AI Security Institute Warns: Strengthen Cyber Basics After Mythos Preview Test

The AI Security Institute (AISI) has issued a clear warning to organizations worldwide: reinforce your cybersecurity fundamentals now. This call comes after the institute conducted rigorous evaluations of Anthropic’s latest model, Claude Mythos Preview. The model made headlines last week when Anthropic claimed it had identified thousands of zero-day vulnerabilities spanning decades. As a result, the company launched Project Glasswing, allowing select tech vendors to use the model to locate and patch these flaws. Although Anthropic pledged not to release Mythos Preview publicly, concerns persist that threat actors may eventually gain access.

What the AI Security Institute Found in Its Tests

The UK-based AI Security Institute conducted controlled evaluations of Mythos Preview and described it as “a step up over previous frontier models in a landscape where cyber performance was already rapidly improving.” In these tests, when explicitly directed and given network access, the model demonstrated the ability to execute multi-stage attacks on vulnerable networks. It could autonomously discover and exploit vulnerabilities—tasks that would typically take human professionals days to complete.

However, the results were not without caveats. The AISI built a “32-step corporate network attack simulation,” running from reconnaissance to full network takeover. Human experts would need around 20 hours to finish this operation. Mythos Preview succeeded in only three out of ten attempts, completing an average of 22 out of 32 steps. Yet, the institute noted that with more inference compute, its performance could improve significantly.

Limitations of the Testing Environment

The AISI also highlighted that its testing environment differs from real-world conditions in important ways. “Mythos Preview’s success on one cyber range indicates it is at least capable of autonomously attacking small, weakly defended, and vulnerable enterprise systems where network access has been gained,” the institute explained. However, it added that these ranges lack security features often present in real environments, such as active defenders and defensive tooling. There are also no penalties for actions that would trigger security alerts in a live setting.

Therefore, the AISI stated it “cannot say for sure” whether Mythos Preview could successfully attack well-defended systems. Moving forward, the institute plans to simulate hardened environments with endpoint detection and real-time incident response to close these knowledge gaps.

Why Cybersecurity Basics Matter Now More Than Ever

In light of these findings, the AI Security Institute urged security teams to improve baseline protection to mitigate potential attacks using Mythos. “Our testing shows that Mythos Preview can exploit systems with weak security posture, and it is likely that more models with these capabilities will be developed,” the institute concluded. This underscores the importance of cybersecurity basics, such as regular application of security updates, robust access controls, proper security configuration, and comprehensive logging.

Building on this, the AISI also suggested that organizations consider using AI to deliver “game-changing improvements in defense.” A joint blog from the AISI and the National Cyber Security Centre (NCSC), published on March 30, outlined how AI can help reduce the attack surface through machine-speed system scans, identify misconfigurations and vulnerabilities, test exploitability, and map complex attack paths. Additionally, AI can enhance threat detection by triaging alerts, making sense of patterns from diverse logs, and writing summary reports for analysts. It can also automate response actions, such as blocking traffic flows, quarantining suspicious processes, and revoking user access.

Practical Steps for Organizations

So, what should organizations do now? First, prioritize the fundamentals: patch systems regularly, enforce strong access controls, and maintain detailed logs. Second, explore how AI tools can augment your security operations. For example, using AI for automated vulnerability scanning can free up human analysts for more complex tasks. Third, stay informed about emerging AI capabilities and their implications for cybersecurity. The AISI’s work serves as a critical reminder that as AI models become more powerful, both attackers and defenders will gain new tools.

For more insights, check out our guide on AI security best practices for enterprises and learn about zero-day vulnerability management strategies. Finally, read the NCSC’s latest AI security guidance to align with government recommendations.

The Bottom Line on AI and Cyber Defense

The AI Security Institute’s evaluation of Mythos Preview is a wake-up call. While the model’s current success rate is limited, its capabilities are evolving. Organizations cannot afford to wait for the perfect defense. Instead, they must strengthen their cybersecurity posture today. By combining solid fundamentals with intelligent AI tools, businesses can better prepare for the threats of tomorrow. The message from the AISI is clear: the time to act is now.
