AI is changing cyber security faster than most organisations are prepared for
TL;DR: Claude Mythos Preview, Anthropic's most capable AI model, can autonomously find and exploit vulnerabilities across all major operating systems and browsers. CyberOne's AI Attack Readiness Assessment helps organisations understand what an AI-assisted attacker would find in their environment before they do.
For years, security leaders have warned that AI would fundamentally change the threat landscape. That moment has now arrived and it has a name: Anthropic's Claude Mythos.
Anthropic's Claude Mythos Preview is a general-purpose language model that performs strikingly well at computer security tasks. In response to its capabilities, Anthropic has launched Project Glasswing, an effort to use Mythos Preview to help secure the world's most critical software and to prepare the industry for the practices that will be needed to stay ahead of cyber attackers.
The results of that effort are significant, the Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities, bugs that were not previously known to exist, in every major operating system and every major web browser. In one example, engineers at Anthropic with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight and woke up the following morning to a complete, working exploit.
This is not a future threat. It is happening now.
AI-assisted cyber capability changes the economics and speed of attack.
That does not mean every attacker suddenly has access to frontier tools like Mythos but they will, with Anthropic's CEO Dario Amodei warning that there is a 6-12 month window to patch tens of thousands of software vulnerabilities uncovered by the company’s Mythos model before other AI solutions such as DeepSeek catch up.
The gap between vulnerability discovery and exploitation is shrinking. AI-assisted attackers do not need to start with highly sophisticated zero-days, they will often start with the basics. AI makes it easier to find and prioritise these weaknesses at speed. That is why organisations need to look at their environment through the eyes of an AI-assisted attacker.
Claude Mythos Preview is Anthropic's most capable AI model. It is not yet publicly available. Anthropic has released it initially to a limited group of critical industry partners and open source developers through Project Glasswing, with the aim of enabling defenders to begin securing the most important systems before models with similar capabilities become broadly available. <
Project Glasswing is the coordinated defensive initiative built around that model. Microsoft has received private research preview access to Claude Mythos Preview through this programme and is participating in Project Glasswing, an initiative focused on applying these advances responsibly and reducing cyber risk across the industry.
The scale of what Mythos Preview has already found is significant. Across testing, thousands of additional high- and critical-severity vulnerabilities have been identified and are being responsibly disclosed to open-source maintainers and closed-source vendors. In 89% of 198 manually reviewed vulnerability reports, expert contractors agreed with Claude's severity assessment exactly and 98% were within one severity level (Anthropic).
To put that in perspective: Mythos Preview found a 27-year-old bug in OpenBSD, an operating system known primarily for its security and a 17-year-old remote code execution vulnerability in FreeBSD that allows anyone to gain root access to a machine running NFS, starting from an unauthenticated user anywhere on the internet. Both were found fully autonomously, without any human involvement after the initial prompt.
These are not obscure edge cases, these are production systems that have been continuously reviewed by expert security professionals for decades.
AI-assisted capability changes the economics and speed of attack in 3 important ways.
AI can discover more issues, more quickly, across a broader surface area than previous methods. When paired with advanced security tooling, recent models are demonstrating the ability to find software vulnerabilities at a level approaching experienced human security researchers. Because these systems can work around the clock, limited only by available resources, organisations will face a greater volume and diversity of vulnerabilities and attackers will too.
The process of turning publicly known vulnerabilities into working exploits, which historically took skilled researchers days to weeks per bug,, now happens much faster, cheaper and without human intervention. That changes the window organisations have between a vulnerability being disclosed and it being actively exploited.
Not every attacker has access to Mythos Preview, but the same trajectory that produced Mythos will produce comparable capability elsewhere. Mythos Preview is only the beginning. The organisations building resilience now will be better placed when those capabilities become widely available. The starting point for most attackers remains the basics:
AI makes it faster and easier to find and prioritise those weaknesses at scale. That is why organisations need to view their environment through the eyes of an AI-assisted attacker.
Anthropic's own guidance to defenders is clear:
Even where publicly available models cannot find critical-severity bugs, starting early by designing the appropriate processes and tooling with current models will be valuable preparation for when models with capabilities like Mythos Preview become generally available.
Microsoft's Security Response Centre (MSRC) is evolving its own processes in direct response, introducing additional automation to validate the quality and severity of vulnerabilities and support remediation at AI speed, while keeping human developers in the loop to maintain correctness and quality.
Both points carry the same message for organisations: waiting is a decision.
The window between vulnerability discovery and exploitation is narrowing and the organisations that have already reviewed their exposure will be significantly better placed.
The emergence of frontier AI tools such as Anthropic's Claude Mythos Preview marks a significant shift in cyber risk. These tools are capable of identifying large volumes of previously unknown vulnerabilities across major operating systems, browsers and software ecosystems and in some cases assisting with exploit development.
For most organisations, the immediate issue is not whether an attacker has access to Mythos itself. The real issue is whether their security environment is ready for a world where vulnerability discovery, attack-path mapping, exploit chaining, reconnaissance and infrastructure targeting can be accelerated by AI.
CyberOne has developed an AI Attack Readiness Assessment to help organisations understand their real exposure to AI-assisted cyber threats, in practical terms and without the noise.
It is built around one question: how easy would it be for an AI-assisted attacker to find a route into your organisation?
This is not a theoretical exercise, it is a structured, consultant-led review of the controls, systems, identities, vulnerabilities and configurations that determine whether your business is genuinely resilient.
The assessment begins with a briefing for leadership, IT and security teams. It is delivered by CyberOne consultants who have hands-on experience of using Claude Mythos Preview in real-world testing environments, meaning we understand exactly how AI-assisted attackers operate, because we have used the same tooling ourselves. The briefing covers:
The technical element identifies what an AI-assisted attacker would prioritise in your specific environment:
The Mythos moment is not a distant warning. It is a current market condition. The organisations that understand their exposure now will be in a materially stronger position than those that discover it later, under pressure.
CyberOne's role is to take organisations from uncertainty to action with a clear picture of where the real exposure is, what needs to be fixed first and how to build a stronger security posture against the next generation of AI-assisted threats.
Find out what an AI-assisted attacker would discover before they do, contact CyberOne to arrange your AI Attack Readiness Assessment.