Cyber Security

Mythos: The Most Boring Revolution in Cybersecurity?

By Thorsten Delbrouck, Group CSO at Giesecke+Devrient

Anthropic’s timing in loosening the sharing restrictions around Mythos is flawless. They are hitting the security community at the exact moment when many teams are looking past the initialpanic and realizing a fundamental truth: the primary threat is not some revolutionary, magical new insight that only the absolute latest flagship model can provide. The actual concern lies elsewhere, far away from the realm of action thrillers. 

Anthropic has undoubtedly orchestrated a masterful marketing stunt. From the ominous name to the whispered capability rumors, right down to the artificial scarcity of its initial release, the playbook is obvious. Yet, this theater still has one remarkably useful side effect: it takes all that manufactured exclusivity and directs much-needed, urgent attention toward a very real, painfully mundane operational problem: for boards and executives, the question is no longer only “How many vulnerabilities do we have?” but “How many can we realistically handle?” 

First: What Is Mythos Not? 

One thing you certainly shouldn’t expect is that Mythos is an almost magical tool that you point at software installed somewhere, and after a brief pause, it reveals a new, unimpeded path into that very system and even provides the necessary tools to do so. A tool that cracks any encryption and bypasses any authentication. 

That’s a concept we know from action thrillers: typically involving a small box, securely nestled in a custom-fit foam recess inside an aluminum briefcase, which must not fall into the wrong hands at any cost. 

A Few Basics About Vulnerabilities 

Vulnerabilities in software products have long been detected through automated processes, but LLMs have taken this search to a new level. Before the widespread use of AI, it was primarily possible to find known vulnerabilities based on specific, known patterns, though even small deviations or variations could lead to errors being overlooked. 

Awareness of the importance of security has been growing for years. The effort that companies and private initiatives invest in uncovering vulnerabilities is increasing, and as a result, the number of those found has also been rising: According to CVE.org and the U.S. National Vulnerability Database, a little over 48,000 CVE vulnerabilities were published in 2025. 

Ever since the story of Sissa and the chessboard full of grains of rice, we’ve known how poorly humans can estimate exponential growth. 

And the growth is not only driven by better detection. It is not without irony that the same companies presenting their latest models as salvation from cyber threats are, at the same time, fueling part of the problem. AI-assisted coding tools accelerate software production, but they frequently produce sloppy, vulnerable code – expanding the very attack surface their security products promise to reduce. From an economic standpoint, this is brilliant. From a security perspective, far less so. 

Who Does This Affect? 

In short: everyone. Teams that operate their own IT systems must be familiar with all the components they use. They need to gather information about new vulnerabilities, analyze their  exposure, and define appropriate  countermeasures. If necessary, those countermeasures must be tested before fixes are prioritized and implemented. Throughout the process, teams mustalso monitor for any unwanted side effects elsewhere. 

Teams that develop software themselves must constantly test their own software, ideally with AI support. They must also keep track of all external components (libraries, etc.), test them, and replace them or implement other countermeasures if vulnerabilities are identified. And this can, of course,  lead to unwanted side effects elsewhere. 

That is exactly as labor-intensive as it sounds. And if the number of vulnerabilities in this environment continues to grow exponentially, it won’t take much to throw the entire system off balance. 

So Why All the Hype Around Mythos Right Now? 

A model considered potentially too dangerous for the public sparks maximum curiosity. It is a classic mechanism for creating exclusivity, driving demand, and increasing company valuations. At the same time, however, there is also the suspicion – and at least the possibility – that Mythos might actually be particularly good at finding security-related flaws. Probably even in older software products, and perhaps even when the software was written in programming languages no longer widely used today. 

Initial results from the closed testing phase of “Project Glasswing” suggest that this assumption may not be entirely unfounded. In tests, the model reportedly detected a 27-year-old vulnerability in the OpenBSD operating system, traditionally considered extremely secure. In another scenario, the AI reportedly chained together multiple vulnerabilities in the Linux kernel to gain root privileges. This isn’t entirely new. In the fall of 2025, the predecessor model, Claude Code, was reportedly misused by malicious actors to automate targeted attacks at scale. 

Will Mythos Now Break All Software Products? 

No, it is not to be expected that “Mythos” will suddenly break a wide variety of products across the board and leave major holes in systems everywhere – in companies, government agencies, banks, universities, hospitals, or elsewhere. 

But it doesn’t even have to be that dramatic to create serious problems for many organizations. Even today, many IT teams are already struggling under a heavy workload: All the “new topics” surrounding AI, cloud infrastructure, sovereignty, and related issues are landing on teams that are already occupied with alert triage, incident response, phishing analysis, vulnerability and patch management, as well as documentation, audits, and reporting. And this is where the next shift becomes relevant: AI systems are already quite good at finding software vulnerabilities, and very likely they will keep getting better at it. That is the actual imbalance: discovery is becoming increasingly automated, remediation is not. 

In a lot of organizations somewhere, someone still has to understand the vulnerability, assess whether it is relevant in the given context, decide what comes first, write or obtain a patch, test it, roll it out, and then hope that nothing else breaks. These people do not scale exponentially. They have maintenance windows, change boards, legacy systems, suppliers, dependencies, budgets, meetings – and occasionally even vacations. 

The risk, then, is not that Mythos, or any other model, suddenly burns down the digital world overnight. The more plausible risk is far more boring, and therefore probably more dangerous: AI-assisted vulnerability discovery could simply produce more work than defenders are able to absorb. 

So Whose Problem Is This, Actually? 

First of all, the pressure is not only coming from the technology side. Regulations like NIS2 and the EU Cyber Resilience Act are imposing mandatory vulnerability reporting timelines — 24 or 72 hours, depending on the regime. That means organizations can no longer quietly deprioritize what they cannot fix in time. They must report it, explain it, and document what they intend to do about it. In a world where AI-driven discovery keeps producing more findings than teams can absorb, these obligations do not just add paperwork. They turn every unresolved vulnerability into a potential compliance event — with regulatory consequences attached. 

Vulnerability management needs to move out of the purely technical basement and into management meetings. It is no longer enough to know how many critical vulnerabilities exist somewhere in the organization. Leadership also has to know whether the organization can realistically respond. How many findings can be analyzed? How many systems can be patched without disrupting operations? Where are the bottlenecks? In the security team? In development? In testing? In suppliers? In the approval process? 

And there is an even more uncomfortable question: What happens when the answer is “not enough”? Then organizations must prioritize ruthlessly, accept residual risk, build additional response capacity, or, in extreme cases, take systems offline. None of this sounds particularly futuristic. But it is exactly the future that may arrive first. 

The Boring Future 

Mythos will not end the world. No single model will. But it is a useful reminder that the cybersecurity challenge ahead is not a Hollywood scenario — it is an operational one. That is why Mythos is perhaps less interesting as a product than as a signal. 

It points to a world in which the limiting factor is no longer the ability to find vulnerabilities, but the ability to deal with them. Organizations will have to invest in mitigation capacity: better prioritization, cleaner software portfolios, faster patching processes, more automation, and yes, probably AI support in remediation too – which, of course, creates its own new set of problems. 

But doing nothing is not a strategy. If the number and complexity of vulnerabilities continue to rise faster than the ability to respond, the bottleneck will not be in the technology. It will be in the organization. 

Author

Related Articles

Back to top button