A few days ago, the Mythos and Project Glasswing announcements left multiple industries stunned. I’ve seen multiple posts from people who never cared about security now worried about it. Some are scared by the data from Anthropic; some just took a step back and thought about how insecure technology is. Companies in the security space are also reacting to this. Some people say that cybersecurity has been solved or is dead, but it’s not. So what’s different now?
Previous models could already uncover 0days, but we can assume they were not as good as Mythos. Claude Code and similar CLIs, which can easily connect to MCP tools and the terminal and be provided with skills or instructions, could already allow anyone to build their own hackbots. Anthropic probably noticed that technology is evolving so fast that security needs to keep up. Otherwise, the network will probably become so unstable that it can be destroyed or replaced with another one (the book Nexus is a good read). At the same time, this kind of power can be centralized or decentralized. Major companies or governments controlling and using it means dystopia. On the other hand, if anyone can hack anything with a prompt, then decentralization can lead to chaos (see Tristan Harris's video The Narrow Path). The AI industry knows this, and Anthropic is probably trying to strike a balance between both: finding critical 0days before the general public can find and exploit them.
Project Glasswing is focused on the most critical software infrastructure and software: operating systems, FFmpeg, browsers, etc. Previous models were already capable of assisting in finding 0days in browsers (see dawgyg's X profile over the last few months). They are trying to find 0days in low-level critical software, while we continuously test the attack surface of any organization. In other words, Project Glasswing focuses on software that has already been reviewed and audited many times. The real threat may be an obscure vendor with production database access, or a legacy integration that nobody understands or wants to touch (see Shlomie's post).
So the real threat isn't in the software everyone is watching; it's in everything nobody is. Approaches that combine breadth and depth and mimic a real attacker, even without source code access, are more necessary than ever. While Project Glasswing focuses mostly on analyzing source code, different vulnerabilities appear once software goes live and connects to other components. Those exposed services will still be there, vulnerable to a CVE from 2020.
On the other hand, deploying frontier models at enterprise scale requires orchestration, safety, and continuous operation that go beyond API access. It’s true that anyone can just open Claude Code these days and say: “Do a full pentest of this app and generate a report”. It’s here and it’s true. But the gap between model output and enterprise-level security operations, including but not limited to trusted and validated findings, prioritization, compliance and accountability, is where I believe the next generation of security platforms will be built.
Security will continue to be all about trust. Production environments need proper guardrails that ensure offensive testing stays in scope. Today, that means infrastructure around the models, not the models alone.
So what does this all mean for the security industry? Will Mythos change anything? The technology didn't change that much, but the narrative and market perception did, which created urgency. Now that everyone is more and more concerned that “AI can hack anything”, modern solutions are needed. Small companies will probably just build some internal solution, but big ones can’t scale AI pentesting to their entire infrastructure that way.
AI models like Mythos are very good at going deep on one target. Anthropic just validated that the agentic component will keep getting better. What happens when the models are that good? I think human judgement can be very valuable, and combining humans and AI can bring new findings and chains. I’ve seen it happen multiple times. Here’s a cool video that got me thinking a few weeks ago.
Anthropic just gave a red pill to everyone. They just increased the urgency for every enterprise to improve their security. 100% security is mathematically impossible: the attacker only needs one open window, and this asymmetry doesn’t disappear with better AI; it just gets faster.
Don’t wait for the attack.