Claude Mythos forces the conversation on defensive AI
The Computer Weekly Security Think Tank considers if Anthropic’s Claude Mythos frontier AI model is a benefit or barrier to achieving resilient enterprise IT security, and how security leaders need to adapt.
While we’ve seen a lot of hype about AI in cyber security, Anthropic’s Claude Mythos has suddenly and significantly changed the rules of offensive security. Its arrival on 7 April 2026 created a paradigm shift in the economics of a cyber attack. AI has changed the cyber security landscape rapidly, and faster than most risk models assume. The window between discovery and weaponisation has collapsed, with time to exploitation dropping from 2.3 years in 2018 to 20 hours today.
AI is making vulnerability discovery, exploit generation, and attack orchestration faster and cheaper. Tools like Mythos show that AI can identify critical zero-days, generate working exploits, and orchestrate attacks at a speed and scale that traditional security processes were never designed and built to cope with.
However, some things have been exaggerated and not everything has changed overnight. The fundamentals remain essential. Mythos is a structural acceleration, not a magic new category of risk. The basics such as identity, segmentation, MFA, patch discipline, zero-trust, secrets rotation, and egress filtering have become even more important, not less.
AI has lowered the cost and skill barrier for finding and exploiting vulnerabilities faster than organisations can patch them. While defenders must manage every exposure across code, infrastructure, identity, suppliers, and agents around the clock, the attacker only needs to find one route into the organisation. So, today at least, attackers have the advantage. It’s now time for defenders to turn the same tools inward to find and fortify any weaknesses first.
So, how can CISOs adapt quickly enough?
The first port of call is code review and vulnerability discovery. Organisations should immediately point AI agents at their most critical codebases, then move toward large language model (LLM)-driven review inside continuous integration and continuous delivery (CI/CD) pipelines. Every piece of code, whether written by humans or generated by AI, should go through automated security review before it is merged.
Many organisations still treat AI as a productivity tool rather than a change in the threat model. The mistake that many are making is assuming old patch windows, old incident timelines, and old risk assumptions still hold. Organisations are also underestimating AI agents as a new attack surface. Prompts, tools, retrieval pipelines, escalation logic, and agent permissions all need controls before agents are permitted to enter production.
The biggest change CIOs and CISOs need to make in how they approach cyber security is to update their operating model from human-speed security to AI-speed resilience. This will involve mandating responsible AI adoption across security functions, embedding AI review into software delivery, defending agents as first-class assets, rehearsing simultaneous high-severity incidents, updating board reporting and risk models, and hardening the fundamentals without delay.
AI is increasing the speed and volume of software development, so security must move earlier and faster. Security review can no longer be a manual gate at the end of development. It needs to be embedded into the pipeline, with AI agents reviewing code continuously and all code – whether human- or AI-generated – assessed before merge.
At present, AI is making it both easier and more difficult to find and fix vulnerabilities. But the fact is that the risk is growing faster than most organisations’ ability to respond. AI makes it easier for defenders to discover their own weaknesses, but it also makes it easier for adversaries to find and weaponise them. AI must be used defensively now, with organisations preparing for a flood of patches and building response capabilities that can operate at scale.
Being Mythos-ready means limiting blast radius, discovering vulnerabilities before adversaries do, building scalable responses, and empowering teams with AI agents now.
John Bruce is CISO at Quorum Cyber, an Edinburgh-based managed security services provider (MSSP).
