Early fears that Anthropic’s new AI model, Mythos, could dramatically turbocharge hacking are looking overstated a month after its release.
The company warned at launch in April that Mythos had uncovered thousands of software vulnerabilities — including flaws across every major operating system and browser — and said the fallout from its spread could be severe.
Governments took notice. Officials in multiple countries huddled with banks to assess risks, and by early May the White House was weighing rules to control how new models are released after safety testing.
But inside the cybersecurity world, the reaction has been more measured — with some saying the broader response has been overblown, and that access to a Mythos-level large language model will not immediately enable hacking operations previously out of reach for bad actors.
“I think there’s a really big communication gap between practitioners and policymakers,” said Isaac Evans, founder and CEO of software security firm Semgrep. The model represents “a real technical advance”, he said, but the response “is not substantiated by what we actually know about how those capabilities will translate in the field”.
Looming crisis?
To be sure, experts who have used the model in controlled environments have reported substantial improvement in vulnerability discovery, and banking industry IT staffs are working to fix scores of system weaknesses in large and small bank technology stacks.
The worry has been heightened further by continued revelations of criminal and state-linked hacking cases involving AI, including Google’s announcement on 11 May that it had detected the first-ever case of a major cybercrime group using AI to discover a previously unknown software flaw and planning a mass exploitation event.
Read: Anthropic to brief financial regulators on Mythos AI risk
The gap between the extent of the threat seen by security professionals and that seen by policymakers has fuelled a narrative that puts Mythos at the centre of a looming security crisis — even as comparable capabilities have been available for some time.
“We’ve been able to use AI to find more bugs than we know what to do with for months if not years,” said one person with extensive vulnerability research experience with early access to Mythos. The challenge is not finding vulnerabilities, they said, but validating, prioritising and fixing them without breaking systems.
Organisations’ ability to process and validate a flood of newly discovered vulnerabilities is generally not where it needs to be, the person said, and that is the bigger challenge introduced by Mythos-level models, even as they acknowledged that the model is an improvement.
“It is capable of finding more with a weaker prompt than the models that came before it,” the person said, referring to the instructions a user provides the model to attempt to achieve a goal. Existing models required more detailed and complicated instructions, the person said, meaning the barrier to entry has been lowered.
Read: Mythos forces South African banks onto high alert
Anthony Grieco, senior vice president and chief security and trust officer at Cisco, said one new and helpful aspect of Mythos is its ability not only to identify vulnerabilities, but to scan much faster vast amounts of code for those vulnerabilities and help experienced practitioners lower the rate of false positives. This, he said, allows defenders to focus on the most pressing cyber risks in their contexts. The model also has fewer guardrails than previous models, allowing users to craft more specific instructions that enable activities that previous models would not.
Grieco said to fully maximise the power of Mythos, organisations need both proper computing power as well as a rigorous harness, a term used to describe the computer environment within an organisation where a large language model runs with specific instructions and limitations.
“If you have a Formula 1 car but you’ve only ever driven a bike, you might be able to get it to go straight,” Grieco said. “But you’re not going to maximise the track time out of the gate.”
Even so, Anthropic’s framing — and its decision to invite select firms to test defences under a programme dubbed Project Glasswing — helped push the conversation about the model well beyond typical security circles. The result: an all-hands-on-deck response that amplified both the perceived threat and the company’s stature, even as the Pentagon labelled Anthropic a supply-chain risk while other parts of the government clamoured for access.
Barriers
For now, Mythos’s scale and computing and infrastructure demands also limit who can use it. But those barriers are unlikely to last.
“I don’t think the architecture is optimised,” said Nick Adam of financial services company State Street during a panel discussion at Vanderbilt University. He pointed to the computer processing infrastructure and harness issue identified by Grieco. “There’s a barrier to entry there — but it will be solved pretty quickly.” — AJ Vicens, (c) 2026 Reuters
Get breaking news from TechCentral on WhatsApp. Sign up here.
