Anthropic recently made a striking claim about its Mythos Preview model: that language models capable of autonomously identifying and exploiting security vulnerabilities at scale could upend two decades of relatively stable security equilibrium.¹ It’s a serious statement from a serious organisation, which is exactly why it deserves to be taken seriously.

But it’s also worth remembering what futurist Roy Amara observed back in the 1970s: we tend to overestimate the impact of technology in the short run and underestimate it in the long run. A single model release is rarely the revolution it first appears to be. The trajectory, however, is another story. 

What Mythos actually tells us

The third-party evidence on Mythos Preview, including an evaluation by the UK Government’s AI Security Institute,² paints a picture that is impressive but more measured than the headlines suggest. The model performs comparably to other frontier models on most cybersecurity tasks, is slightly better at expert-level challenges, and was the first model to solve a 32-step corporate network attack simulation. 

It also failed an operational technology environment attack simulation, and evaluators were careful to note that their test ranges lacked the active defenders and defensive tooling present in real-world environments. 

In other words: capable, and getting more so, but not quite the autonomous super-hacker some coverage implied. 

What matters more than Mythos itself is the broader trajectory. AI-assisted vulnerability discovery has been accelerating for years. The ball was already rolling; Mythos is merely the latest and most visible push. 

How the threat is actually changing 

A useful way to think about this is that a credible threat requires three things to align: capability, opportunity, and intent. 

Intent, at least for the threat actors already targeting organisations like yours, remains largely unchanged. What’s changing is the other two. 

Opportunity is expanding. As AI accelerates vulnerability discovery, more weaknesses are being identified, faster and by more actors simultaneously. Every unpatched system, exposed service, or misconfigured permission represents a window that is now far more likely to be discovered and tested. 

Capability is expanding too. AI gives threat actors the ability to scale operations in ways that previously required larger and more specialised teams. Time-to-exploit is shrinking. Attacks are becoming increasingly automated. Weaknesses that might once have remained obscure are now more likely to be chained together into functioning exploits. 

In the long term, the expertise barrier is likely to fall even further. That changes who you need to defend against, not just how. 

The response: two moves 

Here’s the reassuring part. The news may be exotic, but the response is fairly boring. Reduce the opportunities available to threat actors, and improve defensive capabilities at the same pace the threat landscape is evolving. 

Reducing attacker opportunity means gaining visibility over your assets, reducing exposure, and closing the doors you’ve left open. It means knowing what you have, what is internet-facing, and what is unnecessarily accessible. Strong authentication. Restricting high-privilege accounts. Network segmentation. Disabling unused services. 

None of this is new, but the case for doing it well has become more urgent. 

Increasing defender capability means matching the tempo of the threat. Patch velocity – the speed at which you identify, test, and deploy fixes – needs to tighten. The window between a vulnerability being discovered and being exploited is shrinking. Historically, thirty days was considered acceptable for critical patches. That assumption is now under real pressure. 

Alongside that, detection and response capabilities need to keep pace. The faster attackers can move, the more your ability to identify and contain an incident matters. It’s also worth considering how your own security teams can use AI and automation to operate at comparable speed. 

Where to go from here 

If you have limited baseline security in place, start there: assets, visibility, and the fundamentals. If the basics are already covered and you’re wondering where to focus next, the answer increasingly lies in threat intelligence: understanding which actors are actually likely to target organisations like yours and prioritising accordingly. 

Not every threat actor is coming for you. Knowing which types of attackers target organisations like yours – including why and how they operate – changes where you focus your effort. Once you have that clarity, resilience becomes an execution challenge. 

The stakes of doing the basics well have gone up. The basics themselves haven’t changed all that much. 

If you’d like to think through what this means for your organisation specifically, we’d be happy to have that conversation. 

Sources 

1 https://red.anthropic.com/2026/mythos-preview/ 

2 https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilitieshttps://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities