Anthropic’s Claude Mythos Preview has triggered a wave of bold claims about the future of AI and its role in cybersecurity. Reports of thousands of vulnerabilities discovered, including issues that have supposedly existed undetected for decades, position the model as a transformative force in both attack and defence. Alongside this, initiatives like Project Glasswing signal an industry effort to get ahead of the risks before they fully materialise.
Mythos AI claims vs reality: separating capability from hype
However, Mythos has not been publicly released and remains restricted to a controlled group of organisations, which limits independent validation of these claims. As with any emerging technology, it is important to separate capability from the hype.
From a cybersecurity perspective, the claims surrounding Mythos demand scrutiny. According to Integrity360 CTO Richard Ford, early evaluation of the model presents a more measured reality:
“The reported evaluations of Mythos as an autonomous attack tool show it is capable, but not necessarily better than existing large language models. That said, if used by threat actors it will be effective at targeting organisations with weak security postures.”
The conversation is not about whether Mythos is revolutionary in isolation, but about how it performs in real-world conditions. Even if it is not significantly ahead of current models, its ability to scale activity and operate autonomously introduces a different kind of risk. Attack capability does not need to be perfect to be dangerous. It only needs to be consistent and widely accessible.
Anthropic’s claims around vulnerability discovery are particularly attention-grabbing. The suggestion that thousands of previously unidentified vulnerabilities have been uncovered, including some dating back nearly three decades, speaks to the potential of AI-driven analysis. However, these results are largely self-reported, with limited independent validation.
As Richard notes:
“There is a degree of caution needed here. The results are self-claimed with little external verification. The question is whether this is being overstated or if it reflects genuine capability. Is it more marketing hype? This might need to be viewed alongside the recent removal of their products for US federal use. A sceptic might say, are they in need of a good news story?”
Industry scepticism and the need for independent validation
Scepticism is justified in the cybersecurity community. New technologies often arrive with ambitious claims, and it takes time for independent testing and real-world use to validate them. We saw similar hype and concern when ChatGPT was first released, along with fearmongering about AI malware creation and autonomous malware attacks, neither of which came to fruition in the way or on the timescales suggested. The timing of such announcements also invites further examination, particularly given wider industry dynamics and commercial pressures.
Reviewing Anthropic’s Mythos Preview System Card, which outlines their assessment of its capabilities, you can see it achieved some of the claims under specific conditions. These include uncensored checkpoints and the removal of guardrails to optimise performance and avoid refusals, alongside brute-forcing scenarios at large compute cost. Neither is representative of real-world use once released.
If the capabilities described are accurate, the implications are significant. One of the most immediate impacts could be on the bug bounty ecosystem and the role of ethical hackers:
“If these claims hold true, it has the potential to disrupt bug bounty programmes and the wider ethical hacking market. We are already seeing early indicators of this with AI-driven platforms performing strongly in competitive CTF environments.”
However, the current limitations of AI remain an important counterbalance:
“Where these systems fall down is in understanding deep business logic. That contextual layer is still something that requires human expertise.”
Organisations must prepare for AI-driven cyber threats now
This reinforces a key point. AI is advancing rapidly, but it has not replaced the need for skilled practitioners. Instead, it is changing how they work and where their expertise is most valuable.
There is also a broader, more constructive interpretation of these developments. If AI can identify vulnerabilities at scale, it has the potential to significantly improve organisational security. Faster detection of zero-days and continuous testing could strengthen resilience across the board.
But this introduces a new operational challenge, as Richard explains:
“The issue is not just finding vulnerabilities; it is what you do with them. Organisations already struggle to prioritise and patch effectively. If AI exponentially increases the volume, that challenge becomes even more difficult, while attackers gain more opportunities.”
This is where the conversation returns to control. Whether Anthropic’s claims are fully realised or not, the direction is clear. AI will increase the speed and scale of both attack and defence. Organisations must be prepared to manage that reality.
Project Glasswing and the race to secure AI systems
Initiatives like Project Glasswing are a step in the right direction, aiming to secure AI systems before they are widely exploited. However, as Richard highlights:
“Identifying vulnerabilities is only part of the equation. Patching, testing, and deploying fixes at scale is not quick or trivial, particularly if the numbers increase significantly. And it’s not just applying patches, the patches themselves need to be created. Whether the modest timescales afforded by Project Glasswing will give enough time for vendors to create patches, especially if there is a large volume of them, is something we will find out over the coming weeks and months. The release of Mythos is on hold for now, but Anthropic won’t sit on it forever.”
Ultimately, the debate around Anthropic Mythos is less about whether the claims are entirely accurate and more about what they represent. AI is reshaping cybersecurity at a fundamental level. The organisations that succeed will be those that adapt quickly, building both the capability to leverage AI and the controls to manage it effectively.
As Richard puts it:
“Any organisation that is not building an AI-driven cyber defence will fall behind and move directly into the crosshairs of attackers.”
Whether or not the claims around Mythos are overstated, the need for control is not.
Cybersecurity fundamentals still matter in the age of AI
Crucially, it reinforces the importance of getting the fundamentals right. Regular application of security updates, strong access controls, secure configuration, and comprehensive logging remain essential. Protecting against common threats is still the foundation of effective cybersecurity, whether those threats are AI-assisted or not. Organisations that embed these basics, alongside building AI-driven cyber defence capabilities, will be best placed to stay resilient as the threat landscape evolves.
