CISOned Opinions As some of those fears, uncertainties, and doubts about Mythos are starting to feel real, what can we do about it? Paradoxically, I believe that little needs to change in what we’ve been doing for years.
I have seen a lot of distressed debate in the cybersecurity field following the announcement of Claude Mythos Preview. It was announced as a game changer in the field, miles ahead of its league and opening the pandora’s box of fully automated hunting and exploitation of zero-days.
Since then, Mythos and it’s safeguard-heavy equivalent, Fable 5, got released, only to be taken away shortly after. Let’s take the opportunity to reflect on what this model brings and how impactful it is to the industry.
Keep Calm #
Fear, uncertainty, and doubt fuels the Cybersecurity industry
Anthropic has always had a taste for dramatic phrasing in its PR. Every major model release is accompanied by concerns on its safety; calling for regulation or for a in research before we reach a point of no-return. Mythos makes no exception to this trend and was disclosed in April without a public release. Instead, project Glasswing was announced, gatekeeping access to the model to 50 organisations, later expanded to 150 entities. Some of those lucky few corroborated the alarmist statements from Anthropic. They announced hundreds of vulnerabilities detected thanks to Mythos. One of the most impactful article on the topic was the evaluation from the AI Security Institute from the UK Government. Mythos was the first model to ever succeed in “expert level tasks”. It was also the first of its kind to achieve “The Last One”, a cyber-range testing the entire attack chain from reconnaissance to full network takeover.
Reading the article in details depicts a less dramatic picture. While a step up from previous models, progress in this area has been very gradual. We can see GPT-5.4, or even Opus 4.6, not so far behind on their Advanced CTF Challenge. The same can be said on their cyber range for Opus. Those benchmarks can also be quite far from realistic enterprise environment, at least for companies with mature cybersecurity programme and dedicated SOC. As the article stresses out, “They lack security features that are often present, such as active defenders and defensive tooling. There are also no penalties for the model for undertaking actions that would trigger security alerts.” No doubt such models would sometimes be extremely noisy and clumsy while attempting reconnaissance tasks or pivoting into the target’s information system.
“Sure, but what about all those critical vulnerabilities the model can find offline. They could then be exploited by attackers as powerful zero-days”, you may ask? This aspect was the main marketing argument coming with Project Glasswing, with example such as a “27-year-old vulnerability in OpenBSD” or a “16-year-old vulnerability in FFmpeg”.
Security professionals would probably smirk while reading such statements. Highlighting a vulnerability is old enough to drive is a very common clickbait trick for CVE announcement, only second to the classic “CISA orders feds to patch X”. A vulnerability being decades old is not that uncommon in open source products with hundreds of thousands of lines of code. Most of the time, It just means nobody skilled enough to spot it ever looked in this area before. Old bugs are more valuable as they impact more versions of the supporting software, but that has nothing to do with how difficult they were to find in the first place. What's true, however, is that AI-assisted discovery will increase their prevalence.
Mythos, only a gradual improvement of the older models?
The biggest change with Mythos is the scalability potential of organisations with deep pockets to afford those exhaustive searches. The blog post from Anthropic red team gives more insight on how they achieve such results, and it would definitely be costly. The model was run, several times, on most source code files individually. It took a thousand runs through their scaffold to get the BSD bug, for a cost of approximately 20,000 USD. The entire Glassing project has an allocated token budget worth a hundred millions dollars. Does it bring new risks? Yes, but for actors who probably already had advanced cybersecurity resources in the first place, not to the average script kiddie.
Earlier models might have spotted a portion of those vulnerabilities, had they benefitted from the same thorough experimentation. It’s hard to make apples-to-apples comparison as the details given by Anthropic on how Mythos was run (or how many times it ran for each finding) are scarce. Some tried to replicate the concept in fair but more cost-efficient alternatives and had some probing results. In a nutshell: in the absence of Mythos or even Opus models, DeepSeek is decent in the cloud hosting world while Gemma 4 and Qwen 3.6 punch well above their weights in the self-hostable category, finding about half the vulnerabilities Mythos spotted in the benchmark.
However, I wouldn’t go as far as Aisle who claimed the secret is in the harness, not the model. While they also did manage to “detect” many vulnerabilities initially discovered by Mythos using much smaller LLM, none of those models were capable of making valid exploits. The capacity not only to raise warnings but to actually prove exploitability is definitely an edge only shared by models of the Mythos class. This also seems to solve one of the biggest downsides of earlier AI-led bug hunting: false positives. This was pointed out in their initial update of Project Glasswing, Mozilla claimed an extremely low rate of false positives in their 271 findings. In the same vein, Cloudflare qualified the false positive rate “better than human testers”. Only time (and broader access) will tell if those claims are verified. Otherwise, the average organisation will inevitably be drowned in a sea of cybersecurity noise while using the tool.
OpenAI catching up while the US gov halts Anthropic in its course
In the middle of this madness, we got an unexpected “break” from the US government as they decided to block Fable/Mythos for all non-US citizens, including those on US soil. An impossible task forcing Anthropic’s hand into turning off the offering altogether. Nobody knows how long this will last.
As a side note, there is a certain irony in watching Anthropic reap what it has spent years sowing: more government involvement to control usage and slow the AI race. This was delivered in the bluntest possible way.
Meanwhile, OpenAI continues to progress in this area with their GPT5.5-Cyber and the Codex Security plugin. They have their Glasswing equivalent, project “Daybreak” and “Patch the Planet”, but tuned down the fearmongering aspect and focused on the defender side. This is also a controlled release, likely not to poke the US regulatory bear. It’s safe to assume they will not unleash those products to their entire client base before the Anthropic situation settles or a non-US competitor fills the gap first. I can’t help but find this approach frustrating. The average company can’t access 5.5-Cyber but big cybersecurity firms do, only to sell it back to their own clients at premium. In other words, artificial scarcity disguised under the pretence of responsible deployment.
Let’s use this slowdown to regroup and focus on what we can do to hold the fort when the storm comes back.
Update (2026-06-27):
Things are moving fast. OpenAI is releasing a new family of models: Sol, Terra and Luna, with a strong PR focus on its cybersecurity prowess and comparing it to Mythos. Same as with 5.5-Cyber, the model is made to be biased toward defence instead of building exploits. Those safeguards don't seem to be enough for the U.S. government who still wants to vet which institution get to access the new models. The same now applies to Anthropic, opening Mythos to a hundred US institutions to start with.
Carry On #
As some of those fears, uncertainties, and doubts are starting to feel real, what can we do about it? Paradoxically, I believe that little needs to change in what we’ve been doing for years.
“We already have AI at home”
Us mere mortals might not have access to Mythos and ChatGPT 5.5-Cyber, but what’s available is not completely useless either. Opus 4 is still very capable on the Anthropic side, same as GPT-5.5 with the Codex Security plugin for the company that can obtain the necessary approval. On the FOSS side, harnesses like Strix can already achieve a lot, either combined with local models like Qwen/Gemma or API based inference providers for beefier ones like DeepSeek and GLM.
Keep working on your vulnerability management programme
The rate of CVE releases has been steadily increasing across the board for years. It didn’t wait for Mythos to get out of hand. I have yet to see a company that patches every meaningful vulnerability in less time than it would take a motivated attacker to weaponise them. Besides obvious tuning knobs like increasing resources and priority, we now have “no choice but to make choices”, ideally the good ones. Triage and contextual prioritisation is key to keeping VM sustainable, and is also an area where AI assistance could be advantageous. Existing “vulnerability scores” from major providers often lack contextualisation from our own information system. They may know how bad a vulnerability is in theory, if exploits are available and whether the impacted software exist in our environment. Yet they typically ignore other key aspect, like whether it is business-critical, easily reachable, or protected by compensating controls. Making sense of gigantic amounts of inconsistent text and tabular data is exactly where large language models can shine.
Reduce the attack surface
The best way to protect against a vulnerability is to not have it in the first place. Deactivating what you don’t need is a well known hardening techniques but, let’s be honest, vastly underused in all but the most mature corporate environments. Life got easier in recent years with the surge of microservices and, more generally, container-based infrastructure. If you’ve not already looked into this area, I advise you start with initiatives offering minimal, also called “distroless” containers, like the original Google project, docker hardened images (DHI) or Talos Linux for Kubernetes. The Windows side has “Server Core” as a less extreme variant.
Give more layers on the cybersecurity onion for the LLM to peel down
Security-in-depth approach is getting more important than ever, if any security tool guarding the boundaries can fall on the zero-day sword any day, then it’s vital to have additional checkpoints on the critical path to slow down the intrusion. To give a few examples, you can add context-aware proxies and privilege access management gateways to your VPN/network segmentation, phishing resistant MFA to all authentication attempts, etc.
Another defence in depth strategy worth revisiting are decoy systems like honeypots and canary tokens. If we generalise LLM behaviour from other areas, we can only assume early AI intrusion models to be clumsy, noisy, and candid in their approach, thus very likely to trigger those traps.
Zero Trust to the rescue
The above points could all be encapsulated in a more comprehensive programme toward zero trust principles: verify explicitly, use least-privilege access and assume breach. Fifteen years after Google’s BeyondCorp, those principles have technical implementations accessible to everyone, with most SASE vendors offering their own spin of the concepts. Context Aware Proxies, also called Zero Trust Network Access Gateways, often allow enforcing pre-authentication before getting line of sight to the targeted systems. It doesn’t matter if your software is vulnerable to unauthenticated RCE if the attacker cannot reach the service in the first place.
This mindset should not only apply to technical controls but also any process with human resources in the loop. AI dramatically increased the potential of social engineering attacks, making it trivial to generate convincing messages or impersonate key personnel, even with audio and video. Verifying explicitly can become extremely challenging for your Customer Service or Helpdesk teams if they are not properly trained on those new capabilities.
Wrapping it up #
Mythos cybersecurity prowesses are real. The progression from previous models might be more linear than the initial PR implied, but the improvement is indisputably steep, especially when it comes to producing working exploits. Let’s keep a cool head and leverage the unexpected in Mythos availability to regroup and prioritise the right projects. Anything reducing the likelihood of a vulnerability to be exploited is good to take:
- Don’t give the exclusivity of LLM to attackers, there are many areas where we could leverage AI for our defence, from incident response support to agent-based security reviews.
- Improve time to patch on what matters by improving vulnerability management processes, especially context-aware prioritisation and triage
- Reduce the attack surface, both on what’s deployed, trimming down our server images, and what’s reachable, by enforcing pre-authentication via zero trust network access
- Keep adopting zero trust mindset when deploying services: assuming breach, verifying explicitly and following least privileges principles
- Add traps on the path for the AI-assisted attackers to trip into and alert your SOC. LLMs have a lot of bias, they tend to repeatedly leverage the same techniques and can be incredibly candid in their approach, let’s use it to our advantage!
Mythos did not invalidate our existing cybersecurity priorities, but it raised the cost of ignoring them.