{"slug": "claude-mythos-opens-the-cybersecurity-pandoras-box", "title": "Claude Mythos Opens The Cybersecurity Pandora’s box", "summary": "Anthropic has developed a new AI model, Claude Mythos, which it claims is too powerful to release publicly due to its ability to identify critical security flaws in operating systems, browsers, and software libraries. The company has restricted access to a small group of launch partners, including AWS, Apple, Google, Microsoft, and the Linux Foundation, under Project Glasswing, while it decides on a wider release. The move has drawn skepticism as a marketing tactic reminiscent of OpenAI's earlier GPT-2 rollout, but independent tests from the UK's AI Security Institute and reports from open source developers confirm the model's significant cybersecurity capabilities.", "body_md": "# Claude Mythos Opens The Cybersecurity Pandora’s box\n\nThis is exactly what Anthropic claimed to have achieved with [Claude Mythos](https://red.anthropic.com/2026/mythos-preview/), its newest and most powerful model which, according to Anthropic, is **too powerful to be released to the public**.\n\nIn its announcement, Anthropic said its new model identified security problems in several operating systems (Linux, OpenBSD, FreeBSD), browsers (Firefox), and widely-used software libraries (FFmpeg).\n\nMaking such a powerful tool available to anyone (including bad actors) would be irresponsible, so Anthropic only **gave access to a small group of “launch partners”** (among them AWS, Apple, Google, Microsoft, and the Linux Foundation) under [Project Glasswing](https://www.anthropic.com/glasswing). 
The idea is to give important organizations and open source projects advance warning and tools to find more security problems, while Anthropic decides what to do with the wider release of Mythos.\n\n## The fine art of Doom Marketing\n\nOf course, the idea is also to hype up the capabilities of the new model.\n\nOpenAI already played the “Our new AI is so powerful, we can’t give it to you” card with [GPT-2](https://openai.com/index/better-language-models/), a model that today [anyone can train for under $100](https://x.com/karpathy/status/2017703360393318587).\n\nThe tactic still works, [the media](https://www.bbc.com/news/articles/crk1py1jgzko) ([another example](https://www.nytimes.com/2026/04/07/technology/anthropic-claims-its-new-ai-model-mythos-is-a-cybersecurity-reckoning.html)) and the wider [public](https://www.youtube.com/watch?v=SQhfkWdxVvE) have bought Anthropic’s doom marketing wholesale. Fear sells, and an AI that can hack anyone is as bad as it gets (or as good as it gets, if you’re in marketing).\n\n## Where there’s smoke…\n\nJust because it’s marketing doesn’t mean it’s not true.\n\nFor a while now, many security researchers [have been increasingly impressed with AI cybersecurity capabilities](https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/).\n\nIn their testing of Mythos, the AI Security Institute (part of the UK government) “[found significant improvement on cyber-attack simulations](https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities)”.\n\nOpen source developers have seen an increasing number of security reports, too: Linux kernel developers (participants in Project Glasswing) said “[All open source projects have real reports that are made with AI, but they’re good, and they’re real](https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel/)”. 
In a similar vein, the developer of the popular open source utility “curl”, who was very vocal about bad AI bug reports in the past, recently [used AI to find 50 real bugs in the project](https://etn.se/index.php/72494).\n\nEven the NSA, the feared U.S. cybersecurity agency, is reportedly [using Mythos](https://www.axios.com/2026/04/19/nsa-anthropic-mythos-pentagon) despite Anthropic being banned from U.S. government use just weeks before.\n\n## The scariest AI of them all?\n\nBased on all the reports, there seems to be some substance to Anthropic’s doom marketing. But let’s stop panicking, breathe for a bit, and try to rationally unpack what might be happening.\n\nThe new model is certainly very capable, but it’s not obvious that it’s miles ahead of what’s already there. In fact, the researchers at Aisle [tasked small local models with finding the same bugs](https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier) with (limited) success, concluding that **the most important part is the approach, not model capability**.\n\nBasically, you can ask the model to carefully review every single part of the codebase and find security bugs. The AI never gets tired of the tedious grind and is happy to spend a lot of time and burn a lot of tokens (and money) in the effort. And if there is something suspicious, there’s a high likelihood it’ll find it.\n\nThe researchers point out that more capable models will do better, but **you don’t need an out-of-this-world capability to achieve these impressive results**.\n\nSo, on one hand, we don’t need to be scared of Mythos. It’s likely an incremental improvement over previous models. 
On the other hand, this means *everyone can already do this*, and probably already is. *Now*, you can panic.\n\n## GPT enters the Chat\n\nAs further proof, just a week after the Mythos announcement, OpenAI released [GPT-5.4-Cyber](https://openai.com/index/scaling-trusted-access-for-cyber-defense/), a dedicated AI model for cyber defense.\n\nAvailable only to “**verified individual defenders** and **teams responsible for defending critical software**”, the new model shows that no great leap forward is required for such a tool.\n\nIn fact, both OpenAI and Anthropic have since released newer versions of their flagship models, GPT-5.5 and Claude Opus 4.7, respectively.\n\nThe AI Security Institute tested GPT-5.5 as well, and noted that “[GPT-5.5 shows that rapid improvement on cyber tasks may be part of a more general trend](https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5-cyber-capabilities)”.\n\nThese models have been trained to **refuse cybersecurity-related requests** (unless you’re in the program), but the Chinese models are just a few months behind in general coding capabilities, and have no such guards.\n\n## Where do we go now?\n\nTo quote one of the security researchers, “**vulnerability research is cooked**”. There’s no going back; motivated actors can already do a lot with the current AI tools, and we’ll only get increasingly powerful ones in the future.\n\nIn the short run, this can look pretty bad: expect more exploits, hacks and bugs across all kinds of software, from critical infrastructure to supply chain attacks against popular software libraries.\n\nIn the long run, however, I believe this is a good thing: motivated attackers with a lot of money already have stashes of 0-days (unpublicized vulnerabilities). 
Now, **more people will be able to use AI to find these problems in their own code and patch them**, leading to more secure software overall.\n\nThis is why Anthropic’s Glasswing and OpenAI’s “Trusted Access for Cyber” programs are a **good first step**, even though they’re available only to select participants. In the future, using open-weights models in a similar manner will bring these capabilities to everyone, cheaply.\n\nBuckle up, it’s gonna be a bumpy ride.", "url": "https://wpnews.pro/news/claude-mythos-opens-the-cybersecurity-pandoras-box", "canonical_source": "https://shiftmag.dev/claude-mythos-opens-the-cybersecurity-pandoras-box-9622/", "published_at": "2026-05-11 13:39:21+00:00", "updated_at": "2026-05-30 20:32:50.585737+00:00", "lang": "en", "topics": ["artificial-intelligence", "large-language-models", "ai-safety", "ai-policy", "ai-products"], "entities": ["Anthropic", "Claude Mythos", "OpenAI", "GPT-2", "AWS", "Apple", "Google", "Microsoft"], "alternates": {"html": "https://wpnews.pro/news/claude-mythos-opens-the-cybersecurity-pandoras-box", "markdown": "https://wpnews.pro/news/claude-mythos-opens-the-cybersecurity-pandoras-box.md", "text": "https://wpnews.pro/news/claude-mythos-opens-the-cybersecurity-pandoras-box.txt", "jsonld": "https://wpnews.pro/news/claude-mythos-opens-the-cybersecurity-pandoras-box.jsonld"}}