COMMENTARY: For the past few months, rumors have circulated about a significantly more cybersecurity-capable model from Anthropic, code-named Capybara.On April 7, Anthropic officially released the model, now called Claude Mythos Preview, alongside a system card, an accompanying blog post unpacking its findings, and an initiative consisting of about 40 early-adopter organizations called Project Glasswing.
Here are the top takeaways:Project Glasswing represents Anthropic’s approach to offering access to Claude Mythos to a limited number of companies to give the “good guys” an initial leg up. The participants in Glasswing run or supply much of what we could view as “critical infrastructure.” While some cybersecurity companies are included in the project, it’s their large footprint and the potential of their products being hacked that’s the primary reason for their inclusion.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]A CTO’s perspectiveClaude Mythos represents a watershed moment for the entire software industry. Largescale, AI-driven vulnerability discovery and exploitation are no longer theoretical – they are imminent.Anthropic’s decision to limit access creates a temporary window for defenders. But the underlying capability consists of advances in code understanding and generation, an area where competitive pressure has been intense. Other AI labs will inevitably reach similar levels of performance. When they do, these capabilities will proliferate.While the long-term trajectory points toward more secure software, we’re looking at near-term turbulence. Organizations should assume that much of the software they depend on could become vulnerable faster than their teams can patch. Security pros must respond not with a single control, but multiple perspectives across the environment:Each has limitations. EDR cannot protect what it cannot see, including network infrastructure, IoT, and OT. Logs offer valuable context, particularly for identity, but lack deep visibility into endpoint and network activity.However, NDR observes traffic across critical network boundaries, effectively covering all assets, including infrastructure that other tools miss. Because it operates passively, it’s also significantly harder to detect and subvert.In a world where compromise becomes easier and faster, the ability to observe broadly, correlate quickly, and act decisively will define resilience.What this means for security Network infrastructure will remain a prime target. As a result, NDR will become increasingly critical, particularly in environments where EDR and SIEM lack visibility, such as IoT and OT systems.Security vendors that maintain the integrity of their own infrastructure will benefit in both the short- and long-term. In the near-term, we’ll see our customers better positioned to withstand disruption. Over time, these platforms will become trusted sources of truth in increasingly noisy environments.Detection strategies will also shift. Behavioral detection will outperform signature-based approaches, as software changes more rapidly and exploits become more ephemeral. Systems that rely heavily on static signatures will struggle to keep pace.Network security devices which don’t become compromised will thrive both in the short-term (their customers will survive the chaos) and the long-term (they will represent an invaluable and unimpeachable source of truth).More than ever, behavioral detection will have much more value than signatures. Software will change too rapidly and new vulnerabilities and exploits will get created too quickly and have too short a shelflife for systems that primarily rely on signatures to thrive.The foreseeable futureIt’s unrealistic to think that teams can analyze, patch, and redeploy vulnerable software quickly. Mythos reportedly identified a vulnerability in OpenBSD that persisted for 27 years. Anyone who has attempted to upgrade even a three-year-old operating system or enterprise application understands the operational drag involved. Move too quickly and risk instability; move too slowly and invite compromise.In the near-term, organizations will attempt to shield unpatchable systems—particularly in OT environments and legacy applications—by surrounding them with hardened defensive layers. This “crunchy exterior, soft interior” model may reduce direct exposure, but it’s expensive and operationally complex.Meanwhile, attackers will continue to exploit non-software vectors: social engineering, credential theft, misconfigurations, and overly permissive access controls. A new and poorly understood attack surface will also emerge from the rapid deployment of AI agents.Over a longer horizon – roughly four to seven years – software security will likely stabilize. New software will offer significantly more resilience, and easy-to-exploit vulnerabilities will become rarer. But attackers will shift focus rather than disappear. Other attack surfaces—and entirely new ones—will persist.Oliver Tavakoli, chief technology officer, Vectra AISC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Here are the top takeaways:
- Mythos Preview demonstrates a step-function improvement over Claude Opus 4.6 in identifying software vulnerabilities and generating working exploits.
- While humans could discover many of these vulnerabilities given sufficient time and resources, a meaningful subset are complex and obscure enough to be practically discoverable only via AI.
- The vulnerabilities identified, and the exploits generated, span every major operating system, all mainstream browsers, and a wide range of open-source software.
- Notably, Anthropic has chosen not to make Claude Mythos Preview broadly available, citing the potentially catastrophic consequences of placing such capabilities in the hands of bad actors. At the same time, the company acknowledges that other frontier models will likely reach similar levels of offensive capability, making containment a temporary measure at best.
- Endpoint: Via an agent such as endpoint detection and response (EDR).
- Logs: They cover identity, use of key services, and activity in the control and management planes.
- Network: Via a series of network sensors leading to network detection and response (NDR).




