The buzz around AI model Mythos and its power to outsmart cybersecurity defenses is alarming companies and vendors already struggling to fend off existing threats.
The slow-walked release of Mythos from Anthropic PBC—combined with OpenAI’s new model that can quickly spot software vulnerabilities—risks disrupting how cybersecurity firms operate and how companies approach their defensive capabilities.
Together, their promised capabilities threaten businesses that are operating with tight cyber budgets, exposed weaknesses, and AI-enabled defenses already lagging behind attackers’ capabilities. Even before Mythos, companies were battling increasingly sophisticated AI-powered phishing and deepfake campaigns.
“Hopefully this whole announcement has made others think about how to use AI and to use it starting now,” said Ellen Boehm, senior vice president of strategy and AI innovation at Keyfactor, a digital security company. “If we don’t use it, the attackers will,” she said. Boehm added that defenders need to get better at using such tools to bolster security teams, “because that is what’s being used to attack us.”
Still, little is known about these models and it’s challenging to separate hype from reality. Anthropic only offered access to a select group of vetted companies over concerns the tool may end up in the wrong hands. Top Trump officials quickly summoned Wall Street leaders to urge them to prepare for the new types of cyber threats ahead.
Anthropic described Mythos’s capabilities in an online post, saying that engineers with no formal security training asked the model to find vulnerabilities in a remote system and woke up the next day to find a complete toolkit to break into it.
The arrival of these new models means the cybersecurity industry is entering a profound transition period and so are their customers, said Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency. Models like Mythos make it much harder for boards and CEOs to think that AI strategy and cyber strategy are separate conversations, she said.
“Cyber and AI are inextricably linked,” Easterly said. “You can’t have effective cyber capabilities without AI, and you can’t have AI be the engine of innovation and economic prosperity and national security unless these capabilities are built and designed to be secure.”
Need for Speed
Defenders need to deploy AI-enabled cyber defenses just as quickly as attackers leverage the new capabilities.
Mythos is “a good example of the kind of tool that defenders have to adopt as quickly as possible,” said Justin Herring, partner at Mayer Brown and former cyber official at the New York Department of Financial Services. “I know they’re limiting the circulation of this, which is probably a good thing. But you don’t want to be the organization that falls behind when you’re dealing with attackers that can exploit the fact that you’ve fallen behind at scale and at speed.”
About 85% of senior security leaders using AI in cybersecurity say their current cyber budget is insufficient to meet AI-enabled threats, according to a March 2026 EY survey. Only about 9% of cyber executives say they’re dedicating at least 25% of their cybersecurity budget to AI solutions.
“What will it do to cyber budgets? My guess is it’s going to make them go up because people are going to think about, ‘What do I need to buy, deploy, and invest in order to deal with this new threat vector?’” said Andrew Rubin, founder of Illumio, a cybersecurity company.
Weak Links
AI’s potential to spot gaps in software would still leave cyber teams with the same challenges they’ve been facing for the last few years: fix weaknesses as quickly as possible.
“Even if Mythos is able to find and suggest patches, it requires the entity who’s been notified to then deploy those responsibly,” said Chinmayi Sharma, associate professor at Fordham Law School focusing her research on cyber and AI. “I’m not saying that there’s rampant disregard for security, but it’s pretty non-controversial to say that in the public and private sector there just hasn’t been the attention towards security that many would want.”
As the latest models compress the time it takes to infiltrate defenses, teams will have to shift away from periodic testing or patching.
Most importantly, companies have to “continually invest in cybersecurity,” Morgan Adamski, US cyber, data, and tech risk leader at
A New Era
The new models could also scramble how cybersecurity vendors operate.
“It’s a threat to firms whose business model really depends on scarcity and manual labor and slow assessments,” Easterly, now a CEO with RSAC, said. “But it’s a major opportunity for companies that can help customers operationalize AI at defender speed.”
As vendors pivot to adapt to companies’ needs, chief information security officers (or CISOs) will be tasked with finding the right investments.
“It’s very, very important for CISOs and leaders responsible for governance to stay on top of these developments and to incorporate these tools as rapidly as they become available on the defensive side,” Mayer Brown’s Herring said.
Internally, CISOs are also pulled in different directions as they attempt to keep track of business units’ own use of AI—whether it’s a financial officer or human resources representative that wants to use new AI tools for their own business needs, said Geoff Hancock, chief information security officer & CEO at PurpleSec, a cyber company.
There are other ways CISOs will have to prepare because breaches are now inevitable, Rubin of Illumio said.
“You better prioritize resilience,” he said, “because recovering from one is going to be as or more important than preventing all of them, which we’ve clearly proven we cannot do.”
To contact the reporters on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.