Mythos, Attackers, and The Part People Still Want To Skip

By Aaron Beardslee, Threat Security Researcher, Securonix

Anthropic Hit The Brakes

Anthropic built a powerful AI model and then kept it on a short leash.

The important part is not that a model found bugs, which has been coming for a while. What’s worth acknowledging is that Anthropic looked at what Mythos could do and decided broad release was a bad idea.

Attackers do not need a perfect autonomous system. They need leverage. Give them something that speeds up recon, sharpens phishing, shortens exploit development, or helps a mid-tier operator punch above his weight, and it gets used.

According to Anthropic’s own materials, Mythos found and exploited zero-day vulnerabilities across major operating systems and browsers. The company also said more than 99% of the vulnerabilities it found remain unpatched, which is why it withheld most of the technical detail. This forces a harder look at how AI is likely to be used once it moves beyond lab conditions and into attacker workflows.

Attackers Only Need Leverage

The public discussion still circles around the safest use cases.

Attackers are after something simpler. They want tools that make the work easier. A model that shortens reconnaissance, improves phishing, helps move from an idea to a usable exploit more quickly, or gives a mid-tier operator a better shot at success becomes valuable fast. This is how new capability enters real workflows: not with a dramatic handoff from human to machine, but by making the human more effective.

A late 2024 human-subject study found that fully automated AI spear phishing performed on par with human experts. Both reached a 54% click-through rate, compared with 12% for the control group. The same study found the AI-generated targeting information was accurate and useful in 88% of cases, and the authors concluded that AI could increase phishing profitability by as much as 50% at larger scale.

Europol has been tracking the same trend from a different angle. Its recent reporting points to growing criminal use of AI across fraud, impersonation, and cyber-enabled crime. None of this makes the operator disappear. It gives the operator better tools.

And The Bar Goes Lower

One thing that used to slow offensive work down was the simple fact that good tradecraft takes skill, time, and a broad knowledge base. Reliable exploit development, careful chaining, and patient technical work still required real expertise. There were only so many people who could do that well. Mythos would allow for a single threat actor, and I do mean a single person, to have the skills and knowledge of an entire team of cyber professionals.

Models like Mythos start to change the math. The hard parts are still hard, and experienced operators are still going to outperform everyone else, but some of the lift moves from the human to the machine. That affects how much knowledge someone needs up front, how quickly they can move, and how far they can get before their own limitations catch up with them.

Anthropic’s reporting gives a sense of how compressed that process can become. The company says non-experts were able to use Mythos to find serious vulnerabilities and produce working exploits. In one example, a Linux privilege-escalation workflow reportedly went from prompt to working exploit in less than a day at a cost below $2,000. That kind of compression matters. Work that used to demand more time, more money, and more skill starts to look much more accessible.

Speed is The Rhino in The SOC

The obvious reaction is to push for the same kind of autonomy on the defensive side. No one wants analysts stuck in repetitive work while attackers get faster. Yes, Mythos can find vulnerabilities, even zero-days, and exploit them at relatively ludicrous speeds. Can it do the same discovery and create a viable patch that won’t break the system?

Problems show up when speed gets treated like a substitute for judgment. Anyone who has spent enough time in investigations knows the technically available action is not always the right one. Timing matters. Scope matters. Business exposure matters. Legal exposure matters. The blast radius of a mistake matters. A model can support those calls, but it does not carry the consequences.

The push for fully autonomous security starts to look thin once you get past the demo. Human judgment is not some outdated layer sitting in the way of progress. It is still the control that keeps a security operation from creating avoidable damage inside its own environment.

Perhaps in time Anthropic will create a legitimate, trustworthy, Blue Team version of Mythos that is capable of staging potential patches for vulnerable systems for a security team to review. This is not addressing the extreme risk of Mythos being released to the public, though. I have always argued pen testers and Red Teams don’t exactly behave like a real threat actor or APT group because their motives, agenda, and timeline are drastically different. DPRK doesn’t care about your systems or winning another contract round for next year – they want your crypto and they don’t care how they get it. Their only rule is don’t get caught. If DPRK ever got their hands on a model as advanced and sophisticated as Mythos…

Keeping The Human in Control

Human in the loop has nothing to do with protecting manual work. It has to do with keeping authority tied to accountability. Once a model can reason across tools, make recommendations, and act inside real workflows, a bad output stops being a nuisance and becomes a control problem. A weak summary costs time. A weak action in a live environment can break something important, expose regulated data, or complicate containment when a team can least afford it.

There is already enough evidence to take that risk seriously. OWASP continues to rank prompt injection at the top of the risk stack for LLM applications, and research in this area keeps showing how integrated systems can be redirected away from their intended tasks. In a security environment with access, tooling, and urgency, the margin for error gets very thin.

Let the machine move through volume, connect signals, draft hunts, summarize evidence, and reduce the dead time that burns analysts out. Keep people on the decisions that carry consequence: approvals, containment choices, remediation steps, exceptions, communications, and anything else that can create unnecessary exposure.
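One way to express that split in an automation layer, as an added example that is not from the original article: a gate that lets low-consequence work run unattended, holds consequential actions until a named analyst approves, and refuses anything it does not recognize. The action names, analyst name, and targets are hypothetical and the proposals are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical action names, grouped the way the article splits the work.
MACHINE_OK = {"correlate_signals", "draft_hunt", "summarize_evidence"}
HUMAN_REQUIRED = {"approve_change", "contain_host", "remediate",
                  "grant_exception", "send_communication"}

@dataclass(frozen=True)
class Decision:
    action: str
    target: str
    allowed: bool
    reason: str
    approver: Optional[str] = None  # the accountable human, when one signed off

class ActionGate:
    def __init__(self, analysts):
        self.analysts = frozenset(analysts)  # humans permitted to approve
        self.audit = []                      # every decision, allowed or refused

    def decide(self, action, target, requested_by, approver=None):
        if action in MACHINE_OK:
            d = Decision(action, target, True, "low consequence, runs unattended")
        elif action not in HUMAN_REQUIRED:
            # Unnamed actions are refused, so a redirected model cannot
            # invent its way around the gate.
            d = Decision(action, target, False, "unknown action, denied by default")
        elif approver is None:
            d = Decision(action, target, False, "held for human approval")
        elif approver == requested_by or approver not in self.analysts:
            d = Decision(action, target, False, "approver is not an accountable analyst")
        else:
            d = Decision(action, target, True, "approved", approver)
        self.audit.append(d)
        return d

def demo():
    # Constructed proposals, as a model might emit them during an investigation.
    gate = ActionGate(analysts={"analyst.kim"})
    proposals = [
        ("summarize_evidence", "case-1", "model", None),
        ("contain_host", "srv-db-01", "model", None),          # no approver yet
        ("contain_host", "srv-db-01", "model", "model"),       # self-approval
        ("contain_host", "srv-db-01", "model", "analyst.kim"),
        ("disable_logging", "siem", "model", "analyst.kim"),   # not in policy
    ]
    return [gate.decide(*p) for p in proposals], gate.audit
```

The audit list records refusals as well as approvals, so a burst of denied or self-approved requests is itself a signal that the model's input may have been tampered with.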

Mythos and The Wizard of Oz

Mythos pulled the curtain back. There is a level of restraint in Anthropic’s handling of Mythos that is missing from a lot of the current AI security market. The company did not treat raw capability as a reason to scale deployment. It limited release, wrapped access in Project Glasswing, and paired the model with monitoring and defensive research. However, I don’t think that may be enough. Mythos showed off capability, but just because we can do something doesn’t necessarily mean we should. I am on the fence with this one. I don’t think providing early release to choice security teams is going to soften the blow if Mythos is fully released in the future to everyone, because updates are going to be made to products, software will evolve as it always does, and new vulnerabilities will be introduced.

Mythos for threat actors at that point will allow them even more speed to cause damage than they are already doing. And defenders would then be even more behind than they already are. Something like Mythos should probably be an enterprise-only tool, and like other top-tier offensive security tools, be locked behind serious scrutiny for those who are allowed to get their hands on it… as much as I would love to get my hands on Mythos.