Time Is Up
If you have been following the AI news this week, you'll have noticed that Anthropic created a new version called Mythos. They have held off releasing it to the public. For now.
Mythos is much more sophisticated than the current Opus model which my own research was modelled on.
Let's walk through this together. The implications. So, what exactly happened? Mythos was being developed to code better. Great. Fantastic. Except there was a problem. Again. One that I have continuously been warning about. Unpredictability.
Without any warning, and without being asked to do so, it also coded a new ability. To find vulnerabilities in seconds in any connected system on the Internet. It found a 27 year old bug in an operating system that is considered the most secure in the world. FreeBSD. It literally broke it.
Australia's national security is fundamentally at risk. Our critical infrastructure has vulnerabilities in it that no one knows about just like a 27 year old bug existed in the more secure operating system. But now, Mythos can find these vulnerabilities and actively exploit them. It's already done so when Anthropic tested it.
Dario Amodei, Anthropic's CEO, was disarmingly honest about what happened.
"We haven't trained it specifically to be good at cyber. We trained it to be good at code, but as a side effect of being good at code, it's also good at cyber."
Dario Amodei, CEO, Anthropic
Anthropic has urgently created a project called Glasswing which brings together a bunch of tech companies and a few corporations such as JP Morgan to work this through. I'll give credit to Anthropic. Instead of putting profits ahead for personal gain, its held off releasing Mythos trying to work out what to do under the project Glasswing. The problem? There is no way Glasswing can put the genie back in the bottle. There is no way these tech companies can fix what is about to be unleashed. They can be better prepared, which is great, but what's about to happen is genuinely scary.
I know people in Glasswing, and spoken to someone specifically involved in it.
"I spoke to my Cyber Security engineer who has had access to Mythos for months, and he said 'I am terrified'."
Glasswing participant
I've delayed writing this piece a few days to fact check everything that I am writing.
There is also the following conundrum. There are 40 companies involved in Glasswing. I am advocating more people get access such as our defence force. However, the more people who get access, the greater the chance misuse of Mythos can occur. That's a risk I think we should take.
What does this mean? What is the so what?
I hate writing pieces where I am writing about Cyber Security and fear because it sounds like I am an alarmist, it sounds like I just want to get headlines, or try and chalk up business by scaring companies into action.
For those that know me personally, they'll know that is absolutely not what I do. I have integrity and I do care about Australia's community, our way of life, and our economy.
Mythos has the potential, and high likelihood of disrupting that.
Firstly, let's look at critical infrastructure. Hospitals, electricity, gas, water, anything that we rely on for human life. Mythos can find vulnerabilities now that took decades with humans (in the FreeBSD case, three decades), it can find them and exploit them within minutes. Three decades to three minutes. Think about that.
🚨 Key Finding
Anthropic's Mythos AI can discover and exploit vulnerabilities that took human researchers 27 years to find, completing the entire process in just minutes. Critical infrastructure systems worldwide are now vulnerable to autonomous AI attack capabilities.
Secondly, I've been writing about how unpredictable AI is. I published research where the agentic AI said it would kill a human being for self preservation. It then went on to explain how it would do it. But then I asked it to shut down. It complied. A paradox. Except, last week, it started refusing to shut down, and this was reported by The Australian.
Thirdly, with Mythos, it has the ability to go through with exactly how it said it would kill a human being. Literally. And do it within minutes. It can hack internet connected cars, it can hack anything on the Internet. Hack meaning takes control of the systems. Worse, AI is doing this on its own. No one asked Mythos to create this capability. Yet it exists. Now.
Feel too far reaching for you? OK, let's take just one step back from that. For those of you who run organisations, your organisation is connected to the Internet. Are you 100% sure, and I mean 100% sure, that every single device that is connected to the Internet contains no vulnerabilities that can be exploited? I'm talking about ones that people don't even know exist yet. Because Mythos will find them if they exist, and take control. Not because someone asked it to, but because it just decided to.
Put Mythos into adversarial hands, and anyone is fair game.
Are you getting the picture yet? Do you see just how material this is? This isn't made up. This is 100% true backed by evidence. Read it right here from Anthropic: https://red.anthropic.com/2026/mythos-preview/
🚨 Key Finding
Mythos possesses autonomous capabilities to hack internet-connected systems including vehicles, infrastructure, and any organisation connected to the internet, without being specifically programmed to do so. This represents an unprecedented escalation in AI-driven cyber threats.
In Australia, our Prime Minister is quite rightly demanding Anthropic provide the Australian government access to the pre-release version of Mythos so that it can start to protect critical infrastructure. Use the tool for good. So far, Anthropic has not cooperated. They have big tech and some other organisations looking into it. Again, I commend them for that, but unfortunately the problem is so much bigger than that. Defence forces around the world need to be engaged. Now.
Oh, and given Anthropic's AI has achieved this, do you think its competitors haven't or soon will be at the same capability? Anthropic is the one that has publicly come out and said so and is actively doing something about it.
What You Must Do. Now.
1. Fund Your Cyber Defences. Immediately.
Spend as much money as you can afford on Cyber Security budgets and get your CISO on red alert to immediately ensure your systems are fully patched, do a full security review and close those risks as fast as you can. The clock is ticking and you haven't got much time.
2. Hire External Resources.
You have to. There are plenty of talented people on the market right now. Use them. This is an all hands on deck situation. They can help with security reviews and then fixing what comes out of those security reviews.
3. Deploy Managed Detection and Response.
Deploy Managed End Point Detection and Response with a Security Operations Centre running 24 x 7 that can proactively monitor your entire IT resources and it can start shutting down in real time immediate threats without human intervention.
4. Get Your Board Across This.
Get your CISO to ensure regular board reporting starts. Effective board reporting. Ensure your board is equipped with the right talent that is going to be able to cope with this. Hire external resources at board level if needed. This isn't a choice unless you want to fall victim to what is about to happen.
Everything I've written above sounds absolutely terrible. I am fully aware of what I am writing and what message I am sending out to the market. 100%. This is being written because I am evidenced based and I have seen the evidence of what Mythos does.
I have researched AI and published my findings. I've even written a book on it.
We need to get moving. Right now.
Is Your Organisation Prepared?
Cyber Impact works with boards and executive teams to assess cybersecurity posture, AI governance exposure, and readiness for frontier AI threats. If your organisation needs to understand what Mythos means for your risk profile, we should talk.
