AI Just Got a Lot Better at Breaking Into Things

Written By Elijah Szasz
 
 

The Rules Just Changed

An AI model just found thousands of unknown security vulnerabilities - bugs that had survived years of human review and millions of automated tests - across every major operating system and web browser.

It did most of that work on its own.

The model is called Claude Mythos Preview, and it's so capable that Anthropic decided not to release it to the public. That's a sentence worth sitting with. A company built an AI they were too nervous to ship.

The window between a vulnerability being discovered and being exploited has collapsed. What once took months now happens in minutes.

That changes what you need to do this week.

What Mythos Actually Is

Mythos Preview is Anthropic's newest frontier model - the company behind Claude, one of the most widely used AI assistants in business today.

The model wasn't built to be a hacking tool. Anthropic's team made clear they didn't explicitly train Mythos to have these capabilities. They emerged.

That's the part that should catch your attention. Nobody designed this. The capability just showed up.

Instead of a public release, Anthropic is giving access to companies like Microsoft, Nvidia, and Cisco through an initiative called Project Glasswing. The goal is to use the model to find and patch vulnerabilities before bad actors can exploit them. Anthropic is committing over $100 million in usage credits to more than 50 tech organizations for this purpose.

The defensive play is smart. But here's the problem: the same capability that lets defenders find holes also tells you what attackers will eventually be able to do - with models they build themselves, or models they steal access to.

What This Means for Your Organization

You don't need to understand kernel memory exploits to understand the stakes here.

What you need to understand is this: the old assumption was that hacking required rare, expensive expertise. A small number of skilled people in the world could find and weaponize software vulnerabilities.

That cost, that effort, and that level of expertise required have all dropped dramatically.

The barrier is gone. Which means the threat surface for every organization - yours included - just got bigger.

This isn't about Mythos specifically. It's about what it signals. Models with these capabilities will keep coming. Some will be controlled. Some won't. The question for you isn't whether the threat is real. It's whether your organization's basic defenses are solid enough to matter.

At SPARK6, we've been having this conversation with clients for months. The teams that feel exposed right now aren't the ones with weak tech stacks. They're the ones with weak habits. Reused passwords. No second factor on email. Old accounts nobody thought to close.

The sophisticated threat starts where your hygiene ends.

Five Things To Check This Week

These aren't advanced. They're the basics that still get skipped.

  1. Turn on two-factor authentication (2FA) everywhere it's available. This means email, Slack, your CRM, your cloud storage - everything. 2FA adds a second verification step beyond your password, so a stolen password alone isn't enough to get in.

  2. Use a password manager. Tools like 1Password, Bitwarden, or Dashlane generate and store complex, unique passwords for every account. If you're still reusing passwords, you're one breach away from a cascade.

  3. Audit your ghost accounts. Think about every SaaS tool your team has ever used. Offboarded employees with active logins are a common entry point. Review access and kill accounts that shouldn't exist.

  4. Get your email on a modern security standard. SPF, DKIM, and DMARC are protocols that help verify your email isn't being spoofed. Your IT team or email provider can check this in minutes. If they haven't, ask.

  5. Train your team on phishing - again. AI makes phishing emails dramatically more convincing. The grammar errors that used to give them away are gone. People need a refresher on how to spot social engineering.

None of these require a new budget line. They require someone to own them.

The Bigger Frame

AI is getting better at offense faster than most organizations are getting better at defense.

That's not a reason to panic. It's a reason to stop treating security as an IT problem and start treating it as a leadership problem.

The organizations that will be fine are the ones with strong fundamentals - not the ones waiting for a perfect solution. There isn't one. There's only less exposure or more.

Which side of that line is your team on?

Want help applying this to your product or strategy? We’re ready when you are → Let's get started.

Elijah Szasz https://www.linkedin.com/in/elijahszasz/
Next

The Skill You're Quietly Losing to AI