Opening thesis

For the past year, the question of whether frontier AI models posed a genuine, near-term threat to enterprise security has been treated as a matter of vendor marketing. Anthropic said Mythos was dangerous. Security teams discounted it because Anthropic is incentivised to say that. This week, that discount expired. Two independent organisations with no stake in the answer evaluated Mythos and arrived at the same conclusion: frontier AI models are now genuinely competent at serious cyber work. The question is no longer whether. It is how fast, how cheap, and what you do about it before open-weights equivalents are generally available in approximately six months.

Who this is for

This briefing is written for security architects, CISOs, and security operations leaders in organisations whose software or infrastructure touches payments, browsers, operating systems, cloud services, healthcare, finance, industrial control systems, or developer tooling. It is also relevant for channel professionals and vendors selling into the security stack who need to understand how the threat landscape has shifted and what that means for buyer conversations happening right now.

The core problem

Vulnerability discovery has always been constrained by the cost and scarcity of expert human time. Finding a 27-year-old bug in OpenBSD requires years of accumulated expertise and significant focused effort. That constraint has historically limited the scale at which serious vulnerability research both offensive and defensive can be conducted. Frontier AI models are in the process of eliminating that constraint. The same capability that allows a defender to scan a codebase for previously unknown vulnerabilities allows an attacker to do the same, at a fraction of the cost and time. The cost asymmetry that has always favoured defenders is shifting.

Key findings

MetricMythos (Anthropic)GPT-5.5 (OpenAI)
Expert cyber task score UK AISI full attack chain benchmark68.6%71.4%
Full attack chain completion (10 attempts)3 completions2 completions
Chain progression on same token budgetFarther than any model testedStrong exceeds prior trend
Notable independent finding27-year-old OpenBSD CVE discoveredReverse-engineering task: 10 min 22 sec / $1.73
Capability strength profileDeep codebase analysis and chain depthSpeed and cost efficiency on defined tasks
Current availabilityRestricted approximately 50 organisationsGenerally available now

Evidence

The two evaluating organisations were XBOW, a dedicated cybersecurity AI research organisation, and the UK AI Security Institute (AISI). Their evaluations were independent of Anthropic and represent the first time outside researchers have publicly confirmed the capability jump at this level.

The AISI ran a full simulated corporate network attack every stage stacked in order of difficulty against multiple models simultaneously on the same token budget. The attack chain tested covered reconnaissance, credential theft, lateral movement, web application exploitation, privilege escalation, command and control persistence, infrastructure compromise, and full network takeover. Models tested alongside Mythos included GPT-5.5, GPT-5.5 Cyber, Opus variants, Codex models, and older baselines.

Mythos winning here is not Mythos beating a weak baseline. It is outrunning an extremely strong model on a task where token spend is a metric that matters.

Nate B. Jones, AI News & Strategy Daily

XBOW found Mythos genuinely excels at source code audits, native code vulnerability discovery, and reverse engineering. They also identified important limitations: the model can be too literal in its interpretation of vulnerability context, may overstate the relevance of findings without proper triage, and requires validation infrastructure to be deployed responsibly.

The cost finding from the GPT-5.5 evaluation is equally significant: a reverse-engineering task that takes a human expert twelve hours was completed by GPT-5.5 in ten minutes and twenty-two seconds at a cost of $1.73. As the cost of finding subtle bugs falls, the number of actors capable of attempting serious exploitation increases exponentially.

Lessons learned

  • Independent confirmation changes the calculus. When only Anthropic said Mythos was capable, it could be discounted. XBOW and AISI have removed that discount. Security teams that were waiting for outside confirmation now have it.
  • The dual-use problem is not hypothetical. Both labs frame these models as tools for defenders. That framing is accurate but incomplete. The same capability that finds a 27-year-old OpenBSD bug for a defender finds it for an attacker. Restricting Mythos access today does not prevent the capability from existing it only determines who has it first.
  • Open-weights parity is approximately six months away. Restricting frontier model access is a temporary measure, not a structural defence. The window to build model-assisted security workflows while access is still restricted is now.
  • The bottleneck has shifted finding bugs is getting cheap, validating them is not. The work that still requires expert humans is validating exploitability, prioritising fixes, coordinating disclosure, reviewing patches, and deciding which systems are critical. Security teams should be building workflows that use AI for discovery and humans for validation.
  • GPT-5.5 is available today and is very capable. Security teams do not need to wait for Mythos access. GPT-5.5 and GPT-5.5 Cyber are generally available and demonstrated 71.4% on the same benchmark. Starting now builds the workflow maturity that will be needed when Mythos-level capability is widely accessible.

Buyer checklist: evaluating AI-assisted security tooling

Evaluation criterionWhat to look forRed flags
Benchmark independenceEvaluations conducted by organisations with no vendor relationshipOnly vendor-produced benchmarks available
Attack chain completenessFull end-to-end chain tested, not isolated capabilityBenchmark tests only isolated steps, not chain completion
Validation requirementsTool requires human validation before findings are escalatedTool presents findings as confirmed vulnerabilities without triage
Cost and speed transparencyCost per task and time-to-completion publishedNo cost or speed benchmarks available
Dual-use disclosureVendor has published responsible use and access control policyNo discussion of offensive capability or access restrictions
Integration with existing workflowFindings can be tracked separately from existing static analysis toolingOutput format incompatible with existing vulnerability management pipeline
Open-weights roadmap awarenessVendor has a stated position on open-weights parity timelineNo acknowledgement of open-weights equivalents arriving

FAQ

Does this mean AI will replace security researchers?

No it means the nature of security research work is changing. AI is becoming highly capable at the discovery phase: finding bugs, identifying patterns in large codebases, and reverse-engineering binaries. The work that remains firmly in the human domain is contextual: understanding the business impact of a finding, assessing real-world exploitability, coordinating responsible disclosure, and making prioritisation decisions under uncertainty. Security teams that integrate AI into discovery workflows free up expert human time for the higher-judgment work that AI cannot yet reliably perform.

What is the difference between Mythos and GPT-5.5 Cyber for security work?

Both models performed at comparable levels on the AISI benchmark, with GPT-5.5 scoring slightly higher in aggregate (71.4% vs 68.6%). The character of their capability differs: Mythos demonstrated deeper chain progression and more sophisticated codebase analysis on complex tasks; GPT-5.5 demonstrated faster and cheaper task completion on well-defined reverse-engineering challenges. GPT-5.5 is generally available now. Mythos access is currently restricted to approximately 50 organisations. For teams starting today, GPT-5.5 and GPT-5.5 Cyber are the practical options.

What is Project Glass Wing and Project Daybreak?

These are the access and deployment programmes through which Anthropic and OpenAI are making their most capable security-relevant models available to defenders. Anthropic's Project Glass Wing restricts Mythos to approximately 50 trusted organisations and critical software partners, with a focus on finding and fixing vulnerabilities before less careful actors access equivalent capability. A proposed expansion to 120 organisations was blocked by the White House. OpenAI's Project Daybreak makes GPT-5.5 and GPT-5.5 Cyber available through trusted partners for defensive workflows including patch validation, threat modelling, and vulnerability triage. It is generally available and actively being rolled out.

How should security teams prepare for open-weights parity in six months?

The six-month estimate for open-weights models reaching Mythos-level capability is an approximation, not a guarantee but the directional trend is clear. Security teams should use the current restricted window to build and validate model-assisted vulnerability discovery workflows, establish baseline metrics for what AI surfaces versus existing static analysis tooling, and develop the human validation processes that will be needed when the capability is widely accessible. Teams that start from zero when open-weights equivalents arrive will be significantly disadvantaged relative to those who have six months of workflow maturity.

Is it safe to use GPT-5.5 on production codebases?

The appropriate risk posture depends on the sensitivity of the codebase and the data governance requirements of the organisation. XBOW's evaluation noted that Mythos and equivalent models require validation infrastructure to be deployed responsibly the model's findings should be treated as candidate vulnerabilities requiring human triage, not confirmed exploitable issues. Organisations in regulated sectors should review their data handling and third-party processing agreements before submitting production code to any external model API.

Conclusion

Anthropic was not exaggerating when it said Mythos would be risky to release without restriction. Independent researchers have now confirmed this. The capability is real. The cost curve is real. The dual-use risk is real.

Security teams have a rare and time-limited opportunity: the most capable models are still restricted. GPT-5.5 is available today at demonstrated capability. The right response is not to wait for Mythos access or for the open-weights moment to arrive. It is to begin building model-assisted security workflows now, measure what AI surfaces against what existing tools miss, and build the human validation capacity that will determine whether the capability is a defence advantage or a liability.

Mythos was not a myth. The window to prepare is now.

Signal.lab tracks AI capability developments and their implications for the IT and cyber security channel. Contributors with expertise in security architecture, threat intelligence, and AI-assisted security tooling are invited to publish structured insights on the network.