Anthropic's Mythos Preview: Why the Human Layer Matters More, Not Less

Martin Kraemer | Apr 13, 2026

The human layer is not impacted by Anthropic's Mythos Preview announcement. If anything, it is reinforced, and for reasons that deserve to be spelled out clearly.

What Anthropic Announced

Anthropic has announced Claude Mythos Preview, a frontier model that has discovered thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. Findings include a 27-year-old Transmission Control Protocol Selective Acknowledgment (TCP SACK) bug in OpenBSD, a 16-year-old flaw in FFmpeg's H.264 codec, and a 17-year-old remote code execution (RCE) vulnerability in FreeBSD's Network File System (NFS) server (CVE-2026-4747) that the model identified and exploited fully autonomously.

The significant new development is not vulnerability discovery. Machine-assisted bug hunting has existed for years, and Google's Big Sleep already surfaced a real-world SQLite vulnerability in 2024. What is new is autonomous exploit chaining at scale. Where the previous model (Opus 4.6) had a near-zero autonomous exploit success rate, Mythos Preview reaches 72.4%. In Anthropic's own framing, the model surpasses all but the most skilled human security researchers. In other words, the model does not only "find bugs" but also "write working exploits without human intervention". That's the real news.

Anthropic is not releasing Mythos Preview to the general public. Instead, the company has launched Project Glasswing, a coalition of more than 40 organisations, including Amazon Web Services (AWS), Apple, Google, Microsoft, CrowdStrike, Cisco, JPMorgan Chase, the Linux Foundation, Nvidia, Broadcom, and Palo Alto Networks, that will use the model defensively to find and patch vulnerabilities in critical infrastructure. Anthropic is committing up to $100M in usage credits and $4M in direct donations to open-source security organisations.

Not everyone is convinced. Heidy Khlaaf of the AI Now Institute, experts like Marcus Hutchins, and others have cautioned against taking the claims at face value without disclosure of false-positive rates and human-review methodology. 
 
My opinion: That caveat is healthy, but the direction is clear.
 

Why This Matters: Sophistication, Speed, and Scale

The announcement poses a HIGH risk to cybersecurity resilience, where prevention, detection, containment, and recovery are challenged on three fronts:
 
  • Sophistication. Mythos Preview surfaces decades-old zero-days that fuzzers and human reviewers have missed, and it chains them into working exploits autonomously.
  • Speed. Industry estimates suggest zero-days can live for years before detection, while organisations take weeks to patch them once disclosed. The first compromises typically occur within minutes to 24 hours after release. Artificial Intelligence (AI) models like Mythos compress this window dramatically.
  • Scale. Mythos Preview discovered thousands of zero-days in weeks, with the ability to weaponise and deploy at scale within minutes.
 
The resulting risk is asymmetric. Defenders get Mythos under controlled access through Glasswing. Attackers, according to Anthropic's offensive cyber research lead Logan Graham, will get equivalent capability from other labs within six to eighteen months. While Anthropic has committed to investing in improved guardrails for future models, guardrails can be broken. Attackers already sell jailbreaks that bypass safety controls for high premiums on the dark web, and the economic incentive to defeat guardrails grows with every leap in model capability. Defence must therefore assume that compromised, jailbroken, or misused frontier models exist in the wild. That assumption forces controls outward, to the network, the behavioral, and the human layers, not just the model layer.

The Human as the Most Important Layer


First, initial access. Phishing, business email compromise, and social engineering remain the dominant initial access vectors, regardless of how good autonomous vulnerability discovery becomes. Mythos does not change that. A zero-day exploit chain still needs initial access, and that is usually achieved by a person clicking, approving, or trusting something they should not. I certainly expect attackers to double down on the human as an initial access vector, not retreat from it as technical defenses improve.

Second, human judgment. AI agents and autonomous defensive tooling generate findings at machine speed, and most of those findings still require human contextual judgment to act on. Triage, prioritisation, and the decision of when to take a system offline are not problems that resolve at the model layer.

Third, accountability and oversight. As organisations deploy AI agents inside their own environments, someone has to own the outcomes those agents produce. In any corporation that accountability is assigned to a human.
 

Humans Must Safely Interact with AI Agents

 
  • Human intuition and machine intelligence must collaborate to detect the most sophisticated attacks
  • Human oversight and accountability for business processes become key requirements
  • Human AI and cybersecurity literacy becomes even more important as human actions become part of human-AI value-creation processes

Security awareness and human risk management are not legacy controls. They are the layer that holds when the technical layers are outpaced.


Essential Capabilities and Behavioural Analytics

Advances in AI, such as Mythos Preview's ability to discover vulnerabilities and develop exploit chains, repeatedly underline the need to pivot from a gatekeeping perspective to a behavior-profiling one. As attacks get more sophisticated, faster, and more frequent, organisations must establish a comprehensive AI and cybersecurity governance program based on transparency and oversight.

  • Establish strong observability and least-agency principles for AI agent development

  • Reduce shadow Information Technology (IT) and shadow AI

  • Understand "normal" behavior and communication patterns inside your network and software stack, crucially also for AI agents

  • Prepare for intervention and contingency to reduce initial impact and blast radius when something goes wrong

What Organisations Should Do

Technical hygiene remains essential, and Anthropic's press release means it has to be tightened now, not relaxed:

  • Ensure patch management capabilities at the highest level, with the quickest possible turnaround times

  • Invest in cybersecurity oversight and monitoring to reduce Mean-Time-To-Detect (MTTD) and Mean-Time-To-Contain (MTTC)

  • Develop solid backup and recovery strategies to reduce Mean-Time-To-Recover (MTTR)
