Mythos and Today’s Threat Landscape

Mythos and Today’s Threat Landscape: Why This Is Bigger Than WormGPT

For years, most cybersecurity teams have viewed AI in attacks through a fairly narrow lens. They understood that attackers would use it to write better phishing emails, improve malware obfuscation, automate reconnaissance, and increase the speed of common attacks. Defenders would do the same on their side. The result would be faster offense and faster defense, but defenders would as always be slightly behind the ball of surprise, budgets, and change control.

That assumption no longer holds.

The Claude Mythos Preview has changed the conversation because it represents something fundamentally different from the criminal AI tools security teams are already dealing with. This is not another phishing assistant or malware-writing chatbot. It is a model capable of autonomous vulnerability discovery, exploit path development, and complex attack chaining at a level previously reserved for elite human researchers working over weeks or months. According to Anthropic, Mythos identified thousands of previously unknown high-severity vulnerabilities across major operating systems and browsers, including bugs that had remained publicly unknown for decades. There is always the possibility that nation state and elite hackers were coveting some of them, but not thousands.

That is not an incremental improvement in criminal capability, it is a structural shift.

What Attackers Are Using Today

The AI tools most commonly associated with cybercrime today are not quite Mythos-level systems. They are mostly assistive tools built to make existing criminal workflows faster and cheaper. However, this understates a progressive shift toward more advanced, agentic/autonomous AI capabilities that go well beyond simple assistance. There are tools that are independent of Mythos, edging into Mythos’s power territory.  High-capability systems like Anthropic’s restricted Claude Mythos model, excels at autonomous vulnerability discovery, exploit chaining, and multi-stage attacks and others are using high-end autonomous tools but it is far rarer and often state-sponsored or in proofs-of-concept.

Everyday crimes (phishing, scams) of course dominate reports and yes, they use cheap GenAI wrappers and freely available tools with significant success.

Examples include WormGPT, FraudGPT, SpamGPT, and similar underground models built from modified open-source large language models. These tools are typically stripped of safety controls and sold through subscription-based dark web channels. Their primary use cases are straightforward.

• They generate phishing campaigns faster.
• They write business email compromise messages that sound more convincing.
• They help build malware scripts and ransomware notes.
• They assist with credential theft campaigns and scam infrastructure.
• They improve social engineering by helping attackers create believable impersonation attempts.

These tools matter because they reduce ramp up and user friction. They make lower-skill attackers with fewer technical resources more capable and allow higher-volume campaigns to run with much less effort. But they are still largely assistive. They help humans execute attacks. They are not on the level of Mythos, independently discovering novel zero-day vulnerabilities across operating systems and chaining exploits for full compromise.

That distinction matters a lot.

Mythos Is Not WormGPT at Scale

It would be easy to think of Mythos as simply a better version of these underground tools but that would be an error

WormGPT for example, helps an attacker write a phishing email.

Mythos would greatly improve an attacker’s ability to discover a previously unknown flaw inside a target system quickly. Once it finds a vulnerability, Mythos, develops the method to exploit the system and then does the work of executing the compromise.

This is a massive game changer for attackers and defenders alike.

Mythos demonstrates advanced agentic reasoning. It can scan massive codebases, identify subtle logic flaws, test exploit paths, and generate working exploit chains with minimal human supervision. In controlled testing, it successfully chained vulnerabilities into full system compromise and achieved expert-level offensive cybersecurity performance that no previous public AI system had reached. The UK AI Safety Institute reported success in expert-level hacking tasks 73 percent of the time.

The challenge is no longer only malicious code generation. It is the industrialization and rapid expediting of vulnerability discovery itself.

Why This Changes the Defensive Equation

Security teams have always lived with operational asymmetry and defending both the known and unknowns to the degree they can. Attackers only need one workable path. Defenders need broad visibility, hyper responsive defenses and consistent controls across the entire environment. They must address the latest known critical vulnerability, while seeking budget, shepherding it through change control, interoperability, testing, compliance and all before an exploit arrives on the field and into the hands of determined cybercriminals.

Mythos and other advancing tools make that imbalance much worse.

• Discovery becomes abundant, and threats are incessant.
• Remediation remains slow, tedious, costly and exhausting.
• Time windows for defenders to remediate shrink.
• Unclosed holes and the odds of exploitation increase rapidly.
• An attacker using traditional methods could spend weeks or months researching an exploit path. A Mythos-class model can compress that work into hours or days and within the not-to-distant future, minutes. Meanwhile, the defender still needs to manage budget, staffing and risk.

We are watching a rapidly growing gap between attackers and defenders as the remediation time widows and traditional defenses collapse on defenders.

The remediation and recovery cycle does not.

This is especially dangerous for organizations running legacy infrastructure, operational technology, industrial control systems, and environments where downtime is expensive or patching is operationally difficult or impossible. Banks, manufacturers, utilities, healthcare systems, and government environments are particularly exposed because they often rely on older systems that were never designed for this pace of vulnerability discovery. They are also burdened with change of approvals, integrity checks, and recertification of systems.

Why Project Glasswing Matters

If you wondered whether Mythos is a threat to the technical and security community, Mythos’ near panicked lockdown by Anthropic should reduce your doubt. Now of course some of the dramatic action could be a branding ploy. The release notes and details that got out through leaks, on the other hand, tell a strong tale of a future where cyber security is more difficult than ever and those with the time, money and staff to defend themselves will be far fewer.

Due to the leaks and overwhelming concern about what would happen if Mythos was released on the world without controls, it is in many ways being treated like a mass destruction weapons program.

Instead of public release, Anthropic created Project Glasswing, a tightly restricted program that provides Mythos access to roughly 50 trusted organizations for defensive purposes only. The stated goal is simple, find and fix the most dangerous vulnerabilities before adversaries do, either through Mythos public access or leveraging similar capabilities. This is not all marketing theater. It is an obvious recognition that powerful offensive-capable AI can create global insecurity and instability if released without significant restraint. We are of the opinion that this only delays the inevitable.  The problem, of course, is that controlled access does not stop competitors, state actors, or eventual and predictable proliferation.

It only buys us all time.

Do Hackers Have Mythos Today

Proliferation is not publicly confirmed today. But not unlike the British having the enigma machine to decrypt German communications during World War II, it is not at all likely an adversary will announce to their enemies when they do have similar capabilities.

There is no verified evidence that cybercriminal groups currently are using a true Mythos-equivalent model capable of autonomous large-scale zero-day discovery and exploit chaining. Today’s criminal AI remains largely assistive rather than frontier-level autonomous. However, April 21 to 22 of 2026, A small private group is reported to have gained access via a third-party vendor/contractor breach shortly after Mythos’ announcement. They have reportedly used the model for purposes other than cyber.

No matter how we slice it, the timeline to breakout or equivalency is going to be short.

Some AI experts point to a 6 to 18 month window before comparable capabilities become more widely available through competing labs, state-sponsored access, theft, reverse engineering, or eventual open-source derivatives. Anthropic itself has effectively stated that it will not be long before similar capabilities spread beyond controlled access.

That means organizations are not looking at a distant future problem.

We must act as if we are in the breakout window now.

What Security Leaders Should Do

The right response is never panic or despair. It is awareness, readiness and resilience.

Organizations should start by recognizing that traditional assumptions around vulnerability management may already be outdated. If AI can accelerate vulnerability discovery faster than your traditional remediation processes can respond, the priority shift to hyper vigilant early awareness, detection and radically faster execution.

That means:

• Improving asset visibility across infrastructure, dependencies, and shadow IT.
• Reducing blast radius through zero trust, tighter segmentation, least privilege controls, and phishing-resistant MFA.
• Adopting AI-assisted defensive workflows, attack path discovery, code review, vulnerability triage, and post patch validation.
• Developing, implementing and testing backup, disaster recovery, and restoration processes under realistic pressures and verifying immutability.
• Rehearsing executive decision-making and technical delivery planning for multiple simultaneous high-severity incidents.

This is what a Mythos-ready security program looks like.

How Alvaka Helps

At Alvaka, we work with organizations that cannot afford to be slow, blind, or reactive as the threat landscape changes.

That includes managed visibility, vulnerability management, ransomware recovery, backup and disaster restoration through DRworx, and immediate access to experienced support teams when timing matters most.

As AI changes the speed and scale of cyber risk, businesses need more than awareness. They need stronger fundamentals, faster decisions, consistent vulnerability management and resilience and the budget and executive sponsorship that holds under pressure.

Frequently Asked Questions