Anthropic Mythos: The model, the myth and the mundane

But there are important caveats that tend to get lost in the mainstream media and infomercial coverage! They don’t make for apocalyptic news headlines, but let’s look at them anyway!

First, Mythos failed AISI’s OT-focused “Cooling Tower” range, getting stuck on the IT sections. Second, the ranges lack active defenders and defensive tooling, and they do not penalise models for actions that would trigger security alerts. Third, and this is from AISI’s own conclusion: they cannot say whether Mythos would succeed against a well-defended system. What they can say is that Mythos is capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has already been gained.

Note that last qualifier, “weakly defended and vulnerable,” because it does a lot of heavy lifting. It’s the difference between “AI can break into anything” (which is what the headlines suggest) and “AI can exploit systems that are already broken” (which is what the data shows).

Rob Bowley did some useful cost analysis on the AISI data. Accounting for Mythos’s token pricing (five times Opus 4.6 per token), the high variance across runs, and the higher token usage on the harder later steps, a successful Mythos run comes out at roughly US$880-3,500. A human expert completing the same range: 14 hours, once, reliably. The economics are interesting to say the least!

Independent analysis has been even less flattering. VulnCheck researcher Patrick Garrity estimated the confirmed vulnerability count at around 40, despite Anthropic’s claim of “thousands of additional high- and critical-severity vulnerabilities.” Mozilla’s CTO Bobby Holley, after confirming that Mythos found 271 vulnerabilities in Firefox, noted that none were bugs that an elite human researcher couldn’t have found. And an Aisle replication study tested Mythos’s showcase vulnerabilities using small, cheap, open-weight models and found they produced much of the same analysis.

The 27-year-old denial-of-service flaw in OpenBSD’s TCP SACK implementation and the 16-year-old FFmpeg H.264 decoder vulnerability? Well don’t forget that Mythos had access to the source code because FreeBSD and OpenBSD are both free and open source software (FOSS) projects allowing, as per the stated intention of FOSS, to allow reviews and improvements to be made by anyone. But, I digress…

And the Firefox JavaScript-engine vulnerabilities. Well, they’re there but the benchmark did not represent exploitation of a stock end-user Firefox browser: Anthropic says it used a testing harness mimicking a Firefox 147 content process, without the browser process sandbox or other defence-in-depth mitigations. So if you turn off security controls, apparently things get less secure… who’d have guessed!?

Then there is the irony. Anthropic restricted access to Mythos under Project Glasswing, worried it was too dangerous for general release. Within days, unauthorised users accessed it by guessing URL patterns from previous deployments, using information exposed in the Mercor data breach and access associated with a third-party environment. Mercor, an AI staffing firm supplying contractors to Anthropic, was itself compromised via the LiteLLM supply chain attack in March 2026: a cascading compromise that started with a backdoored security-vulnerability scanner!

So while the media is focussed on excitedly interviewing the big end of town about the futuristic and unstoppable AI cyber weapon, it forgets to note that the company associated with building the “weapon” was compromised by the kind of decidedly un-futuristic supply chain attack that proper vendor risk management and credential rotation would have mitigated. As Horizon3.ai CEO Snehal Antani noted: attackers don’t need Mythos. They just need a target organisation that fails to implement effective risk identification and treatment plans, and proper credential management.

Make no mistake: AI really does accelerate the pace with which attackers can get stuff done, and we use AI tools extensively in our own testing and assessment work. So we have direct experience of how AI changes the game for offensive-security practitioners.

Our Head of Testing and Assessment has spent recent months using LLMs to develop custom command and control (C2) tooling for red team engagements. The objective is straightforward: off-the-shelf C2 frameworks like Cobalt Strike and Sliver have well-known signatures that EDR products are trained to recognise. By contrast, our own custom tooling, built from scratch using non-standard implementations, often sidesteps those signatures quite effectively.

The development process is instructive. Rather than asking an LLM to “build me a C2” (which tends to hit guardrails and bypasses the developer’s understanding of the code), the approach was iterative: build a small component, ask the LLM to extend it, refine, repeat. By including specific constraints in the prompts (“don’t use library X,” “implement the parsing natively rather than importing a standard module”), the LLM produces custom implementations that avoid the indicators of compromise (IOCs) that defenders rely on. The resulting client binary is around 50 kilobytes and capable of most reconnaissance tasks, and which took one person a couple of months to build in his spare time. Oh and it can and does bypass what is likely to be your favorite EDR!

During development, one model introduced a subtle but critical error: it implemented a network protocol using little-endian byte order instead of the big-endian required by the specification. The code worked in local testing but failed against real-world infrastructure. After several unsuccessful debugging attempts, a switch to a more capable (and more expensive) model identified the root cause immediately. The fix was applied, development switched back to the cheaper model, which now had the corrected context and continued without issue. The ability to swap models while maintaining development context is a significant capability accelerator.

And none of this requires access to Mythos, or even to commercial API services. Capable open-weight models like Kimi can be run locally, with quantisation techniques bringing larger models within reach of consumer GPUs. A motivated attacker running an open-weight model locally has no guardrails, no usage logging, no terms of service, and capabilities already far beyond what is needed to breach an organisation with immature security controls. The tightening of guardrails on commercial models (which our testers have observed first-hand) is a reasonable step, but it is not a meaningful barrier to anyone determined enough to run their own infrastructure.

We’ll go into more detail in a follow-up post, but the point is this: AI eliminates much of the programming knowledge barrier for offensive development, allowing a practitioner who knows what they want to build to get there much faster than they could by hand. What it does not do is replace the expertise required to know what to build in the first place, or to understand why the output is wrong when it is. The experienced tester who uses AI as a development accelerator is genuinely more dangerous than they were two years ago. A novice asking an LLM to “hack this website” is going to have a bad time.

The proof-of-concept development for our recent Application Control bypass research (CVE-2026-25166) was AI-assisted. We use AI-generated content in our social engineering and phishing exercises. Our testers have tested the custom C2 tooling described above against leading EDR products with encouraging results. AI is a force multiplier for competent practitioners, on both sides of the fence. But it is a multiplier, not a replacement and the fundamental equation hasn’t changed. The sky is not falling. The question is whether you’ve been up to check the roof lately!

The pattern is familiar. A new offensive capability appears. The media has a field day. Vendors use the fear to sell services. And the actual fix turns out to be the same boring stuff it has always been.

In 2020, when the Australian Prime Minister warned of “sophisticated, state-based cyber actors” targeting Australian organisations, we wrote a post pointing out that the attackers were exploiting known vulnerabilities with patches available for months, and falling back to standard spear-phishing when that didn’t work. The Telerik UI vulnerability they were reportedly exploiting could be demonstrated with Metasploit by anyone with the slightest clue. Despite the resigned doom of the announcement, we took an optimistic view: it was wrong for organisations to accept that they must be victims to this unstoppable APT force. They could instead take proactive steps to implement risk-based measures with reference to accepted frameworks and, with small consistent improvements, be a master of their own destiny.

The APT (Advanced Persistent Threat) craze made a lot of people a lot of money. A new TLA was made popular, threat intelligence platforms were sold, and entire business models were built on the premise that only expensive, specialised defences could protect against nation-state adversaries. And yet, when you looked at what the “advanced” threats were actually doing, it was the same old, boring, not-leading-edge techniques: shared accounts and single-factor authentication, exploiting unpatched software, phishing credentials, abusing misconfigured access controls, and moving laterally through flat networks.

The same was true when OpenAI announced in 2019 that GPT-2 was “too dangerous to release” because it could generate convincing fake text. That particular sky didn’t fall either. Phishing attacks got somewhat better but had no additional effect on the organisations that were proactive and implemented a risk-based, maturity-improvement program.

Here’s the thing that tends to get lost in the noise: AISI’s blog post ends with a recommendation that amounts to “do the basics well”: security updates, access controls, security configuration, and logging. The SANS editors who commented on the AISI findings reached the same conclusion. Lee Dukes pointed to the CIS Controls Implementation Group 1 as an effective defence. William Murray’s entire contribution was four words: “Think least privilege and defence in depth.”

And to add to the sentiment, TrustedSec’s Justin Elze puts it well when he says: Mythos doesn’t replace the existing reality of how organisations get compromised; it lands on top of it. What changes is the cost of ignoring the fundamentals.

All of which is great, because it’s what we have been saying for years, writing in these blogs, chatting to our clients, and occasionally screaming into the void: Risk management frameworks exist. The CIS Controls exist. The ACSC Essential Eight exists. ISO 27001 exists. The NIST CSF v2 exists. None of these are new, none of them are exciting, and none of them will generate feverish media coverage. But they work, when they are actually implemented, verified and maintained.

And what if that doesn’t happen? Well for just one of very many examples, consider how, in a recent penetration test, we discovered that a national managed service provider (MSP) was using shared, single-factor accounts for their client’s system administration work. And there was no evidence that the password had ever been changed. This is an MSP, an organisation that other businesses trust with their IT environments! You don’t need Mythos to compromise that network: You need to find a business that uses an MSP with password-only authentication, and ten minutes. Boring, unexciting, real.

As Sarah *sighs wistfully* said, “The future is not set. There is no fate but what we make for ourselves”. Despite the hype from the media and big business, organisations are not helpless victims waiting for AI to come and destroy them. They are, with a risk-based approach and reference to control frameworks and standards, already well able to defend themselves against the kinds of attacks that they’re most likely to face, and to manage their defences in response to their frequently-reviewed level of risk.

But, if the organisation chooses inaction and complacency? The choice is there, AI will just accelerate the consequences.