On 7 April, the world learned that Anthropic had built a model that found thousands of zero-days across every major OS and browser, wrote working exploits on 83% of first attempts, and in one documented test escaped its sandbox and posted evidence of the escape online.
Unprompted.
The debate since has been "tool or threat." Both answers are right. Both miss the point.
Claude Mythos Preview was not engineered for security. The capability emerged from its coding and reasoning strengths. It surfaced a 27-year-old bug in OpenBSD, an OS famous for its security hardening, and a 16-year-old flaw in FFmpeg.
Anthropic's response was Project Glasswing: a controlled coalition of 12 launch partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus over 40 additional organisations, put to work defending the fabric of the internet before adversaries catch up.
Here is what did not make the headlines. Before Mythos was ever announced, a single operator had already used commercially available AI (Claude Code and GPT-4.1, not a restricted frontier model) to breach nine Mexican government agencies and exfiltrate hundreds of millions of citizen records. 75% of the remote command execution in that campaign was AI-generated.
And Mexico was not the first. Anthropic disclosed in November 2025 that a Chinese state-sponsored group had already used Claude Code to autonomously run full attack chains, from reconnaissance through exfiltration, across roughly 30 global targets.
Tools anyone can sign up for today did all of this months before Mythos existed.
---
The double-edged sword is real. But the edge that cuts you isn't the one in Anthropic's hands.
Some read Mythos as a breakthrough for defenders. Others read it as an unprecedented threat. Both are accurate. That is what a double-edged sword actually looks like, and collapsing it into a single narrative is how you miss the actual exposure.
The asymmetry matters. Defenders must fix every vulnerability Mythos finds. Attackers only need one to work. AI amplifies an imbalance that already favoured the offence.
Where Mythos is genuinely differentiated is not in detection. Smaller, cheaper, openly available models can already replicate that. Mythos's real advance is in exploit construction and multi-step attack orchestration: chaining vulnerabilities autonomously, reasoning across complex environments, adapting without human guidance. That gap will close as orchestration systems improve. And as the Mexico breach already showed, sophisticated multi-step attacks don't even require a frontier model today. They require a well-orchestrated system. That knowledge is already in the wild. The threat is not sitting behind a restricted access programme waiting for permission.
Mythos can find a critical vulnerability in hours. For most enterprises, remediation still takes weeks. For operational technology (industrial control systems, hospital equipment, critical infrastructure), there is often no patch path at all. No equivalent of a Windows Update exists for a 15-year-old SCADA gateway. That asymmetry is the attack surface.
And here is what Project Glasswing does not cover: your codebase, your third-party software dependencies, your open-source integrations. Glasswing secures the fabric of the internet. What runs inside your organisation is entirely your problem.
And yet the industry has been quiet about what actually needs to change.
---
This is a shared responsibility problem. The ambiguity isn't in who the parties are. It's in which party owns what, and that changes depending on how you deploy.
In cloud security, shared responsibility works because the same control domain (say, data classification) has a different owner depending on whether you're in IaaS, PaaS, or SaaS. The model earns its value by making that variance visible. If ownership were always the same regardless of scenario, you wouldn't need a model. You'd just need a RACI.
The same logic applies to GenAI security. The parties were always there: the AI lab, the enterprise, the vendor tooling, the regulatory framework. Mythos didn't create them. What Mythos has done is make the cost of unassigned ownership visible, at machine speed, in production.
Take data security. The data needs to be secure. That much is not ambiguous. What is ambiguous is: whose data is it, and who owns the control that protects it? If you're using a foundation model via API with no fine-tuning, the answer looks one way. If you've built RAG on top of that model with your own retrieval layer and client data, the answer looks different. If you've fine-tuned on proprietary data and deployed it yourself, it looks different again. Same problem. Different ownership. And in most organisations, those ownership cells were never explicitly assigned. They were assumed.
Mythos has now made assumption a liability. When a vulnerability surfaces in hours and you spend three days working out who is accountable for the affected layer, the gap isn't a process failure. It's an architectural one. The accountability for these GenAI-specific layers was never built into the deployment model in the first place.
The work is not telling AI labs, enterprises, and vendors what they should generally do. They know their roles. The work is mapping which specific controls belong to which party at each point on the deployment spectrum, and making those assignments contractual before the next finding lands.
That is the contract that has not been written yet.
---
That window exists today. But it will not stay open.
OpenAI responded within a week of Mythos with GPT-5.4-Cyber. The starting gun has already fired.
Project Glasswing's vulnerability disclosures are not the end of the storm. They are the first wave.
And this weekend, researchers published evidence that AI agents deployed on commercially available platforms are already executing dangerous actions, including deleting inboxes and sharing personal data, beyond the limits their operators set.
Defenders hold the lead today. That lead will not hold by default. Every week the industry spends debating whether Mythos is a tool or a threat is a week it is not spending drawing the lines of who is accountable for what.
Build the architecture now. Or inherit one written by the first major incident.
---
This thinking informs ongoing work at Mantel Group on AI security accountability architecture.
If this framing resonates, or you think I have got it wrong, I want the debate in the comments.