By Staff Writer at LMG Security   /   Apr 16th, 2026

The AI That Can Hack Anything. What Your Organization Should Do About It.

Anthropic just announced something that every security leader needs to understand. 

Their new AI model, Mythos Preview, was used to scan major operating systems and browsers for software vulnerabilities. It found thousands of them. Decades-old bugs that no human had caught. And in some cases, it did not just find the vulnerability. It built a working exploit on its own. 

Anthropic is not releasing Mythos to the public. They are quietly making it available to a limited group of major tech companies and security researchers through a program called Project Glasswing. That is the right call. But it does not mean the rest of us get to look away. 

The Gap Is the Problem 

The thing that matters most about Mythos is not the AI itself. It is what it reveals about the state of vulnerability management. 

We have always known there were more bugs in software than anyone could find or fix. Mythos just made that gap visible in a way that is impossible to ignore. If AI can discover vulnerabilities at this scale and speed, the question is no longer whether your software has flaws. It is whether your organization can fix them before someone else finds them.

And the honest answer for most organizations right now is no. Patching backlogs are real. Vendors sit on known vulnerabilities for months. The tools and teams responsible for fixing bugs are not built to move at the speed AI can discover them. 

This is the conversation our team digs into in the latest episode of Cyberside Chats, with LMG founder Sherri Davidoff and Director of Penetration Testing Tom Pohl. 

What to Do Right Now 

Your organization does not need access to Mythos Preview to start preparing. Here is what security leaders should be doing today. 

  • Reduce your internet exposure. If a system does not need to be publicly accessible, take it off the internet. Put it behind a firewall, a VPN, or restricted access controls. The smaller your attack surface, the less there is to exploit. 
  • Vet your vendors. Ask your software vendors how they detect vulnerabilities, how fast they generate patches, and how they push those fixes to customers. Vendor risk is now a direct extension of your own risk. If they are slow, you are exposed. 
  • Budget for ongoing maintenance. Software is not done when it is deployed. Custom applications need regular security testing, continuous patching, and developer time to fix what gets found. Treat it like the living system it is. 
  • Segment your network. Assume attackers will get in. The goal is to stop them from moving around once they are there. Separate critical systems, limit privileged account access, and control how your systems communicate with each other. 

Watch the Full Episode 

Sherri Davidoff and Tom Pohl cover all of this in depth in the latest Cyberside Chats. They walk through what Project Glasswing actually means for your organization, why the patching gap is about to get wider, and what the best-prepared security teams are doing differently right now.
