AI Security Institute Urges Best Practices After Mythos T

Summary
– The AI Security Institute (AISI) tested Anthropic’s Claude Mythos Preview model and found it represents a step up in cyber capabilities, capable of autonomously executing multi-stage network attacks.
– In a controlled simulation, the model only fully solved a complex network attack in 3 out of 10 attempts, averaging 22 out of 32 steps, suggesting its current performance is inconsistent.
– The AISI notes its testing environments lack real-world security features like active defenders, so it cannot confirm if the model could breach well-defended systems.
– The institute urges organizations to strengthen cybersecurity basics, such as applying updates and robust access controls, to mitigate potential threats from such AI models.
– It also recommends that organizations consider using AI defensively to achieve significant improvements in their security posture.

The emergence of new AI models with advanced capabilities is reshaping the cybersecurity landscape. Following its evaluation of Anthropic’s Claude Mythos Preview, the UK’s AI Security Institute (AISI) has issued guidance for organizations. The institute’s assessment confirms the model represents a significant step forward in autonomous cyber operations, capable of executing complex, multi-stage network attacks that would typically require days of human effort. This advancement underscores a pressing need for robust defensive postures.
Last week, Anthropic announced that its latest model had identified thousands of historical zero-day vulnerabilities. The company subsequently launched Project Glasswing, an initiative allowing participating technology vendors to use Mythos Preview to discover and remediate these flaws. While Anthropic has committed to not releasing the model publicly, concerns persist that such powerful tools could eventually be acquired by malicious actors.
In controlled tests, the AISI observed Mythos Preview successfully carrying out attacks on vulnerable networks when explicitly directed and provided with network access. The institute constructed a detailed 32-step corporate network attack simulation, a process designed to take human professionals approximately 20 hours. The AI model solved the full simulation in only three out of ten attempts, completing an average of 22 steps across all trials. The AISI noted that performance could potentially improve with greater inference compute power.
However, the institute’s report includes crucial caveats. Its testing environment, or cyber range, differs substantially from real-world corporate networks. The simulated systems lacked active human defenders, defensive security tooling, and any penalties for actions that would normally trigger security alerts. Consequently, the AISI stated it cannot definitively conclude whether Mythos Preview could successfully compromise a well-defended system. The model’s current proficiency indicates it can autonomously attack small, weakly protected enterprise networks where initial access has been obtained. Future AISI evaluations aim to address these gaps by simulating environments with endpoint detection and response (EDR) and real-time incident response capabilities.
In light of these findings, the AISI’s primary recommendation is a renewed focus on cybersecurity fundamentals. The institute stresses that models like Mythos Preview can exploit systems with a poor security posture, and more models with similar capabilities are likely on the horizon. Essential practices include the regular and prompt application of security updates, enforcing robust access controls, maintaining secure configurations, and implementing comprehensive logging for visibility.
Simultaneously, the AISI encourages organizations to explore how artificial intelligence can be leveraged defensively. In a joint blog post published with the National Cyber Security Centre (NCSC) on March 30, the agencies outlined how AI can deliver game-changing improvements in defense. These include automating threat detection, accelerating incident response, and managing the overwhelming volume of security alerts, thereby helping human teams focus on strategic tasks. The dual approach of strengthening core security hygiene while adopting AI-powered tools is presented as the most effective strategy for mitigating risks posed by increasingly sophisticated offensive AI.
(Source: Infosecurity Magazine)




