AI model Claude Mythos sends shockwaves through cybersecurity landscape

The launch of Claude Mythos is sending shockwaves through the cybersecurity world. According to AI security expert Nanne van ’t Klooster of Rewire, the arrival of Claude Mythos marks the beginning of an arms race between autonomous AI agents – one that humans can no longer keep up with.

Last week, Anthropic released the Claude Mythos model. It delivers significant advances in reasoning, programming and more. However, the company has deliberately chosen not to make it immediately available to the general public. Instead, access has been restricted to a consortium of technology companies through an initiative known as ‘Project Glasswing’.

The reason is clear: in a short period of time, Claude Mythos has identified thousands of critical security vulnerabilities in operating systems and web browsers, including flaws that had gone undetected for as long as 27 years.

“Before Anthropic releases this model more broadly, major organisations such as Apple, Amazon Web Services, Google, Microsoft and NVIDIA are being given the opportunity to strengthen their security,” says Van ’t Klooster, principal consultant at Rewire. “These organisations will use Claude Mythos to identify and remediate vulnerabilities in critical software.”

Cybersecurity agents

According to Van ’t Klooster, the developments surrounding Claude Mythos signal a fundamental shift in the cybersecurity landscape. Where human experts once carried out penetration testing, ethical hacking, and vulnerability detection and remediation, it is now possible to deploy AI agents that continuously scan systems for weaknesses around the clock.

“The evolution of AI agents into fully fledged cybersecurity agents will fundamentally reshape the cyber landscape. Organisations will soon be able to deploy their own agents that constantly search for emerging threats and vulnerabilities.”

Where a human attacker is limited by knowledge and time, an AI agent can systematically explore every available pathway to uncover weaknesses. “We are already seeing agents that independently write code to gradually expand their own access rights and gain additional privileges,” Van ’t Klooster explains. “This often happens unnoticed, as these agents are highly creative in executing evasive manoeuvres in real time.”

Agents and humans

Van ’t Klooster advocates for a structured approach in which organisations build both offensive and defensive AI teams – teams that continuously challenge one another. At the same time, he warns of a critical pitfall: “If no one understands how your own security system works anymore, you become extremely vulnerable. Keeping humans involved remains essential.”

He also describes the situation around Claude Mythos as a wake-up call for the growing number of organisations experimenting with their own AI agents. “In many pilot projects, the focus is primarily on potential ROI, while security considerations are still too often overlooked. The question is no longer if your organisation will be targeted, but when – and whether you will be ready.”