In just a few years, Anthropic transformed from a safety-focused AI startup into one of the most consequential companies in cybersecurity. It’s in large part due to Mythos, its AI model that, according to reports, is capable of outstripping all but the most skilled humans at identifying and exploiting software vulnerabilities.
Anthropic initially gave about 50 companies and organizations access to Mythos, one of those being Microsoft—a company with an ignominious record of cybersecurity incidents and breaches. With Mythos’ ability to find vulnerabilities, create exploits, and breach systems in a matter of hours, it is one of the most significant developments in the history of computer security.
Described by Anthropic as “by far the most powerful AI model we’ve ever developed,” Mythos is a general-purpose large language model that doubles as a cybersecurity tool. Anthropic says Mythos can identify and exploit critical vulnerabilities across every major operating system and web browser—compressing what once took teams of expert researchers weeks or months into a matter of minutes, and surfacing long-buried flaws that have eluded detection for decades. The latter point is what is so concerning, in that Mythos can expose systems long assumed to be secure.
Mythos may have been the first model to achieve this level of performance, but it won’t be the last. Already, OpenAI’s GPT-5.5 has comparable levels of performance, and it is only a matter of time before widely-available open models–such as those produced by Chinese firms Alibaba and DeepSeek–are there too.
These developments led the White House to issue an executive order this week requiring federal agencies to create a process for AI developers to voluntarily submit certain advanced models to the government for evaluation prior to their public release.
But, aside from systems generally considered secure today, what does this mean for systems that have routinely proven to be insecure? This is where Microsoft comes into play.
Since 2003, Microsoft has published tens of thousands of seemingly never ending vulnerabilities discovered in its products on “Patch Tuesdays.” This year alone, Microsoft has already reported 477 vulnerabilities; investigative reporting has exposed major security concerns in Microsoft’s government cloud environment; and threat actors were caught impersonating SharePoint notifications to target executives across at least 20 industry verticals.
Microsoft promised almost exactly two years ago that security would be its top priority “above all else.” (This promise came in response to a 2023 attack by Chinese hackers that compromised senior U.S. government officials’ email accounts and was found to be the result of a “cascade of Microsoft’s avoidable errors.”)
Since then, around 400 organizations, including multiple U.S. federal and state agencies, fell victim to a Chinese cyberattack that exploited a known vulnerability in Microsoft’s SharePoint server software, and the Department of Veterans Affairs reported it was among those impacted by Russian state-sponsored hackers’ breach of Microsoft’s government cloud environment.
With this spotty security history as a backdrop, Microsoft now apparently has plans to incorporate Mythos directly into its Security Development Lifecycle to help identify vulnerabilities and develop fixes. There is no telling what Mythos will uncover–but it won’t be good. Microsoft’s cloud platform, Azure, is fundamentally built on the same core code and legacy technologies as Microsoft’s decades-old on-premises software. This is in contrast with the other major cloud players, like Amazon Web Services (AWS) and Google Cloud, which were architected from the ground up as cloud-native platforms, designed with modern security principles built in from day one. Microsoft’s approach effectively retrofits what should be advanced, more capable cloud technology onto insecure legacy code—rendering its cloud no more secure than the original on-premises software.
It’s nice to hope that Microsoft will get things right this time by leveraging Mythos’ considerable capabilities in its own products, providing at least a modicum of protection against rising AI security threats. The actual outcome, however, may end up being more like the Greek meaning of “mythos” itself – a fairytale.
