UPDATE: Mythos Sparked Cyber Hysteria — Experts Say Threat Predates It

When Anthropic's Mythos AI model discovered tens of thousands of zero-day vulnerabilities across every major operating system and web browser, governments, banks, and utility companies entered what some are now calling a cybersecurity "hysteria." But a growing chorus of security researchers is pushing back on the panic with an uncomfortable message: the threat Mythos revealed wasn't created by Mythos. It was already there.

What Mythos Found

To understand the reaction, it helps to understand the scale of what Mythos uncovered. Where an earlier Anthropic model had found roughly 20 vulnerabilities in Firefox, Mythos found nearly 300 — in just that one browser. Across all major software, the total ran into the tens of thousands.

Anthropic vetted the findings carefully. In 89% of 198 manually reviewed vulnerability reports, expert contractors agreed exactly with Mythos's severity assessment. Another 9% were off by just one level. These weren't false positives or theoretical risks. They were real, previously unknown security holes in software that billions of people use every day.

Anthropic rolled out Mythos in a controlled way, limiting initial access to a handful of American companies including Apple, Amazon, JPMorgan Chase, and Palo Alto Networks. It later extended access to more than 40 organizations that build or maintain critical software infrastructure. The idea was to give defenders a head start before this capability becomes more widely available.

The Panic That Followed

Despite the controlled rollout, the revelation that an AI model could find vulnerabilities at this scale and speed set off alarm bells across industries. Banks started reviewing their systems. Utility companies ran emergency audits. Governments initiated accelerated patching programs. The White House moved to draft an executive order for FDA-style vetting of AI models, explicitly citing Mythos as a catalyst.

Anthropic CEO Dario Amodei added urgency to the reaction when he stated that Chinese AI models are "maybe six to 12 months" behind Mythos's cybersecurity capabilities. The implication: the window to fix these vulnerabilities before adversaries could exploit equivalent tools is measured in months, not years.

What Experts Are Actually Saying

Now, as the initial shock fades, security researchers are offering a more nuanced picture. The core argument: the vulnerabilities Mythos found were there before Mythos. And the tools to find them — including earlier, less capable AI models — were already widely available.

Multiple cybersecurity researchers and AI experts told CNBC that the software vulnerabilities Mythos revealed can be found using existing models. The capability isn't new; the scale and speed are. Mythos compressed what might have taken months of manual security research into automated scans that run in hours. But the underlying vulnerabilities existed before any AI touched them.

This reframing matters for how you think about the risk. The question isn't "what new dangers did Mythos create?" It's "how do we fix vulnerabilities that have existed for years, now that we have tools to find them faster than ever?"

Two Ways to Read This

The optimistic reading is that Mythos represents a genuine defensive breakthrough. If AI can find vulnerabilities at this scale for defenders, defenders can now systematically close security gaps that have been quietly exploitable for years. That's a net security improvement — if the fixes happen before attackers develop equivalent tools.

One op-ed in the SF Standard argued this is "the best cybersecurity news we've ever had." The logic: we've been living with these vulnerabilities for years without knowing about them. At least now we can fix them.

The pessimistic reading is that the defensive advantage is temporary and asymmetric. Fixing thousands of vulnerabilities across the global software stack requires cooperation between companies, governments, and open-source maintainers — a slow, messy process. Finding and exploiting those vulnerabilities requires only a capable AI model and bad intent. The attack side scales faster than the defense side.

Anthropic's Project Glasswing — its initiative to coordinate vulnerability disclosure and remediation across critical software infrastructure — is an attempt to navigate this asymmetry. But its success depends on how quickly the broader ecosystem can act.

What This Means Going Forward

The Mythos situation has made one thing undeniably clear: cybersecurity and AI safety are now deeply intertwined. You can no longer evaluate AI capabilities without considering how those capabilities affect the attack surface of the world's digital infrastructure.

For enterprises, the practical takeaway is this: if you haven't done an AI-assisted security audit of your own systems, you're behind. The same models that Mythos used are becoming more accessible. Waiting for vendors to patch vulnerabilities passively is no longer a viable posture.

For policymakers, the Mythos case is shaping the conversation about AI oversight in real time. The White House executive order, the government testing agreements with Google, Microsoft, and xAI, and state-level AI legislation all reflect an emerging consensus that powerful AI capabilities require some form of pre-deployment review — even if the exact model for that review is still being debated.

The hysteria around Mythos may have been disproportionate to what the model actually created. But the security researchers urging calm aren't saying there's nothing to worry about. They're saying the worry should be channeled into urgency around patching, not panic about the AI itself. That's a meaningful distinction — and an actionable one.