Anthropic’s announcement that its Mythos AI model had uncovered thousands of software vulnerabilities - including flaws spanning major operating systems and browsers - prompted urgent discussions among governments and financial institutions when the company released the model in April. By early May, the issue had risen to the level of national policymakers, with the White House considering tighter rules governing model releases after safety testing.
Yet inside cybersecurity circles the initial alarms have been met with a more measured response. Practitioners familiar with Mythos say the model does represent a notable technical improvement in vulnerability discovery, but they do not see it as an automatic ticket to previously unreachable hacking operations.
Measured assessments from practitioners
Isaac Evans, founder and CEO of software security firm Semgrep, summarized the divide succinctly: "I think there’s a really big communication gap between practitioners and policymakers." He acknowledged Mythos as "a real technical advance," but added that public reactions "are not substantiated by what we actually know about how those capabilities will translate in the field."
Those who have run Mythos in controlled settings report significant gains in the speed and breadth of vulnerability identification. Banking IT teams, at both large and small institutions, are already addressing numerous weaknesses in their technology stacks that surfaced during early testing. The pace of discovery has intensified concerns, especially against a backdrop of continuing disclosures of criminal and state-linked hacking activity that has involved AI-assisted techniques. On May 11, Google announced it had detected a major cybercrime group using AI to discover a previously unknown software flaw while planning a broad exploitation event - a development that increased attention on AI-enabled vulnerability hunting.
Why the threat picture is less straightforward
Several experienced vulnerability researchers who had early access to Mythos emphasized that tools capable of finding large numbers of bugs have existed for months or years. "We’ve been able to use AI to find more bugs than we know what to do with for months if not years," said one person with extensive vulnerability research experience. The difficulty, that person said, is not finding flaws but validating, prioritizing and remediating them without disrupting systems. In other words, the downstream workflow required to convert discovery into exploitable operations or into fixed systems remains a bottleneck.
That same source noted Mythos lowers the barrier to discovery by requiring a weaker prompt - the user instruction that guides the model - than prior models. Existing models often demanded more intricate and detailed instructions, whereas Mythos can produce results with less elaborate prompting.
Anthony Grieco, senior vice president and chief security and trust officer at Cisco, highlighted additional practical benefits Mythos offers defenders: its ability to scan vast swathes of code much faster than predecessors and to help experienced teams reduce false positives. Both factors can allow organizations to concentrate on the most pressing risks in their specific operational contexts. Grieco also observed that Mythos carries fewer guardrails than prior models, which can permit more precise instructions that enable tasks earlier models would have resisted.
Infrastructure and harness constraints
Even for organizations intent on maximizing Mythos’ capabilities, Grieco said two components are essential: substantial computing power and a rigorous harness - the controlled computing environment where a model operates under specified constraints and instructions. "If you have a Formula One car but you’ve only ever driven a bike, you might be able to get it to go straight," he said. "But you’re not going to maximize the track time out of the gate."
Those practical requirements mean Mythos’ computational and infrastructure demands currently limit who can effectively run it at scale. Panelists at a Vanderbilt University event echoed that point: Nick Adam of State Street said the model’s architecture is not yet optimized and pointed to the same compute and harness hurdles Grieco identified. He added that while those barriers exist now, they are likely to be resolved "pretty quickly."
Project Glasswing and government reaction
An aspect of Anthropic’s approach that broadened the spotlight was its invitation to select firms to test defenses under a program called Project Glasswing. That initiative, and the company’s own public framing of Mythos’ capabilities, moved the discussion outside typical security communities and into government and industry-wide crisis conversations.
The heightened visibility produced an intense response: some parts of government sought access to the model while others raised supply-chain concerns. The Pentagon labeled Anthropic a supply-chain risk and other agencies pushed to gain access. A White House official said officials are discussing with AI labs measures to expand how widely their technology is used. An Anthropic spokesperson said the company is working "closely with the U.S. government to quickly advance shared priorities," and that it is collaborating with the government to broaden access to Mythos for more parties.
Discovery is just the beginning
National security conversations have focused heavily on Mythos - and to some extent on other advanced models such as OpenAI’s GPT-5.5 - but those debates sometimes overlook a simpler reality: using AI to hunt for vulnerabilities is not novel. The harder problems follow discovery.
Cynthia Kaiser, a former senior FBI cybersecurity official now at Halcyon, underlined that many adversaries have been highly capable prior to AI. "Our adversaries have gotten really good without AI," she said, noting that ransomware attacks can be executed in under an hour and that most threats continue to operate without AI assistance.
For now, the combination of scale, compute intensity and harness infrastructure required to run Mythos at full capacity constrains its immediate, widespread misuse. Still, stakeholders caution that these obstacles may erode over time, increasing accessibility.
Practical implications for organizations and markets
Security professionals describe the present situation as a management and systems problem as much as a technical breakthrough. Organizations that lack robust vulnerability validation pipelines and remediation capacity face the greater risk: a surge in discoveries can overwhelm teams and create difficult prioritization choices, particularly in sectors with large, heterogeneous technology footprints such as banking and critical infrastructure.
The banking sector has already devoted IT resources to patching vulnerabilities surfaced in early Mythos tests. Demand may increase for sellers of vulnerability-management tools, scanning and harness infrastructure, and consulting services that help triage and remediate findings. Defense and government agencies that treat supply-chain integrity as a priority are also actively engaged, balancing access for defensive purposes against concerns about proliferation.
Where this leaves policymakers and practitioners
Policymakers and cybersecurity practitioners appear to view the threat through different lenses. Policymakers, responding to public-facing claims and to programs that invite external scrutiny, have tended toward precautionary action. Practitioners emphasize operational realities: discovery, validation and remediation workflows; computing and harness requirements; and the ongoing efficacy of non-AI techniques used by skilled adversaries.
For now, Mythos has sharpened attention on where organizational capacity is weakest - the ability to process and act on large volumes of newly discovered vulnerabilities. Those gaps, rather than simple access to a given model, may prove the more pressing near-term security challenge.
Reporting for this piece relied on interviews and statements provided by cybersecurity practitioners, industry executives involved in early access to the model, and public comments from government and company spokespeople referenced above.