“Tools like this lower the barrier to offensive capability”
Richard Ford, CTO, Integrity360
The claims around Mythos are huge, with thousands of vulnerabilities identified, including issues that have existed for decades. However, much of this is self-reported, with limited independent verification so far. That’s not to say they are completely unfounded – we just don’t know.
Even so, the direction of travel is clear. Tools like this lower the barrier to offensive capability. Attackers no longer need deep expertise if AI can automate large parts of discovery and testing, which puts organisations with weak security posture directly in the firing line.
It is also important to look at how these results were achieved. Anthropic’s own system card shows that this level of performance relied on uncensored models, extended compute, and heavy resampling.
In other words, this is not yet a real-world scenario. The highest-risk behaviours appear under tightly controlled conditions, with safeguards removed and significant cost involved. That creates a gap between what is being demonstrated and what is currently scalable for most attackers, although well-funded groups could still close that gap over time.
There are also practical constraints. One widely cited example, the discovery of a 27-year-old vulnerability, reportedly cost around $20,000. That underlines two realities. First, this capability is not cheap. Second, context matters. That vulnerability existed in an open source environment without a formal bug bounty, so we must ask the question; with less incentive did it get the same sustained scrutiny of a commercial platform?
If this capability does prove out at scale, the impact is not straightforward. Organisations already struggle to prioritise and patch vulnerabilities. Increasing the volume of findings could increase exposure in the short term, not reduce it, and give attackers more opportunities to exploit. At the same time, it will put pressure on existing models. Bug bounty programmes and human-led testing rely on expertise and time. AI will start to reshape that, although areas like business logic will still depend on human understanding.
The bigger issue is preparedness. Most organisations are not set up to deal with continuous, high-volume vulnerability discovery. Those embedding security into DevSecOps workflows will be better placed to keep pace. Those that are not will fall behind, and they will be the easiest targets as these capabilities become more widely available.
Doug Woodburn is editor of IT Channel Oxygen
