Anthropic's claims about finding vulnerabilities through Mythos disputed by cybersecurity industry

Around Anthropic Mythos, not only interest but also skepticism is rapidly forming: the model being discussed for its ability to find dangerous cyber vulnerabilities may not be as unique as it appears in public discourse. If the results of Aisle's internal tests are correct, the high-profile case that caused alarm among government agencies and major organizations is being replicated on far cheaper open-source models. The discussion was prompted by claims that Mythos can identify software defects and vulnerabilities at a level that prompted government agencies and institutional customers to take risks from such a tool more seriously.

The very fact that the model is tested by only a limited set of companies only increases the tension: when access to the system is closed, the market is forced to rely not on a broad benchmark but on individual demonstrations and developer assessments. This is where key criticism was voiced by Jaya Balu, COO and CISO of cybersecurity company Aisle. According to her, in internal tests the team was able to reproduce the same result that Anthropic cited using inexpensive open-source models.

In other words, this may not be about an unattainable technological leap of one closed system, but about a task that more accessible tools can already solve with proper configuration, sufficient context, and well-formulated prompts. For buyers and regulators, the distinction here is enormous. One thing is a rare model with tightly controlled access that shows unusual results in a closed loop.

Another is a situation where comparable effects are demonstrated by cheaper systems available for internal deployment or work with open code. In the first case, the emphasis is on restricting access to a specific product. In the second case, it is on the fact that organizations will have to review their protection processes, code review, and internal testing as part of a new norm.

There is also another important layer to this story: the question of trust in sensational claims at an early stage of testing. While the model undergoes testing by a limited circle of companies, the public market sees only the top of the picture—an individual case, an impressive formulation, and the reaction to it. But for a real assessment, comparable scenarios, repeatable results, and an understanding of the conditions under which the model found a specific vulnerability are needed.

Without this, it is easy to confuse an impressive demonstration with a sustainable advantage. For the cybersecurity industry, this is a fundamental moment. If Mythos's uniqueness is overstated, the assessment of the threat also changes.

Concerns about such models are built on two premises: they accelerate the search for vulnerabilities and lower the barrier to entry for attackers. But if the same effect is achievable through the open-source ecosystem, the discussion should shift from a specific company to a broader fact: these capabilities are probably already distributed across the market and not tied to one vendor. On the other hand, this does not necessarily weaken the concern—rather, it makes it more practical.

For government agencies, corporations, and developers, the question is now not only about how strong one flagship AI is, but also about how quickly similar functions spread to low-budget and widely available models. Closed access to Mythos could have created an impression of exclusive danger. Aisle's statement points to a different scenario: the ability to find bugs, useful to defenders and equally risky in the hands of attackers, is already becoming widespread.

The main conclusion is that the dispute around Anthropic Mythos is a dispute not only about the quality of one model, but also about how the market measures AI uniqueness in cybersecurity. If cheap open-source solutions truly find the same vulnerabilities, Anthropic's competitive advantage looks less dramatic, and the discussion itself transitions from the realm of sensation to verification, comparative testing, and access control for such tools.