Cyber Security

Taking the Myth out of Claude Mythos

The question is no longer whether you are secure; it’s how long you remain exposed after you know you are not.

This isn’t a Mythos story.

That’s the first thing to get clear, because with most of the current noise it’s difficult to get past this. Claude Mythos Preview (released 7th April) under the Glasswing project isn’t the real story. The real story is a problem that has been building for some time.

An evaluation by the UK AI Security Institute identified that Mythos had, for the first time, completed a full 32-step corporate network attack simulation end-to-end, from initial reconnaissance through to full network takeover. It is a milestone worth noting, because it compresses what used to be fragmented human pen testing and red teaming workflows into a single continuous chain.

The Institute’s most optimistic conclusion is also the weakest part of the analysis. They note they cannot confirm the model could compromise a well-defended network because the environment lacked active defenders, defensive tooling, and penalties for triggering alerts. There will be plenty of naysayers challenging the capability at this point; see past this and keep reading.

It identified a 27-year-old vulnerability in OpenBSD, which has had a reputation for being a hardened operating system in production use, plus many others, which are listed in the full analysis here. I’ve written about technology step changes previously; this isn’t just an incremental improvement in bug finding. It is a change in how discovery of vulnerabilities can operate. When a system bypasses both legacy tooling and hardened environments, the assumption that “defenders would catch it” requires more evidence than currently exists.

There is tremendous hype and we are tricked into treating Mythos as something entirely new, as if it introduces a different class of vulnerability or a fundamentally new attack surface. What’s really changed is the ability to operate with speed, persistence, and consistency that is very difficult to replicate manually.

It’s also worth noting that Mythos’s capabilities were not explicitly engineered by Anthropic. Anthropic’s own researchers note that the model was not trained to be an offensive security system. These behaviours emerge as a downstream effect of improvements in code understanding, reasoning, and autonomy. Intelligence applied to code does not distinguish between defence and offence; in this use case, it operates across both.

Could this impact the future of Claude Code Security for the software engineering community at large? I think it will; watch this space.

From a Mythos capability perspective the public evidence is uneven. The open-source results are backed by benchmarks and detailed case studies, which show a clear step change in difficult code auditing and exploit development. The closed-source and reverse engineering (fuzzing) claims are more limited in what can be independently assessed. This is the moment we pause on what was achieved, without access to additional data.

What is clear to me is that Mythos (and others, which I’ll come on to) have solved vulnerability discovery in full, in a space that was previously slower, more manual, and dependent on specialist skills. So, to be clear, this is not about discovering entirely new software vulnerabilities or weaknesses. It is about compressing the time and effort required to find and ‘chain’ together the ones that already exist.

The gap between discovery and exploitation is getting smaller. What used to be weeks or months is compressing into hours. Attack chains are no longer staged across teams and tools. They are continuous, adaptive, and increasingly autonomous. Lateral movement, privilege escalation, and objective completion are no longer constrained by the human condition.

This is not just a speed problem

This is where most responses I’ve seen drift into a familiar pattern. Move faster. Patch faster. Detect faster. The briefing released by the Cloud Security Alliance, SANS Institute, and the OWASP GenAI Security Project reflects that direction. It correctly identifies the need to point AI at your own systems and find vulnerabilities before attackers do. That is 100% necessary, but in my view it’s not enough.

Because this is not just a speed problem. It is a mismatch between the speed of our human-evolved security models and machine-speed adversaries. The industry is already feeling that tension. Every organisation wants autonomous defensive capability, but almost all of them keep it in observation mode. I’ve written about the rise of the agentic AI defender, and this very moment on the horizon.

The moment you allow systems to act, liability shifts. If an agent takes down production, accountability is immediate and personal. That is not a theoretical concern; it is already influencing operating decisions at the CISO level. So we could end up constrained, with systems that can identify risk at machine speed but are forced to wait for human approval to intervene.

The gap in the attack surface

Take a moment to reflect: if vulnerability discovery scales at ridiculous speeds, then volume stops being a meaningful metric. Counting CVEs and tracking patch velocity becomes increasingly disconnected from an organisation’s actual risk. That is notwithstanding what this will do to the fragile CVE / CWE reporting platforms, already squeezed for funding and with political support uncertain. What is exploitable, what expands the blast radius, and what is reachable in production will become the key questions that matter.

Most security programmes, particularly those built out of compliance and regulatory framework necessity, are not built to answer those questions quickly. They are built to find problems; very few are built to close them within a specific timeframe. That distinction used to be manageable because there was time between discovery and exploitation. That time buffer is now closing in on us. In a world where time to exploit approaches zero, delay is no longer operationally acceptable.

There is also an economic shift and commercial impact underneath this. What was once resource constrained is becoming accessible. The cost of finding and operationalising critical vulnerabilities is dropping to a level that expands the pool of capable actors. This is no longer limited to highly resourced teams, or left to your boutique or accredited pen testing and red team engagements. The barrier to entry is lowering, which is a good thing, while the AI skills competence to harness and govern these tools remains a gap in most organisations. This is where the Mythos conversation needs to be grounded in my view, not necessarily in the hype behind zero days, and not in capability FUD theatre.

The uncomfortable reality is that most breaches do not require any of this. Recent incidents, exacerbated by overly optimistic trust in our supply chains, have shown that credential abuse, misconfigurations, social engineering, and basic access failures remain sufficient. The front door is still open in most environments, with many organisations yet to address key cyber hygiene factors. The UK Government sent an open letter to industry business leaders this week acknowledging the same. AI does not need to invent new attack paths if existing ones remain unaddressed. It just needs to move through them faster and more completely than before.

Advanced chaining of vulnerabilities

What changes with systems like Mythos is not the existence of vulnerabilities. It is the ability to silently chain them. That’s the real step-change.

Individually, many of these weaknesses are known, accepted, or deprioritised. Linked together into a continuous attack sequence, they become operational pathways that can be executed at speed and at scale. Currently, in a non-AI-enabled SOC (AISOC), that’s where defenders will start to lose control, not because they lack awareness or, in many cases, skill, but because they cannot intervene fast enough.

There is a tendency to frame this as a race: attackers faster, defenders faster, everything accelerating. I’m not sure this is helpful to a community already under pressure and at daily risk of burnout, outside of those taking advantage commercially of the status quo. The better question is whether execution itself should be unconstrained. If non-deterministic systems are allowed to discover, decide, and act without a governing layer, then this is unwinnable. Not because defenders are too slow, or they don’t have the tools, but because the system permits outcomes faster than it can validate them.

This is where OpenAI enters the picture, not as a like-for-like competitor to Mythos, but as a response to the same underlying shift. Trusted Access for Cyber is not about matching capability in my view. It is about controlling exposure. It assumes that advanced models will continue to evolve, and that the primary control point moves upstream to identity, access, and governance. For that matter, I believe that identity is your new perimeter (one for another article).

The missing layer isn’t just detection or access control; it’s pre-execution governance: the ability to determine whether an action should be allowed to execute in a given system state before it happens. Discovery at machine speed without authorisation at machine speed creates a new class of risk that existing models do not account for. This is the part many organisations are not yet structured to handle. They can see the problem, but are not set up to intervene, and if you can’t intervene in time, you don’t have control.

This also forces a more uncomfortable question. How do you know you haven’t already been compromised, and, when you are, what actually needs to survive? Not the full enterprise, not every system, but the minimum viable business. The functions that must remain operational for the organisation to continue to trade. In an environment where you cannot protect everything simultaneously, getting this right matters. You should prioritise what cannot fail, harden it first, and design around the assumption that everything else is exposed.

The priority now is exposure time

Most organisations will default to doing the same things faster. Patch faster, monitor more, attempt to tighten access. That’s necessary yes, but it doesn’t solve the underlying problem. Those controls assume time exists between discovery and exploitation, and that assumption is no longer true.

You must determine what is exploitable, what is reachable, and what materially expands your blast radius. These attack chains don’t target systems in isolation, they can exploit the relationships between them. If you haven’t mapped those dependencies, you don’t understand your blast radius.
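One way to turn the three questions above into a ranking, as an added example that is not part of the original article. The asset names, edges, findings and the choice of `internet` as the entry point are all constructed for illustration.

```python
from collections import deque

# Constructed sample estate: an edge A -> B means "A can reach or has access to B".
EDGES = {
    "internet": ["web-frontend", "vpn-gateway"],
    "web-frontend": ["api-service"],
    "api-service": ["orders-db", "build-runner"],
    "vpn-gateway": ["jump-host"],
    "jump-host": ["build-runner"],
    "build-runner": ["artifact-store"],
    "hr-portal": ["hr-db"],  # internal only: no path from the internet
}
CRITICAL = {"orders-db", "artifact-store", "hr-db"}  # assumed "cannot fail" assets

# Constructed findings: (finding id, affected asset, exploit known to work?)
FINDINGS = [
    ("F-1", "hr-portal", True),
    ("F-2", "api-service", True),
    ("F-3", "jump-host", False),
    ("F-4", "build-runner", True),
]

def reachable_from(start, edges):
    """Breadth-first search: every asset an actor on `start` can move on to."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def prioritise(findings, edges, critical, entry="internet"):
    """Rank findings: exploitable-and-reachable first, then by blast radius."""
    exposed = reachable_from(entry, edges)
    ranked = []
    for fid, asset, exploitable in findings:
        blast = reachable_from(asset, edges) | {asset}
        ranked.append({
            "id": fid,
            "reachable": asset in exposed,
            "exploitable": exploitable,
            "critical_in_blast_radius": sorted(blast & critical),
        })
    ranked.sort(key=lambda r: (r["reachable"] and r["exploitable"], r["reachable"],
                               len(r["critical_in_blast_radius"])), reverse=True)
    return ranked

if __name__ == "__main__":
    for row in prioritise(FINDINGS, EDGES, CRITICAL):
        print(row)
```

The exploitable finding on `hr-portal` ranks last because nothing connects it to the entry point, while the one on `api-service` ranks first because two critical assets sit downstream of it.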

You cannot defend against what is already known when discovery itself is expanding. That means understanding your own codebase, legacy technical debt, your hidden dependencies, and unexamined paths. Offensive AI systems will not assume something has been checked; they will check everything. The barrier to critical OT/ICS system vulnerability exploitation will also be breached, especially those with opaque but tenuous IT system interoperability.

Patching, where possible, becomes a time-bound decision, not a hygiene task. Detection without immediate response becomes delayed awareness. And access control defines how far an attack chain can move once it starts. This is where most organisations fail. Not in seeing the problem, but in acting on it.

The constraint isn’t technical, it’s governance.

Defensive AI is often kept in observation mode because no one is willing to let it act. The result is systems that can identify risk at machine speed, but are forced to wait for human approval to intervene. That gap is now part of the attack surface. Closing the gap requires a shift: not just a faster response, but controlled autonomy. The ability to define when action is allowed, under what conditions, and with what safeguard controls.

If vulnerabilities become more abundant, reducing attack surface matters more than dashboards and processing findings. The organisations that survive this wave will not be the ones that patch everything fastest, but the ones that are harder to break to begin with. Resilience will not be measured by how much you find, but by how little an attacker can do once they do. Because in the time it takes to escalate, triage, and align internally, an AI system has already moved from discovery to exploitation and into your environment.
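A sketch of what pre-execution governance and controlled autonomy can look like as a gate in front of a defensive agent, added here as an example and not taken from the article or any product. The action kinds, thresholds and asset names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    kind: str          # what the agent wants to do, e.g. "isolate_host"
    target: str        # asset the action would touch
    reversible: bool   # can it be undone without data loss?
    confidence: float  # agent's detection confidence, 0..1

@dataclass(frozen=True)
class SystemState:
    critical_assets: frozenset  # the "minimum viable business" systems
    change_freeze: bool         # is a production change freeze in effect?
    actions_last_hour: int      # autonomous actions already executed

# Hypothetical delegation policy, chosen for illustration only.
AUTONOMOUS_KINDS = {"isolate_host", "block_ip", "disable_account"}
MIN_CONFIDENCE = 0.9
MAX_ACTIONS_PER_HOUR = 5

def authorise(action, state):
    """Decide before execution. Returns (decision, reason) where decision is
    'allow' (act now), 'escalate' (human approval) or 'deny' (never delegated)."""
    if action.kind not in AUTONOMOUS_KINDS:
        return "deny", "action type not delegated to the agent"
    if state.actions_last_hour >= MAX_ACTIONS_PER_HOUR:
        return "escalate", "hourly action budget exhausted"
    if action.target in state.critical_assets:
        return "escalate", "target is business-critical"
    if not action.reversible:
        return "escalate", "irreversible action"
    if state.change_freeze:
        return "escalate", "change freeze in effect"
    if action.confidence < MIN_CONFIDENCE:
        return "escalate", "confidence below threshold"
    return "allow", "within delegated authority"

if __name__ == "__main__":
    state = SystemState(frozenset({"orders-db"}), change_freeze=False, actions_last_hour=1)
    for act in (Action("isolate_host", "laptop-114", True, 0.97),
                Action("isolate_host", "orders-db", True, 0.99),
                Action("delete_mailbox", "user-22", False, 0.99)):
        print(act.kind, act.target, authorise(act, state))
```

The agent acts at machine speed only inside the delegated envelope; everything else is routed to a human or refused, and each decision carries a reason that can be logged.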

This is where we are now. The question is no longer whether you are secure; it’s how long you remain exposed after you know you are not.

This article was originally posted on the Security Effects blog.
