The Mythos Moment
A Cyber Superweapon, a Government Standoff, and Why Vulnerability Management Just Became Non-Optional
If you've been trying to make sense of the headlines around Anthropic's "Mythos," you're not alone. It's been a confusing few months — a $200 million Pentagon contract, a supply chain risk designation, a lawsuit, an unreleased model that can find zero-days in every major operating system, and as of today, reports that a Discord group has already compromised it through a third-party vendor. This is one of the most important stories in cybersecurity right now, and most leaders I talk to are still piecing it together.
Here's the short version — and more importantly, what it actually means for your program.
A Little History
In July 2025, Anthropic signed a $200 million contract with the Department of Defense, becoming the first AI lab to deploy its models across classified networks. Things went sideways by late winter. Anthropic refused contract language that would have permitted the use of Claude for fully autonomous weapons and domestic mass surveillance. The Pentagon wanted unfettered access for "all lawful purposes." Neither side blinked.
In March, Defense Secretary Pete Hegseth declared Anthropic a supply chain risk — a designation that, according to Anthropic's own attorneys in federal court, has never before been applied to an American company. The label forces defense contractors (including Amazon, Microsoft, and Palantir) to certify that they don't use Claude in any Pentagon-related work. Anthropic sued. The cases are still working their way through the courts.
The plot twist? Only a few weeks later, Trump signaled that a deal with Anthropic is "possible." The White House appears to have discovered it needs Anthropic more than the standoff suggested. Why? Because of what Anthropic was about to release.
What Mythos Actually Is
On April 7, Anthropic announced Project Glasswing and the existence of Claude Mythos Preview — a frontier model so capable at finding and exploiting software vulnerabilities that Anthropic has refused to release it publicly. Not since OpenAI temporarily withheld GPT-2 in 2019 has a major lab deemed a model too dangerous to ship.
The capabilities, as reported, are unprecedented:
In internal testing, Mythos found thousands of zero-day vulnerabilities in every major operating system and every major web browser. 99% remain unpatched.
The U.K.'s AI Security Institute, granted early access, found Mythos succeeded in expert-level hacking tasks 73 percent of the time. Prior to April 2025, no AI model could complete those tasks at all.
Access has been restricted to roughly 40 organizations — Amazon, Apple, Google, Microsoft, Cisco, and a cluster of the largest U.S. banks including JPMorgan Chase, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley. Treasury Secretary Scott Bessent reportedly convened senior bankers in Washington to coordinate defensive use.
Notably, CISA — the U.S. government's top cyber defense agency — is not on the list. That's a story of its own.
Why This Should Change Your Calculus
I've written before that AI cyber capabilities are doubling roughly every eight months. Mythos is that doubling made concrete. The implication is uncomfortable but simple: the gap between "a vulnerability exists in your stack" and "an attacker is exploiting it" is compressing fast. The old model — patch on a quarterly cadence, lean on CVSS scores, handle the scary ones in an emergency window — was designed for a world where attackers also had to find the bug first. That world is ending.
What Actually Works Now
This is the part I want every leader reading this to internalize: the same AI wave that makes offense cheaper also makes defense dramatically cheaper. A mature, pre-emptive vulnerability management program has never been more accessible, and has never mattered more.
This is the moment where "we'll get to it next quarter" stops being a defensible posture. This is exactly the work we do at Risk Clarity. If you're reading this and recognizing a gap between where your program is and where it needs to be, let's talk. Risk Clarity Group helps security leaders stand up pre-emptive vulnerability management programs calibrated to the Mythos era — and we use the same AI wave to get you there faster than you'd expect.