The UK's AI Security Institute tested Anthropic's Claude Mythos Preview — a cybersecurity model so powerful Anthropic won't release it publicly — and found it succeeds at 73% of expert-level capture-the-flag challenges that no AI could solve before April 2025. But in "The Last Ones," a 32-step corporate network simulation requiring 20 hours of human expert time, Mythos succeeded only 3 out of 10 times. The model can discover zero-day vulnerabilities and execute multi-stage attacks autonomously, capabilities that prompted Anthropic to restrict access to 40 organizations through Project Glasswing instead of public release.
This represents a capability threshold crossing that's been brewing since 2023, when the best models "could barely complete beginner-level cyber tasks." Now we have an AI that can do in automated fashion what takes human professionals days — but only in controlled environments without active defenders or real-world hardening. The leaked documents from March (accidentally exposed through a CMS misconfiguration) reveal Anthropic's own researchers warned of "attacks that far outpace the efforts of defenders," causing cybersecurity stocks to drop 4-7%.
The AISI evaluation reveals crucial limitations the initial leak didn't capture: Mythos works in sterile lab conditions but struggles against real defenses. Three successful network compromises out of ten attempts, in an environment with "no active defenders, no defensive tooling, no consequences for tripping alerts," suggests we're still far from autonomous AI hackers. The model excels at finding vulnerabilities but can't reliably chain complex operations across defended networks.
For developers, this means AI-assisted security auditing is becoming reality while AI-powered attacks remain mostly theoretical. The 30% success rate against simplified networks should worry security teams, but the 70% failure rate suggests human expertise remains irreplaceable for sophisticated operations." "tags": ["cybersecurity", "claude", "anthropic", "vulnerabilities