The conversation around Anthropic’s Mythos Preview, a new Frontier AI system, has escalated quickly. It has created a fundamental shift in cybersecurity and cyber risk at large. But amid all the noise and ambiguity, there are practical ways to manage this new risk.
Background: Mythos in a Nutshell
Mythos has autonomously discovered thousands of zero-day vulnerabilities across every major operating system and web browser, can chain together multi-step attacks, and can generate working exploits without human guidance. Anthropic chose not to release it publicly – deeming it too dangerous. Instead, it launched “Project Glasswing”, a program in which it granted preliminary access to a small group of organizations managing critical digital infrastructure. The goal? Let the major players address issues in their applications before threat actors can use Mythos to find and exploit those vulnerabilities.

How has industry responded to Mythos Preview?
Reaction to Mythos has been swift. The Canadian Centre for Cyber Security (CCCS), the Cloud Security Alliance (CSA), and the UK’s AI Security Institute (AISI) have all arrived at the same conclusion: this represents a structural shift in how offense and defence operate. Sure enough, the headlines in the days after the Mythos announcement have borne this out:
- OpenAI announced GPT-5.4-Cyber within days of the Mythos Preview announcement – a model purpose-built for cyber operations. Other players are moving fast as well, and not all of them will be as conservative about public release.
- An unidentified group allegedly accessed Mythos through a third-party vendor/contractor environment, likely abusing legitimate access and using some educated guesswork to find where the model was hosted. The LLM that Anthropic thought was too risky for public release has already fallen into unauthorized hands.
- Mozilla (not part of Project Glasswing) announced that Mythos discovered 271 new vulnerabilities in its latest Firefox browser. This signals the kind of volume that could be found in virtually every major application, browser, and operating system.
Mythos is playing out in real time, even faster than many observers expected. This is why a wait-and-see posture carries real risk. For CISOs, this creates a challenging situation: high-impact developments, incomplete information, and pressure to respond quickly while still navigating all the hype and uncertainty.
How do you respond to Frontier AI?
No one has all the answers right now. What matters is how you interpret the risk, communicate internally, and take measured steps forward. What’s clear is that the window between vulnerability disclosure and weaponization is collapsing. While the software vendors work through their systems, it’s critical to get your own house in order as well.
The controls that matter most are not exotic. We’ve put together a prioritized plan covering the critical fundamentals and priority controls you need to strengthen your security posture – fast:
Phase 1: Critical
- Multi-factor Authentication (MFA) – stop automated credential abuse at massive AI-driven scale
- Patch Management – close exploitable gaps before rapid weaponization occurs
- IRP Development/Review & Tabletop Exercises – prepare teams to respond to multiple concurrent incidents
- External Surface Mapping – inventory and protect assets, eliminate unnecessary exposure
Phase 2: Important
- SIEM & Logging – correlate fast-moving attacks across diverse signals and systems
- Backups – rebuild systems from reliable, trusted archives after compromise
- Network Segmentation – limit lateral movement in highly automated intrusions
- Zero Trust – continuously verify access to prevent implicit trust exploitation
ISA Cybersecurity has also built a structured, prioritized list of steps to assess your current posture, stress-test your defences, and close the gaps that matter most.
Action Plan:
- Vulnerability Management – identify and prioritize key risk areas
- IRP Development/Review & Tabletop Exercises – prepare to manage multiple simultaneous incidents
- Critical System Health Checks – assess your firewall, cloud, VM, IAM, EDR, SIEM rulebases, logging, and email security systems
- Risk Management Program Review – expert assessment of your program against industry standards and frameworks
- Red/Purple Team & PentAGI Simulations – test your incident detection and response capabilities
- Crown Jewels Assessments – crown jewels inventory, TRA, and supply chain analysis
Having these fundamentals in place and addressing your areas of exposure will make you more resilient than most in the face of the unpredictable threats posed by Mythos and other Frontier AI models.
As Andrew Buckles, EVP Services at ISA Cybersecurity, explains: “Mythos has changed the cyber risk equation. Threats will rise as bad actors gain speed and scale. Vulnerabilities have spiked as Mythos explores and exposes system weaknesses. And the impact of attack has risen with the potential for multiple, orchestrated, automated attacks on targets. The primary lever organizations can manage is their controls – that’s where the focus needs to be right now.”
The organizations that navigate this well won’t necessarily be those with the largest security budgets. They’ll be the ones that are assessing their exposure honestly, prioritizing the right controls, and treating this moment as a foundation to build from.
We’re Here to Help
ISA Cybersecurity is here to help Canadian organizations keep pace with Frontier AI – contact us today to learn more.
Additional Resources
- ISA Cybersecurity – Andrew Buckles shares his perspective on Frontier AI
- Anthropic – Project Glasswing
- Canadian Centre for Cyber Security – Frontier AI Guidance
- Cloud Security Alliance – The AI Vulnerability Storm: Building a Mythos-Ready Security Program
- AI Security Institute – Our Evaluation of Claude Mythos Preview’s Cyber Capabilities
- OpenAI – GPT-5.4-Cyber: Scaling Trusted Access for Cyber Defence




