Early fears that Anthropic’s new AI model, Mythos, could dramatically turbocharge hacking are looking overstated a month after its release.
The company warned at launch in April that Mythos had uncovered thousands of software vulnerabilities — including flaws across every major operating system and browser — and said the fallout from its spread could be severe.
Governments took notice. Officials in multiple countries huddled with banks to assess risks, and by early May the White House was weighing rules to control how new models are released after safety testing.
But inside the cybersecurity world, the reaction has been more measured — with some saying the broader response has been overblown, and that access to a Mythos-level large language model will not immediately enable hacking operations previously out of reach for bad actors.
“I think there’s a really big communication gap between practitioners and policymakers,” said Isaac Evans, founder and CEO of software security firm Semgrep. The model represents “a real technical advance,” he said, but the response “is not substantiated by what we actually know about how those capabilities will translate in the field.”
To be sure, experts who have used the model in controlled environments have reported substantial improvement in vulnerability discovery, and banking industry IT staffs are working to fix scores of system weaknesses in large and small bank technology stacks, Reuters reported on May 12.
The worry has been heightened further by continued revelations of criminal and state-linked hacking cases involving AI, including Google’s announcement on May 11 that it had detected the first-ever case of a major cybercrime group using AI to discover a previously unknown software flaw and planning a mass exploitation event.
PRACTITIONERS SEE MEASURED RISK
The gap between the extent of the threat seen by security professionals and that seen by policymakers has fueled a narrative that puts Mythos at the center of a looming security crisis — even as comparable capabilities have been available for some time.
“We’ve been able to use AI to find more bugs than we know what to do with for months if not years,” said one person with extensive vulnerability research experience with early access to Mythos. The challenge is not finding vulnerabilities, they said, but validating, prioritizing and fixing them without breaking systems.
Organizations’ ability to process and validate a flood of newly discovered vulnerabilities is generally not where it needs to be, the person said, and that is the bigger challenge introduced by Mythos-level models, even as they acknowledged that the model is an improvement. “It is capable of finding more with a weaker prompt than the models that came before it,” the person said, referring to the instructions a user provides the model to attempt to achieve a goal. Existing models required more detailed and complicated instructions, the person said, meaning the barrier to entry has been lowered.
Anthony Grieco, senior vice president and chief security and trust officer at Cisco CSCO.O, said one new and helpful aspect of Mythos is its ability not only to identify vulnerabilities, but to scan much faster vast amounts of code for those vulnerabilities and help experienced practitioners lower the rate of false positives. This, he said, allows defenders to focus on the most pressing cyber risks in their contexts. The model also has fewer guardrails than previous models, allowing users to craft more specific instructions that enable activities that previous models would not.
PROJECT GLASSWING TESTS DEFENSES
Grieco said to fully maximize the power of Mythos, organizations need both proper computing power as well as a rigorous harness, a term used to describe the computer environment within an organization where a large language model runs with specific instructions and limitations.
“If you have a Formula One car but you’ve only ever driven a bike, you might be able to get it to go straight,” Grieco said. “But you’re not going to maximize the track time out of the gate.”
Even so, Anthropic’s framing — and its decision to invite select firms to test defenses under a program dubbed Project Glasswing — helped push the conversation about the model well beyond typical security circles. The result: an all-hands-on-deck response that amplified both the perceived threat and the company’s stature, even as the Pentagon labeled Anthropic a supply-chain risk while other parts of the government clamored for access.
The White House is discussing with AI labs more widespread use of their technology, a White House official told Reuters. An Anthropic spokesperson said the company is working “closely with the U.S. government to quickly advance shared priorities,” and working with the government to give more parties access to Mythos.
FINDING VULNERABILITIES WITH AI IS ONLY THE START
Mythos — and to some extent OpenAI’s GPT-5.5 — has dominated national security discussions about AI. But those debates often gloss over a simpler point: vulnerability-hunting AI is not new. The real problem is what comes next.
“Our adversaries have gotten really good without AI,” said Cynthia Kaiser, a former senior FBI cybersecurity official now at Halcyon. “Ransomware attacks are happening in under an hour,” she said, adding that most threats still don’t rely on AI at all.
For now, Mythos’ scale and computing and infrastructure demands also limit who can use it. But those barriers are unlikely to last.
“I don’t think the architecture is optimized,” said Nick Adam of financial-services company State Street during a panel discussion at Vanderbilt University. He pointed to the computer processing infrastructure and harness issue identified by Grieco. “There’s a barrier to entry there — but it will be solved pretty quickly.”
Topics
InsurTech
Data Driven
Artificial Intelligence
Cyber
