Claude Mythos Preview has turned upside down the AI segment. Anthropic’s new model is so powerful that its creators have preferred not to release it publicly. In their official announcement they already made it clear: it is capable of finding security vulnerabilities that seemed almost impossible to findand that has allowed Anthropic to pose a disturbing message: if you want your system to be truly secure, you’re going to need Mythos to guarantee it.
From vibecoding to cybersecurity. This has caused a wave of interest in a model that is no longer good because it programs better: it is good because it makes (theoretically) your application or your service safe from cyberattackers. That is critical especially in these times, and the first ones who are trying to cover their backs are governments and financial institutions. At the moment only a few have access to Mythos, and for example the European Central Bank already preparing contingency plans. Before, AI conquered us with vibecoding. Now he will conquer us by saving our savings.
OpenAI moves not a token… Anthropic’s speech has been so powerful that OpenAI did not want to be left behind. As soon as it launched its latest model, GPT-5.5, a few days agoalready mentioned that it had a variant called GPT-5.5-Cyber specifically intended for cybersecurity analysis. Here the company led by Sam Altman wanted to turn its model into a more accessible option for all types of organizations and companies, and opened a certified access program, something that Anthropic does not seem to have. Altman himself had described the movement as Anthropic as a marketing ploy…and then end up copying that same strategy of fear.
…but two. Not happy with this move, OpenAI launched yesterday afternoon Daybreak. This is not a new AI model that competes with Mythos, but rather a cybersecurity initiative that combines AI models such as GPT-5.5-Cyber with the agent specialized in this area, Codex Security. OpenAI has restricted access in a similar way to how Anthropic has done with Mythos, but does allow you to request a security scan in addition to contacting their sales team.
There are already several organizations with access (Akamai, Cisco, Cloudflare or Oracle, among others), but it is ironic that once again Altman criticized his rival and then copied his ideas not once, but twice. That, after all, is a marketing strategy to sell its AI solutions focusing on cybersecurity.
Google is not going to be less. A report from the Google Threat Intelligence Group (GTIG) further encouraged the matter yesterday. The firm’s cybersecurity experts they stood out how they had managed to first detect and then stop an exploit developed entirely with AI. In this case, Google has not announced any model or initiative that rivals those of its competitors, but it does add to an increasingly frequent message: AI is going to be the next great cybersecurity threat.
The 90-day window does not lose meaning. Some cybersecurity experts are already warning of the implications of this entire phenomenon. Himanshu Anand explained this week how what is starting to make no sense is the well-known 90-day disclosure policy. According to her, when someone discovers a vulnerability in an app, the app’s developer must have a margin of 90 days to create and distribute the patch. As he explained, “When ten researchers who don’t know each other find the same bug in six weeks, and the AI is able to turn that into a working exploit in 30 minutes, who exactly is that 90-day period protecting? Nobody.”
Mythos is not perfect. And while the big players in the segment are gaining positions, Mythos has shown that it is not perfect. The developer of the famous tool curlDaniel Stenberg, also told this week how you were able to use Mythos to analyze your source code. Curl programmed in C, has 176,000 lines of code and 660,000 words, 12% more than the English edition of the novel ‘War and Peace’. This is a hugely mature and very well-managed project, and so it was especially interesting to see if Mythos would manage to find many security flaws.
And it may not be that bad. Anthropic’s model claimed to have found five confirmed security flaws, but after analysis with his team, Stenberg made it clear that it had actually only found one. And one with “low severity” not too dangerous. Of the rest, three were false positives, and the fourth was an unimportant “bug”, not a security flaw. For Stenberg Mythos does not seem much more advanced than other tools of this type that he has used in the past: “this model may be a little better, but even if it is, it is not better to a degree that could have a big impact on code analysis.” Even so, this developer praised the new AI tools for code analysis, which he believes are significantly better than traditional tools for this task.
GIPHY App Key not set. Please check settings