AI-enabled cyberattacks have moved from theory to day-to-day reality, and that changes the risk profile for the entire business.

Several data points highlight the shift:

• 87% of global organizations experienced an AI-powered cyberattack in the past year (SoSafe, Cybercrime Trends 2025).
• The FBI’s IC3 received more than 1 million complaints in 2025, with reported losses of $21 billion, up 26% year over year.
• The average cost of a data breach is now $4.4 million globally and $10.22 million in the US (IBM).
• Companies currently spend only about 0.69% of revenue on cybersecurity on average (IANS Research), and many will need to increase spending by up to 2x current levels to catch up.

Models like Claude Mythos don’t create new vulnerabilities; they expose the ones that already exist at machine speed. Work that used to take specialist teams weeks can now be done in hours. That means:

• Legacy systems, especially in energy, utilities, manufacturing, water, and transportation, are now realistic targets, even if they’re decades old and hard to patch.
• The old logic of “this vulnerability is hard to exploit, so the risk is acceptable” no longer holds. AI has collapsed the cost and effort of sophisticated attacks.
• Regulators are raising expectations through frameworks like NIS2 in Europe and SEC cybersecurity disclosure rules in the US, making cyber oversight a governance issue, not just an IT concern.

For leadership, the implication is clear:

• Cybersecurity is now a business risk of the highest order, on par with financial, operational, and regulatory risk.
• Underinvestment is typically the result of board and executive choices, not technical constraints.
• Ownership must sit with the CEO and the board, with clear accountability, funding, and regular reporting on cyber maturity and exposure.

In practice, this means elevating cybersecurity into core strategy discussions, aligning budgets with the new threat level, and treating AI-enabled attacks as a structural shift in the risk landscape, not a passing technology trend.

Claude Mythos is a frontier AI model developed by Anthropic, positioned above the Claude Opus tier and released only through a vetted partner program called Project Glasswing. It was designed as an “ultimate developer” for complex software engineering, not as a hacking tool—but its capabilities have direct cybersecurity implications.

Four aspects of Mythos are particularly relevant for security leaders:

1. Deep code understanding
   Mythos can understand the intent of code and find hidden flaws from simple instructions. It can also reconstruct source code from deployed software to uncover exploitable weaknesses.
2. Attack chaining
   It can chain multiple small vulnerabilities into a single, high-impact attack that a human might miss.
3. Autonomous network operations
   Once inside a network, Mythos can map systems, move laterally, and build custom tools to extract data—potentially within hours.
4. Agentic, tool-using architecture
   Key innovations include:
   • Infinite context window: It can ingest and reason across an entire codebase or system at once.
   • Recursive self-correction: It automatically tests, adjusts, and retries until it finds a working approach.
   • Native system tool integration: It can launch debuggers and interact directly with systems, acting as an active agent, not just a reasoning engine.
   • Agentic scaffolding: It forms hypotheses, launches containers, and executes code autonomously.

Anthropic’s own research using Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and browser, including flaws that had survived decades of human review and millions of automated tests.

However, Mythos itself is not the core problem:

• Other models, such as OpenAI’s GPT-5.4-Cyber and Google’s Big Sleep, already offer comparable capabilities.
• Adversaries—nation-states, criminal groups, rogue actors—can be expected to develop or access similar tools.
• The cost and expertise required to launch sophisticated attacks will continue to fall.

Independent testing by the UK Government’s AI Security Institute found that Mythos cannot reliably execute autonomous attacks against organizations with well-hardened defenses. That’s an important signal: the most effective response is not chasing every new AI model, but getting the fundamentals right:

• Robust access controls and identity management
• Network segmentation and zero trust architecture
• Automated patching and vulnerability management
• Behavior-based anomaly detection

In short, Claude Mythos matters because it illustrates what AI can already do for both attackers and defenders. It should prompt organizations to reimagine their security posture for an era where AI can rapidly find and exploit weaknesses that used to be considered low probability risks.

Responding effectively to AI-enabled threats requires both strategic leadership decisions and tactical security improvements. Three priorities stand out.

1. Stand up an AI threat war room

Create a dedicated, cross-functional team focused on AI-driven threats. Its mandate should be to:

• Use AI defensively to scan for vulnerabilities, probe your own systems, and monitor for anomalous behavior—before attackers do.
• Bring together existing internal talent in AI and cybersecurity, rather than relying solely on new hires.
• Operate as a permanent capability, not a short-term project.

2. Strengthen foundational cybersecurity capabilities

Most organizations have underinvested for years; many will need to increase cybersecurity spending by up to 2x current levels, while typical plans of about 10% annual increases are not keeping pace with the threat.

Key fundamentals to prioritize:

• Automated patching: Move away from slow, manual processes. AI is compressing the time between vulnerability discovery and weaponization to near zero.
• Zero trust architecture: Continuously verify every user, device, and system, regardless of location, to limit attacker movement once inside.
• Anomaly detection: Focus on unusual behavior patterns, not just known signatures, to catch AI-driven attacks that don’t match historical profiles.
• Modern identity controls: Implement phishing-resistant multifactor authentication, which can prevent over 99% of identity-based attacks, and address legacy systems that cannot support modern standards.
• Environmental hardening: Use segmentation, least privilege, and rapid detection/response to limit damage when (not if) an attacker gets in.
• Supply chain security: Evaluate suppliers and partners for their AI-specific cyber posture, since attackers increasingly use third parties as an entry point.

3. Address OT and prepare for quantum risk

Two areas need special attention:

• Operational technology (OT): In sectors like energy, utilities, manufacturing, water, and transportation, many industrial control systems are decades old and hard or impossible to patch. Here, focus on:
  • Strict network segmentation between IT and OT
  • OT-specific anomaly detection
  • Minimizing any Internet-facing exposure
• Post-quantum readiness: Quantum computing will undermine many current encryption methods. Organizations should aim to be quantum-ready by 2030, with a clear risk assessment and roadmap for migrating to quantum-safe cryptography.

Across all of this, the most important shift is leadership ownership. Cybersecurity can no longer be delegated as a purely technical concern. Boards and executive teams need to:

• Revisit risk assumptions that were based on high attacker effort.
• Align budgets with the new threat environment, not historical norms.
• Embed cyber maturity targets and regular health checks into core business planning.

This combination of governance, investment, and technical depth of defense is what allows organizations to withstand AI-enabled attacks and stay ahead of the next wave of risk.