Claude Mythos Preview's Hacking Power Sparks UK Cyber Warning

The UK government issued an open letter to business leaders urging immediate action to address a step change in artificial intelligence cyber capabilities. The warning follows Anthropic’s disclosure of Claude Mythos Preview. This frontier model is capable of autonomous zero-day discovery and exploitation across major operating systems. If you maintain internet-facing infrastructure, the collapsing cost of offensive cyber operations alters your immediate threat landscape.

Autonomous Exploitation Benchmarks

Anthropic declared the model too dangerous for public release. Technical evaluations demonstrated the model’s ability to chain multiple vulnerabilities without human intervention. The system successfully transitioned from ordinary user access to full root control in the Linux kernel. The UK AI Security Institute (AISI) confirmed the model maintains its peak offense capability at a 100 million token context threshold.

Benchmark	Score	Notes
SWE-bench Verified	93.9%
CyberGym	83.1%
Cybench	100%	Retired as saturated

The model autonomously identified thousands of previously unknown vulnerabilities. Notable discoveries include a 27-year-old bug in OpenBSD and a 16-year-old vulnerability in FFmpeg. The FFmpeg bug had previously survived five million automated test runs. The fact that Claude Mythos Preview found zero-days in heavily tested legacy codebases highlights a fundamental shift in vulnerability discovery. The model’s large context window allows it to analyze entire system architectures simultaneously.

Systemic Risk and Accelerated Timelines

The UK AISI evaluates frontier model cyber capabilities as doubling every four months. This represents a significant acceleration from the previous eight-month trajectory. On April 12, the Bank of England, Financial Conduct Authority, and HM Treasury convened the Cross Market Operational Resilience Group. They assessed the systemic risks to the UK financial system resulting from these capabilities.

The core issue identified by the NCSC is that unskilled actors can now execute operations that previously required deep technical expertise. As models become more adept at executing a multi-step cyberattack, the barrier to entry for offensive operations drops to near zero. If you build enterprise applications, understanding agent security taxonomy is now a core operational requirement.

Defensive Consortium and Patch Timeline

To manage the risk before malicious replication occurs, Anthropic launched Project Glasswing. This restricted consortium uses Mythos exclusively for defensive vulnerability patching. Members include AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation.

Anthropic funded the initiative with $100 million in usage credits and $4 million in direct donations to open-source security organizations. The goal is to fortify critical internet infrastructure against future automated attacks. A public report detailing the fixed vulnerabilities is scheduled for release by July 2026.

Your immediate priority should be hardening your supply chain and accelerating your internal patching cadence. Relying on the obscure nature of your software stack is no longer a viable defense mechanism against autonomous discovery tools. Audit your infrastructure with the assumption that your codebase will face continuous automated scrutiny from highly capable systems.