Claude Mythos is everyone’s problem, because cyber power is no longer just in government hands

For decades, the most powerful cyber capabilities were assumed to sit inside governments.

If a tool could break into major operating systems, discover deeply buried vulnerabilities, compromise critical infrastructure, or help build sophisticated exploits, it belonged to the world of intelligence agencies, military cyber units and elite state-backed hacking groups.

That assumption is now breaking.

Anthropic’s Claude Mythos Preview has become the clearest sign yet that frontier AI companies are moving into a realm once dominated by nation states. Anthropic says Mythos Preview has reached a level of coding capability where it can surpass all but the most skilled human researchers at finding and exploiting software vulnerabilities. The company has not released the model publicly, instead making it available only to selected partners through Project Glasswing, an initiative aimed at securing critical software before attackers can exploit it.

On one level, that is reassuring. If a model can uncover serious flaws in operating systems, browsers and infrastructure, it makes sense to put it in the hands of defenders first. Project Glasswing partners include major technology and security organisations with the capacity to patch widely used systems. Anthropic’s decision to restrict access reflects the obvious danger of releasing a model that could help less skilled actors find and weaponise vulnerabilities.

But that is only the comforting half of the story.

The other half is more unsettling: a private AI company says it has built a system capable of reshaping cybersecurity, and the rest of society is being asked to trust that its access decisions, safeguards and incentives are sufficient.

That should concern everyone.

The problem is not simply Mythos itself. The problem is what Mythos represents. It signals a shift from AI as a productivity tool to AI as a strategic cyber capability. A model that can reason through code, identify hidden flaws and help develop exploits is not just a better assistant for software engineers. It is a force multiplier for whoever controls it.

That has enormous defensive value. Mozilla has already said Mythos and other AI systems helped it ship hundreds of Firefox security fixes in April, including long-standing issues that traditional methods had missed. Security researchers have also used Mythos-assisted techniques to investigate difficult targets such as macOS, with Apple reportedly reviewing findings from one such report.

But the same logic cuts both ways. A model that helps defenders find vulnerabilities faster can, if misused, help attackers do the same.

This is the central dilemma of AI cybersecurity. The technology does not neatly belong to either side. It is dual-use by design. The difference between an authorised security researcher and a malicious actor may not be the tool, but the permission, intent and context around its use.

That is why the debate around Mythos has become so intense. Critics are right to be wary of marketing hype. AI companies benefit from portraying their models as uniquely powerful, too dangerous for ordinary access and therefore worthy of special trust. Scarcity creates prestige. Danger creates demand. Responsible restriction can be both a genuine safety decision and a powerful branding exercise.

Yet dismissing Mythos as mere hype would be equally naive. Independent evaluations from the UK AI Security Institute found that Mythos Preview showed significant improvement on multi-step cyber-attack simulations, even as other frontier models are catching up. OpenAI has also expanded its Trusted Access for Cyber program around GPT-5.5 and GPT-5.5-Cyber, giving verified defenders greater access to cybersecurity capabilities while retaining safeguards against malicious uses.

In other words, this is not a one-company story. It is an industry-wide transition.

OpenAI’s Daybreak initiative, positioned as a rival to Anthropic’s Project Glasswing, uses AI agents to identify attack paths, validate vulnerabilities and support remediation workflows. Reuters has also reported that OpenAI has offered European companies access to its latest cyber models to strengthen resilience.

That competition matters. If one company has a cyber-capable model, others will race to match it. If one company restricts access, competitors may choose a different balance between openness, safety and market expansion. If governments decide these models are strategically valuable, they will want access. If criminals see the same potential, they will try to steal, jailbreak or replicate it.

This is how AI companies become geopolitical actors.

The most powerful AI labs are no longer simply building consumer products. They are building systems that may affect cyber defence, military planning, surveillance, labour markets, infrastructure resilience and global supply chains. Their data centres are strategic assets. Their model access policies can influence who gets cyber advantage and who does not. Their partnerships with governments and major technology firms increasingly resemble decisions about national security.

That level of power should not rest solely on press releases and corporate self-restraint.

Mythos raises an uncomfortable governance question: who decides which private organisations get access to tools that can find the weaknesses in the world’s software? Who audits those decisions? Who verifies that defensive-use promises are enforced? Who responds if a model leaks, if a partner misuses it, or if a similar capability emerges from a company with weaker safeguards?

These questions are not abstract. Anthropic itself has said Mythos Preview is unreleased because broader access without stronger safeguards would be too dangerous. Forrester has warned that competitors, including international competitors, may not be as cautious once similar models become available.

The stakes are obvious. Modern life runs on software. Banks, hospitals, power grids, ports, schools, defence systems, cloud platforms, transport networks, smartphones, browsers and home devices all depend on code. That code contains flaws. Some are harmless. Some are catastrophic. Many are old, hidden and waiting to be found.

If AI dramatically accelerates vulnerability discovery, then the world faces two possible futures.

In the better future, defenders use these systems to find flaws first, patch faster and reduce the number of exploitable weaknesses available to attackers. Software becomes more secure because AI helps expose what humans have missed.

In the worse future, attackers gain similar capabilities, patching cannot keep pace, and every unmaintained system, underfunded organisation and slow-moving vendor becomes an easier target. Vulnerability discovery becomes cheaper, faster and more automated, while remediation remains human, bureaucratic and slow.

The gap between those two futures is preparedness.

That means governments need to move quickly on oversight, responsible access frameworks and cyber readiness. It means vendors need to shorten patch cycles and treat secure-by-design principles as mandatory, not aspirational. It means organisations need to know what software they run, which systems are exposed, who has access, and how quickly they can respond when a serious flaw is disclosed.

It also means ordinary people need to stop thinking cybersecurity is someone else’s department.

AI-powered cyber tools may sound remote from daily life, but their consequences are not. When an account is taken over, a school platform is breached, a hospital system goes offline, a business loses access to its files, or a phishing email fools an employee, the damage lands on real people. The attack may be sophisticated, but the entry point is often basic: weak credentials, outdated software, poor awareness, excessive permissions, or a rushed click.

The rise of Mythos does not make everyday cyber hygiene obsolete. It makes it more urgent.

Strong passwords, multi-factor authentication, regular updates, access controls, staff training, phishing awareness, backups, vendor scrutiny and incident response planning are not glamorous. But they are the foundations that decide whether a vulnerability becomes an inconvenience or a crisis.

The danger of focusing only on frontier AI is that it can make cybersecurity feel impossibly distant. If the threat is a superhuman hacking model, what can an ordinary business owner, employee or internet user do?

The answer is: more than they think.

They can understand how phishing works. They can learn why MFA matters. They can stop reusing passwords. They can question unexpected messages. They can recognise suspicious links. They can protect recovery codes. They can reduce unnecessary access. They can treat software updates as urgent. They can build a culture where security is not an afterthought.

That knowledge will not stop every advanced threat. But ignorance will make every threat worse.

Claude Mythos is everyone’s problem because it shows where the world is heading. Cyber power is becoming faster, more automated and more concentrated in the hands of companies that operate across borders and beyond traditional public accountability. The old model, where only governments had the most dangerous capabilities, is fading.

The question now is not whether AI will change cybersecurity. It already has.

The question is whether defenders, businesses and everyday users will learn fast enough to keep up.

Knowledge is power. Build practical cyber awareness and strengthen your digital defences with The Hack Academy’s online training programme: https://training.thehackacademy.com/course/
