Anthropic’s new Mythos AI model is raising serious concerns after tests showed it can independently find and exploit software vulnerabilities, signalling a major change in how cyber risk may develop in the near future.
Mythos AI Brings A New Level of Capability
The model, developed by Anthropic as part of its Claude family, has not been released publicly and is instead being restricted to a small group of partners.
This caution reflects what the model is capable of. For example, in its own technical assessment, Anthropic said Mythos is “strikingly capable at computer security tasks”, with the ability to identify and exploit weaknesses across real-world systems.
In some cases, the model has been shown to discover previously unknown vulnerabilities and produce working exploits with minimal or no human input. Anthropic also noted that “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”
That represents a clear break from earlier AI tools, which have largely focused on assisting developers or identifying issues rather than acting on them.
Why Anthropic’s Mythos Is Raising Concern
The implications have quickly moved beyond the technical community, with regulators, central banks, and government officials now assessing what this type of capability could mean at scale.
Institutions including the Bank of England have already highlighted the potential impact on financial stability, particularly in sectors that rely on complex and interconnected IT systems.
The issue is not simply that vulnerabilities exist, but that the speed and scale of discovery may increase significantly.
In its own assessment, Anthropic warned that “the fallout – for economies, public safety, and national security – could be severe” if such capabilities are not carefully managed.
Traditional vulnerability discovery has always been a time-intensive process requiring specialist expertise, so a model that can carry out that same work rapidly across large codebases fundamentally changes the balance by reducing the time organisations have to respond before weaknesses are identified and potentially exploited.
How Access To Mythos Is Being Controlled
Anthropic has responded to the many concerns by limiting Mythos to controlled use through its Project Glasswing programme. Here, selected partners, including major technology providers and financial institutions, are being given access to test their systems and identify weaknesses before attackers can do the same.
It seems that there is a pretty clear defensive case for this, as the same capability that allows the model to uncover vulnerabilities can also be used by organisations to strengthen their systems more effectively.
Anthropic has framed this as a coordinated effort to prepare the industry, describing the model as “a watershed moment for security” that requires “substantial coordinated defensive action across the industry.”
However, the underlying tension remains, since tools that improve defensive capability can also lower the barrier for attackers if they become widely available or are replicated elsewhere.
An Escalating Security Dynamic
One of the key questions is how quickly these kinds of advanced AI-driven cyber capabilities will spread beyond controlled environments. Cybersecurity has always involved a balance between attackers and defenders, but Mythos suggests that balance may become more volatile as both sides begin to rely on increasingly capable AI systems.
If tools like this become accessible beyond controlled environments, the level of expertise needed to carry out sophisticated attacks could fall sharply, meaning people with far less experience could carry out attacks that previously required highly skilled specialists.
It’s also likely that organisations will respond by adopting similar technologies to automate how they test systems, monitor for risks, and fix vulnerabilities more quickly.
This all points towards a faster-moving environment where advantage depends on how quickly organisations can identify and respond to threats, rather than simply preventing them.
Questions Still Remain
Despite the level of concern, there is still uncertainty around how significant a leap Mythos represents in practice. For example, much of the evidence so far comes from Anthropic’s own testing, and independent verification remains limited. Early external assessments suggest the model is highly capable, but not necessarily far beyond previous systems in every scenario.
There is also a broader context to consider here. AI developers have previously taken cautious approaches to releasing powerful models, sometimes accompanied by strong warnings about potential misuse.
Even so, the broader trend is clear, with incremental improvements in capability having a substantial real-world impact when applied at scale, particularly in areas like cybersecurity where speed and automation already play a critical role.
What Does This Mean For Your Business?
For most organisations, Mythos will not be something they use directly in the short term, but the changes it represents are already relevant.
Faster vulnerability discovery means faster potential exploitation, which increases the importance of keeping systems updated, monitoring for unusual activity, and responding quickly when issues are identified.
Many organisations operate complex environments that include legacy systems, third-party software, and shared infrastructure. These environments often contain weaknesses that are not fully visible until something exposes them, and tools like Mythos show how quickly those gaps could be uncovered.
Cybersecurity is becoming a more dynamic challenge as AI capabilities continue to develop, increasing the pace at which threats evolve and requiring more adaptive approaches alongside stronger baseline protections.
There is also now a broader strategic consideration, as AI is no longer just improving productivity but is beginning to change how risk itself is created and managed, meaning organisations that recognise this early will be better prepared to respond as these capabilities develop.
Anthropic’s Mythos model is not yet widely available, and its full impact is still being assessed, but it offers a clear signal of what is coming next. The organisations that respond effectively will be those that recognise the change early and adjust their approach before the wider landscape catches up.