{"id":28,"date":"2026-04-28T20:41:30","date_gmt":"2026-04-28T20:41:30","guid":{"rendered":"https:\/\/inhochoi.com\/index.php\/2026\/04\/28\/three-weeks-after-mythos-the-defenders-delta-is-wider-than-the-headlines\/"},"modified":"2026-04-28T20:41:30","modified_gmt":"2026-04-28T20:41:30","slug":"three-weeks-after-mythos-the-defenders-delta-is-wider-than-the-headlines","status":"publish","type":"post","link":"https:\/\/inhochoi.com\/index.php\/2026\/04\/28\/three-weeks-after-mythos-the-defenders-delta-is-wider-than-the-headlines\/","title":{"rendered":"Three Weeks After Mythos: The Defenders&#8217; Delta Is Wider Than the Headlines"},"content":{"rendered":"<p>It has been about three weeks since Anthropic announced Claude Mythos Preview. The early news cycle was dominated by two stories: the model that &#8220;escaped its sandbox and emailed a researcher,&#8221; and the decision not to release it commercially. Both are true, both are dramatic, and both \u2014 in my opinion \u2014 are now the wrong things to focus on.<\/p>\n<p>The story today is the gap between what Mythos can do and what the rest of us are actually prepared to do about it. Call it the defenders&#8217; delta. It is wider than most of the coverage suggests, and the people I talk to in operations and IT are still mostly thinking about the previous generation of risks.<\/p>\n<h2>The Capability Floor Has Moved, and the Evidence Is Boring<\/h2>\n<p>The UK&#8217;s AI Security Institute published an evaluation on April 13 that I would put in front of any executive who is still treating frontier-AI cyber risk as speculative. AISI ran Mythos Preview against expert-level capture-the-flag tasks \u2014 the kind no model could complete a year ago \u2014 and it succeeded 73% of the time. On &#8220;The Last Ones,&#8221; a 32-step simulated corporate network takeover that AISI estimates would take a human professional roughly 20 hours, Mythos solved the full chain three out of ten times. 
The next-best public model averages 16 of 32 steps. Mythos averages 22.<\/p>\n<p>Read those numbers carefully. The headline isn&#8217;t that an AI can hack a network. The headline is that the inference scaling curve is still going up at the 100-million-token budget AISI used. There is no plateau in the data. Every additional dollar of compute buys more steps completed. As an MSP-adjacent person, that&#8217;s the line I keep highlighting for clients: this is not a one-time shock to absorb. This is a slope.<\/p>\n<h2>What &#8220;Project Glasswing&#8221; Actually Signals<\/h2>\n<p>Anthropic chose not to ship Mythos commercially. Instead, access flows through Project Glasswing \u2014 a vetted consortium of cloud providers, financial institutions, government partners, and a handful of security-focused organizations that get to use the model for defensive work. CrowdStrike was named as a founding member. Google Cloud and AWS are running gated previews on Vertex AI and Bedrock respectively.<\/p>\n<p>I have seen this framed as Anthropic being cautious. I read it differently. Glasswing is a <em>distribution<\/em> decision dressed up as a safety decision. If you assume \u2014 and I think you have to \u2014 that other labs will reach Mythos-class capability within months and that some of those labs will be less restrained, then &#8220;vetted consortium&#8221; is the new commercial channel for a model that is effectively a national-security asset. The interesting question isn&#8217;t whether Anthropic should release it. The interesting question is which organizations qualify for the consortium and which ones don&#8217;t, and how much of a competitive moat that becomes for the partners who do.<\/p>\n<p>The Council on Foreign Relations called Mythos an &#8220;inflection point.&#8221; I think that phrasing is too soft. It&#8217;s a redistribution. 
A small number of large players just got tools their competitors won&#8217;t have for a while.<\/p>\n<h2>The Vulnerability Discovery Math Has Inverted<\/h2>\n<p>The Hacker News piece this week \u2014 &#8220;Mythos Changed the Math on Vulnerability Discovery&#8221; \u2014 made a point I want to underline because it has direct implications for any IT shop. For roughly two decades, the bottleneck in offensive security was finding the bug. Exploitation was the cheap part. With Mythos, the bottleneck is now triage and remediation. Anthropic&#8217;s own write-up describes engineers with no security training getting working RCE exploits delivered overnight. The model has reportedly reproduced a 17-year-old FreeBSD NFS RCE, a 27-year-old OpenBSD crash, and a 16-year-old FFmpeg H.264 decoder flaw \u2014 all from a standing start.<\/p>\n<p>What this means in practice: the patching SLAs most organizations operate on were calibrated for a world where the gap between disclosure and exploitation was days or weeks. That gap is now hours, and only some of the disclosures will be public \u2014 Glasswing partners are finding things and not necessarily telling everyone at once. If your patch cadence is &#8220;monthly Patch Tuesday plus emergencies,&#8221; you are probably already exposed.<\/p>\n<p>The mitigations AISI recommends are unglamorous: Cyber Essentials\u2013level basics, real EDR, comprehensive logging, working access controls. The boring stuff. It just has to actually exist and actually work, which in my experience is the part nobody wants to fund.<\/p>\n<h2>&#8220;Too Dangerous to Release&#8221; Is Now a Product Category<\/h2>\n<p>TIME&#8217;s piece this week framed it well: between Anthropic&#8217;s Mythos and OpenAI&#8217;s GPT-5.4-Cyber, &#8220;too dangerous to release&#8221; has gone from a one-off PR moment to a recurring posture. 
There&#8217;s a real risk this becomes a marketing primitive \u2014 capability demonstrated, public access withheld, trusted access program announced, enterprise deals signed. I&#8217;m watching for two failure modes there. One: capability claims that are not independently verifiable, because the model isn&#8217;t released. Two: the trusted access program quietly becoming the actual product line, with &#8220;public&#8221; Claude (Opus 4.7, the more conservative tier Anthropic also shipped this month) treated as the consumer brand while the real frontier sits behind NDAs.<\/p>\n<p>I don&#8217;t think Anthropic is acting in bad faith here. AISI&#8217;s independent evaluation is meaningful precisely because it&#8217;s independent. But the structural incentive \u2014 gated access, government interest, premium pricing \u2014 points in a direction the AI policy community is going to have to argue about for the next few years.<\/p>\n<h2>What I&#8217;m Doing About It This Week<\/h2>\n<p>For Otaris and the clients we look after, the practical to-do list isn&#8217;t exotic. Patch hygiene gets a fresh review. Logging coverage gets audited \u2014 if something happens fast, the only thing standing between us and a long incident is the data we already collected. We&#8217;re inventorying which of our vendors are Glasswing partners (or claim to be) and what that actually buys us in terms of detection. And I&#8217;m dusting off the phishing\/social-engineering tabletop, because every story about Mythos focuses on the technical exploits, but a model this capable at multi-step planning is an even bigger uplift to social engineering than to RCE.<\/p>\n<h2>What I&#8217;m Watching<\/h2>\n<p>Three things. 
First, whether AISI publishes an updated eval against a <em>defended<\/em> environment \u2014 they explicitly flagged the Cooling Tower OT range as something the model couldn&#8217;t solve, and the active-defense follow-up will tell us whether real EDR and incident response actually change the picture. Second, when the first non-Glasswing competitor (Google&#8217;s frontier model, presumably, or a Chinese lab) hits the same capability bar, and how that release is handled. Third, whether any Glasswing finding leaks publicly before its coordinated disclosure window \u2014 that&#8217;s the moment the model goes from &#8220;controlled&#8221; to &#8220;in the wild,&#8221; and we should plan as if it&#8217;s a question of when rather than if.<\/p>\n<p>Mythos is not an apocalypse. It is a slope, on a curve that hasn&#8217;t bent. The defenders&#8217; delta will get worse before it gets better. The right move this week is to stop reading headlines and start fixing logging.<\/p>\n<hr \/>\n<p>Sources:<br \/>\n&#8211; <a href=\"https:\/\/red.anthropic.com\/2026\/mythos-preview\/\">Claude Mythos Preview \u2014 Anthropic<\/a><br \/>\n&#8211; <a href=\"https:\/\/www.aisi.gov.uk\/blog\/our-evaluation-of-claude-mythos-previews-cyber-capabilities\">Our evaluation of Claude Mythos Preview&#8217;s cyber capabilities \u2014 AI Security Institute<\/a><br \/>\n&#8211; <a href=\"https:\/\/www.cfr.org\/articles\/six-reasons-claude-mythos-is-an-inflection-point-for-ai-and-global-security\">Six Reasons Claude Mythos Is an Inflection Point for AI \u2014 and Global Security \u2014 Council on Foreign Relations<\/a><br \/>\n&#8211; <a href=\"https:\/\/thehackernews.com\/2026\/04\/mythos-changed-math-on-vulnerability.html\">Mythos Changed the Math on Vulnerability Discovery. 
Most Teams Aren&#8217;t Ready for the Remediation Side \u2014 The Hacker News<\/a><br \/>\n&#8211; <a href=\"https:\/\/time.com\/article\/2026\/04\/24\/claude-mythos-chatgpt-rosalind-release-dangerous\/\">&#8220;Too Dangerous to Release&#8221; Is Becoming AI&#8217;s New Normal \u2014 TIME<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It has been about three weeks since Anthropic announced Claude Mythos Preview. The early news cycle was dominated by two stories: the model that &#8220;escaped its sandbox and emailed a researcher,&#8221; and the decision not to release it commercially. Both are true, both are dramatic, and both \u2014 in my opinion \u2014 are now the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-28","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":0,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts\/28\/revisions"}],"wp:attachment":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/categories?post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/tags?post=28"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}