
Claude Mythos: What CISOs Should Know

When AI firm Anthropic launched Project Glasswing and Claude Mythos Preview, along with the claim that the model is so powerful it cannot be released to the public, many experts were cynical.

Anthropic’s claims were clear: Claude Mythos is able to find multiple hidden vulnerabilities rapidly, potentially transforming the way patches are done in the future. But the frontier AI model could also be used by adversaries to find and exploit bugs more quickly than patches can be applied. 

Is Claude Mythos Preview as powerful as the hype suggests, and what does the arrival of the model, and others like it, mean for CISOs?


Solid Hype

The hype around the frontier AI model is “real and solid,” with “some very clear caveats,” says Dr Oliver Farnan, head of research at Reliance Cyber. “The company has built a powerful model and decided not to sell it. It could be an abundance of caution, or a very clever sale technique.”

He points out that the forthcoming launch of ChatGPT 5.5 appears to be adopting the same approach, with the AI Safety Institute reporting that it “reaches a similar level of performance” on its cyber evaluations.

According to Anthropic’s announcement, Claude Mythos boasts some impressive capabilities.

The model identified an OpenBSD flaw that had remained hidden for 27 years.

While the model’s full real-world performance is still unclear, the details published suggest its advanced reasoning capabilities allow it to interpret system logic without specific cybersecurity training, says Vivien Mura, global CTO, Orange Cyberdefense. “The level of attention around Mythos reflects how quickly AI is beginning to move into areas traditionally handled by human security specialists, rather than definitive proof of impact at scale.”


Vulnerability Discovery And Exploitation

Experts say the arrival of Claude Mythos Preview will have a major impact on vulnerability discovery and exploitation. Indeed, if vulnerabilities can be found at speed, patches will need to be applied just as quickly.

The patch burden is likely to become far more challenging for IT and security teams, says Dr Farnan. “If AI can find vulnerabilities faster, vendors will ship fixes more quickly, and organisations will have to work out what matters, what is exposed, and what can safely be patched now.”

That may push some organisations towards continuous automated patch deployment, but this only works if they properly understand their own infrastructure, he points out.

What Mythos really changes is speed, agrees Rob T. Lee, chief AI officer and head of research, SANS Institute. “These frontier AI models can find vulnerabilities at a scale and pace we simply haven’t dealt with before – in some cases close to 100 times faster than what previous models were able to do in terms of code enumeration.”

A crucial point for security teams is that patching itself has become a double-edged sword, says Lee. “As soon as a patch is released, it can be reversed and analysed, often becoming an exploit blueprint itself. This shortens the window organisations and customers have to deploy fixes, while increasing pressure on teams to discover and understand vulnerabilities before patches ship."


AI Developments 

Now Mythos has appeared, with ChatGPT 5.5 close behind it, expect more frontier AI models with the ability to solve security woes. Mythos is a milestone, but it is not an isolated phenomenon, says Orange Cyberdefense’s Mura. “In the coming months, we can anticipate the emergence of competing models, potentially open-source, that meet or exceed Mythos's capabilities.”

If the safeguards on such models are bypassed for malicious use, Mura predicts this could “sharply escalate the threat landscape,” enabling attackers to “industrialise sophisticated, automated hacking processes that require little human effort.”

Rik Ferguson, VP of security intelligence at Forescout, sees Claude Mythos as “an early visible sign of the direction of travel.”

“These capabilities will improve, spread, and become harder to contain inside restricted programmes or elite hands,” Ferguson warns. “The industry needs a mindset shift, not just another round of tactical adaptation.”


Visibility 

As models such as Claude Mythos emerge, it’s important that CISOs ensure complete visibility of their environments.

If your organisation does not know what it has, where it is exposed, what depends on what, or how to contain damage quickly, that weakness becomes more serious in a machine-speed threat environment, says Ferguson. “This will put more pressure on vulnerability management, software supply chain assurance, and operational resilience.”

The firms that cope best will be the ones with “the clearest visibility, the strongest architectural discipline, and the most realistic understanding that prevention alone is no longer enough,” says Ferguson.

From now onwards, UK companies are going to have to do some “very boring but necessary work,” according to Dr Farnan: “Asset management, configuration management and network segmentation are going to be key components. For example, if a host with a network-facing service is vulnerable but it isn't exposed to the ability for immediate attack, the risk is clearly lowered. However, if attackers find the path to the vulnerability by changing, say, firewall configurations between them and the system – then all bets are off.”
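Farnan's point about exposure and configuration drift, as an added Python example that is not from the article or from any of the firms quoted: a constructed asset inventory and firewall rule set are used to rank unpatched services by reachability and blast radius, and to flag a vulnerable service that a rule change has newly exposed. Host names, zones and rules are invented.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    zone: str                          # network segment the host lives in
    vulnerable_services: list          # (service, port) pairs awaiting a patch
    depended_on_by: list = field(default_factory=list)  # systems that rely on it

def reachable(rules, src_zone, host, port):
    """True if the rule set allows traffic from src_zone to host's zone on port."""
    return (src_zone, host.zone, port) in rules

def patch_priority(hosts, rules, attacker_zone="internet"):
    """Order vulnerable services: reachable from the attacker zone first,
    then by how many other systems depend on the host (blast radius)."""
    rows = []
    for h in hosts:
        for svc, port in h.vulnerable_services:
            exposed = reachable(rules, attacker_zone, h, port)
            rows.append((h.name, svc, port, exposed, len(h.depended_on_by)))
    return sorted(rows, key=lambda r: (r[3], r[4]), reverse=True)

def exposure_drift(hosts, baseline_rules, current_rules, attacker_zone="internet"):
    """Vulnerable services that were shielded under the baseline rules but are
    reachable now: the 'someone changed the firewall' case Farnan describes."""
    newly = []
    for h in hosts:
        for svc, port in h.vulnerable_services:
            before = reachable(baseline_rules, attacker_zone, h, port)
            after = reachable(current_rules, attacker_zone, h, port)
            if after and not before:
                newly.append((h.name, svc, port))
    return newly

# Constructed sample inventory and rule sets (hypothetical, not real systems).
HOSTS = [
    Host("web01", "dmz", [("https", 443)], ["customer-portal"]),
    Host("db01", "internal", [("postgres", 5432)], ["app01", "web01"]),
    Host("jump01", "mgmt", [("ssh", 22)]),
]
BASELINE_RULES = {("internet", "dmz", 443), ("dmz", "internal", 5432)}
# Same rules plus one change that opens the database segment to the internet.
CURRENT_RULES = BASELINE_RULES | {("internet", "internal", 5432)}

if __name__ == "__main__":
    for name, svc, port, exposed, deps in patch_priority(HOSTS, BASELINE_RULES):
        state = "EXPOSED" if exposed else "shielded"
        print(f"{name:7} {svc}/{port:<5} {state:8} blast_radius={deps}")
    print("newly exposed since baseline:", exposure_drift(HOSTS, BASELINE_RULES, CURRENT_RULES))
```

The same rule-set diff run against each change to the firewall configuration turns Farnan's "all bets are off" scenario into an alert rather than a surprise.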

Experts also advise fighting fire with fire, ensuring you are up to date with the latest technology. As AI is increasingly used in security, including powerful models such as Claude Mythos, one of the most important steps organisations can take immediately is improving their ability to find vulnerabilities in their own code before attackers, says Lee. “That means building up a dedicated vulnerability operations component to your security teams, rather than an afterthought.”

He thinks AI has to be a mandated part of this effort. “If it isn’t already embedded in day to day security work, organisations will struggle to use it effectively for vulnerability discovery.”


Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist