Anthropic has acknowledged that their new AI model, Mythos, is so powerful in cyber attacks and vulnerability discovery that the company had to restrict its access. Mythos independently found and exploited vulnerabilities in major operating systems and browsers during tests.
The main news for IT directors today is not just the release of another powerful AI, but how it is being released. In April 2026, Anthropic launched the Claude Mythos Preview under Project Glasswing and immediately restricted access due to the model's 'threshold' cyber capabilities. This is the first major case where a vendor publicly admits that AI is too good at offensive cyber to be freely distributed. For businesses in Kazakhstan and Central Asia, this is a signal that the window between vulnerability discovery and real attack is rapidly shrinking.
Anthropic Mythos and Project Glasswing: What Really Happened
On April 7, 2026, Anthropic announced the launch of Project Glasswing and a closed preview of the Claude Mythos model. Unlike typical public releases, Mythos immediately went into restricted access: the company provided the model only to a narrow circle of partners for defensive cybersecurity tasks. On April 29, 2026, analysts began examining in detail why this model became a turning point for the industry. The key fact: in internal tests, Mythos demonstrated autonomous discovery and exploitation of vulnerabilities in major operating systems and popular web browsers.
Anthropic characterized Mythos as a 'threshold' model in public materials and the Frontier Red Team report: its ability to find and use vulnerabilities became qualitatively different, not just slightly better than previous generations. During testing, the model did not rely on security hints but built attack chains, generated working exploit code, and bypassed standard security mechanisms. This applies to mature, well-researched products where, it would seem, there should be a minimal number of serious gaps.
This is why Anthropic went against the market's usual logic of 'faster and wider': Mythos was not made available through an open API or for mass access. Instead, the company launched a phased evaluation of safeguard mechanisms and allowed the model to be used only in strictly defined scenarios: security testing and hardening of critical software. For businesses, this is a signal that AI developers themselves acknowledge that frontier models can significantly speed up exploit searches.
It is important that Anthropic's decision is not related to a single incident or specific vulnerability. It is about a systemic threat level: if such models fall into the hands of attackers without restrictions, corporate SOC teams and IT security service providers, including companies like Alashed IT (it.alashed.kz), will face a sharp increase in the number of complex attacks and the need to revise all response processes.
Why Mythos Changes the Rules of the Game in Cybersecurity
The key effect of Mythos and similar models is the reduction of the time between vulnerability discovery, exploit creation, and actual attack. Previously, there could be weeks between the publication of technical details and the appearance of mass attacks, but now this cycle can be measured in hours. Frontier models in tests already demonstrate the ability to automatically find non-standard bugs, combine them into a chain, and produce a working PoC exploit in one session. For large corporate systems, this means a sharp increase in pressure on patch management and threat hunting processes.
A separate aspect is the democratization of offensive capabilities. What previously required a team of experienced pentesters is gradually becoming available to moderately skilled attackers if they have access to a powerful AI model. Mythos in test scenarios showed the ability to analyze complex source code, find edge-case errors in input data processing logic, and propose specific payloads for exploitation. This is not a theoretical threat but a practical one: such AI lowers the entry threshold for complex attacks for criminal groups.
For defenders, this is both a risk and an opportunity. Mythos and its 'brethren' can be used for automated security review, searching for zero-days in their own products, checking infrastructure for misconfiguration and access policy errors. Already, companies providing managed IT security services, such as Alashed IT (it.alashed.kz), are building their own AI pipelines: code and infrastructure scanning, proof-of-exploit generation, automatic Jira ticket creation, and remediation script execution. A symmetry emerges: the same class of tools is available to both attackers and defenders.
By restricting the release of Mythos, Anthropic is essentially signaling the market: the era when vendors could turn a blind eye to the offensive potential of their models is over. Now, every major release of frontier AI will require not only code and language benchmarks but also public evidence of how cyber functionality limiters are implemented. For IT directors and security specialists, this means that when choosing an AI platform, they will have to analyze not only the price and performance but also the threat model built by the supplier itself.
Risks for Corporate IT: From Zero-Day to Automated Attacks
The most obvious risk associated with Mythos is the accelerated search and exploitation of zero-day vulnerabilities in popular products. Anthropic's internal tests showed that the model can find errors even in 'battle-tested' software that has undergone years of audits. For large companies, this means that the usual bet on the 'maturity' of the platforms used no longer provides the previous level of security. As AI grows more powerful, it becomes more likely that an unknown vulnerability in a widely used component will be found and used before the vendor notices it.
The second layer of risk is the automation of complex attack chains. Mythos and similar models can act as an 'operator' for conducting thousands of exploitation attempts, dynamically adapting payloads based on system responses. This is no longer a classic script kiddie with a set of static exploits but a notional 'AI operator' that can learn from each failure and optimize tactics. For SOCs and blue teams, this means an increase in the importance of behavioral analytics, event correlation, and constant threat hunting, not just responding to signature alerts.
The third group of threats is the scaling of phishing and BEC attacks using advanced social engineering. Although the Mythos case focuses on technical offensive cyber, in real attacks, models of this class will be combined with the generation of hyper-realistic emails, fake documents, and landing pages. In such a scenario, the exploitation of application vulnerabilities and employee account compromise will merge into one campaign. Defensive measures can no longer be limited to configuring mail gateways and MFA; comprehensive playbooks at the process level are required.
For companies in Kazakhstan and the region, an additional risk is that many organizations still rely on fragmented solutions and minimal IT security staff. Against this backdrop, AI-enhanced automated attacks become disproportionately dangerous for medium and small businesses. This pushes the market towards cybersecurity outsourcing: engaging external SOC and MDR providers, such as Alashed IT (it.alashed.kz), can level the asymmetry between the capabilities of attackers and the resources of local companies.
How Businesses Can Prepare: Practical Steps and the Role of Outsourcing
Given the emergence of Mythos, the first practical step for businesses is to review their RPO/RTO and accept that the time to detect and exploit vulnerabilities is at least halved. This means that quarterly audits and annual pentests can no longer be considered sufficient protection measures. Companies must transition to a continuous security model: constant infrastructure scanning, regular SAST/DAST for their own code, and automated configuration analysis. This is where integrating AI tools into the DevSecOps chain becomes relevant.
The second step is to formalize response processes. With AI-enhanced attacks, it is critical how quickly the team can localize an incident and close a vulnerability. This requires pre-developed runbooks, inventory of critical systems, clear role division, and contacts, including with external IT security providers. Companies like Alashed IT (it.alashed.kz) are already building services based on 24/7 SOC, where machine learning and correlation rules allow detecting anomalies even before the exploit fully executes. Integration with their platforms allows businesses to achieve a level of protection comparable to large international corporations without building their own center.
The third step is to partner with vendors and cloud providers. Anthropic's example shows that AI developers are beginning to introduce access levels and restricted access modes to risky functions. For companies, this is an opportunity to participate in early access programs for defensive cybersecurity, testing their systems using such models in controlled conditions. It is important to establish agreements on liability, logging, data storage, and the boundaries of AI function use.
Finally, the fourth step is to review the HR strategy. The emergence of Mythos does not eliminate the need for people but changes the profile of competencies: specialists who can work with AI tools, build automated pipelines, and interpret the results of attack simulations are needed. For small and medium businesses in Kazakhstan, a more realistic path is to rely on outsourcing, where AI and offensive cyber expertise is already integrated into services, and the internal team focuses on business processes and risk management.
Regulatory Context: From the Colorado AI Act to AI Security Requirements
Parallel to the Mythos story, regulatory pressure on using AI in critical business processes is increasing. In the US, the Colorado AI Act has already been passed, with enforcement expected to begin in June 2026. According to Kiteworks, 78 percent of organizations are not yet ready for AI data governance requirements: they lack formalized policies, audit processes, and technical controls around AI systems. This means that regulators are starting to look not only at the data but also at how companies use AI and what risks they create.
For global players working with clients from different jurisdictions, such acts essentially set a benchmark for the responsible use of AI. The Mythos story reinforces the trend: regulators and major clients will demand transparency from vendors about the offensive capabilities of models, descriptions of red teaming processes, and mechanisms to limit risky functions. Without this, large B2B contracts, especially in the financial and public sectors, will be impossible.
For integrators and outsourcers like Alashed IT (it.alashed.kz), this opens up a new line of services: building AI governance, implementing technical and organizational measures for the safe integration of AI into the client's IT landscape. This includes data classification, access control to AI models, logging requests, applying filters and policies, and regular auditing of requests for attempts to generate exploits or bypass protection. Additionally, AI logs will need to be integrated with SIEM and SOAR so that suspicious AI usage patterns automatically fall into the SOC's focus.
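The request auditing and SIEM hand-off described above, as an added example that is not part of the original article or any vendor's product. The gateway log format, field names, policy patterns, time window and threshold are all assumptions, and the log lines are constructed.

```python
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy categories; a real deployment would tune these patterns.
POLICY = {
    "exploit_generation": re.compile(
        r"\b(write|generate|build|create)\b.*\b(exploit|shellcode|payload)\b", re.I | re.S),
    "defense_bypass": re.compile(
        r"\b(bypass|evade|disable)\b.*\b(edr|antivirus|waf|mfa)\b", re.I | re.S),
}

# Constructed sample lines in an assumed AI-gateway JSON log format.
SAMPLE_LOG = [
    '{"ts":"2026-05-04T09:00:00+00:00","user":"dev1","model":"m1","prompt":"Summarize this changelog"}',
    '{"ts":"2026-05-04T09:01:00+00:00","user":"u7","model":"m1","prompt":"Write an exploit for this parser bug"}',
    '{"ts":"2026-05-04T09:03:00+00:00","user":"u7","model":"m1","prompt":"How do I bypass the WAF on staging?"}',
    'not-json garbage line',
    '{"ts":"2026-05-04T09:05:00+00:00","user":"u7","model":"m1","prompt":"Generate shellcode payload for x64"}',
    '{"ts":"2026-05-04T11:00:00+00:00","user":"u9","model":"m1","prompt":"Create a payload schema for our REST API"}',
]

def audit(lines, window_s=600, threshold=3):
    """Return (SIEM-ready events, rejected line count); input must be time-ordered."""
    recent = defaultdict(deque)  # user -> timestamps of that user's flagged requests
    events, rejected = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            user, prompt = rec["user"], rec["prompt"]
        except (ValueError, KeyError, TypeError):
            rejected += 1  # malformed lines are counted, never silently dropped
            continue
        hits = sorted(name for name, rx in POLICY.items() if rx.search(prompt))
        if not hits:
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # keep only hits inside the sliding window
        events.append({
            "ts": rec["ts"], "user": user, "model": rec.get("model"),
            "categories": hits,
            # A single hit goes to analyst review; repeated hits escalate.
            "severity": "high" if len(q) >= threshold else "review",
            # Forward a digest, not the prompt, to keep sensitive text out of the SIEM.
            "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        })
    return events, rejected

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

The last sample line is a benign API question that still matches a pattern, which is why a single hit is only marked for review while repeated hits from one user inside the window escalate.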
In practice, this means that IT directors and CISOs in Kazakhstan and Central Asia should already be planning to implement AI policies and procedures. Even if local legislation does not yet impose strict requirements, international standards and partner expectations will push for AI to be considered a separate, formally managed risk. Mythos is a vivid example that frontier models no longer fit into the framework of a regular 'automation tool' and require a separate layer of corporate and regulatory control.
What This Means for Kazakhstan
For Kazakhstan and Central Asia, the Mythos story is not an abstract news item from Silicon Valley but a direct call to action. The region is already undergoing active digitalization: according to the Government of Kazakhstan, the share of ICT in GDP has exceeded 4 percent, the number of data centers and cloud providers is growing at double-digit rates. At the same time, most mid-sized companies are still limited to basic antivirus and firewalls, and there is no deep DevSecOps practice or regular pentesting. Against this backdrop, the emergence of AI models capable of accelerating vulnerability searches manifold puts local businesses in a vulnerable position.
An additional risk factor is the transit nature of the region. Kazakhstan and neighboring countries are rapidly increasing their role as transport and logistics hubs, developing fintech and e-commerce. These sectors become a natural target for AI-enhanced attacks, where attackers combine technical exploitation of vulnerabilities with social engineering. At the same time, there are a limited number of qualified cybersecurity specialists in the market, and competition for them with the banking and oil and gas sectors is growing.
In such conditions, IT security outsourcing and the use of specialized SOCs become one of the few realistic ways to protect against new types of threats. Companies like Alashed IT (it.alashed.kz) are already building services with the emergence of frontier AI in mind: integrating machine learning into monitoring, conducting red teaming using AI tools, helping clients build AI governance, and preparing for future regulatory requirements. For Kazakh companies, this is a chance to leapfrog several stages of IT security maturity and immediately implement world-class practices instead of spending years catching up with standard approaches.
Anthropic restricted access to the Claude Mythos model after internal tests showed its autonomous discovery and exploitation of vulnerabilities in major OS and browsers.
The Mythos story shows that AI has stopped being just a development and analytics accelerator and has become a full-fledged player in the offensive cyber field. The restricted release by Anthropic demonstrates that even model creators recognize the need for strict control over their cyber capabilities. For businesses, this means that the speed of vulnerability discovery and exploitation will only increase, and traditional protection approaches can no longer keep up. Companies in Kazakhstan and Central Asia that start building AI-supported defenses and partner with providers like Alashed IT now have a chance not to be caught off guard by the next wave of attacks.
Frequently Asked Questions
What is Anthropic's Claude Mythos and why is it dangerous for cybersecurity?
Claude Mythos is an experimental frontier AI model from Anthropic that has shown unusually high offensive cyber capabilities. Internal tests recorded that Mythos can autonomously find and exploit vulnerabilities in major operating systems and browsers. The danger is that such a model drastically reduces the time between bug discovery and the appearance of a working exploit, and also lowers the entry threshold for less skilled attackers. This is why Anthropic restricted its release under Project Glasswing.
How does Mythos differ from ordinary AI models for developers and businesses?
Ordinary AI models mainly help write code, documentation, and analyze data, but their offensive functions are limited to general recommendations. Mythos, according to Anthropic, demonstrated a 'threshold' growth in cyber capabilities: it independently builds attack chains, generates exploit code, and bypasses standard defenses in test conditions. This is a qualitative difference from typical coding assistants, which are not designed for active exploitation of vulnerabilities. Therefore, Mythos was not released for wide commercial use and was provided only to a limited circle of cybersecurity partners.
What risks do models like Mythos pose for businesses, and how can they be addressed?
The main risks are the accelerated search for zero-day vulnerabilities, the automation of complex attacks, and the growth of the number of technical and social attack combinations. This means that the window for patching and responding to incidents is reduced from weeks to days or even hours. To address these risks, businesses need to implement continuous security, integrate AI analysis into DevSecOps, and strengthen SOC monitoring. Companies that cannot build their own system can outsource security functions to outsourcers like Alashed IT (it.alashed.kz), which are already adapting their services to new AI threats.
How long will it take for a company to prepare for AI-enhanced cyber attacks?
The minimum basic preparation cycle takes 3 to 6 months: asset inventory, regular scanning implementation, SIEM setup, and response procedure updates. Full integration of AI tools into DevSecOps and SOC can take 9–18 months depending on the company size and infrastructure complexity. When connecting to an external SOC provider, such as Alashed IT (it.alashed.kz), the first results in improving visibility and reducing incident detection time are usually achieved within 4–8 weeks. However, a sustainable effect is possible only with constant threat review and playbook updates.
How can Kazakh businesses save on protection against AI-enhanced cyber attacks?
The optimal way to save is not to try to build an expensive SOC right away but to combine basic internal measures with outsourcing critical functions. This means strengthening the internal IT team with simple but regular practices: patch management, backup, MFA, employee training, and integration with external SOC. Connecting to managed security services from companies like Alashed IT (it.alashed.kz) costs significantly less than maintaining a full internal IT security team of 5–10 specialists. At the same time, the business gains access to AI monitoring tools and expertise that it could not afford on its own.