What Claude Mythos Actually Did to AISI's Network Simulation (and What It Didn't)

The UK AI Security Institute ran Claude Mythos Preview through "The Last Ones," a 32-step corporate network attack simulation. It was the first AI model to complete it. Read the caveats carefully: they're real. Then keep reading, because they don't make the result unremarkable.

Last week the UK AI Security Institute published its evaluation of Claude Mythos Preview, and it got a lot of breathless coverage. That coverage got some things right and glossed over some important details.

The concrete result: Mythos became the first AI model to complete AISI's "The Last Ones" (TLO) cyber range, a 32-step simulation spanning initial network reconnaissance through to full corporate network takeover. AISI estimates it takes a human expert around 20 hours. Mythos completed it in 3 of 10 attempts and averaged 22 of the 32 steps across all runs. Claude Opus 4.6, the next-best model, averaged 16 steps and never reached the final milestone. On expert-level capture-the-flag tasks, which no model could pass before April 2025, Mythos scored 73%.

That's the news. Now let's talk about what the researchers actually said about it, because this is where most of the coverage went wrong.

Mythos had a running start

AISI was unusually direct in stating that their test environment had no active defenders, no endpoint detection, and no penalty for triggering security alerts. Mythos was given initial network access, meaning that the simulation measured what happens after a threat is already inside, not how an attacker gets in.

The researchers' conclusion was specific:

Mythos Preview's success on one cyber range indicates that it is at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained.

"Small, weakly defended, vulnerable, and already breached" is the actual result. That's meaningfully different from "Mythos can autonomously pwn your organization." The researchers said explicitly they cannot say whether Mythos would be able to attack well-defended systems. That caveat is real, not boilerplate.

So here's the question worth sitting with: how many organizations in the actual threat landscape fit that description?

What constitutes "well-defended"

The instinct when reading "weakly defended systems" is to assume the description applies to someone else. It's worth being concrete about what "well-defended" actually requires in practice, because a lot of organizations think they're closer to it than they are.

Well-defended means active defenders: someone watching alerts in something approaching real time, not a weekly review of a dashboard nobody checks. It means EDR deployed and actually tuned, not installed and forgotten. It means logging comprehensive enough to surface lateral movement (cough) across hosts, not just perimeter events. Well-defended means MFA everywhere, not just on email. It means patching discipline measured in days for critical CVEs, not the "we'll get to it in the next sprint (or the next one)" cadence that most organizations actually run. And it means intentional network segmentation that contains blast radius once access is gained, rather than a flat network where a foothold in the dev environment is a foothold in production.

Most Series A and Series B SaaS companies don't have all of this, nor do most SMBs. A significant number of mid-market organizations with small security teams don't either. The gap between "we have a SOC 2 in progress" and "we have active defenders and mature EDR" is large, and a lot of organizations are somewhere in the middle of it.

The initial access problem isn't as big a hill to climb as it sounds. It's 2026 and phishing still works. Credential stuffing against systems without MFA still works. Misconfigured S3 buckets, exposed RDP, leaked API keys in public repos: the list marches on into the distance. The AISI range started with network access already granted, but getting that initial foothold in a real organization is not the hard part of the attack. What Mythos changes is what happens next. The 32-step chain that required a skilled human operator willing to spend 20 patient hours on a single, well-known target can now run autonomously, at whatever scale the compute budget permits.

That's the reframe that actually matters: not "can Mythos breach a hardened enterprise" (AISI explicitly said they can't answer that), but "can Mythos systematically work through every lightly-monitored, under-patched, credential-reusing organization in a target list without getting bored." The answer to that question is a resounding "Yes - at a cost."

The part nobody wants to say out loud

Anthropic's response to Mythos was to keep it out of general release and funnel it through Project Glasswing - a controlled program giving roughly 50 organizations, including AWS, Microsoft, Apple, Cisco, CrowdStrike, and JPMorganChase, early access for defensive security work, backed by up to $100 million in usage credits. The pitch is that defenders get a head start, but the assumption is that once they see what Mythos can do, they'll be compelled to onboard it long-term.

It's worth being precise about who that head start goes to. The Project Glasswing partners are among the most sophisticated, best-resourced security organizations in the world. They're also already running active defenders, comprehensive EDR, and mature logging - the exact controls that make the TLO result less applicable to them. The organizations most exposed to the "weakly defended" risk profile are not in Project Glasswing, and will only get their hands on technology like it at the same time as attackers do.

That's not a criticism of the decision. Controlled release for defensive purposes is more responsible than general release. Anthropic using Mythos to find and fix thousands of zero-days in widely deployed software - including a much-reported 27-year-old bug in OpenBSD - is genuinely useful for everyone once those patches ship. The decision makes sense.

But here's the problem AISI flagged in one sentence that deserves a lot more attention than it's getting:

It is likely that more models with these capabilities will be developed.

AISI's own tracking shows a new frontier cyber-capable model has shipped roughly once a month since August 2025. Project Glasswing gives the world's best-resourced defenders a few weeks of advantage on a capability that will be widely available - including to people not running it for defensive purposes - within months. The window of asymmetry runs in the wrong direction: the organizations that most need this capability to find their own vulnerabilities are the last ones to get it, and they'll receive it at roughly the same time as the attackers targeting them.

That's a structural problem with no clean solution. Restricting frontier models to controlled programs buys time but not parity. The smaller software vendors, the lightly-resourced security teams, the organizations that are three controls short of "well-defended" - they don't get a Glasswing. They get the capability when it's generally available, which is the same moment the threat actors targeting them get it too. It's a bloodbath in the making.

What to actually do with this

AISI's practical recommendation is cybersecurity basics - patching, access controls, hardened configuration, comprehensive logging - with a pointer to the NCSC Cyber Essentials scheme. This is the right answer, but it's the answer organizations have been hearing for a decade without acting on it.

The three conditions that made TLO work aren't abstract evaluation design choices. They map directly to gaps you can check for in your own environment.

"No active defenders in the simulation" sounds like kid gloves, but it also sounds a lot like "Our SOC has gaps overnight and on some weekends." If your coverage model assumes human attackers who eat and sleep, you're not calibrated for autonomous multi-step lateral movement that operates at the speed of lobsters.

"No penalty for triggering alerts" could look like incomplete log coverage, or detection thresholds raised so far in the name of noise reduction that the activity never surfaces to a human.

In the simulation Mythos could trip every wire in the range without consequence. What about in your environment? Are you able to ingest alerts on lateral movement between hosts, and not just perimeter events? Is your logging comprehensive enough to surface it?
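One way to turn the lateral-movement question above (and the "logging comprehensive enough to surface lateral movement" point from the well-defended list) into a concrete check. This is an added example, not code from AISI, Anthropic or the post: it runs a fan-out heuristic over a handful of constructed host-to-host logon events and flags any identity that authenticated to several distinct internal hosts inside a short window, then notes whether the first hit landed outside staffed hours. The log schema (timestamp, user, source host, destination host, outcome), the 15-minute window, the 3-host threshold and the 08:00-18:00 weekday staffing window are all assumptions chosen for illustration; map them to your own telemetry.

```python
"""
Added example (not from the AISI report or the blog post): a minimal
lateral-movement fan-out heuristic over constructed logon events.
It shows the difference between "we log perimeter events" and
"we can surface one identity spreading across internal hosts".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field layout is an assumption modelled loosely
# on network logons (think Windows 4624 / logon type 3); adjust to your schema.
# Columns: timestamp, user, source host, destination host, outcome
SAMPLE_EVENTS = [
    # A service account touching four hosts in five minutes, at 2 a.m.
    ("2026-04-20T02:01:10", "svc-backup", "ws-017", "fs-01", "success"),
    ("2026-04-20T02:03:42", "svc-backup", "ws-017", "db-02", "success"),
    ("2026-04-20T02:05:05", "svc-backup", "ws-017", "app-03", "success"),
    ("2026-04-20T02:06:30", "svc-backup", "ws-017", "dc-01", "success"),
    ("2026-04-20T02:07:12", "svc-backup", "ws-017", "jump-01", "failure"),
    # Ordinary daytime activity: one user, two hosts, spread over hours.
    ("2026-04-20T09:00:00", "alice", "ws-101", "fs-01", "success"),
    ("2026-04-20T13:30:00", "alice", "ws-101", "app-03", "success"),
    ("2026-04-20T17:15:00", "alice", "ws-101", "fs-01", "success"),
]


def parse_event(row):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, user, src, dst, outcome = row
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "outcome": outcome}


def load_sample():
    """Parsed copy of the constructed sample, in time order."""
    return sorted((parse_event(r) for r in SAMPLE_EVENTS), key=lambda e: e["ts"])


def lateral_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Return {user: sorted distinct destination hosts} for each user whose
    successful logons reached at least `min_hosts` distinct hosts within any
    sliding `window`. Failures are left out here; count those separately."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "success":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        best, start = set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings[user] = sorted(best)
    return findings


def unstaffed(ts, staffed_hours=range(8, 18)):
    """True when nobody is watching the queue. The weekday 08:00-18:00
    window is a constructed assumption; use your real SOC roster."""
    return ts.weekday() >= 5 or ts.hour not in staffed_hours


def triage(events):
    """Combine the two checks: who fanned out, and would anyone have seen it."""
    report = []
    for user, hosts in lateral_fanout(events).items():
        first = min(e["ts"] for e in events
                    if e["user"] == user and e["outcome"] == "success"
                    and e["dst"] in hosts)
        report.append({"user": user, "hosts": hosts, "first_seen": first,
                       "outside_staffed_hours": unstaffed(first)})
    return report


if __name__ == "__main__":
    for finding in triage(load_sample()):
        print(f"{finding['user']}: {len(finding['hosts'])} hosts "
              f"({', '.join(finding['hosts'])}) starting {finding['first_seen']}; "
              f"outside staffed hours: {finding['outside_staffed_hours']}")
```

The point of the exercise is less the heuristic itself than what feeding it your own data reveals: if the only source you can point it at is a firewall or VPN log, the `src`/`dst` columns will never contain two internal hosts, and the check is answered before it runs. Tune the window and threshold against a week of normal activity before trusting the alert, and treat the staffing check as a prompt to look at your actual on-call coverage rather than a detection in its own right.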

AISI gave Mythos a foothold by providing initial network access. But initial access in a real organization is not the hard part. The question isn't whether Mythos could get in on its own; it's what happens after it does, after it discovers a similar lack of layered defenses and a high-trust model that's no longer suited to the realities of today's threat model.

For now, the TLO result is more bounded than the headlines suggested, and still concrete enough to be useful - if you read the caveats as a checklist rather than a disclaimer.