## Anthropic's Claude Mythos Preview: A Generative AI Threat to Cybersecurity or Just Hype? **Anthropic** recently unveiled its **Claude Mythos Preview** model, claiming it marks a pivotal moment in cybersecurity, posing an unprecedented threat to existing defense strategies. But is it truly a game-changer, or just another wave of AI hype? According to Anthropic, **Mythos Preview** possesses the capability to autonomously discover vulnerabilities in operating systems, browsers, and other software, and even develop working exploits. Currently, access is limited to a select group of organizations, including **Microsoft**, **Apple**, **Google**, and the **Linux Foundation**, as part of a consortium called **Project Glasswing**. ### Skepticism and Support While some express skepticism, arguing that existing AI agents already facilitate vulnerability discovery and exploitation, others agree with **Anthropic**'s assessment. Critics suggest **Anthropic** benefits financially from positioning its model as uniquely powerful and exclusive. "I typically am very skeptical of these things, and the open source community tends to be very skeptical, but I do fundamentally feel like this is a real threat,” says **Alex Zenla**, chief technology officer of cloud security firm **Edera**. ### Exploit Chains: The Pivot Point **Zenla** and others highlight **Mythos Preview**'s ability to identify and develop exploit chains – sequences of vulnerabilities exploited together to deeply compromise a target. Many sophisticated hacking techniques, including zero-click attacks, rely on exploit chains. "We are already living in the world where companies run vulnerable software, vulnerable hardware, and struggle to patch. Many companies are not capable of securing their infrastructure—that hasn’t really changed from yesterday to today,” says longtime security engineer and researcher **Niels Provos**. “But from what I understand, **Mythos** is really good at coming up with multistage vulnerabilities, and then also provides the proof of exploitation. I don’t think it intrinsically changes the problem space, but it changes the required skill level to find these vulnerabilities and exploit them.” ### A Head Start for Defenders The limited release of **Mythos Preview** through **Project Glasswing** aims to provide defenders with a crucial head start to identify weaknesses and adapt software development, update cycles, and patch adoption strategies before such capabilities become widely accessible to attackers. **Anthropic**'s frontier red team lead, **Logan Graham**, stated that the urgency surrounding **Project Glasswing** became increasingly apparent as organizations recognized the potential threat. ### Broader Implications The implications of **Mythos Preview** extend beyond tech firms. **Bloomberg** reported that US Treasury secretary **Scott Bessent** and Federal Reserve chair **Jerome Powell** convened a meeting of finance sector leaders to discuss the model's potential impact on cybersecurity. **Jeetu Patel**, president and chief product officer of **Cisco**, a **Project Glasswing** member, emphasized the significance of machine-scale defenses against machine-scale attacks. ### A Call for Proactive Security Some argue that the current situation presents an opportunity to address shortcomings in software development. **Jen Easterly**, former US Cybersecurity and Infrastructure Security Agency director, advocates for moving beyond reactive vulnerability management towards building more secure technology from the start. **Edera**'s **Zenla** views **Mythos Preview** as a step towards AI-driven vulnerability research, accelerating the discovery of exploitable vulnerability chains. “If you get a million vulnerability researchers, they can find a huge number of bugs. But humans are not very good at holding lots of contextual information in their minds for long periods of time, so finding very long chains of vulnerabilities that are actually exploitable together has been rare," she says. “**Mythos** and models like it will accelerate the pace at which attackers will be able to group vulnerabilities into sets that can work together. Some people are going to be grumpy about it for a long time, but I do think the dynamic has shifted.”