Is Your Business Ready for the Claude Mythos Moment?

AI is changing cyber security faster than most organisations are prepared for

TL;DR: Claude Mythos Preview, Anthropic's most capable AI model, can autonomously find and exploit vulnerabilities across all major operating systems and browsers. CyberOne's AI Attack Readiness Assessment helps organisations understand what an AI-assisted attacker would find in their environment before they do.

For years, security leaders have warned that AI would fundamentally change the threat landscape. That moment has now arrived and it has a name: Anthropic's Claude Mythos.

Anthropic's Claude Mythos Preview is a general-purpose language model that performs strikingly well at computer security tasks. In response to its capabilities, Anthropic has launched Project Glasswing, an effort to use Mythos Preview to help secure the world's most critical software and to prepare the industry for the practices that will be needed to stay ahead of cyber attackers.

The results of that effort are significant, the Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities, bugs that were not previously known to exist, in every major operating system and every major web browser. In one example, engineers at Anthropic with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight and woke up the following morning to a complete, working exploit.

This is not a future threat. It is happening now.

The New Reality: Attackers Will Move Faster

AI-assisted cyber capability changes the economics and speed of attack.

That does not mean every attacker suddenly has access to frontier tools like Mythos but they will, with Anthropic's CEO Dario Amodei warning that there is a 6-12 month window to patch tens of thousands of software vulnerabilities uncovered by the company’s Mythos model before other AI solutions such as DeepSeek catch up.

The gap between vulnerability discovery and exploitation is shrinking. AI-assisted attackers do not need to start with highly sophisticated zero-days, they will often start with the basics. AI makes it easier to find and prioritise these weaknesses at speed. That is why organisations need to look at their environment through the eyes of an AI-assisted attacker.

What Claude Mythos Preview & Project Glasswing Actually Mean

Claude Mythos Preview is Anthropic's most capable AI model. It is not yet publicly available. Anthropic has released it initially to a limited group of critical industry partners and open source developers through Project Glasswing, with the aim of enabling defenders to begin securing the most important systems before models with similar capabilities become broadly available. <

Project Glasswing is the coordinated defensive initiative built around that model. Microsoft has received private research preview access to Claude Mythos Preview through this programme and is participating in Project Glasswing, an initiative focused on applying these advances responsibly and reducing cyber risk across the industry.

The scale of what Mythos Preview has already found is significant. Across testing, thousands of additional high- and critical-severity vulnerabilities have been identified and are being responsibly disclosed to open-source maintainers and closed-source vendors. In 89% of 198 manually reviewed vulnerability reports, expert contractors agreed with Claude's severity assessment exactly and 98% were within one severity level (Anthropic).

To put that in perspective: Mythos Preview found a 27-year-old bug in OpenBSD, an operating system known primarily for its security and a 17-year-old remote code execution vulnerability in FreeBSD that allows anyone to gain root access to a machine running NFS, starting from an unauthenticated user anywhere on the internet. Both were found fully autonomously, without any human involvement after the initial prompt.

These are not obscure edge cases, these are production systems that have been continuously reviewed by expert security professionals for decades.

Why This Changes the Threat Model for Every Organisation

AI-assisted capability changes the economics and speed of attack in 3 important ways.

1. Vulnerability Discovery at Machine Speed

AI can discover more issues, more quickly, across a broader surface area than previous methods. When paired with advanced security tooling, recent models are demonstrating the ability to find software vulnerabilities at a level approaching experienced human security researchers. Because these systems can work around the clock, limited only by available resources, organisations will face a greater volume and diversity of vulnerabilities and attackers will too.

2. The Exploit Gap is Closing

The process of turning publicly known vulnerabilities into working exploits, which historically took skilled researchers days to weeks per bug,, now happens much faster, cheaper and without human intervention. That changes the window organisations have between a vulnerability being disclosed and it being actively exploited.

3. Attackers Do Not Need Frontier Access Today.

Not every attacker has access to Mythos Preview, but the same trajectory that produced Mythos will produce comparable capability elsewhere. Mythos Preview is only the beginning. The organisations building resilience now will be better placed when those capabilities become widely available. The starting point for most attackers remains the basics:

• Exposed systems
• Identity weaknesses
• Unpatched software
• Misconfigured cloud services

AI makes it faster and easier to find and prioritise those weaknesses at scale. That is why organisations need to view their environment through the eyes of an AI-assisted attacker.

What Defenders Should Be Doing Right Now

Anthropic's own guidance to defenders is clear:

• Use currently available frontier AI models to strengthen defences now
• Shorten patch cycles
• Review vulnerability disclosure policies
• Automate technical incident response pipelines

Even where publicly available models cannot find critical-severity bugs, starting early by designing the appropriate processes and tooling with current models will be valuable preparation for when models with capabilities like Mythos Preview become generally available.

Microsoft's Security Response Centre (MSRC) is evolving its own processes in direct response, introducing additional automation to validate the quality and severity of vulnerabilities and support remediation at AI speed, while keeping human developers in the loop to maintain correctness and quality.

Both points carry the same message for organisations: waiting is a decision.

The window between vulnerability discovery and exploitation is narrowing and the organisations that have already reviewed their exposure will be significantly better placed.

Introducing CyberOne’s AI Attack Readiness Assessment

Helping organisations understand whether they are ready for the next generation of AI-assisted cyber attacks

The emergence of frontier AI tools such as Anthropic's Claude Mythos Preview marks a significant shift in cyber risk. These tools are capable of identifying large volumes of previously unknown vulnerabilities across major operating systems, browsers and software ecosystems and in some cases assisting with exploit development.

For most organisations, the immediate issue is not whether an attacker has access to Mythos itself. The real issue is whether their security environment is ready for a world where vulnerability discovery, attack-path mapping, exploit chaining, reconnaissance and infrastructure targeting can be accelerated by AI.

CyberOne has developed an AI Attack Readiness Assessment to help organisations understand their real exposure to AI-assisted cyber threats, in practical terms and without the noise.

It is built around one question: how easy would it be for an AI-assisted attacker to find a route into your organisation?

This is not a theoretical exercise, it is a structured, consultant-led review of the controls, systems, identities, vulnerabilities and configurations that determine whether your business is genuinely resilient.

Executive AI Threat Briefing

The assessment begins with a briefing for leadership, IT and security teams. It is delivered by CyberOne consultants who have hands-on experience of using Claude Mythos Preview in real-world testing environments, meaning we understand exactly how AI-assisted attackers operate, because we have used the same tooling ourselves. The briefing covers:

• How AI accelerates vulnerability discovery and attack-path mapping
• How attackers use AI for reconnaissance and exploit chaining
• Why traditional annual penetration testing is no longer sufficient on its own
• Why exposed assets, identity weaknesses and poor cloud configuration now carry disproportionately higher risk in an AI-assisted threat environment

Consultant-Led Technical Assessment

The technical element identifies what an AI-assisted attacker would prioritise in your specific environment:

• Exposed systems, cloud services, identities and misconfigurations
• Weaknesses in Microsoft Security configuration across Microsoft Defender, Microsoft Entra ID and Microsoft Sentinel
• Vulnerabilities likely to be surfaced and prioritised by AI-assisted tooling
• Patch and remediation gaps across your environment
• Attack paths across endpoint, identity, cloud, email, network and SaaS services
• Gaps in detection, logging, monitoring and response capability
• Priority actions ranked by real-world risk, not theoretical severity

What Happens Next

The Mythos moment is not a distant warning. It is a current market condition. The organisations that understand their exposure now will be in a materially stronger position than those that discover it later, under pressure.

CyberOne's role is to take organisations from uncertainty to action with a clear picture of where the real exposure is, what needs to be fixed first and how to build a stronger security posture against the next generation of AI-assisted threats.

Find out what an AI-assisted attacker would discover before they do, contact CyberOne to arrange your AI Attack Readiness Assessment.