Unless you’ve been off the grid for the past few weeks, you’ve probably seen the headlines. Anthropic’s new AI model — Claude Mythos — can find and exploit security vulnerabilities in every major operating system and web browser. Engineers with no formal security training used it to generate complete, working exploits overnight. The UK’s AI Security Institute confirmed it successfully took over a simulated corporate network in three out of ten attempts — the first AI model ever to do so.

The coverage has ranged from measured concern to outright alarm. So what does it actually mean for a healthcare provider, an NDIS organisation, an accounting firm, or an NFP?

The honest answer: less than the headlines suggest, and more than most organisations are prepared for.

What Mythos actually is

Mythos Preview is Anthropic’s most capable AI model to date — a general-purpose large language model that turns out to be remarkably good at computer security tasks. Specifically, it can autonomously scan codebases for vulnerabilities, chain multiple weaknesses together into working exploits, and do all of this at a scale and speed that would take human experts weeks or months to replicate.

To its credit, Anthropic didn’t quietly release it and hope for the best. They restricted access to a vetted group of around 40 technology firms and institutions — Project Glasswing — tasked with using Mythos to find and fix vulnerabilities in critical software before adversaries can get to them. The intent is defensive first.

That’s a meaningful choice. It’s also not a permanent solution.

The part that actually matters

Here’s what the breathless coverage often misses: the vulnerabilities Mythos is finding aren’t new in nature. They’re known classes of software flaws — memory corruption issues, privilege escalation bugs, remote code execution weaknesses — that have existed for years, sometimes decades. The oldest Anthropic has disclosed publicly was a 27-year-old bug in OpenBSD.

These vulnerabilities weren’t secret. They were just unfound, or found and left unpatched.

That’s the real story. Not that AI has invented a new category of threat. But that AI has dramatically compressed the time between a vulnerability existing and someone being able to exploit it. What once required a specialist with months of time now potentially requires a prompt and an overnight run.

The question for every organisation isn’t “how do we defend against Mythos specifically?” It’s the same question it’s always been: are our fundamentals actually in order?

What the UK’s AI Security Institute actually found

Buried in the coverage of Mythos’s capabilities is a detail worth highlighting. The AI Security Institute’s evaluation found that Mythos was effective against systems with weak security posture. Their conclusion was explicit: the model cannot reliably execute autonomous attacks against organisations with well-hardened defences.

Read that again.

The organisations most at risk from AI-assisted attacks are the ones that were already most at risk from human-assisted attacks. Unpatched systems. Weak access controls. No MFA. No logging. No visibility.

If your organisation has solid fundamentals in place, Mythos doesn’t fundamentally change your risk profile. It raises the stakes on getting those fundamentals right, but it doesn’t introduce a new game.

The access gap is a real problem — but not the way it’s being framed

There’s a legitimate concern buried in the Mythos conversation: the organisations with access to powerful defensive AI tools are the large technology firms. Hospitals, disability providers, accounting practices, and NFPs are not in the Project Glasswing consortium.

That gap is real. But the framing — that smaller organisations need access to Mythos to defend themselves — misses the point. The best defence against AI-assisted vulnerability discovery isn’t access to the same AI. It’s not having the vulnerabilities in the first place.

Patched systems. MFA on everything. Restricted admin privileges. Tested backups. These aren’t glamorous. They’re also what works — against human attackers, against automated tools, and against AI models running overnight exploit searches.

What this means practically

If you’re running a healthcare organisation, an NDIS provider, an accounting firm, or an NFP, here’s what Mythos should prompt you to do:

Patch faster. The vulnerabilities Mythos finds are largely ones that patches already exist for, or will exist for shortly. Over 45% of discovered vulnerabilities in large organisations remain unpatched after 12 months. That window is your exposure. Close it.

Take MFA seriously. Not just on email. On everything. Chained vulnerabilities often require an initial foothold — MFA removes a lot of the easy ones.

Know what you’re running. You can’t patch what you don’t know about. Asset visibility — knowing what software is in your environment — is a prerequisite for everything else.

Test your backups. If Mythos-assisted ransomware hits an organisation that can’t recover, the capability gap is the backup strategy, not the AI model.

Get a real assessment. Not a checkbox exercise. An honest look at your environment that tells you where you actually stand.

The bottom line

Mythos is genuinely significant. It represents a step change in the speed and accessibility of vulnerability discovery and exploitation. Organisations that have been coasting on security theatre — the appearance of security without the substance — face a harder environment than they did six months ago.

But the fundamentals haven’t changed. They’ve just become more urgent.

The organisations that are going to struggle aren’t the ones who haven’t heard of Mythos. They’re the ones who have heard of it, written a worried email to their IT team, and then moved on without doing anything different.

Don’t be that organisation.
If you’re not sure where your environment actually stands, that’s the right place to start. Get in touch — we’ll give you an honest picture, not a sales pitch.