After Claude Mythos Preview: Defending at machine speed in the agentic attacker era
Zoran Gorgiev, Gavin Sutton
Table of contents
- What can Claude Mythos Preview do?
- Did Claude Mythos start the offensive AI era?
- Why APIs and web applications are the epicenter of AI-powered attackers
- Traditional security cadence is breaking
- A new defense doctrine: Mirror the attacker
- 90-day CTEM and COST program for API-first architectures
- What CISOs should do now
- Conclusion
Every few years, something happens that makes it impossible to keep pretending the old way of doing cybersecurity still works. Claude Mythos Preview has been that something lately.
On April 7, 2026, Anthropic announced Claude Mythos Preview, a limited-access preview AI model (Anthropic, 2026). According to the frontier AI safety and research company, it had become extraordinarily good at finding and exploiting software vulnerabilities as its reasoning, coding, and autonomy improved.
This was not merely in toy benchmarks, but in controlled research workflows against real-world software. Anthropic reported that Mythos Preview could identify and exploit vulnerabilities in every major operating system and web browser when directed to do so, often without a human security researcher guiding it step by step.
The industry noticed. Security teams suddenly have to explain to executives what this means for their organizations. We are here to help make that explanation clear, drawing on the industry-wide strategy briefing, The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program.
What can Claude Mythos Preview do?
According to Anthropic, Mythos Preview found, among other things:
- A 27-year-old denial-of-service vulnerability in OpenBSD
- A 16-year-old memory-safety bug in FFmpeg’s H.264 codec
- A 17-year-old remote code execution vulnerability in FreeBSD’s NFS server, and built a working exploit that granted unauthenticated root access, with no human involvement after the initial prompt
- A web browser exploit that chained four vulnerabilities together and escaped both the renderer and OS sandboxes
Anthropic also said that, at the time of publication, over 99% of the vulnerabilities Mythos had found had not yet been patched.
Where Claude Opus 4.6 managed to build working Firefox exploits twice out of several hundred attempts, Anthropic reported that Mythos Preview succeeded 181 times. Anthropic also said that engineers with no formal security training asked the model to find remote code execution vulnerabilities overnight and woke up to a complete, working exploit.
In a separate N-day Linux privilege-escalation exercise, Anthropic reported that Mythos could turn public identifiers, such as a CVE identifier and a git commit hash, into functional exploits. One chained exploit pipeline took under a day and cost under $2,000.
The company also noted that the disclosed N-day examples required the NET_ADMIN capability, a non-default configuration disabled on most hardened machines.
Did Claude Mythos start the offensive AI era?
None of what Anthropic said Mythos Preview could do was entirely new. The tendency to use artificial intelligence at an elevated level for both ethical and unethical hacking had been evident for well over a year before Mythos Preview.
- March 2025: The AI penetration testing platform Equixly reported severe weaknesses in popular MCP server implementations, including command injection, arbitrary file read, and SSRF.
- August 2025: Google’s Big Sleep project found 20 previously unknown vulnerabilities in open-source software, including FFmpeg and ImageMagick, with human experts reviewing the findings before they were reported.
- November 2025: A Chinese state-sponsored group used Claude Code to run largely AI-orchestrated attack chains — reconnaissance through data theft — against roughly 30 targets globally.
- January 2026: Equixly revealed that its AI agent had identified CVE-2026-0773, a critical zero-day vulnerability caused by unsafe cloudpickle deserialization in AI infrastructure.
- February 2026: Sysdig documented an AI-assisted intrusion that got admin-level access in under 10 minutes, including an 8-minute sequence from credential theft to successful Lambda execution.
Clearly, Claude Mythos Preview did not start this trend. But it made the shift impossible to ignore.
These and similar events highlighted a vast gap between AI-fueled vulnerability discovery and exploitation on one side and human-led validation and remediation on the other. The Zero Day Clock shows that, in parallel with AI developments, mean TTE (time-to-exploit) crossed the one-day threshold in 2026 and is projected to cross the one-hour threshold in the same year.
Traditional penetration testing was already struggling to keep up when the gap was months wide. With time-to-exploit potentially collapsing to the one-hour threshold, it simply cannot remain the only or primary validation mechanism.
Human-led pentesting still matters from a compliance perspective. But you must move toward COST (continuous offensive security testing) to be able to validate, prioritize, and remediate at machine speed in the agentic AI era.
Why APIs and web applications are the epicenter of AI-powered attackers
Today, most business logic runs through APIs. APIs are:
- Exposed by design
- Often documented or discoverable
- Machine-testable
These traits make them one of the lowest-friction paths for exploiting business workflows. A single flaw in a payment flow, entitlement check, authentication path, or data-access API can expose high-value systems and sensitive data directly.
The scale of exposure is rising, as shown by the following stats:
- API-related requests account for more than half of dynamic traffic seen by Cloudflare, and the company says that share continues to grow over time (Cloudflare, 2025).
- API-first adoption reached 82% in 2025, with 25% of organizations now being fully API-first (Postman, 2025).
- Shadow APIs remain an obstacle to security visibility: Thales says organizations have 10–20% more active APIs than they know about.
- Imperva (2025) recorded 40,000+ API incidents across more than 4,000 monitored customer environments in the first half of 2025, averaging more than 220 per day.
- Kong expects API attacks to grow by 548% by 2030.
Traditional security cadence is breaking
Point-in-time security testing does not work against attackers that run continuously. Many organizations now ship production changes far more often than they run security validation in the form of adversarial testing.
Annual penetration tests capture only a snapshot of a system that’s constantly changing. That leaves most production changes without offensive validation between assessments. And the exposure window between deployment and assessment has become immense.
Patch management faces a similar pressure. For instance, Linux kernel security reporting has surged. LWN reported that the kernel security list had grown from roughly two to three reports per week two years earlier, to about ten per week over the previous year, and then to five to ten per day by early 2026.
Perimeter defenses and endpoint detection were built around assumptions that no longer fully hold: attackers who take time, make mistakes, generate noise, and operate on human timescales.
Autonomous and AI-assisted attackers do not fit this model. As cited earlier, Sysdig documented an AI-assisted AWS intrusion in which the actor gained administrative privileges in minutes.
The simple point is this: the controls have not changed sufficiently, but the threat has.
A new defense doctrine: Mirror the attacker
Defeating a continuous attacker requires a continuous defense. Three pillars — always-on visibility, always-on attack-path reasoning, and always-on offensive validation — form the foundation of this defense.
Continuous threat exposure management (CTEM)
CTEM is the framework that holds the doctrine together. It promotes a five-stage loop — scope, discover, prioritize, validate, mobilize — that runs on a recurring cadence:
- Scope identifies the key assets and the business processes that rely on them.
- Discovery lists the potential attack points, including shadow AI and APIs.
- Prioritization ranks risks based on how easily attackers can exploit them and their impact on the business, rather than relying on CVSS scores.
- Validation checks whether attackers can actually reach and exploit an exposure, then helps you decide where to allocate resources to fix the most urgent security issues.
- Mobilization wraps up the process: you fix issues, retest them, and track how long it takes to fix them as a key performance indicator for the business, not just a technical detail.
Updated for the AI-attacker era, CTEM gives security programs the operating loop they’ve been missing all along.
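The prioritize and mobilize stages above, sketched as an added example (not Equixly's or any CTEM product's code). The sort key, SLA windows, and findings are constructed assumptions that show how an exploitability-first ranking diverges from a CVSS-only one and how MTTR and SLA breaches fall out of the same records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Finding:
    name: str
    cvss: float
    validated: bool        # exploit path confirmed by offensive testing
    internet_facing: bool
    criticality: int       # 1 (low) .. 3 (critical asset), assigned during scoping
    opened: datetime
    closed: Optional[datetime] = None

def priority(f):
    """Sort key: proven exploitability, then business impact, then exposure; CVSS last."""
    return (f.validated, f.criticality, f.internet_facing, f.cvss)

def rank(findings):
    return [f.name for f in sorted(findings, key=priority, reverse=True)]

def sla(f):
    """Assumed policy: validated paths on critical assets get the shortest window."""
    if f.validated and f.criticality == 3:
        return timedelta(days=2)
    return timedelta(days=7) if f.validated else timedelta(days=30)

def mttr_days(findings):
    """Mean time to remediate over closed findings, in days (None if nothing closed)."""
    closed = [f for f in findings if f.closed]
    if not closed:
        return None
    return sum((f.closed - f.opened).total_seconds() for f in closed) / len(closed) / 86400

def sla_breaches(findings, now):
    """Findings whose age (or time to close) exceeded their SLA window."""
    return [f.name for f in findings if (f.closed or now) - f.opened > sla(f)]

T0 = datetime(2026, 5, 1)
NOW = T0 + timedelta(days=10)
# Constructed findings for illustration only.
FINDINGS = [
    Finding("Parser CVE in offline batch worker", 9.8, False, False, 1, T0, T0 + timedelta(days=20)),
    Finding("BOLA on GET /v2/orders/{id}", 6.5, True, True, 3, T0, T0 + timedelta(days=4)),
    Finding("Verbose error on /health", 5.3, True, True, 1, T0),
    Finding("Weak TLS cipher on admin host", 7.4, False, True, 2, T0, T0 + timedelta(days=6)),
]
```

Sorting the same list by `cvss` alone would put the unvalidated 9.8 finding first and the confirmed BOLA path third.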
Attack surface management (ASM)
ASM is the visibility layer that feeds everything else and is essential for security validation. It must:
- Cover the full external perimeter, including domains, subdomains, ports, certificates, and leaked credentials.
- Maintain a live inventory across all environments, covering documented, shadow, and zombie endpoints.
- Extend to third-party and supply-chain security risks, such as integrations and open-source components.
- Map internal lateral paths, like service accounts and east-west API calls, and find misconfigurations reachable after an initial breach.
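One way to keep the endpoint inventory live, as an added example rather than any vendor's implementation: diff the documented API routes against what access logs show is actually being served. The routes and log lines are constructed, and "zombie" is assumed here to mean a route marked deprecated that still answers requests.

```python
import re
from collections import Counter

# Constructed inventory: documented route templates and their lifecycle state.
DOCUMENTED = {
    ("GET", "/v2/orders/{id}"): "active",
    ("POST", "/v2/orders"): "active",
    ("GET", "/v1/orders/{id}"): "deprecated",  # should no longer receive traffic
}

# Constructed access-log lines (combined-log style, trimmed).
LOG_LINES = [
    '10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /v2/orders/1842 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/May/2026:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201 97',
    '10.0.0.9 - - [01/May/2026:10:00:03 +0000] "GET /v1/orders/77 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/May/2026:10:00:04 +0000] "GET /internal/export/users?fmt=csv HTTP/1.1" 200 90311',
    '10.0.0.4 - - [01/May/2026:10:00:05 +0000] "GET /v2/orders/9f3c2b1a-0d4e-4c1b-9a7e-2f6d8c5b1e00 HTTP/1.1" 200 512',
    '10.0.0.4 - - [01/May/2026:10:00:06 +0000] "GET /v2/unknown HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ID_RE = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def normalize(path):
    """Drop the query string and replace numeric or UUID segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_RE.match(seg) else seg for seg in path.split("/"))

def classify(log_lines, documented):
    """Count served requests per (method, template) as documented, shadow, or zombie."""
    result = {"documented": Counter(), "shadow": Counter(), "zombie": Counter()}
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or m["status"] == "404":  # a 404 is a miss, not a live endpoint
            continue
        key = (m["method"], normalize(m["path"]))
        state = documented.get(key)
        category = "shadow" if state is None else "zombie" if state == "deprecated" else "documented"
        result[category][key] += 1
    return result
```

On the sample lines, `classify(LOG_LINES, DOCUMENTED)` reports `/internal/export/users` as shadow and `/v1/orders/{id}` as zombie, which are the two entries that would feed the discovery stage.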
Equixly: AI-native continuous offensive security testing

Keeping pace with an autonomous attacker, or staying ahead of it, requires continuous offensive validation, which has become an indispensable mechanism for enterprises.
Equixly provides continuous AI penetration testing, integrated directly into CI/CD pipelines and issue trackers. Its agents test:
- Business logic
- BOLA (Broken Object Level Authorization) and all the other vulnerabilities from the OWASP Top 10 API Security Risks
- API-based web applications
- Generative AI applications and LLMs exposed via APIs
- MCP implementations hinging on APIs
Crucially, it allows you to prioritize security vulnerabilities based on proven exploitability. It demonstrates the path from exposure to impact and offers a specific remediation guideline, so your organization can fix security risks with real-life business impact.
In short, Equixly is built for the Mythos-era reality: continuous, AI-native offensive validation that reasons through real attack paths and helps defenders keep pace with agentic attackers.
90-day CTEM and COST program for API-first architectures
This program enables a full security transformation in four steps, each with inherent value for your overall security posture.
- Set a baseline by day 14. Identify your most critical APIs and web applications. Scan your external attack surface to find all exposed and unknown endpoints. Use Equixly to run your first automated security test, mapping broken authorization paths, business logic flaws, and other common API vulnerabilities. Define MTTR and exposure KPIs.
- Integrate by day 30. Integrate Equixly into your CI/CD pipeline and wire its findings into your ticketing system. Kick off your first CTEM cycle and publish the first exposure dashboard.
- Expand by day 60. Expand ASM to internal lateral paths and begin testing third-party software and supply chains. Retire legacy security controls that you’ve found to have low value. Tabletop a Mythos-style intrusion.
- Operate by day 90. Report exposure KPIs and MTTR trends to the board. Enforce remediation SLAs based on exploitability. Establish a weekly CTEM cadence and a quarterly external validation review.
What CISOs should do now
Operationally, the path is clear. Strategically, in line with Cloud Security Alliance (2026, pp. 6-7), a few additional directives stand out:
- If there’s one point you need to extract from this article, it’s that the same AI capabilities driving the threat can fuel a powerful cyber defense. So, start a VulnOps practice that takes advantage of AI developments, and put AI agents to work across offensive security, GRC, incident response, and security operations, not just code.
- Update your risk posture accordingly before the board asks you to. Run tabletop exercises to simulate multiple incidents happening at the same time during the same week. That’s no longer a worst-case scenario — it’s a reality you should be ready for.
- Prepare for a whole different kind of pressure. The number of vulnerability disclosures is about to increase dramatically. Act now to adjust your priorities, implement automation before the surge, and secure extra staff and budget before burnout becomes an issue.
- Do not try to defend alone. Attackers work together in groups. Connect with your sector’s Information Sharing and Analysis Centers (ISACs), Computer Emergency Response Teams (CERTs), and standards organizations to share threat intelligence and coordinate your response. The quick response strategies you use in your internal validation program should also apply to joint defense efforts.
Conclusion
Claude Mythos Preview did not start the agentic attacker era. However, it made its implications impossible to ignore for anyone. A tool like that can be scary in the hands of a script kiddie. Can you imagine the consequences and fallout when a knowledgeable and well-organized threat actor uses it?
Defenders must keep pace with the speed of agentic AI attacks and be ready to respond appropriately. For API-first organizations, that means moving beyond annual validation to adopt continuous exposure management, continuous offensive security testing, and exploitability-based remediation.
The goal is no longer simply to find vulnerabilities. It is to prove which ones matter, fix them fast, and keep validating as your environment changes.
FAQs
Does the Claude Mythos Preview announcement mean every organization needs to panic?
Mythos Preview is only available to Project Glasswing partners, which reduces the risk from this model. However, its features are already being shared through open-weight models and commercial tools. That means it’s better to prepare now than to rush later.
Our APIs go through change management. Does that mean we are already validating them continuously?
Change management controls whether a change ships; it does not test whether an attacker can exploit it once it does, which is what continuous offensive security testing is for.
How does Equixly’s security testing differ from running DAST scans on every deployment?
DAST scanners look for known security weaknesses one at a time. Equixly’s AI works differently by connecting requests in multi-step processes. It checks business logic and assesses whether an attacker can access a sensitive asset via your specific controls. Instead of just listing issues as DAST does, Equixly provides a report showing confirmed ways a breach could happen.
Zoran Gorgiev
Technical Content Specialist
Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.
Gavin Sutton
Head of Marketing
Gavin is a marketing leader with more than a decade of experience in the cybersecurity industry helping startups and scale-ups grow internationally. He has a passion for working with disruptive technology companies that can reshape the security landscape with their innovative solutions.