Mythos AI shows what happens when large language models stop chatting and start hacking

April 14, 2026

1. Headline & intro

Mythos, Anthropic’s new AI model, just did something no other public system has managed: work through a 32‑step corporate network intrusion scenario end-to-end. That sounds like the start of a sci‑fi panic story about jobless hackers and fully autonomous cyberattacks. But the UK government’s detailed tests paint a more nuanced picture: Mythos is impressive, yet still brittle, and far from an all‑purpose red‑teamer in a box.

In this piece, we’ll unpack what the UK’s AI Security Institute (AISI) actually found, where the real risk lies, and how this changes the balance between human attackers, defenders, and the fast‑maturing wave of AI “operators.”


2. The news in brief

According to Ars Technica, the UK government’s AI Security Institute has released an early technical evaluation of Anthropic’s Mythos Preview model, focusing on offensive cybersecurity capabilities.

Since 2023, AISI has run large language models through custom Capture the Flag (CTF) challenges. Earlier systems like GPT‑3.5 struggled with even basic tasks. Newer models, including Mythos, Anthropic’s previous Opus and Codex releases, and OpenAI’s GPT‑5.4, now solve the vast majority of easier “Apprentice” challenges, often above 80 percent.

On single cyber tasks, AISI says Mythos performs similarly to these recent frontier models. The difference shows up in multi‑step operations. In a 32‑step simulated corporate data‑exfiltration scenario called “The Last Ones” (TLO), Mythos became the first model to complete the full chain of actions, succeeding in 3 out of 10 runs and averaging 22 steps completed. A previous Claude model averaged 16.

Mythos still failed an even harder seven‑step “Cooling Tower” scenario emulating an attack on power-plant control software. AISI stresses that its ranges lack active defenders and represent deliberately vulnerable systems.


3. Why this matters

The key story here is not that an AI can run some exploits—researchers have been demonstrating that for years. It’s that a general‑purpose language model, accessed through a standard interface, can now plan and execute a long chain of technical actions well enough to compromise a simple corporate environment.

Who benefits? On the offensive side, low‑skilled attackers gain the most. A system that can autonomously navigate 20–30 steps of an intrusion dramatically lowers the barrier to entry. Human operators could focus on target selection, social engineering, and evasion, while delegating much of the technical grind to the model.

Defenders do gain something as well: a clearer empirical view of what current AI systems can and cannot do. AISI’s work is a rare, public, government‑run benchmark that helps separate marketing hype from concrete capabilities. For CISOs, this is gold. The message today: small, poorly defended networks are realistically at risk from semi‑autonomous AI attackers; hardened, well‑monitored environments still impose serious friction.

The losers, at least in the short term, are organizations that have invested minimally in basic hygiene—patching, segmentation, monitoring—while assuming they’re too small to attract sophisticated attackers. AISI’s conclusion that Mythos can already autohack “small, weakly defended enterprise systems where access to a network has been gained” should be a wake‑up call.

The competitive landscape in AI also shifts subtly. Mythos’ standout result is not raw accuracy but orchestration: chaining tools, steps, and reasoning across tens of actions. That’s exactly the capability everyone wants for AI agents that schedule meetings, manage codebases—or run security operations. Cyber offense is simply one of the clearest, scariest demonstrations of that new agentic power.


4. The bigger picture

Mythos slots into a broader trend: language models evolving from chat assistants into autonomous operators that can plan, call tools, and act over long time horizons.

We’ve seen constituent pieces emerging for several years. Microsoft has been pitching Copilot for Security, using LLMs to triage alerts and generate investigation playbooks. Google has shown Sec‑PaLM as a specialized security model. Academic work on automated exploit generation and autonomous penetration testing has been steadily improving. But most of these tools either keep a human tightly in the loop or handle only short sequences.

What AISI’s TLO test highlights is that general models are crossing a threshold where long-horizon planning becomes robust enough to complete complex operations some of the time, even without domain‑specific fine‑tuning.

Historically, every big step in automation has had an offensive and defensive face. Email made communication faster; spam and phishing followed. Cloud made deployment easier; mass misconfiguration and large breach surfaces followed. AI‑driven cyber operations will be no different. For every Mythos‑style offensive demo, there will be a mirrored use case: automated purple‑teaming, continuous control validation, and AI‑augmented SOCs that run 24/7 with inhuman stamina.

Compared to competitors, Anthropic’s decision to limit Mythos’ initial release to a small set of “critical industry partners” signals a risk‑sensitive posture. OpenAI and Google have been moving in a similar direction, adding strict policies around “dual‑use” cybersecurity content and partnering with government agencies on evaluations. The days of shipping ever‑stronger models to the open Internet with only generic usage policies are clearly ending.

Industry‑wide, the Mythos results are an inflection point in perception: fully autonomous cyberattacks are no longer a theoretical research slide. They’re now a messy, partial, but demonstrable capability.


5. The European / regional angle

For Europe, Mythos is both a warning and an opportunity.

On the regulatory side, the EU AI Act will impose obligations on “systemic risk” models—precisely the category into which Mythos is likely to fall. Demonstrated offensive cyber capabilities strengthen the argument that large general‑purpose models need continuous red‑teaming, structured reporting to regulators, and possibly controlled deployment for certain high‑risk use cases.

At the same time, NIS2 and the upcoming Cyber Resilience Act already push European companies to raise their security baseline. AISI’s findings give those rules more urgency: “minimum security” must be defined assuming that adversaries can cheaply summon AI agents to probe every exposed interface, not just human hobbyists.

There is also a strategic autonomy angle. The UK’s AI Security Institute, although outside the EU post‑Brexit, is currently one of the few public bodies globally performing deep technical evaluations of cutting‑edge models. Brussels will face a choice: rely on foreign institutes and vendor self‑assessment, or build its own equivalent capability in cooperation with ENISA and national CSIRTs.

For European SMEs and public bodies—often under‑resourced in cybersecurity—the risk is asymmetric. They are precisely the “small, weakly defended systems” that AISI warns about, yet they also stand to benefit the most from defensive AI that can do basic monitoring, log analysis, and incident response at low cost. The policy challenge will be to ensure access to powerful defensive tools without enabling unchecked offensive use.


6. Looking ahead

Over the next 12–24 months, three technical trajectories will matter more than any single benchmark:

  1. Planning and memory. If models can reliably maintain coherent plans over hundreds of steps and hours of wall‑clock time, TLO‑style scenarios will move from “3 out of 10 successful runs” to “usually works.” That is where autonomous cyber offense starts looking operational rather than experimental.
  2. Tool integration. Today’s tests largely constrain models to sandboxed ranges. In the real world, combining LLM planning with exploit frameworks, credential‑stuffing tools, and internet‑wide scanners could multiply impact. The key risk is not raw intelligence but scale and speed.
  3. Defensive parity. The hopeful scenario is that defenders get better tools faster: AI agents that continuously harden configurations, simulate attacks, and respond within seconds when something looks off.

Policy‑wise, expect more governments to follow the UK in building dedicated AI security labs and publishing standardized test ranges. Insurers and auditors may start asking whether organizations have tested their infrastructure against AI‑driven attackers, not just human red teams.

We should also expect ugly surprises. AISI rightly notes that its ranges lack active defenders and that real systems may be both harder and weirder. The first widely publicized incident involving a largely autonomous AI‑assisted breach—likely against a mid‑size company with weak controls—will trigger a round of overreactions, from calls to pause AI research to demands for intrusive monitoring of model use.

The productive path forward is narrower but clearer: mandatory transparency around high‑risk model evaluations, strong identity and logging around access to powerful systems, and investment in open defensive tooling so that SMEs are not left behind.


7. The bottom line

Mythos doesn’t make human hackers obsolete, but it does mark the moment when large language models start to look like junior penetration testers rather than chatty code assistants. The immediate risk is not Hollywood‑style doomsday attacks on power grids; it’s the quiet, scalable compromise of thousands of small organisations that never thought they were worth a nation‑state’s time.

The real question for the next few years is simple: will we use AI first to automate attack, or to finally automate the boring, under‑resourced parts of defense?
