Anthropic Mythos and OpenAI GPT-5.5-Cyber raise the AI cybersecurity stakes

Strategic Overview

  • 01. Anthropic announced Claude Mythos Preview on April 7, 2026, a frontier model with strikingly strong cybersecurity and exploit-development capability that the company is deliberately keeping out of general release.
  • 02. Mozilla used Mythos Preview to identify 271 vulnerabilities patched in Firefox 150, while reporting that none of the bugs surfaced were beyond the reach of an elite human researcher, framing Mythos as a quantitative acceleration rather than a new class of discovery.
  • 03. OpenAI followed on May 7, 2026 with GPT-5.5-Cyber, a limited-preview model for vetted security teams that the company says is 'not intended to significantly increase cyber capability beyond GPT-5.5' but is tuned to be more permissive on security-related tasks.
  • 04. The disclosure prompted government-level alarm: Treasury Secretary Bessent and Fed Chair Powell convened an emergency meeting with major bank CEOs in the days after Mythos was announced, while UK AISI confirmed Mythos as the first model to fully solve a simulated network takeover range.

From 22 to 271: What Actually Changed Between Opus 4.6 and Mythos

Firefox 148 (22 vulnerabilities, Claude Opus 4.6, 2025) vs Firefox 150 (271 vulnerabilities, Claude Mythos Preview, Apr 2026).

The most concrete way to read the Mythos jump is to put the two Mozilla collaborations side by side. In 2025, Anthropic's Claude Opus 4.6 helped Mozilla close 22 security-sensitive bugs in Firefox 148. Six months later, Mythos Preview helped close 271 vulnerabilities in Firefox 150 — an order-of-magnitude move on the same target, with the same defender, in the same harness. Anthropic's own red-team note pushes the contrast harder on the offensive side: where Opus 4.6 had near-zero success producing working Firefox exploits, Mythos 'developed working exploits 181 times.' Mozilla's CTO Bobby Holley sums up the lived experience as 'Defenders finally have a chance to win, decisively,' while still cautioning that none of the bugs were beyond an elite human researcher's reach.

What changed is not really the class of bug being found, but the unit economics of finding them. AISI's independent evaluation puts numbers on this: Mythos solves expert-level CTF tasks 73% of the time — tasks AISI says no model could complete before April 2025 — and is the first model to fully solve a simulated network takeover (TLO) range, succeeding in 3 of 10 attempts and averaging 22 of 32 attack steps. That is the inflection. A capability that previously required either months of expert human labor or an orchestrated, brittle pipeline of older models has compressed into a single prompt-and-tool-loop run. Reports referenced by Fox News claim Mythos surfaced over 2,000 previously unknown software vulnerabilities in roughly seven weeks. Whether all of those are 'critical' is a separate fight — the most-upvoted r/Anthropic critique points out that Anthropic only manually verified under 200 of them — but even the verified subset reframes vulnerability research from artisanal craft to industrial throughput.

The $100M Coalition Buying a 6-Month Head Start

Project Glasswing is the part of this story most likely to outlive the news cycle. Anthropic is not selling Mythos. It is gifting up to $100M in usage credits, plus $4M in donations to open-source security organisations, to a coalition that reads like the asset register of US digital infrastructure: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. Anthropic restricted Mythos to internal scanning by these partners and explicitly stated it does 'not plan to make Mythos Preview generally available.' That is a radical departure from the standard frontier-model launch playbook, and it directly couples Anthropic's commercial brand to the patch posture of half the Fortune 100.

The pricing of that gift only makes sense in light of Dario Amodei's stated 6-12 month 'moment of danger' window before Chinese and other peer models match Mythos's cyber capability. Anthropic is essentially fronting the inference bill for defenders to race ahead of attackers during that window. Jamie Dimon's framing — 'very heightened risk' but workable inside a year for JPMorgan's own apps — is the customer-side version of the same calculus. The implicit ask is enormous: trust Anthropic to choose which sectors get this advantage first. Bruce Schneier puts the governance discomfort into words by warning that Anthropic is 'unilaterally deciding which critical infrastructure gets defended first.' There is no public oversight of the Glasswing membership list, no obligation to share findings outside the coalition, and no statutory definition of what 'vetted partner' even means.

The Leaky Moat: URL Guessing, Vidoc's Reproduction, and OpenAI's 30-Day Reply

If Mythos's containment is meant to be the safety story, the containment is already visibly fraying. Within roughly two weeks of the announcement, Fortune reported that an unauthorized group had located the model by guessing its hosting URL based on Anthropic's predictable model-naming conventions — a story that found a large audience on r/technology and dominated the day's tech-news framing. The irony is not subtle: a model whose entire premise is 'too dangerous to release' was breached on the URL layer before its capabilities ever needed to be probed. That single incident reframes the threat model. The exclusivity is not really about model weights; it is about access discipline at the perimeter of a coalition with thousands of human members.

The technical case for exclusivity is on shakier ground. Vidoc Security Lab reproduced multiple Mythos findings using the publicly available Claude Opus 4.6 and GPT-5.4, concluding that 'public models can already achieve much the same results' and that the strategic moat is operationalisation, not raw model access. The most-upvoted r/Anthropic critique amplifies this with a more pointed claim — that small open-weights models, one as small as 3.6B parameters at $0.11 per million tokens, recovered Mythos's flagship FreeBSD finding when given the relevant code. OpenAI then completed the picture by launching GPT-5.5-Cyber on May 7 in limited preview for vetted teams, and explicitly characterising it as 'not intended to significantly increase cyber capability beyond GPT-5.5' but tuned to be more permissive on security tasks. Read together: the capability is broadly available, the harness and the policy posture are the actual product, and Anthropic's exclusivity window is measured in days, not the 6-12 months Amodei staked out.

Patch Tuesday Is Dead: What CISOs Should Actually Plan For

Beyond the marketing fight, the operational implication is what gets lost. The SANS Institute's framing in the social conversation, attributed to Rob T. Lee, is the bluntest version on the record: 'The window between discovery and weaponization has collapsed into hours.' If even a fraction of that is true for the public-model tier (and Vidoc's reproduction work suggests it is), then the assumed cadence of monthly or quarterly patch cycles becomes a structural liability. Practitioner threads on Reddit converge on the same prediction in less measured language. Defensive teams that depend on a multi-week triage-to-deploy pipeline are budgeting for a threat surface that no longer exists in that form.

What actually changes for a CISO in the next two quarters is less about buying Mythos access and more about restructuring around a faster loop. Mozilla's lesson is instructive: the 271-bug Firefox 150 release was possible because Mozilla had already invested, since February 2026, in a continuous AI-assisted scanning workflow tied to a release train that could absorb a single huge security batch. Most enterprises do not have that absorption capacity. AISI's calibration, that Mythos's real-world reach against well-defended enterprises remains unproven, should not be read as 'no need to prepare,' but as 'the attack surface that benefits most from this is your sloppy long-tail of internal apps and dependencies, not your hardened perimeter.' The bank story underlines this. The Treasury-Fed emergency meeting and Dimon's 'one year for our own apps' timeline both implicitly concede that the long tail of internal financial software is where the next 12 months actually play out.

Historical Context

2025
An earlier collaboration using Claude Opus 4.6 yielded fixes for 22 security-sensitive bugs in Firefox 148, foreshadowing the Mythos jump and establishing the baseline against which Mythos's 271-bug result is measured.
2026-02
Mozilla began round-the-clock work using frontier AI models to surface latent Firefox vulnerabilities, the program that culminated in the Mythos engagement.
2026-03-26
A Fortune report based on a data leak first publicly disclosed the existence of an Anthropic model called Mythos representing a 'step change' in capabilities.
2026-04-07
Anthropic officially announced Claude Mythos Preview and Project Glasswing, releasing the model only to a coalition of vetted partners including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks.
2026-04-10
Bessent and Powell convened an emergency meeting with big-bank CEOs to discuss systemic cyber implications of Mythos's disclosure.
2026-04-21
Firefox 150 shipped with patches for 271 vulnerabilities credited to the Mythos collaboration, the largest single-release security batch in Firefox history.
2026-04-23
Reports surfaced of users locating Mythos by guessing its hosting URL based on Anthropic's predictable model-naming conventions, intensifying scrutiny of the company's containment posture.
2026-05-05
Amodei publicly framed the post-Mythos period as a 6-12 month 'moment of danger' before peer models match Mythos's capabilities.
2026-05-07
OpenAI rolled out GPT-5.5-Cyber in limited preview to vetted security teams alongside the Trusted Access for Cyber framework, collapsing Anthropic's exclusivity narrative roughly 30 days after Mythos's announcement.

Power Map

Key Players

Anthropic

Developer of Mythos Preview and gatekeeper of access via Project Glasswing; pledging up to $100M in usage credits and $4M in donations to open-source security organisations while declining to make the model generally available.

Mozilla

Open-source partner whose Firefox 150 release shipped 271 Mythos-credited fixes, providing the headline real-world validation of the model's defensive value.

OpenAI

Competitor releasing GPT-5.5-Cyber via a Trusted Access for Cyber (TAC) framework, taking a more permissive but capability-equivalent stance for vetted security professionals 30 days after Anthropic's announcement.

JPMorgan Chase / Jamie Dimon

Glasswing partner and high-profile bank voice publicly framing Mythos as 'very heightened risk' while crediting Anthropic's restricted-release approach with giving the financial sector time to plan.

U.S. Treasury / Federal Reserve

Bessent and Powell convened an emergency meeting with major bank CEOs in the days following Mythos's disclosure, signalling government-level concern about systemic financial cyber risk.

UK AI Security Institute (AISI)

Independent evaluator that benchmarked Mythos's cyber capabilities and confirmed it as the first model to autonomously complete a simulated network takeover, while noting real-world enterprise reach remains unproven.

Vidoc Security Lab

Independent security firm that reproduced multiple Mythos findings using public GPT-5.4 and Claude Opus 4.6, undercutting the narrative that Mythos uniquely raises offensive risk.

THE SIGNAL.

Analysts

"Frames Mythos disclosure as a 6-12 month 'moment of danger' window during which defenders must patch tens of thousands of newly surfaced flaws before peer (notably Chinese) models catch up, emphasising ransomware risk to schools, hospitals and banks: 'The danger is just some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that's done from ransomware on schools, hospitals, not to mention banks.'"

Dario Amodei
CEO, Anthropic

"Argues the breakthrough is more incremental than alarming: 'We see Mythos as a real but incremental step, one in a long line of incremental steps.' Warns that Anthropic is unilaterally deciding which critical infrastructure gets defended first and expects defenders to win in patchable systems, but a rough transition before then."

Bruce Schneier
Security technologist, lecturer at Harvard Kennedy School

"Calls Mythos a watershed for defenders — 'Defenders finally have a chance to win, decisively' — while reiterating that the bugs were within reach of expert humans, just not at this scale or speed."

Bobby Holley
CTO, Mozilla

"Calls Mythos a 'very heightened risk' but credits Anthropic's restricted-release approach with giving the financial sector time to plan; says JPMorgan can likely handle its own apps within a year."

Jamie Dimon
CEO, JPMorgan Chase

"Demonstrates that publicly available Claude Opus 4.6 and GPT-5.4 reproduce many of Mythos's findings: 'The takeaway is not whether Mythos is better or more powerful. It is that public models can already achieve much the same results.' Argues the strategic moat is operationalisation, not raw model access."

Vidoc Security Lab research team
AI security research firm

The Crowd

"We partnered with Mozilla to test Claude's ability to find security vulnerabilities in Firefox. Opus 4.6 found 22 vulnerabilities in just two weeks. Of these, 14 were high-severity, representing a fifth of all high-severity bugs Mozilla remediated in 2025."

@AnthropicAI

"Anthropic released Mythos on Tuesday. By Sunday, 60+ security leaders had written the briefing the community needed. "The window between discovery and weaponization has collapsed into hours." — @RobTLee, SANS Institute. 181 working Firefox exploits."

@SANSInstitute

"Mozilla has patched 271 vulnerabilities in Firefox after using Anthropic's Claude Mythos Preview AI model to scan its codebase. Part of Anthropic's cybersecurity-focused Project Glasswing, the AI identified these issues with performance that matched human-level capability."

@Pirat_Nation

"Unauthorized group has gained access to Anthropic's exclusive cyber tool Mythos, report claims"

@u/1nfer1or10000

Broadcast

Claude Mythos is too dangerous for public consumption...

Why Anthropic's Mythos Is Sparking Alarm

Claude Mythos is Actually Scary
