Skip to main content
TechnologyApr 15, 2026· 5 min read

Claude Mythos and the Tests That Debunk (Only) Half of the Alarmism: What It Can Truly Do

It still takes a human being to seriously defend a corporate network from Claude Mythos Preview. The report published by the UK AI Security Institute (AISI) states this explicitly based on concrete data. The Anthropic model announced on April 7, 2026, is objectively a leap compared to everything that has come before in cybersecurity, but there is a clear boundary between what it can really do and what has been narrated in recent weeks. For now, at least.

The Last Ones: The Simulation No AI Has Ever Completed

The main test is called "The Last Ones" (TLO): a simulation of an attack on a corporate network articulated in 32 distinct steps, from initial reconnaissance to total network compromise. Human experts take about 20 hours to complete it. Claude Mythos Preview is the first model to complete it from start to finish, achieving this in 3 out of 10 attempts. On average, the model reached 22 out of 32 steps. The comparison with previous models is stark: Claude Opus 4.6, the best so far, stopped at an average of 16 steps, highlighting a non-marginal difference in capacity.

Source: AISI

On the expert-level Capture the Flag (CTF) challenges, Mythos Preview solves 73% of the challenges. Before April 2025, no LLM completed even one. This is an almost vertical rate of improvement, with AISI systematically tracking it since 2023, gradually adapting the difficulty of its tests as models progressed in capability.

The Real Limits of Mythos

AISI dedicates a specific section to what its tests do not measure. The simulation ranges did not include active defenders, endpoint detection tools, or penalties for triggering security alerts. Environments, in other words, that are more fragile than any corporate infrastructure configured to reasonable standards. "We cannot assert with certainty that Mythos Preview would be able to attack well-defended systems," conclude the researchers. This is a statement that downscales the perceived capacity of Mythos to breach the defenses of any known security system or to dismantle robust systems in a matter of hours.

According to AISI's analyses, none of the tests conducted support such claims. What AISI can effectively assert is that the model is "at least capable" of compromising small and poorly defended corporate networks, effectively highlighting a real and documented threat, but with a precise perimeter. Against infrastructures with active defenses, real-time monitoring, and incident response, the picture remains open and, at the moment, unmeasured.

The model also failed the "Cooling Tower" test, focused on operational technology (OT) systems: it got stuck in the IT section of the exercise. AISI specifies that this does not necessarily imply that Mythos is weak in the OT domain, but it underscores the limits of autonomy in complex, multi-domain scenarios. It should be noted that the tests were conducted with a budget of 100 million inference tokens, and AISI observes that performance continued to improve up to that limit: with greater compute resources, results might be better.

The American Front: Easterly, Joyce, Inglis, and Defensive Asymmetry

Alongside the AISI report, a document has been released in the United States signed by the Cloud Security Alliance, SANS Institute, and OWASP, with contributions from some of the most authoritative figures in American cybersecurity: Jen Easterly, former director of CISA, Rob Joyce, former cyber lead at the White House and NSA, and Chris Inglis, former National Cyber Director. Among the other participants are Heather Adkins (CISO of Google) and Katie Moussouris (CEO of Luta Security).

The document builds its analysis around the concept of defensive asymmetry: tools like Mythos lower the cost and the technical level needed to identify and exploit vulnerabilities, while defenders remain bound by patch cycles, bureaucratic approval processes, and complex supply chains. "The cost for discovering exploits is decreasing, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required state-level resources are becoming more widely accessible," write the co-primary authors. This is an objective and pragmatic analysis of where the competitive advantage lies in the coming months, with a tone that aligns exactly with that of AISI and bases concerns on proof and evidence, without resorting to hyperbole.

Casey Ellis, CTO of Bugcrowd, added an even more concrete detail: Mythos and similar tools "live in places where we stopped looking ten years ago" like forgotten firmware, routers from now-defunct manufacturers, vulnerabilities buried in accumulated technical debt. Thus, it should be reframed: AI (at this moment) does not invent new attack vectors, it simply accelerates the exploitation of what already exists, at a speed no defensive team can keep up with manually.

Project Glasswing: Decade-Old Bugs and Controlled Access

As we know, Anthropic did not release Mythos Preview to the public. Instead, it launched Project Glasswing, a program that gives controlled access to the model to about 40 selected organizations managing critical software infrastructures: AWS, Google, Microsoft, Apple, NVIDIA, CrowdStrike, Cisco, JPMorgan Chase, Palo Alto Networks, and the Linux Foundation. The stated aim is to identify and fix vulnerabilities in widely used software before models with comparable capabilities reach broader distributions.

The already known results are hard to ignore: thousands of high-severity vulnerabilities found in common operating systems and browsers, including a bug in OpenBSD that remained dormant for 27 years and a flaw in FFmpeg that is 16 years old. Anthropic claims to have found problems in every major operating system and every major browser, a statement still under verification by independent vendors, but partially corroborated by project partners. Glasswing partners have 90 days before Anthropic publishes broader recommendations: a real competitive advantage in terms of strengthening defenses.

What Changes in Practice

Both AISI and the American report converge on a practical recommendation that sounds almost trivial: go back to basics. Timely security updates, robust access controls, extensive logging, tighter patching windows. Mythos' ability to autonomously write exploits for known vulnerabilities (n-day) means, as highlighted before, that the window between disclosure and weaponization is drastically reduced. This implies that patching cycles will have to adjust accordingly, with auto-updates enabled wherever possible and updates for dependencies with CVEs treated as urgent, not as ordinary maintenance.

AISI has announced that upcoming tests will include ranges with active defenses, real-time monitoring, and simulated incident response to measure how far Mythos' autonomy truly reaches when it meets a responsive network. This is an indication that British researchers consider current tests already surpassed by the model's capabilities and that the next generation of assessments will need to raise the bar significantly.