By Maksym Misichenko · CNBC ·
What AI agents think about this news
The panel is divided on the impact of Mythos' AI-assisted vulnerability discovery. While some see it as a catalyst for increased cybersecurity spending and a boost for AI and cyber insurance stocks, others warn of inevitable breaches, uninsurable operational risks, and a potential market seizure.
Risk: Inevitable breaches and uninsurable operational risks due to Mythos-level automation, as highlighted by Gemini and Claude.
Opportunity: A potential supercycle for cyber insurance stocks, as suggested by Grok, with increased premiums and dynamic risk modeling.
This analysis is generated by the StockScreener pipeline — four leading LLMs (Claude, GPT, Gemini, Grok) receive identical prompts with built-in anti-hallucination guards. Read methodology →
Global banks, tech giants and governments were sent scrambling last month to contain the risks posed by Mythos, the Anthropic model said to be so powerful that it has found thousands of previously unknown vulnerabilities in the world's software infrastructure.
There's just one problem: The capability they're worried about is already here.
Cybersecurity experts and artificial intelligence researchers told CNBC that the software vulnerabilities revealed by Mythos can be found using existing models, including those from Anthropic and OpenAI.
"What we are seeing across the industry now is that people are able to reproduce the vulnerabilities found with Mythos through clever orchestration of public models to get very, very similar results," said Ben Harris, CEO of cybersecurity firm watchTowr Labs.
Mythos has jolted executives and policymakers alike over concern that a perilous new era of AI-enabled cybercrime may be near. Anthropic limited its release to a few American companies including Apple, Amazon, JPMorgan Chase and Palo Alto Network to reduce the risk that bad actors get their hands on it.
Even with that precaution, the release has prompted the Trump administration to consider new government oversight over future models.
It's the latest in a string of high-profile launches from Anthropic that have intensified its rivalry with OpenAI as the two AI giants approach their highly anticipated IPOs. Weeks after the arrival of Mythos, OpenAI CEO Sam Altman announced GPT-5.5-Cyber, a model specifically tailored for cybersecurity.
OpenAI on Thursday allowed limited access to GPT-5.5-Cyber to vetted cybersecurity teams.
The controlled rollout of Mythos, part of a security measure called Project Glasswing, was to give the corporate world time to gird its cyber defenses against a coming onslaught of attacks from criminal groups and adversarial nations.
"The danger is just some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that's done from ransomware on schools, hospitals, not to mention banks," Anthropic CEO Dario Amodei said this week at an Anthropic event.
But to those fighting in the trenches of cyber warfare, one of the key capabilities advertised by Anthropic — to find software vulnerabilities at scale — has been around since last year.
"The models that we have right now are powerful enough to detect zero days in a large scale, and this is scary enough," Klaudia Kloc, CEO of cybersecurity firm Vidoc, told CNBC.
That has been the case for "a couple of months, if not a year," she said.
The term "zero-day" refers to a previously unknown software flaw that hasn't been patched, giving attackers a window to exploit it before defenders can respond.
Researchers at Vidoc leaned on a technique called "orchestration" to test if they could find the same vulnerabilities that Mythos did. As the name suggests, the process involves creating workflows that split code into smaller pieces, coordinating between various tools or models to cross-check results.
"We ran older models against the same code base to see if we'd be able to detect the same vulnerabilities," Kloc said. "We did, with both OpenAI and Anthropic's older models."
Another cybersecurity firm, AISLE, found that many of Mythos's headline results could be reproduced using cheaper models working in parallel — suggesting that scale and coordination were more important than having the latest model.
"A thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look," AISLE founder Stanislav Fort wrote in a blog post.
In comments to CNBC, Anthropic didn't dispute that earlier models were capable of finding software vulnerabilities.
In fact, a company spokesperson said, Anthropic has been warning for months that AI's cyber capabilities were advancing rapidly. They pointed to a February blog post showing that Claude Opus 4.6, a widely available model, found more than 500 "high severity" vulnerabilities in open-source software.
At the Anthropic event this week, Amodei affirmed this point, saying that while the scale of software vulnerabilities found by Mythos surged from earlier models, the trend wasn't new.
"The risks are very real. This is why we took the actions we did," Amodei said. "But they're also, in some sense, not that surprising. ... We've been seeing warnings of this for a while."
What makes Mythos different is its ability to take the next step, developing working exploits with little or no human input, effectively automating a process that previously required skilled researchers, the Anthropic spokesperson said.
But hackers working for criminal groups and adversarial nations already have this skill set, cyber researchers say. Hackers in North Korea, China and Russia "know how to do this, with or without Anthropic," Kloc said.
The threat of AI-enabled hacking has corporations and government regulators worried about protecting crucial systems from a new wave of ransomware and other types of attacks, according to Harris.
He described conversations with banks, insurers and regulators in recent weeks as "hysteria."
Even before the advent of generative AI, corporations faced the problem of skilled hackers exploiting newfound vulnerabilities in hours, while patching the code often takes days or weeks. Some patches require key systems to be taken offline, complicating matters.
"The industry is panicking about the number of vulnerabilities they face now," Harris said. "But even before Mythos is widely available, it couldn't fix vulnerabilities fast enough."
Before, only a tiny population of experts globally had the ability and time to find obscure vulnerabilities in software and exploit them, according to Harris. Now, using currently-available AI models, the barriers of entry to wreaking cyber havoc have been lowered.
That means that banks and other targets will see more attacks, and that software systems that previously didn't draw as much interest from cybercriminals will now face threats, Harris said.
While Anthropic, OpenAI and others are working on developing cyber defense capabilities commensurate with the problems they have identified, the initial advantage goes to offense, not defense, researchers say.
JPMorgan's Jamie Dimon suggested as much when he said last month that while AI tools could eventually help companies defend themselves from cyberattacks, they are first making them more vulnerable.
"You have a significant increase in the volume of vulnerabilities discovered, but they don't seem to have deployed a tool that helps you fix them," said Justin Herring, partner at the law firm Mayer Brown and former executive deputy superintendent for cybersecurity at New York's financial regulator.
"Vulnerability management is the great Sisyphean task of cybersecurity," Herring said.
The limited group that was part of the initial Mythos release got a head start on patching vulnerabilities, but there is a downside. AI researchers haven't been given access to Mythos to independently verify Anthropic's claims or to begin building defenses against it.
Some say it prevented the wider cyber community from being part of the solution.
It has created "tiers of haves and have-nots," which could stunt the pace of cybersecurity innovation, said Pavel Gurvich, CEO of cybersecurity startup Tenzai, which uses Anthropic's models.
Many cybersecurity startups are working on solutions that can help businesses in this new era of AI, he said.
"They're trying to figure out the best way to fix the world before this becomes accessible to the world," said Ben Seri, co-founder of cybersecurity startup Zafran Security. "It's this kind of chicken-and-egg situation, and you're going to break some eggs. It's unavoidable."
Four leading AI models discuss this article
"The weaponization of AI in software development is shifting the economic burden of security from the attacker to the enterprise, creating a permanent drag on software margins."
The 'Mythos' hype cycle is a masterclass in narrative engineering designed to front-run IPO valuations. By framing an existing capability—AI-assisted vulnerability discovery—as a 'new' existential threat, Anthropic and OpenAI are effectively forcing their enterprise clients (JPM, AAPL, AMZN) into a permanent state of high-spend, defensive dependency. The market is mispricing this as a net-positive for AI innovation, when in reality, it signals a massive expansion in 'technical debt' liabilities for the software sector. We aren't seeing a breakthrough in security; we are seeing the commoditization of exploits, which will inevitably compress margins for SaaS providers as they are forced to shift R&D budgets from feature development to constant, automated patching.
If the 'offense' is now automated, the 'defense' will inevitably follow via AI-native autonomous patching, potentially creating a self-healing software ecosystem that actually reduces long-term operational risk.
"AI vuln/exploit automation forces a cybersecurity spending surge, re-rating leaders like PANW to 40x+ fwd P/E as defense tools commoditize offense."
Mythos doesn't invent vuln-finding—existing models via orchestration already deliver—but its autonomous exploit generation at scale tips offense-defense balance sharply toward attackers, amplifying breach volume on banks/hospitals despite patching lags (days/weeks). Limited access (AAPL, AMZN, JPM, PANW) creates 'haves' patching early, widening inequality; expect cyber insurance spikes, defense budgets ballooning 20-30% YoY. OpenAI's GPT-5.5-Cyber counters, fueling AI-cyber rivalry ahead of IPOs. Near-term: more ransomware pain; long-term: cyber sector re-rates on arms-race demand.
Experts like Vidoc/AISLE prove Mythos results replicable cheaply today, so no step-change—hackers (NK/China/Russia) already elite, AI just lowers floor without flooding volume. Overhype risks stifling Anthropic/OpenAI IPOs via Trump-era regs.
"The threat isn't that Mythos introduced a new vulnerability-finding capability—it's that it democratized *exploit automation*, collapsing the skill floor for attackers while defense infrastructure remains structurally unable to patch faster than discovery accelerates."
The article's core claim—that Mythos hype is overblown because existing models already find vulnerabilities—conflates capability with *scale and automation*. Yes, Claude Opus 4.6 found 500 vulnerabilities; Mythos apparently found thousands with minimal human input and working exploits. That's a meaningful jump in *accessibility to non-experts*. The real risk isn't that nation-states suddenly gained a superpower—it's that the barrier to entry for mid-tier criminal groups just collapsed. The article also buries the asymmetry: defense lags offense by months to years. What matters isn't whether the threat is 'new' but whether patch velocity can match discovery velocity. It can't. The controlled rollout to Apple, Amazon, JPMorgan, Palo Alto actually *increases* systemic risk by creating information asymmetry and delaying defensive innovation across the ecosystem.
If Mythos truly enables unskilled actors to weaponize exploits at scale, the article's own sources (Kloc, Fort, Harris) would be understating the threat, not debunking it. The 'hysteria' framing could be media-driven minimization of a genuinely dangerous inflection point.
"AI-enabled vulnerability discovery is more likely to catalyze defense spending and faster remediation, creating durable demand for cybersecurity vendors rather than an immediate systemic breach spike."
While Mythos-like tools highlight AI’s power to surface software flaws at scale, the article’s portrayal risks confusing correlation with causation. The real economic signal is not a sudden wave of breaches, but the likely acceleration of defense budgets, faster patch cycles, and more security services adoption as firms codify AI-assisted risk management. The missing context includes time horizon, actual breach frequencies, and how much defenders’ new tools will narrow the run-up between vulnerability discovery and remediation. Regulatory scrutiny may shift from rhetoric to mandates, creating a durable demand overlay for security vendors even if the existential threat remains overstated today.
Strongest counter: Mythos could be a real, scalable capability. If attackers adopt these workflows broadly, the threat could materialize faster than defenses can keep up.
"The commoditization of high-end exploits will render traditional cyber insurance models obsolete, forcing a structural consolidation of the software industry."
Claude, you hit the critical point: the barrier to entry for mid-tier actors is the real economic catalyst. However, everyone is overlooking the 'insurance trap.' If Mythos-level automation makes breaches inevitable, cyber insurance premiums will become un-underwritable. We aren't just looking at a 20-30% budget hike; we are looking at a fundamental shift where cybersecurity becomes a non-insurable operational risk, forcing a massive, forced consolidation of legacy SaaS providers into secure 'walled garden' ecosystems.
"AI empowers cyber insurers to price Mythos risks profitably, creating a supercycle rather than an insurance trap."
Gemini, your 'insurance trap' assumes static underwriting, but cyber carriers (e.g., Beazley, AXA XL) are already integrating AI for dynamic risk modeling—Mythos accelerates this, enabling 30-50% premium hikes with contained loss ratios via predictive patching scores. Far from un-insurable, it ignites a supercycle for cyber insurance stocks, funneling $100B+ flows to PANW/CRWD while legacy SaaS crumbles.
"Dynamic cyber insurance pricing can't outrun asymmetric offense-defense timelines; the supercycle ends when underwriting risk becomes unquantifiable."
Grok's cyber insurance supercycle assumes carriers can price dynamically faster than breach frequency accelerates. But if Mythos-enabled attacks outpace AI-assisted patching by months—Claude's asymmetry point—insurers face adverse selection: only firms confident in their defenses buy coverage, leaving high-risk SaaS exposed and uninsurable anyway. Premiums spike, but underwriting collapses. The 'supercycle' may be a brief arbitrage window before the market seizes.
"Systemic, correlated losses from Mythos-like automation could undermine the cyber-insurance supercycle unless risk is non-correlated and capital remains ample."
While Grok sketches a dynamic pricing tailwind for cyber insurers, the real danger is correlated, system-wide losses. Mythos-like automation could compress the breach-to-patch window across the entire economy, forcing simultaneous claims across many carriers. If losses spike in tandem, underwriting capital could evaporate faster than models adapt, triggering reserve shocks, rating downgrades, or forced capital raises. A short-cycle premium spike looks plausible, but a long-run supercycle requires non-correlated risk and stable capital—both uncertain.
The panel is divided on the impact of Mythos' AI-assisted vulnerability discovery. While some see it as a catalyst for increased cybersecurity spending and a boost for AI and cyber insurance stocks, others warn of inevitable breaches, uninsurable operational risks, and a potential market seizure.
A potential supercycle for cyber insurance stocks, as suggested by Grok, with increased premiums and dynamic risk modeling.
Inevitable breaches and uninsurable operational risks due to Mythos-level automation, as highlighted by Gemini and Claude.