Unreleased AI Model Could Enable Basement Hackers to Launch Nation-State Cyberattacks

Dave Plummer said Anthropic's unreleased Mythos AI model could allow individual actors to achieve cyberattacks previously only possible for nation-states by finding critical software vulnerabilities faster than humans can patch them.

The AI company developed Mythos but did not release it publicly, instead creating a gated program called Project Glass Wing for major organizations. Anthropic said Mythos can surpass all but the most skilled humans at finding and exploiting software vulnerabilities, with the model having already discovered thousands of serious flaws in every major operating system and web browser.

"The risk is that one rogue actor could quickly do in their mom's basement what the entire North Korean cyber arms team has been trying to do for years," Plummer said.

Multiple governments and financial institutions have taken urgent action in response to Mythos's capabilities. Treasury Secretary Scott Basson and Fed Chair Jerome Powell have met with bank CEOs, the European Central Bank is preparing questions for banks, and the White House is planning guarded access for federal agencies.

The UK's AI security institute found Mythos succeeded on expert-level capture the flag tasks 73% of the time and completed a 32-step corporate network attack simulation end-to-end in 3 of 10 attempts. However, the same evaluation noted their testing environment lacked active defenders and defensive tooling, so they cannot confirm Mythos could autonomously attack well-defended real-world systems.

Plummer argued the core concern is not that Mythos itself will destroy the internet, but that software may be broken faster than it can be repaired, with offense moving at machine speed while defense moves at corporate speed. He said the danger is that high-end cyber security capabilities become accessible to less skilled actors. "The danger is that high-end cyber security starts to diffuse downward," Plummer said.

Mythos is a general purpose frontier model that has become exceptionally good at cybersecurity as a side effect of improvements in coding, reasoning, autonomy, and long-horizon tasks. The same capabilities that make it effective at finding vulnerabilities could potentially be applied to other domains requiring complex problem-solving.

Plummer contended that fundamental changes to software architecture may be necessary to address the new threat landscape. "The answer is to stop building environments that can be broken by one clever exploit chain," he said.

Anthropic is already testing safeguards in the more widely available Opus 4.7 model. The company said it is working toward broader release of Mythos-class models in the future.