04/17/2026

Claude Mythos: Dangers and rewards, right next to each other


First of all, when looking at the reports currently circulating about the Claude Opus 4.6-based model “Mythos,” it is important to note that most of the information comes from Anthropic itself. As with any story making the rounds, the principle “audiatur et altera pars” must apply: the other side must also be heard.

The fact is: so far, as part of “Project Glasswing,” a number of large corporations have been granted exclusive access to the preview version of Mythos.

US pulls away and leaves Europe behind

Just as an aside: the list of companies participating in “Project Glasswing” reads like a Who’s Who of the big tech scene. Among those represented are:
AWS, CrowdStrike, Apple, Palo Alto Networks, Cisco, Microsoft, the bank JPMorganChase, Google, the Linux Foundation, Broadcom, NVIDIA, and Anthropic itself. All of these participants have one thing in common: they are US-based companies. Not a single European company is included. In plain terms, this means that the US is potentially building a massive technological lead here.
(Note: A complete list of all companies with access to Mythos was not available at the time of publication. Subsequent corrections or additions to the text cannot therefore be ruled out.)

What Mythos can do: New possibilities in vulnerability discovery

The technical findings appear promising. Mythos is said to be capable of building entire, working exploit chains overnight. The tool even identifies decades-old security vulnerabilities. In a blog post, Anthropic states that some of the discovered vulnerabilities (by its own account “thousands”) remain unpatched and are being reported to the respective vendors and developers as part of coordinated vulnerability disclosure.
Reports like this understandably raise the concern that what critics of AI technologies have been predicting for years has now come true: that attacks will henceforth be fully developed and executed by AI. However, it is not quite that simple, at least not yet. Any AI performing software analysis requires precise instructions on what it is supposed to do. Otherwise, an LLM quickly “hallucinates” and starts identifying plausible-sounding but nonexistent vulnerabilities. That remains true even if, according to Anthropic, Mythos already possesses very extensive capabilities.

The identified vulnerabilities primarily exist in open-source software. In other words, Mythos had access to the full source code and was able to search specifically for weaknesses. This might suggest that open-source software should now be avoided. That would not be a wise move, because “security by obscurity” has never worked for long in all the decades that IT has been a topic.
According to Anthropic, the model is also capable of analyzing software for vulnerabilities even when the source code is not available. The argument “no open source code, no problem” is therefore invalid.


Impact of Mythos: Transformation of cybersecurity

concerning. What Mythos will bring about, however, is a shift in thinking across many areas of IT. But shifts in thinking and change are not unfamiliar to us. If I were to resort to a cliché, I would say: “The only constant is change.”

And these changes will extend across many domains. Developers of both open-source and commercial software will need to rethink their vulnerability reporting processes. Even now, many companies are struggling under a flood of hundreds of vulnerability reports, some of which provide no meaningful input at all: overzealous researchers unleash an LLM on a file with the instruction “search for vulnerabilities” and submit the results without careful review, even though their quality is naturally mixed and they contain many errors. Mythos may have the potential to deliver better results here, but the volume of expected vulnerability reports will remain an issue, even if, according to Anthropic, the most critical vulnerabilities are “always double-checked by a human” to avoid “overwhelming developers with an unmanageable flood of reports.”

Thus, AI techniques will increasingly need to be deployed in a supporting role to manage the flood of reports – and this requires personnel who are familiar with the technology.
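One cheap way to keep a report flood manageable before any human, or any AI assistant, reads a single report is a mechanical intake gate. The following is an added example, not code from the article, from Anthropic, or from any of the projects mentioned. It assumes a hypothetical intake format (a dict with `component`, `affected_version`, `reproducer`, `observed` and an optional `trace`), rejects reports that lack the fields a maintainer needs to reproduce anything, and collapses duplicates by hashing a normalised crash signature, so that many LLM-generated variants of the same bug become one ticket. The sample reports are constructed for the demonstration.

```python
"""Triage gate for incoming vulnerability reports (added example, hypothetical format)."""
import hashlib
import re
from dataclasses import dataclass, field

# Fields a report must carry before anyone spends time on it (assumed intake schema).
REQUIRED_FIELDS = ("component", "affected_version", "reproducer", "observed")

# Addresses and symbol offsets differ between runs of the same crash; strip them
# so that two traces of one bug produce the same signature.
_ADDR = re.compile(r"0x[0-9a-fA-F]+|\+\d+")


def crash_signature(trace: str, depth: int = 3) -> str:
    """Short hash over the top `depth` frames of a sanitizer/gdb-style trace."""
    frames = []
    for line in trace.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue
        # "#0 0x55d1a0 in parse_header http.c:142" -> "parse_header http.c:142"
        frame = _ADDR.sub("", line).split(" in ", 1)[-1].strip()
        frames.append(frame)
        if len(frames) == depth:
            break
    return hashlib.sha256("|".join(frames).encode()).hexdigest()[:16]


def dedupe_key(report: dict) -> str:
    """Crash reports dedupe on the trace; logic bugs on component + normalised claim."""
    if report.get("trace"):
        return crash_signature(report["trace"])
    claim = re.sub(r"\s+", " ", report["observed"].lower()).strip()
    return hashlib.sha256(f"{report['component']}:{claim}".encode()).hexdigest()[:16]


@dataclass
class TriageResult:
    accepted: list = field(default_factory=list)     # report ids for human review
    rejected: list = field(default_factory=list)     # (report id, reason)
    duplicates: list = field(default_factory=list)   # (report id, id it duplicates)


def triage(reports: list) -> TriageResult:
    result = TriageResult()
    seen = {}  # dedupe key -> first report id with that key
    for r in reports:
        rid = r["id"]
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            result.rejected.append((rid, "missing: " + ", ".join(missing)))
            continue
        key = dedupe_key(r)
        if key in seen:
            result.duplicates.append((rid, seen[key]))
            continue
        seen[key] = rid
        result.accepted.append(rid)
    return result


# Constructed sample submissions (not real reports). R1 and R2 are the same
# crash with different load addresses; R3 is an unreviewed LLM guess; R4 is a
# logic bug without a crash trace.
SAMPLE_REPORTS = [
    {"id": "R1", "component": "httpparse", "affected_version": "2.3.1",
     "reproducer": "python3 poc.py crash1.bin", "observed": "heap-buffer-overflow",
     "trace": "#0 0x55d1a0 in parse_header http.c:142\n"
              "#1 0x55d2b4 in parse_request http.c:88\n"
              "#2 0x55d300 in main main.c:20"},
    {"id": "R2", "component": "httpparse", "affected_version": "2.3.1",
     "reproducer": "python3 poc.py crash2.bin", "observed": "heap-buffer-overflow",
     "trace": "#0 0x7f3e10 in parse_header http.c:142\n"
              "#1 0x7f3f22 in parse_request http.c:88\n"
              "#2 0x7f4000 in main main.c:20"},
    {"id": "R3", "component": "httpparse", "affected_version": "",
     "reproducer": "", "observed": "possible overflow in parse_header", "trace": ""},
    {"id": "R4", "component": "auth", "affected_version": "2.3.1",
     "reproducer": "curl -H 'X-Token: A' http://localhost/admin",
     "observed": "token check bypass", "trace": ""},
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

The point of the gate is not to judge whether a bug is real (that still needs a human or a sandboxed reproduction run) but to ensure that what reaches the human is reproducible and not already in the queue.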

Software and penetration testing, as well as red team exercises, could become significantly faster in the future if experts no longer need to spend several days on a system but can identify one or more exploitable vulnerabilities within a few hours. Here, Mythos can indeed make a valuable contribution to cybersecurity.

Challenges: Threat from cybercriminals, remediation of vulnerabilities

However, I do not want to downplay the risks at this point. Even though Anthropic has assured that it does not intend to make Mythos publicly available, it is only a matter of time before competitors catch up. It would be very surprising if no one were currently attempting to replicate Mythos’ capabilities. Whether it takes six, eight, or perhaps just two months, attackers and cybercriminals will eventually have a tool with Mythos-like capabilities in their hands.

This is particularly interesting with regard to the software supply chain. If attackers equipped with the right tools succeed in gaining access to the infrastructures of software manufacturers, the potential for devastating attacks arises.

When we talk about software, we usually also talk about longevity. And here, Mythos could indeed lead to a massive problem. The real challenge is not that vulnerabilities are being found; that is actually welcome. But fixing them will become a massive undertaking, and not just because of the volume. Not every vulnerability in legacy software can be easily fixed: some may require modifying or even partially rewriting the application, particularly in software that is already “mature” and has been in use for a long time. And whether that effort is justifiable or feasible in an individual case is not always certain.

The majority of attacks currently target users, or rather user accounts. Identity and access management is therefore a central component in the fight against attacker groups. Compromised user accounts are in fact one of the most commonly used entry points in a cyberattack, and “assume the breach” has long been an established mantra. What applies to monitoring user activity must in future also be applied to the supply chain. That is where the real challenges lie: it is no longer about preventing a breach, but about containing its consequences.
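Monitoring user activity for a compromised account is, in its simplest form, a matter of correlating authentication events. The following is an added example, not code from the article or from any product named in it. It assumes a hypothetical plain-text log format (`<ISO timestamp> <user> <source_ip> <SUCCESS|FAIL>`) and flags two signals within a sliding window: password spraying (one source IP failing against many distinct accounts) and a likely takeover (a success for an account from an IP that had just produced repeated failures against it). The log lines are constructed for the demonstration.

```python
"""Account-takeover signals from authentication logs (added example, hypothetical log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spray from 203.0.113.9, a brute force followed by
# success against alice from 198.51.100.7, and a benign login by bob.
SAMPLE_LOG = """\
2026-04-17T08:00:01Z alice 203.0.113.9 FAIL
2026-04-17T08:00:02Z bob 203.0.113.9 FAIL
2026-04-17T08:00:03Z carol 203.0.113.9 FAIL
2026-04-17T08:00:04Z dave 203.0.113.9 FAIL
2026-04-17T08:00:05Z erin 203.0.113.9 FAIL
2026-04-17T08:00:06Z frank 203.0.113.9 FAIL
2026-04-17T08:01:00Z alice 198.51.100.7 FAIL
2026-04-17T08:01:05Z alice 198.51.100.7 FAIL
2026-04-17T08:01:09Z alice 198.51.100.7 SUCCESS
2026-04-17T08:30:00Z bob 192.0.2.44 SUCCESS
"""


def parse_line(line: str):
    """Return (timestamp, user, source ip, success) for one log line."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome == "SUCCESS"


def detect(log: str, window: timedelta = timedelta(minutes=10),
           spray_users: int = 5, takeover_fails: int = 2) -> dict:
    """Single pass over the log keeping only failures inside the sliding window."""
    fails_by_ip = defaultdict(list)      # ip -> [(ts, user)] recent failures
    fails_by_pair = defaultdict(list)    # (user, ip) -> [ts] recent failures
    spray, takeover = [], []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, user, ip, ok = parse_line(raw)
        if not ok:
            # Spray signal: count distinct accounts this IP failed against recently.
            fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
            fails_by_ip[ip].append((ts, user))
            if len({u for _, u in fails_by_ip[ip]}) >= spray_users and ip not in spray:
                spray.append(ip)
            fails_by_pair[(user, ip)] = [t for t in fails_by_pair[(user, ip)] if ts - t <= window]
            fails_by_pair[(user, ip)].append(ts)
            continue
        # Takeover signal: success right after repeated failures from the same IP.
        recent = [t for t in fails_by_pair[(user, ip)] if ts - t <= window]
        if len(recent) >= takeover_fails:
            takeover.append((user, ip))
        fails_by_pair[(user, ip)] = []   # a success resets the counter
    return {"spray": spray, "takeover": takeover}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A takeover alert of this kind is the point at which containment starts: the session is revoked and the account is forced through re-authentication rather than left to be investigated later.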

Cybersecurity means change

But as already stated: the infosec community is accustomed to upheaval and disruption. It will adapt, as it always has. And it will continue to advise everyone of what I can only reiterate:
Panic is a bad advisor.

Those who make security-critical decisions in a state of panic risk becoming what they were trying to combat: a myth.