before there is an incident.

These are not glamorous controls, but they are the foundations on which more advanced defence depends. AI may change the tempo of cyber conflict, but poor cyber hygiene will remain an open invitation.

The Mythos debate should therefore be seen less as a science-fiction warning and more as a practical deadline. The world is moving toward faster vulnerability discovery. Attackers will adapt. Defenders will adapt. The organisations that cope best will be those that have already built habits of awareness, discipline and continuous learning.

Because in cybersecurity, the most dangerous sentence is not “AI can hack everything.”

It is “we thought we were fine.”

The real lesson of Mythos is that security ignorance is becoming less survivable. The tools are getting faster. The attackers are getting more capable. The margin for delay is shrinking.

Knowledge is power, and in cybersecurity, it is also protection. To strengthen your defensive awareness and build practical cyber skills before the next threat arrives, explore The Hack Academy’s online training courses: https://training.thehackacademy.com/course/
