
Anthropic and Claude Mythos escalate threat: AI makes cyberattacks accessible to novices

Anthropic shook the market with Claude Mythos: it finds vulnerabilities so fast experts are talking about a new era of script kiddies. If serious bug-hunting…

AI-processed from The Verge; edited by Hamidun News

Anthropic unveiled Claude Mythos Preview in April 2026, intensifying the conversation about how AI is transforming cybersecurity. The industry's greatest fear is no longer that models find bugs, but that people without deep technical training will be able to search for and exploit them.

From Competition to Concern

Back in August 2025, at the DARPA AI Cyber Challenge (AIxCC) in Las Vegas, teams tested systems for automatic vulnerability detection across 54 million lines of real code. The tools found not only artificially planted errors, but also genuine bugs that the organizers had not intended to showcase. This is a significant shift: even before the buzz around Mythos, it was clear that AI can already find vulnerabilities at a scale that would take individual researchers, or even ordinary research teams, much longer.

Now the market fears not automation itself, but its democratization. Previously, so-called script kiddies took ready-made scripts from the internet and ran other people's exploits, often without understanding how they worked. With AI models at this level, the scheme changes: instead of copying old tools, one can ask the system in a dialogue to examine new code, suggest an attack chain, and refine the exploit for a specific target.

For low-skilled attackers, this is no longer an acceleration, but almost an entirely new class of capabilities.

Attacks Have Become Cheaper

What experts worry about most is not Claude Mythos itself, but the sharp drop in attack cost in a broad sense—in time, effort, and required qualification. Researchers say that searching for a serious vulnerability in an unfamiliar codebase used to take weeks or months, but now it takes hours. Tim Becker, one of the AIxCC finalists from Theori, states directly: with minimal hints, and sometimes without any at all, AI is already capable of finding zero-days in widely used software.

"The barrier to entry for searching for bugs in a million-line codebase is now much lower than before."

Because of this, it becomes worthwhile to attack even systems that previously seemed too niche or too expensive to research. If the effort is almost free, attackers can search for weaknesses in rare configurations, internal corporate software, or services used by a single specific company. Moreover, models can quickly iterate through variants, combine already known error patterns, and write working exploit templates on the fly. Anthropic is trying to contain the risk: access to Mythos is restricted, and Claude Opus 4.7 has been enhanced with protection against malicious cyber requests. But no one guarantees that other developers will be equally cautious.

The Main Problem—Patches

For companies, the main risk now looks not like a "vulnerability apocalypse," but like a "patch apocalypse." If models find thousands of problems faster than teams can check and fix them, the bottleneck becomes not discovery, but response. Experts recommend preparing a Mythos-ready plan now: segment networks, establish order in identity and access management, transition to memory-safe approaches where possible, and reduce dependence on weak authentication. The fewer defensive layers a company has today, the more painful the next wave of vulnerability reports will be.

  • Network and service segmentation
  • Strict control of identity and access
  • Safer code and architecture
  • Phishing-resistant authentication and rapid updates

There is another unpleasant effect: the window between vulnerability disclosure and exploit availability is rapidly closing. As soon as a patch is released, attackers can examine it, understand what was fixed, and search for unpatched systems. Therefore, prioritization becomes almost as difficult a task as the fix itself.

A critical vulnerability in an internal service is not always more dangerous than a less serious error on the external perimeter. And managing this stream requires people: threat analysts, incident responders, and engineers who know the codebase deeply enough to fix issues not just quickly, but without introducing new problems in the future.

The example of the Xint tool from Theori is telling. According to the company, it found all the bugs that Mythos discovered in the same codebases and added 12 more zero-days not included in Anthropic's initial announcement. But fixing what is found is much harder than finding it. A good patch requires context: you need to understand whether it will break functionality, make the code harder to maintain, or create new holes.

For open source, this is especially challenging because small teams and individual maintainers can be overwhelmed by a stream of tickets that they cannot handle at the same speed that AI generates findings.

What This Means

AI is already changing offensive security faster than companies can restructure their defense processes. In 2026, winners will not be those with the most scanners, but those who can quickly prioritize risks, release updates, and build safer software from the start. Otherwise, even attackers without serious training will gain access to tools that were previously available only to skilled researchers and advanced groups.
