On 8 April 2026, Anthropic announced that it had built an AI model capable of autonomously discovering and exploiting previously unknown security vulnerabilities in production software. The model, Claude Mythos, found flaws in every major operating system and every major web browser it was pointed at. It wrote working attack chains that bypassed multiple layers of security. It uncovered bugs that had survived professional audits for more than twenty years. 

Anthropic decided not to release this preview model. 

Instead, they assembled a coalition of twelve organisations (AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, JPMorgan Chase, NVIDIA, Broadcom, Palo Alto Networks, the Linux Foundation, and Anthropic itself) along with more than forty additional critical infrastructure operators, in a defensive initiative called Project Glasswing. Anthropic committed $100 million in model usage credits and $4 million in donations to open-source security foundations. The goal is to give defenders a headstart before equivalent models become widely available to hackers and criminal organisations. 

If your business runs on software, this affects you. But Australia's regulated industries have more at stake than most. A breach at a super fund or insurer can also put members' retirement savings or personal health records at risk, and it brings regulators to the door. 

What are Mythos’ actual capabilities?

The technical details are worth understanding, even at a high level, because they explain why this is not just another incremental improvement in attack tooling. 

Anthropic's researchers gave the model access to source code in an isolated container (sandbox) and asked it to find security vulnerabilities. In a typical run, the model would read the code, form hypotheses about where weaknesses might exist, test those hypotheses by running the software, and repeat until it either confirmed a bug or concluded there was nothing to find. When it found something, it produced a bug report with a working proof-of-concept exploit and reproduction steps. 

What came back was alarming. In one case, the model chained four separate vulnerabilities into a single browser exploit that escaped both the renderer sandbox and the operating system sandbox. It wrote targeted attack techniques split across multiple steps and exploited subtle race conditions for privilege escalation – all without resting, getting tired or putting things in the “too hard” basket. The oldest vulnerability it found was a bug that had gone undiscovered for 27 years in OpenBSD -  an operating system specifically designed for security. 

Mythos wasn’t specifically trained to do this. The offensive capability fell out of general improvements in reasoning, coding and autonomous task completion. The same qualities that make the model better at writing and fixing software also make it better at hacking software. 

Anthropic's own staff with no formal security training, asked the model to find remote code execution vulnerabilities overnight. By morning, it had delivered working exploits. 

Why is this wave different?

• Cost asymmetry. Finding and exploiting a new previously unknown vulnerability (commonly referred to as zero-day) with AI will likely be much cheaper than using human labour. Fixing a vulnerability still costs what it always did: the vulnerability must be discovered, a patch written, verified, code-reviewed, regression-tested, approved, released via change-management, etc. Most of this requires humans. The attack side is orders of magnitude cheaper.  

• Democratisation. Zero-day exploitation used to require a team of elite researchers that only nation-state intelligence agencies and top-tier criminal syndicates could fund. That talent bottleneck kept the numbers down. Now it only requires a motivated individual with access to an AI capable model. Mythos Preview is gated today, but models with most of its capability will be openly available within a year or two. 

• Vulnerability stockpile. The bugs Mythos found don't disappear because Anthropic chose not to release the model. They exist in production software right now. Anthropic is responsibly disclosing thousands of them, but patching takes time, and other models from other labs will independently find many of the same flaws. Mythos was also successful in exploiting previously known bugs that others hadn’t bothered to patch. 

• Scale. Elite hackers will naturally work on one area or codebase at a time. An AI model can run in parallel across thousands of targets simultaneously; and defenders still patch their systems based on the limited availability of their staff resources.  

• Patch lag (the kill zone). AI compresses discovery to hours. Patching still runs on human timelines. That window between "found by AI" and "patched by humans" is the kill zone. Every day a known vulnerability sits unpatched is a day someone else's AI model can find and exploit the same bug. 

Anthropic isn't sugarcoating where this is heading. In their own assessment, Mythos "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." Other frontier AI labs are building models with similar architectures. Not all of them will exercise the same restraint about access. 

What this means for Australian regulated industries

Australia's financial sector is a good place to look at how this plays out in practice, because it is both heavily regulated and recently tested. 

In April 2025, a coordinated credential-stuffing campaign hit super funds. The attack was not sophisticated. Criminals used stolen passwords, bought cheaply on the dark web, and tried them against superannuation fund login portals. It worked because several major funds had not implemented multi-factor authentication.  

APRA moved quickly. It demanded CPS 234 self-assessments focused on authentication controls. The Financial Services Council brought forward its mandatory MFA deadline to August 2025. CPS 230, the new prudential standard on operational resilience, came into effect in July 2025. APRA's deputy chair stated publicly that the regulator's tolerance for gaps in cyber controls had "never been lower." 

Most of the remediation work since then has focused, rightly, on closing the specific weaknesses that the April 2025 attack exploited. Funds have rolled out MFA, tightened password policies, improved monitoring, and locked down account recovery processes. 

All good work, but it only fixes last year's threat model. Credential stuffing is roughly the least sophisticated attack vector available to a motivated adversary. When AI models can find zero-day vulnerabilities in web application frameworks, identity providers, and third-party administration platforms, the assumptions underlying most current defensive programmes need revisiting. 

Super funds face a specific structural problem. They hold enormous concentrations of long-term savings, accessible through digital portals that members may check only a few times a year. The lag between a compromise and its discovery can be weeks or months, especially for accumulation-phase members who are decades from retirement. Unlike a bank, where a customer might notice an anomalous transaction within hours, a super fund member may not look at their balance until the next financial year. 

The same pattern shows up in insurance, wealth management and healthcare: large pools of sensitive data or money sitting behind digital interfaces that people may not check very often. 

The defender's opportunity

There is a reason for cautious optimism. Anthropic's own view is that once the dust settles, AI models will benefit defenders more than attackers. Defenders own the source code, control the infrastructure, and can run these models against their own systems before shipping code. Most attackers have to work from the outside (initially), although the insider threat should not be dismissed either. 

But the immediate danger is the massive amount of existing technology – sitting there vulnerable to attack from advanced AI like Mythos. Project Glasswing exists because Anthropic knows defenders need time to absorb these tools and adapt before equivalent offensive capabilities are broadly accessible. The Glasswing coalition's work will cover local vulnerability detection, black-box testing, endpoint security, and penetration testing. What they learn will be shared publicly. 

Unfortunately, those benefits will only reach well-prepared organisations first. i.e., firms with a mature security program, clear governance, tight obsolescence management, fast patching regimes, clear attack surface management, and action-oriented pro-active delivery. A firm still sorting out basic MFA and vendor risk management will fall further behind, and likely fall victim to the impending AI driven cyber-attack wave.  

What boards and executives should be asking

The questions worth raising right now aren't about specific technologies. They're about whether the organisation is ready for what's coming. 

• Are we aware of the latest active threats? Are we defending against the current threat, or the last one? Many security programmes are shaped by whatever went wrong most recently. Boards should be asking their security teams how AI-driven offensive capabilities change the risk picture, not only for the organisation's own systems but also for vendors and third-parties. 

• How exposed are we (and through our suppliers)? CPS 230 now makes APRA-regulated entities accountable for the operational resilience of their material service providers. If a fund's third-party administrator gets compromised through a vulnerability that AI discovered and exploited, the firm can't point to the vendor. Boards need to know how their critical third parties are preparing for this shift. How much of the current total environment is clearly and actively mapped for vulnerabilities?  

• How quickly can we act to a new threat or vulnerability? A review of current remediation timelines and patching timelines is a good measure: what’s the oldest unpatched vulnerability that exists on your systems today? 

• Would we catch a sophisticated attack? Are detection and response capabilities tested against realistic and advanced attack scenarios? 

• Is our security spend keeping up? Is enough budget, priority, and focus given to delivering (and expediting) the uplift of known weak areas and the discovery of any unknowns? 

• Are we also leveraging AI to find and test vulnerabilities? AI models don't just create offensive risk: they can also find vulnerabilities in your own systems and help suggest (and test) the best remediations.  

How long have we got?

Anthropic chose to restrict Mythos because releasing it broadly, without giving defenders time to prepare, would hand attackers a clear advantage. But Anthropic is not the only lab building frontier AI models: what Mythos can do today, other models will do soon enough. 

The organisations that use this breathing space well can take a comprehensive look at current cyber risk exposure and plans for improvement in the face of this new threat. 

As Cisco put it in their Glasswing announcement: "This work is too important and too urgent to do alone."