Is Mythos a Cybersecurity Tipping Point or Just a Great Piece of Marketing?
- Phil Muncaster

- May 26
- 4 min read
AI giveth and it taketh away. On the one hand it is single-handedly decimating the revenue model on which many journalists (and their employers) depend. But before it takes our jobs, it’s providing endless opportunities for news, features and commentary. No story has been more prominent in cyber than the impact of Mythos Preview on the future of security.
The received narrative is that it represents a “tipping point/paradigm shift/watershed moment”: a model so powerful that it will dramatically escalate threats and revolutionise defences. But is it really going to change the game? Many cybersecurity leaders I’ve spoken to are remarkably sanguine about the prospect.
The case for Mythos
Model maker Anthropic claims Mythos is “strikingly capable” of finding zero-day vulnerabilities (flaws unknown to the vendor, and therefore unpatched) in products, including every major OS and web browser, and of weaponising them in chained exploits to achieve full system takeover. Anthropic says these capabilities are powerful enough that it is not releasing the model to the general public. That’s partly because of the massive operational cost of hosting Mythos, but also because it wants to give the vendor community time to patch its products.
This is where the marketing genius of Mythos kicks in. Anthropic has always sought to portray itself as a responsible AI developer – as opposed to OpenAI or xAI. By positioning Mythos as too dangerous to release, it’s able to cement this reputation, while building hype and demand. This is where the other pillar of the strategy comes in: Project Glasswing.
Those who have paid handsomely to be a part of this initiative get access to Mythos to make their products more secure. And carve out competitive advantage. After all, if they don’t, these businesses may fall behind rivals as their products are hacked and customers suffer serious security breaches. It’s the ultimate expression of the old fear, uncertainty and doubt (FUD) tactic so beloved of cybersecurity vendor marketers. Reports that older AI models can find many of the same vulnerabilities as Mythos only add to the sense of marketing’s heavy hand in the project.
Anthropic CEO Dario Amodei has certainly done nothing to counter this narrative. In fact, he recently ramped up the rhetoric, warning that Chinese AI models are only around 6-12 months behind Mythos. That means there’s not much time left for vendors to patch. And in the meantime, rivals are introducing their own offerings: ChatGPT-5.5 is optimised for security-related tasks and has also been released to a limited number of customers only.
Best practice never goes out of style
Even if we take Anthropic at its word, there are some important caveats to the doomsday scenario narrative. Yes, as more companies use these models to find faults in their products, more patches will need to be deployed by customers. The UK’s National Cyber Security Centre (NCSC) recently warned of an AI-fuelled “vulnerability patch wave” that’s set to crash over the nation’s businesses.
Yet once this initial surge is over, things should settle down a little. Products will be safer and less exploitable, as long as customers keep them updated. And developers will build AI into their pipelines, to make software more secure by default. The backlog of latent vulnerabilities in existing code is finite, even if new code keeps adding to it, so there is a limit to how many of them these machines can keep finding.
Defenders should ultimately benefit more than attackers.
Security teams can also prosper by doubling down on existing best practices to accelerate patching and mitigate the impact of zero-day exploits. The NCSC urges organisations to switch on automatic updates and hot patches, and to adopt risk-based prioritisation of security updates (ranking by evidence of active exploitation and by exposure, rather than by severity score alone). Accurate asset inventories, robust access controls, secure configuration and comprehensive logging will also help, it says.
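As an added example (not code from the article, from Anthropic or from the NCSC), here is one way to turn the NCSC’s “risk-based prioritisation” into a queue that an automated patch-management job could consume. The scoring weights, the field names and the sample inventory are assumptions made for illustration, and the vulnerability identifiers are constructed placeholders rather than real CVEs. The point it makes is the one the guidance implies: exploitation evidence and exposure outrank raw severity when deciding what to patch first, anything that has sat open for more than a year jumps the queue, and end-of-life software with no patch coming gets an isolation action rather than lingering in the backlog.

```python
"""Risk-based patch prioritisation over a small asset inventory.

Added example, not from the article, Anthropic or the NCSC. The weights,
field names and sample data are assumptions; the vulnerability IDs are
constructed placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    criticality: int          # 1 (low) .. 3 (high), from the asset inventory
    end_of_life: bool         # vendor no longer ships patches for it


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed placeholder, not a real CVE
    asset: Asset
    cvss: float               # 0.0 .. 10.0 severity score
    known_exploited: bool     # evidence of exploitation in the wild
    exploit_likelihood: float # 0.0 .. 1.0 estimate (assumed EPSS-style input)
    patch_available: bool
    days_open: int            # days since the vulnerability was published


@dataclass(frozen=True)
class Ticket:
    vuln_id: str
    asset: str
    score: float
    action: str


def risk_score(f: Finding) -> float:
    """Higher means patch sooner.

    Severity alone is a poor queue key: a CVSS 9.8 on an isolated host
    with no known exploit matters less than a CVSS 7.5 being exploited
    on an internet-facing one. So exploitation evidence and exposure
    dominate and CVSS only breaks ties.
    """
    score = f.cvss / 10.0                  # 0..1 baseline from severity
    score += 2.0 * f.exploit_likelihood    # likelihood weighs twice severity
    if f.known_exploited:
        score += 3.0                       # confirmed exploitation trumps everything
    if f.asset.internet_exposed:
        score *= 1.5                       # exposure multiplies the rest
    score *= f.asset.criticality           # business impact of compromise
    return round(score, 3)


def recommended_action(f: Finding, max_age_days: int = 365) -> str:
    """Map a finding to the action a patch-management job should take."""
    if not f.patch_available:
        if f.asset.end_of_life:
            return "isolate or replace (end-of-life, no patch will come)"
        return "mitigate (no patch yet: config hardening, access control)"
    if f.known_exploited:
        return "patch now (exploited in the wild)"
    if f.days_open > max_age_days:
        return "patch now (open for over a year)"
    return "schedule in next maintenance window"


def prioritise(findings: List[Finding]) -> List[Ticket]:
    """Return the queue, highest risk first."""
    tickets = [
        Ticket(f.vuln_id, f.asset.name, risk_score(f), recommended_action(f))
        for f in findings
    ]
    return sorted(tickets, key=lambda t: t.score, reverse=True)


# Constructed sample inventory and findings (not real systems or CVEs).
WEB_GATEWAY = Asset("web-gateway", internet_exposed=True, criticality=3, end_of_life=False)
HR_DB = Asset("hr-db", internet_exposed=False, criticality=3, end_of_life=False)
LEGACY_KIOSK = Asset("legacy-kiosk", internet_exposed=False, criticality=1, end_of_life=True)
BUILD_SERVER = Asset("build-server", internet_exposed=False, criticality=2, end_of_life=False)

SAMPLE_FINDINGS = [
    Finding("VULN-A", WEB_GATEWAY, 7.5, True, 0.90, True, 20),    # lower CVSS, but exploited
    Finding("VULN-B", HR_DB, 9.8, False, 0.05, True, 400),         # critical CVSS, stale
    Finding("VULN-C", LEGACY_KIOSK, 8.1, False, 0.30, False, 90),  # EOL, nothing to patch
    Finding("VULN-D", BUILD_SERVER, 6.5, False, 0.02, True, 10),   # routine
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_FINDINGS):
        print(f"{t.score:7.3f}  {t.vuln_id:8s} {t.asset:14s} {t.action}")
```

Run as a script it prints the queue; VULN-A (CVSS 7.5, exploited, internet-facing) lands at the top ahead of the CVSS 9.8 finding on the internal database, which is exactly the reordering that “risk-based” rather than “severity-based” prioritisation is meant to produce. Swap the constructed inventory for a feed from your real asset register and exploitation-intelligence source and the same function becomes the input to an automated patch job.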
We must remember that the flaws Mythos and models like it find are not new categories of vulnerabilities. Best-practice defence in depth still works. Even the UK’s AI Security Institute (AISI), after testing it, said it is still unclear whether Mythos Preview “would be able to attack well-defended systems”.
Fancy another Y2K?
So is Mythos a genuine technology tipping point or just a great bit of marketing? Annoyingly for headline writers, the truth is most likely somewhere in between. Mythos and models like it represent a step-change in bug-finding capability. And as vendors use it to tackle the technical debt that has accumulated in their products over time, the patch deluge for customers will be very real.
But security teams can get through this. By automating as much of patch management as possible, there’s a way forward. It will take a Y2K-level effort, but it’s possible.
After that, it’s down to individual organisations. Mythos isn’t doing anything new. It’s accelerating and amplifying risks already present in the cybersecurity landscape. The cat-and-mouse game between network defenders and their adversaries will continue, but with higher stakes.
Around half of discovered vulnerabilities remain unpatched a year after being published. That will need to change in a post-Mythos world where AI and automation make it easy for low-skilled hackers to find and exploit exposed systems. End-of-life software, which will never receive those patches, will need stronger compensating controls around it.
For CISOs, the benefit of Anthropic’s hype machine is that the story has cut through to the boardroom. Now is the time to capitalise on that awareness, and secure investment for strategic, defensive AI tools, code-review solutions and automated patch management.
Anthropic is a business burning through cash, and one doing everything it can to inflate its valuation ahead of a likely IPO. So we should approach its proclamations with a little scepticism. But that doesn’t mean it’s steady as she goes. In many organisations, cybersecurity needs to change. Maybe this is the shove it needs.