in-depth: Anthropic’s Mythos Will Force a Cybersecurity

Anthropic announced this week the debut of its new Claude Mythos Preview model, a development it claims marks an unprecedented existential threat to existing software defense strategies and a critical juncture for cybersecurity. The company asserts Mythos Preview possesses the capabilities to autonomously discover vulnerabilities in virtually any operating system, browser, or software product, and subsequently develop working exploits for hacking.

To manage this perceived risk, Anthropic is initially releasing the model to a select group of organizations, including Microsoft, Apple, Google, and the Linux Foundation, as part of a consortium named Project Glasswing. This move has ignited widespread debate about whether a true cybersecurity reckoning has arrived and what its practical implications might be.

A New Era of Exploitation

While some experts remain skeptical, arguing that existing AI agents already facilitate vulnerability discovery and exploitation without fundamentally altering the paradigm, others concur with Anthropic's assessment. Alex Zenla, CTO of cloud security firm Edera, acknowledged initial skepticism but stated, “I do fundamentally feel like this is a real threat.”

Specifically, researchers point to Mythos Preview’s advanced ability to identify and develop “exploit chains.” These are sequences of vulnerabilities that can be exploited in combination to deeply compromise a target, akin to Rube Goldberg machines for hacking. Such sophisticated techniques, including zero-click attacks, are highly prized by advanced threat actors. Longtime security engineer Niels Provos noted that while companies still struggle with vulnerable software, Mythos's proficiency in creating multistage vulnerabilities and providing proof of exploitation significantly lowers the skill barrier for attackers.

Project Glasswing: A Head Start for Defenders

Anthropic's decision to restrict Mythos Preview's initial release to Project Glasswing participants aims to provide defenders with a crucial lead time. This allows them to use the model to uncover weaknesses in their own systems and begin to adapt software development, update cycles, and patch adoption strategies before such powerful capabilities become widely accessible to malicious actors.

Logan Graham, Anthropic’s frontier red team lead, told WIRED that initial outreach to organizations for Project Glasswing saw conversations quickly converging on the obvious threat. “It's really important that Mythos Preview gets in the hands of defenders to give a head start,” Graham emphasized.

Industry and Government Take Note

The potential impact of models like Mythos Preview extends beyond the tech sector. Bloomberg reported that US Treasury secretary Scott Bessent and Federal Reserve chair Jerome Powell recently convened a meeting with finance sector leaders in Washington, D.C., to discuss the cybersecurity implications.

Jeetu Patel, President and Chief Product Officer of Cisco, a Project Glasswing member, characterized Mythos Preview as “a very, very big deal.” He highlighted the need for machine-scale defenses against potential machine-scale attacks. “What Anthropic did here is a fantastic thing, because it just creates a level of asymmetry against the bad actors,” Patel said.

Shifting the Paradigm: From Defense to Design

Despite the alarm, some, like security consultant Davi Ottenheimer, view the frenzy as an overblown part of the AI hype cycle, describing it as a mere “shift, like learning how to fight with machine guns when others are still using bolt-action rifles, but it’s not magical and mystical.” However, others argue that specific advances, even if incremental, are crucial opportunities to raise awareness and instigate necessary mentality shifts across industries.

The real reckoning, Anthropic suggests, is not an end to cybersecurity but a fundamental re-evaluation of its mission. Jen Easterly, former CISA director, wrote that the moment offers an opportunity to move “beyond endlessly defending against flawed software and toward building technology that is more secure from the start.” This represents a shift from a reactive posture of patching vulnerabilities to a proactive “secure by design” approach.

Edera's Zenla likens Mythos Preview not to an immediate revolution but to a step towards the “infinite monkeys at infinite typewriters” scenario for security. “Mythos and models like it will accelerate the pace at which attackers will be able to group vulnerabilities into sets that can work together,” she explained. “Some people are going to be grumpy about it for a long time, but I do think the dynamic has shifted.”

FAQ

Q: What is Anthropic’s Claude Mythos Preview model? A: Mythos Preview is a new generative AI model from Anthropic that the company claims can autonomously discover vulnerabilities in virtually any software system and develop working exploits for hacking. It is particularly adept at creating complex “exploit chains.”

Q: Why is Mythos Preview considered a significant cybersecurity threat? A: Its ability to autonomously find and chain multiple vulnerabilities, including those leading to zero-click attacks, lowers the skill barrier for attackers and significantly increases the pace and sophistication of potential threats. This capability is seen as an unprecedented challenge to current defense strategies.

Q: What is Project Glasswing? A: Project Glasswing is a consortium of a few dozen organizations, including major tech companies like Microsoft and Apple, to whom Mythos Preview is being exclusively released. The goal is to give these key defenders a “head start” to use the model to find weaknesses in their own systems and prepare for the broader implications before such AI capabilities become widespread.