The Only Mythos Question That Matters — And Why You Can’t Trust the Answer

The hype cycle, in miniature

On 26 March 2026, Fortune reported that Anthropic had inadvertently left a draft blog post in an unsecured, publicly searchable data cache. The draft described an unreleased model called Claude Mythos as the most powerful model the company had ever built, and warned it would enable a wave of models capable of exploiting vulnerabilities faster than defenders could keep up.

Twelve days later, on 7 April, Anthropic made the announcement official. Mythos Preview, they said, had autonomously discovered thousands of zero-day vulnerabilities across every major operating system and web browser. Rather than release it, they launched Project Glasswing — a restricted consortium of twelve launch partners including AWS, Apple, Google, Microsoft, CrowdStrike and NVIDIA, plus around forty additional critical-infrastructure organisations, backed by $100 million in usage credits.

The reaction split predictably. Headlines ran between “terrifying warning sign” and “marketing hype.” Cybersecurity stocks cratered briefly, then recovered. Substack posts multiplied.

Both camps are, I think, fighting the wrong battle.

Don’t believe the hype

The sceptical case is strong and worth taking seriously.

Bruce Schneier — probably the most respected independent voice in security — called the announcement mostly marketing hype on The Tech Report podcast, noting that you don’t need Mythos to find the vulnerabilities Anthropic showcased. AI-assisted vulnerability discovery isn’t new: Anthropic’s own release notes for Opus 4.6 already claimed over 500 zero-days discovered with that model. SANS faculty have been using current frontier models for production pentesting for 15 months and finding critical vulnerabilities in thoroughly-tested production code.

The research group AISLE went further. They reproduced Anthropic’s public showcase analysis using open-source models roughly 250 times smaller, costing around 11 cents per million tokens. Eight out of eight models they tested detected the FreeBSD vulnerability Anthropic had highlighted as a signature finding. Their conclusion: the moat is in the scaffolding and security expertise wrapped around the model, not the model itself.

Tom’s Hardware dug into the methodology and found that the “thousands of zero-days” headline rests on 198 manually reviewed reports, with the rest extrapolated.

Gary Marcus pointed out that Anthropic’s own internal effective-compute-index metric tracks extremely close to Epoch AI’s public curve, placing Mythos just slightly above GPT-5.4 rather than on a fundamentally different trajectory.

And — awkwardly — a week before Anthropic announced their revolutionary vulnerability-finding capability, they accidentally leaked the Claude Code source into an unsecured data store, where independent researchers promptly found serious vulnerabilities in it.

Treat all of that as baseline scepticism. The commercial incentive to hype is real. Anthropic is positioning for an IPO. Project Glasswing is, as Constellation Research’s Larry Dignan put it, both genuinely useful for the industry and very good marketing.

But the sceptics are fighting the wrong battle

Here’s the problem: the sceptics and the alarmists are arguing about the wrong claim.

Raw vulnerability-finding capability at scale isn’t new. Current frontier models already find production zero-days when wrapped in the right scaffolding. That argument is settled.

What’s genuinely novel in Anthropic’s claims about Mythos is autonomous chaining — the ability to identify multiple vulnerabilities, weaponise them, chain them together into working exploit paths, and execute multi-step attacks without human guidance. Logan Graham, who leads offensive cyber research at Anthropic, has been explicit that the degree of autonomy and long-range coherence is what distinguishes Mythos from its predecessors.

That’s the only capability claim that actually matters. And it rests almost entirely on Anthropic’s own testimony, plus one independent corroboration.

If Mythos can genuinely do what Anthropic says on autonomous chaining, the operational threat profile of AI in cybersecurity changes qualitatively. If it can’t — or if the gap between Mythos and Opus 4.6 on chaining is smaller than advertised — then Project Glasswing is mostly theatre, however useful the theatre turns out to be.

So who has actually tested the chaining claim?

The access matrix

Of the voices you’ve read commenting on Mythos, here’s who has actually had hands-on access to the model:

Anthropic — the authors of the claim.

The twelve Glasswing launch partners — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, plus Anthropic itself. Every single one has either a direct commercial stake in Mythos-class capabilities (they sell security services, cloud compute, or AI infrastructure) or received meaningful financial benefit through the $100M credit pool.

Around forty additional critical-infrastructure organisations, not publicly named.

Selected open-source maintainers via the Claude for Open Source programme.

The UK AI Security Institute (AISI) — a state-backed body within DSIT that tests frontier AI systems independently and is the only party on this list that is both independent of Anthropic and has published detailed capability testing.

That’s the list. Everyone else — Schneier, Gary Marcus, Cal Newport, Yann LeCun, Ed Zitron, Tom’s Hardware, AISLE, the Council on Foreign Relations, Yoshua Bengio, Dan Hendrycks — is commenting from the outside.

So the single most credible independent voice on Mythos’s capabilities is AISI. What did they actually find?

What AISI actually found

AISI’s evaluation is worth reading in full, but the executive summary is genuinely more nuanced than either camp’s coverage suggests.

On individual cybersecurity tasks — the capture-the-flag challenges that have been the industry benchmark for years — Mythos Preview is only marginally better than GPT-5.4 and Claude Opus 4.6, sitting within five to ten percentage points. AISI explicitly noted that on single-task evidence alone, Mythos doesn’t look different enough to justify Anthropic’s unusual limited release.

Where Mythos distinguished itself was on chaining. AISI ran it through a 32-step cyber range attack called “The Last Ones” — the kind of intrusion that would take a trained human operator around twenty hours to complete. Mythos is the first model AISI has tested that completes that range end-to-end, autonomously. That’s not the same as proving real-world offensive capability against a hardened target. AISI themselves flagged that they couldn’t assess how Mythos would perform against well-defended systems with active monitoring, endpoint detection and real-time incident response.

But it’s meaningful independent corroboration of the one claim that actually matters.

The UK government’s subsequent open letter to business leaders took this further, citing AISI’s Mythos evaluation as evidence that frontier model capabilities are now doubling every four months, down from every eight. That figure, if it holds, is the real story. Whatever Mythos is or isn’t, the curve behind it is steep.

Absence of evidence isn’t evidence of absence

Here’s where we actually are:

One commercial actor with an IPO-shaped incentive has made dramatic claims about an AI model’s autonomous offensive capability. Twelve of the world’s largest technology companies have corroborated those claims in terms that happen to support their own commercial positioning. One independent government body has partly corroborated one specific aspect of the claims under controlled conditions, while noting that the raw capability gap isn’t as dramatic as the marketing suggests.

The actual chaining claim — that Mythos can autonomously identify, weaponise and chain real-world vulnerabilities to compromise production systems — hasn’t been independently verified in the wild, and probably can’t be without the kind of disclosure that would itself be dangerous.

That’s not a reason to dismiss it. Absence of evidence isn’t evidence of absence, and the direction of travel is well-established independently of Mythos. SANS pentesters have been finding production zero-days with current frontier models for fifteen months. AISI measures capability doubling every four months. The chaining claim fits a trajectory that has independent support.

But it’s a reason to stop arguing about whether Mythos specifically is “scary” and start asking the more important question: what does it mean to plan infrastructure defence for a world in which this is approximately where we are?

The real threat nobody is writing about

The commentary is overwhelmingly fixated on one scenario: attackers getting Mythos-class capability and launching AI-driven offensive operations at scale. That’s a real concern. But it’s not where the novel governance risk sits.

The novel risk sits on the defensive side.

Here’s the scenario nobody is writing about. It’s 3am. Your AI-powered defensive agent — the one you deployed because you couldn’t keep up with the patching tempo — identifies what looks like active exploitation of a previously-unknown vulnerability in your customer-facing authentication stack. It has permission to take mitigating action. It pushes an emergency patch. At 3:07am, the patch breaks authentication for the 18% of your customers on an older TLS configuration. At 3:22am, a human on-call engineer is paged and has to decide whether the fix is worse than the attack.

Now scale that across critical national infrastructure. Power grids. Hospitals. Water systems. Payment rails. The same autonomous defensive AI that’s going to save us from AI-augmented attackers is going to have false positives, will occasionally remove safeguards to get defences up quickly, and will cause friendly-fire incidents we’re not institutionally prepared for.

The governance questions nobody is answering: who approved that agent’s deployment scope? What data and systems can it touch? What’s the escalation chain when it makes a bad call at 3am? Who is accountable — legally, commercially, operationally — when a defensive AI takes down a hospital’s patient records system to block an attack that turned out to be a false positive?

These aren’t hypotheticals. They’re the governance gap Project Glasswing doesn’t address, and the gap that will matter far more to most organisations than whether Mythos specifically ships.

Governance before panic

Trying to manually find and patch vulnerabilities at the tempo current tooling already requires is impossible for most organisations. The AISI capability curve — doubling every four months — means that gap will widen, not close. At some point, defensive AI agents operating with meaningful autonomy over production systems stop being optional.

The question is how we govern that transition, and who does the governing.

Politicians are, for the most part, structurally disadvantaged in this conversation. Consultation timelines that run in months cannot keep pace with capability curves that double in quarters. The technical briefing ecosystem around government is dominated by the vendors with the most to gain from specific regulatory answers. Election cycles punish long-term thinking. None of this is anyone’s individual failing — it’s a structural mismatch between the tools of democratic policy-making and the pace of the technology being policed.

Politicians need help, not dismissal. The sovereign capability we need is something they’re broadly sympathetic to building, but they’re being given the wrong options by people with commercial incentives to frame those options narrowly. If you’re in a position to brief policymakers or engage with public consultations, your role is to give them better options — not to write them off.

Why sovereignty actually matters

Here’s the concrete point nobody is making.

Mythos is hosted on AWS Bedrock, Google Vertex AI, and Microsoft Foundry. That’s stated explicitly in Anthropic’s own Glasswing announcement. All three providers are US-headquartered and subject to US legal jurisdiction regardless of where their servers physically sit.

Section 702 of the Foreign Intelligence Surveillance Act is the legal authority under which the US government conducts warrantless surveillance of communications flowing through US providers. The 2024 reauthorisation, known as RISAA, expanded the definition of “electronic communications service providers” to cover a much wider range of US businesses that can be compelled to assist the NSA. In the early hours of 17 April 2026 — the day I’m writing this — the US House voted to extend Section 702 until 30 April rather than let it expire or accept the reforms that Senators Wyden and Lee had been pushing in the Government Surveillance Reform Act.

The CLOUD Act (2018) gives US authorities the power to compel US-headquartered providers to produce data regardless of where that data is physically stored.

Now put these facts together. If a UK or European business uses Mythos-class defensive capability to analyse its critical infrastructure — routing, effectively, a map of where that infrastructure is weakest through AWS, Vertex AI or Foundry — it is feeding that map into a pipeline that is explicitly subject to US warrantless access, and was just reaffirmed as such by Congress.

This isn’t hypothetical. It isn’t anti-American. It’s a structural fact about jurisdiction, and it applies equally to any foreign capability routed through any national infrastructure. The answer, for a UK or EU business with any claim to critical-infrastructure status, cannot be to outsource defensive AI analysis of its most sensitive systems to providers operating under that jurisdiction.

We need high levels of integrity and secrecy, which means in practice two things at once:

Sovereign SIGINT capability. The UK needs Mythos-class analysis capability running under UK jurisdiction, operated by UK-vetted personnel, with a clear chain of accountability to UK oversight. That’s GCHQ and NCSC territory, not Azure-hosted. The same logic extends to allied capability at NATO or Five Eyes level, where alliance-wide sovereignty is a coherent alternative to pure national capability.

Business-level OPSEC. Scale the same principle down. Your security architecture, vulnerability data, incident response telemetry, and AI-assisted defensive tooling should not live with any vendor you cannot hold accountable. The specific threat model is different at SME scale, but the principle — don’t shift accountability for your most sensitive intelligence to parties who can’t be held to it — is identical.

What this actually means for your business

If you’re running an SME with any meaningful digital footprint, the practical implications are concrete.

Shorten your patch windows. Assume the exploit window for any disclosed vulnerability is hours, not weeks. Tighten patching enforcement, enable auto-update wherever feasible, treat CVE fixes as urgent rather than routine maintenance.

Audit your third-party AI dependencies for jurisdiction. If you’re using US-hosted AI tooling for anything security-sensitive, understand the CLOUD Act and Section 702 exposure that creates. The answer isn’t necessarily to rip it out, but to be deliberate about what data flows through it.

Build infrastructure you actually control. European hosting with European ownership isn’t just a privacy posture — it’s a material reduction in the jurisdictional attack surface. For AI-assisted security specifically, open-source models running on infrastructure you own remove an entire category of governance risk.

Don’t outsource accountability. Every SaaS dependency, every “trust us, we’ve got AI” vendor pitch, every piece of critical infrastructure you don’t control is a point where accountability for a security outcome leaves your hands. Sometimes that trade is worth it. Often it isn’t. The discipline is asking the question deliberately, not defaulting to the easier, cheaper or more convenient answer.

What’s Your Experience?

Where does Mythos land for you — overhyped, underplayed, or genuinely the inflection point Anthropic claims? Are you already weighing the jurisdictional cost of US-hosted AI in your security stack, or is that a conversation your business hasn’t had yet? Leave a comment below or reach out on social media.

One more thing

I’ll acknowledge the obvious conflict in this piece: I’m a fractional CTO/CISO with a commercial interest in you hiring a fractional CTO/CISO. The same conflict-of-interest test I’ve applied to everyone else in this article applies to me, and it would be dishonest to pretend otherwise.

What I’d say in my defence: I don’t resell licences. I don’t have referral agreements with the major cloud vendors or security platforms. My incentive is structured so that your infrastructure should need me less over time, not more — I’m paid to make you more independent, not more dependent on any one vendor, including me. If I do my job well, you understand your own stack better than any vendor’s sales engineer ever will, and you make those don’t-outsource-accountability decisions from a position of knowledge rather than pressure.

If the argument above resonates — if you’re looking at the Mythos story and thinking the right response for your business isn’t panic-buying whatever AI-powered security product your inbox is currently pushing, but actually building a sovereign, defensible, jurisdictionally-sensible posture — that’s the work I do. Hit the “Let’s talk” button and book a free explorative call. It costs you nothing and commits you to nothing.

Axel Segebrecht

Axel Segebrecht is founder and director of Be Braver Ltd, a UK-based technology consultancy specialising in digital sovereignty, self-hosted infrastructure, and FOSS migration for European businesses.
