Mythos: The AI hacker that scared its own makers

Let us start with what really happened, because in the world of AI, the truth often gets buried under too much noise and excitement. Earlier this month, Anthropic, one of the leading AI companies in the world, announced a new model named Mythos. But then it did something very rare in this industry, where companies usually compete to launch their products as fast as possible. It decided not to release Mythos at all.
The reason was not the usual talk about "AI safety" that we hear in conferences. It was something far more serious. According to Anthropic, Mythos can find hidden weaknesses in software. These weaknesses are called zero-days, meaning flaws that nobody else knows about yet, not even the company that built the software. Once Mythos finds these flaws, it can use them to break into systems, and it can even combine many small attacks together to take complete control. We are talking about operating systems like Windows, web browsers like Chrome, and the digital systems that run our daily life.
Also Read: Onions, folklore and failed scientific temper
The scary part is that Mythos does not need a human to guide it. It works on its own. It writes its own code, slowly gains higher access, and plans every step by itself. Imagine a burglar who can enter any building, notice every weak lock, open every door, and empty every safe, all without anyone telling him what to do. That is the kind of capability we are dealing with.
This jump did not happen overnight. A few months ago, Anthropic's older models were okay at finding software bugs, but they were quite poor at actually using those bugs to attack a system. In tests, the older versions could rarely turn a weakness into a real working hack. But Mythos has crossed that line clearly. In testing, it created real, working attacks many times.
The UK AI Security Institute also tested Mythos independently. The model solved many tough cybersecurity problems that normally need expert humans. More importantly, it showed something new, which is the ability to carry out multi-step attacks. This means it can find a weakness, plan the next move, adjust based on what it sees, and keep going deeper, just like a skilled human hacker, but much faster.
In one simulated company attack, Mythos completed every step needed to take over the entire network, something that would normally take a team of experts several hours.
Explainer: What India's new FDI norms mean for foreign investors
To handle this carefully, Anthropic started something called Project Glasswing. It gave limited access to around 40 organisations, mostly large American tech companies, so they could find weaknesses in their own software and fix them early. The UK government also got access for testing. Banks started taking notice. Governments began holding meetings. The mood quickly shifted from curiosity to genuine worry.
And then the thing everyone feared started happening. Reports came out that Mythos was being accessed by a small group on a private online forum, even though it was never officially released. It was not a full leak, but it was enough to raise the big question. If such a powerful model exists, can it really be kept locked up?
This matters because "control" has become the main safety approach in AI today. Don't release the model, limit access, work only with trusted partners. It sounds smart, but it depends on a level of control that may not really exist in the real world.
Mythos does not invent a brand new danger. It takes an old danger and makes it much bigger. Hacking has always needed skill, time and patience. That difficulty was a natural barrier protecting all of us. Mythos lowers that barrier sharply.
Cybersecurity has always been unfair, because defenders must protect everything, while attackers only need one open door. If finding that door becomes cheap and fast, the balance tilts towards the attackers.
There is a positive side too. When used for defence, Mythos is powerful. Mozilla tested it on Firefox browser and found many more weaknesses than before, all of which were then fixed. That is the strange irony. The same ability that protects can also destroy.
There are already signs that similar systems are being built elsewhere, including by some Chinese companies. Smaller and cheaper models are also starting to copy these abilities. So Mythos may not be a one-time event. It may be a sign of where the whole field is going.
Governments are slowly catching up. In India, regulators are meeting banks and financial institutions and asking them to stay alert. Anthropic believes that in the long run, AI will make systems safer because flaws will be fixed faster. That may be true. But the in-between period, where technology runs ahead and rules lag behind, is exactly where the real risk lives.
The author is a Defence, Aerospace & Geopolitical Analyst