Australia’s largest cybersecurity company has issued an urgent warning about powerful new artificial intelligence tools that can find and exploit software flaws at unprecedented speed and scale, which experts fear could spark the next wave of massive data breaches.
CyberCX told Australian businesses, banks and infrastructure operators on Thursday they have a deadline to strengthen their defenses before the technology or copies of it fall into the hands of criminals.
The warning concerns Claude Mythos Preview, an unreleased AI model developed by the American company Anthropic that the company deemed too dangerous to release. Anthropic has restricted access to about 50 major technology and infrastructure partners, including Microsoft, Google, Apple, Amazon, and JPMorgan Chase, under a program called Project Glasswing.
Mythos has already discovered thousands of previously unknown software flaws, including a 27-year-old bug in the operating systems used in firewalls and Internet routers around the world. One test resulted in 181 valid attacks against the Firefox web browser. Previously published versions could only manage two.
Anthropic product director Angela Jiang said the cyber capability emerged in part as a byproduct of the company’s push into coding and long-term agent work more broadly.
“Those who are good at coding are also good at detecting and chaining together cyber-attacks, especially on different surfaces,” Jiang said. The company “has had the privilege of working with many companies to support critical infrastructure improvements.”
Dimitri Vedeneev, Secure AI Lead at CyberCX, said Mythos is unique in its ability to not only discover long-buried vulnerabilities, but also chain multiple flaws together and suggest ways to exploit them, all from a single prompt.
“Australian organizations should not be waiting for access to Mythos as some kind of silver bullet,” Vedeneev said. “It will not be long before this or similar functionality becomes more widely available and potentially in the hands of cybercriminals.”
Mythos has swayed governments around the world. Bank of England Governor Andrew Bailey told the BBC the central bank was considering what the technology would mean for cybercrime, while Canadian Finance Minister François-Philippe Champagne described Mythos as an “unknown unknown” at an International Monetary Fund meeting in Washington. The Trump administration convened executives from major U.S. banks to discuss the risks.
Anthropic expects competing AI companies to release similarly powerful tools within 18 months. OpenAI granted a select group of users access to its proprietary cyber-focused model, GPT-5.4-Cyber. Bloomberg reported last week that a small group of unauthorized users gained access to Mythos through a third party, and Anthropic confirmed it was investigating.
Anthropic on Friday separately announced the release of a public beta version of Claude Security, a defense product that allows enterprise customers to scan their own code for vulnerabilities and generate patches. Hundreds of organizations have used the tool in investigative previews to discover flaws that “existing tools have missed for years,” the report said. Accenture, Deloitte, PwC, BCG, Infosys and more use this product.
An Anthropic spokesperson said the company has begun working with “several major U.S.-based companies” because “the faster we can protect our products, the more security we have globally,” adding that the company looks forward to expanding its cybersecurity partnerships.
Not everyone is convinced that Mythos represents a complete break. Juraj Janosik, director of AI at cybersecurity firm ESET, said models that could identify vulnerabilities existed long before Mythos. With the right orchestration, threat actors could “already achieve Mythos-like functionality using publicly available models.”
“Many companies still fail to maintain basic cyber hygiene and are often exploited by leveraging older vulnerabilities that have already been published,” Janosik said. “The development of AI capabilities is a concern, but progress is dwarfed by the overall lack of cyber resilience.”
Manuel Salazar, director of cyber services at Australian company Oro, said the fundamentals had not changed. “Mythos changes the speed at which weak fundamentals are exposed,” he said. “For mature organizations, AI is a power multiplier, but for less mature organizations, it can accelerate improvements but not ignore the fundamentals.”
Mr Salazar said Australian businesses should have access to the defensive benefits of Mythos-class AI, but not “unlimited access to frontier exploit engines”.
“Australia needs to ensure access to advanced AI technology through agencies such as the Australian Signals Directorate, the Department of Home Affairs and the National Cyber Security Coordinator,” he said. “If we don’t get involved now, we risk falling behind our U.S. peers.”
The Wall Street Journal reported Thursday that the White House rejected Anthropic’s proposal to roughly double the number of organizations with access to Mythos, citing security concerns. Relations between the administration and Anthropic have been strained by previous disputes over military uses of the company’s AI, and two court cases are currently underway.
It is unclear whether Australian organizations are participating in Project Glasswing. Anthropic entered into an agreement with the Albanese government and opened a Sydney office earlier this year, but no Australian agency has publicly granted access.
The warning comes against the backdrop of the Optus and Medibank breaches in 2022. Together, the breaches exposed the personal information of millions of customers and reshaped public trust in key institutions. The breach exploited relatively traditional weaknesses, raising concerns that more advanced AI tools such as Mythos could allow attackers to find and exploit flaws in systems previously thought to be secure.
CyberCX is urging Australian organizations to ‘fight AI with AI’ by mapping critical systems, segmenting networks and deploying defensive AI into security functions.
