The Mythos Shift: What Actually Changes for Defenders
I posted this on X the other day:
The "mythos" shift:
-your "insider threat" is now also an AI agent
-all your threat models should assume 0day/access (truthfully for the past 5 years that should have been the case anyway)
-focus on detection and containment
-everything else stays the same i.e. do basics
For context: the "mythos" I'm referring to is Claude Mythos Preview — the frontier model Anthropic announced on 7 April 2026 and then decided not to release publicly because it was too good at finding and exploiting 0days. Per their own disclosure, Mythos has autonomously identified thousands of zero-day vulnerabilities across every major operating system and every major web browser, built working exploits without human guidance, and found bugs dating back over two decades (a 27-year-old OpenBSD flaw and a 1998-era OpenSSL issue among them).
Anthropic launched Project Glasswing alongside it — a coalition with AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, Palo Alto, NVIDIA, JPMorgan, Broadcom, and the Linux Foundation — specifically to patch things before a comparable model leaks into the wild.
Tweets are short and easy, long-ish form is harder, so i thought to put expound abit more on that.
1. Your "insider threat" is now also an AI agent
insider threat programs were built around a specific archetype: a human employee with legitimate access who either turns malicious or gets compromised. DLP, UEBA, privileged access reviews, background checks, off-boarding hygiene.
That archetype is now incomplete.
An AI agent operating inside your environment — a coding assistant with repo access, a customer service bot with CRM permissions, an MCP-connected agent calling internal APIs, a RAG pipeline reading production data — is functionally an insider. It has:
Legitimate credentials (often scoped too broadly)
Access to sensitive data (often more than any single human employee)
The ability to act autonomously (often at machine speed)
A decision-making process you can't fully audit (prompts, tool calls, context windows)
AI agents will be used to exploit AI agents, and the defensive primitives for that largely don't exist yet…..or atleast i haven’t thought too deeply about that yet.
2. All your threat models should assume 0day/access
For years, mature threat modelling has leaned toward "assume breach" — the zero trust crowd have been banging this drum since 2014. But in practice, most organizations still model from the outside in: "what if an attacker tried to get in through X?" rather than "assume they're already in, what's the blast radius?".
After Mythos, the outside-in model is strategically indefensible. Consider:
Mythos found vulnerabilities dating back 20+ years in widely-deployed software. If a frontier model found them, assume similar models (or a leaked version of this one eventually) will find them too.
minor update: turned out an hour after this post, Bloomberg reported that Mython did have a leak to unauthorised group…oopsie https://x.com/business/status/2046707189922890025?s=20Supply chain compromises already bypass the "breach" concept entirely — axios, xz-utils, Shai-Hulud. You didn't get breached; you installed the breach…..or something like that.
Your threat model must assume the attacker already has some access, somewhere.
3. Focus even more on detection and containment
If you accept points 1 and 2, the defensive emphasis shifts naturally. Prevention still matters, but it stops being the primary KPI because prevention has a structural ceiling that Mythos-class capabilities will keep pushing against.
Agent-driven attacks move at machine speed that human-speed detection pipelines aren’t going to match.
Segmentation, scoped identities, short-lived credentials, egress filtering, and runtime isolation, etc, etc all those are going to be even more important.
4. Everything else stays the same i.e. do basics
This is the part that I think is most important and most likely to be missed when people hear "frontier AI finds 0days"….. basics still matter. Nothing about fundamentals has changed.
MFA everywhere, phishing-resistant where possible — most breaches still start here.
Asset inventory you actually trust — you can't protect what you can't see, and this includes your AI agents and their scopes.
Vulnerability management that's data-driven (see my previous post — CVSS + EPSS + KEV, prioritise properly, stop chasing tails).
Least privilege, enforced and audited — including for service accounts and agent credentials.
Backup and recovery tested regularly — not "we have backups", but "we have restored production from backup within SLA in the last 90 days".
Logging centralised, retained, and queryable — detection depends on it.
Incident response plans that have been exercised — not written once and filed.
The mythos shift isn't "everything is different now"….atleast not in my mind (not yet). It's:
Your insider threat model has to include non-human identities, especially AI agents with real access and real decision authority.
Your threat model has to assume the attacker has access — if it doesn't already, it's not actually a threat model, it's a wishlist and old/er threat models need to be revised
Your defensive KPIs should weight detection and containment higher than prevention — because prevention has a structural ceiling that Mythos-class capabilities will keep pushing against.
I’ve been thinking alot about an old quote from @theGruqg ……or is it Dan Geer……anywhooo:
“Attackers have bosses and budgets too!”
granted attackers budgets just shrunk given the cost of a $20 Claude subscription now does more than what used to cost more money and time back in the day.
But then again, maybe that’s the optimistic defensive view, these models could do even more than OSS-Fuzz did in reducing the number of bugs, exploitable bugs and thus make us “safer”…..i put that in inverted commas because history teaches us that most compromises happen without 0days.
The persimistic view is a risk that AI-assisted development produces codebases that exceed human comprehensibility, scaling bug complexity faster than discovery capability.
Either way, the basics still matter. If anything, a scary new 0day-finding machine is exactly the reason to adhere to known security practices more stringently, not less.
