Mythos AI: Anthropic Investigates Unauthorised Access Claims

With the capability of Anthropic’s Claude Mythos Preview being no secret, recent news that there may have been “unauthorised access” to the model brings peace to no one. 

“A handful of users in a private online forum gained access to Mythos on the same day that Anthropic first announced a plan to release the model to a limited number of companies for testing purposes,” states a Bloomberg report. 

Mythos – Anthropic’s most powerful model yet – was able to find thousands of vulnerabilities in everyday software and is capable of chaining together these bugs to create complicated attack chains that can compromise these platforms. 

For this reason, the company had kept the model from the public, releasing it only to major industry players as part of a security coalition that aims to secure critical software, named Project Glasswing. 

The companies part of this coalition includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks.

“We're investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments,” Anthropic said in a statement in response to the Bloomberg report. 

While the company notes that there is no evidence of access beyond the “vendor environment,” security concerns of the model in the wrong hands are mounting. 

White house talks and the issue of national security 

After falling out with the US government earlier in the year after disagreements about the military use of AI, Anthropic CEO, Dario Amodei was at the White House last week to discuss “opportunities of collaboration” regarding the responsible use of Mythos. 

Dario spoke to Treasury Secretary Scott Bessent and White House Chief of Staff Susie Wiles discussing how the technology could achieve a balance between "advancing innovation and ensuring safety,” as per a White House statement.

“Anthropic has also been in ongoing discussions with US government officials about Claude Mythos Preview and its offensive and defensive cyber capabilities,” the company blog reads. 

The AI pioneer says that “securing critical infrastructure is a top national security priority for democratic countries – the emergence of these cyber capabilities is another reason why the US and its allies must maintain a decisive lead in AI technology. 

“Governments have an essential role to play in helping maintain that lead and in both assessing and mitigating the national security risks associated with AI models. We are ready to work with local, state and federal representatives to assist in these tasks.”

How is Mythos changing cybersecurity

After Mythos unleashed what is called an “AI vulnerability storm,” CISOs around the world have come together to create Mythos ready security programs for enterprises.

“If your defensive teams aren’t using AI agents, they can’t match the speed of AI-augmented threats regardless of their technical skill,” notes Rob T. Lee, Chief of Research (COR) & Chief AI Officer (CAIO) at SANS Institute. 

The solution Robert notes is to: “Point AI agents at your own code and find the vulnerabilities before attackers do.”

This sentiment of a changed security landscape is widespread within the industry. “It’s already clear that Claude’s Mythos represents a tectonic shift in security,” says Sandeep Johri, CEO of Checkmarx. 

“And, it isn’t the new vulnerabilities it will discover, it’s what will happen to the multitude of ones we already know about. 

“Exploiting those vulnerabilities will become dramatically easier for attackers, making what used to require real skill child’s play. 

“Project Glasswing is an important effort to address this phenomenon. But the barrier from discovery to exploitation is coming down now making a modern agentic application security practice more crucial than ever for enterprises.”

Taking this into account an unauthorised access of Mythos is unwelcome news, as security teams scramble to strengthen AI-native defence – with the potential for destructive cyber attacks amplified if bad attackers get hold of the technology.