April 22, 2026
Mythos: The End of Human Speed Security
On April 7, 2026, Anthropic, the company behind the widely adopted large language model (LLM) Claude, announced a new model, Mythos. This was no ordinary launch, however; it was an announcement that will usher in a sea change in how cybersecurity is handled at all organizations. While Anthropic initially withheld Mythos from public release due to its unprecedented capabilities, the model is currently being leveraged by a strategic cohort of technology leaders (Project Glasswing) to patch discovered vulnerabilities in their software.
Mythos wasn’t designed to be a cybersecurity-focused LLM, but in Anthropic’s testing, it proved to be extraordinary at identifying vulnerabilities and leveraging those vulnerabilities to accomplish assigned tasks. For example, when confronted with a task requiring unauthorized document access, Mythos independently identified structural vulnerabilities in the systems it was allowed to access and chained those vulnerabilities to bypass security boundaries. Anthropic reported that Mythos found vulnerabilities in every major operating system and web browser; some of these vulnerabilities had persisted undetected for decades. These are new vulnerabilities in some of the most tested software around the world. What used to take people years to develop, Mythos was able to do in a few hours.
With the model held back by Anthropic for now and made available to the foundational tech companies that underpin much of the internet and modern computing, the world will see a flurry of patches and updates coming for their infrastructure in the short term. However, these capabilities will soon be achieved by many more model providers, even open source model providers, putting these tools in the hands of anyone who can run them.
While the initial focus is defensive, the strategic implications cannot be overstated. When security research and offensive security teams operate at the speed of machines and models like Mythos, our traditional security methodologies and procedures become speedbumps rather than the defenses we thought they would be. A radical rethink of our stance toward risk, as it relates to patching frequency, AI use at our organizations, and governance and policy, is required.
A Call to Action for Leadership
Realizing this model will cause massive disruption in current security practices, a coalition including the Cloud Security Alliance, SANS, OWASP, [un]prompted, and the wider security community released “The AI Vulnerability Storm: Building a Mythos ready security program” on April 16, a guideline for CISOs on how to tackle these changes in the near term and build toward the future. The framework provides common-sense objectives for security leaders to help prepare for this change. It is recommended that all leadership, board members, and security teams read this document to prepare for the organizational effort that will be required to operate in the era of machine-speed cyber adversaries. When the timeframe from vulnerability discovery to development of a working exploit collapses from two months to 20 minutes, how can organizations be prepared?
“AI models have been discovering vulnerabilities and creating exploits for over a year. Mythos accelerates this significantly, but the capability predates it. What changes is the speed, scale, and the reduction in skill required to execute complex attacks, democratizing capabilities that were previously expensive and skill-intensive.
Non-frontier, open-weight models can already achieve much of this at an accessible cost. Frontier models like Mythos are the acceleration, not the starting gun. Each patch also becomes an exploit blueprint, as AI accelerates patch-diffing and reverse engineering of fixes.” – “The AI Vulnerability Storm: Building a Mythos ready security program”
To prepare for this new reality, organizations should prioritize the following:
- Anticipate the “patch storm”: Acknowledge and plan for a coming patch storm unlike any your organization has likely seen before. Not 1 zero-day in 1 application, but 50 across 50 different applications. Right now Mythos is private, but speculation is that by summer the work from the companies and open source software projects that have access to Mythos will result in a flood of patches across critical applications in use at your organization today.
  - Prepare your teams and your organization for the potential disruption.
  - Assess whether your current patch management policy (often 30+ days) satisfies the “reasonable security” standards of the NAIC Model Law or NYDFS Part 500 in a world where exploits are developed in minutes.
- Analyze the vulnerability landscape
  - Launch a comprehensive discovery and analysis of systems, code, and third-party vendors, and understand what software, dependencies, and open source repositories are in use, to ensure there is a clear map of the vulnerability landscape.
  - Identify processes to ensure new systems introduced into the organization are automatically added to the vulnerability catalogue.
- Deploy AI-augmented controls
  - Ensure real-time discovery for any new systems introduced by third-party adjusters or regional offices.
  - Evaluate your SIEM/SOAR capabilities. In a machine-speed environment, human-in-the-loop validation for system isolation is a liability.
  - Implement automated containment protocols that can trigger immediately upon detecting anomalous lateral movement, bypassing the need for manual approval during off-hours.
- Educate the Board on “Machine-Speed” Risk
  - Ensure the Board of Directors understands that the risk landscape has shifted from a “linear” threat model to an “exponential” one.
  - Secure budget for the technological infrastructure (AI-driven defensive tools) required to support these changes.
At Johnson Lambert, we are actively iterating on these defensive strategies and implementing them organization-wide. We recognize the complexity of this transition and are prepared to help your organization adapt. Using the methodology and models provided by the CSA, OWASP, and others, we can help guide your organization through this seismic shift. Please reach out to your engagement partner or our advisory services leadership team to discuss how we can assist you in securing your future in this new landscape.