The National Cyber Security Centre (NCSC) is advising organisations to expect accelerated cybersecurity vulnerability disclosures over the coming months, as Anthropic’s new Mythos Preview cybersecurity model is applied at scale.

This may place additional pressure on patch management processes, particularly for organisations running legacy systems or end-of-life software where remediation options may be limited.

The Claude Mythos Preview is a general-purpose, unreleased frontier model that can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

Mythos has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.

The model is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser, when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are 10 or 20 years old. The oldest that has been identified by the model to date a now-patched 27-year-old bug in OpenBSD, an operating system known primarily for its security.

The model has not been released to the general public. It is currently available only to a restricted consortium of major technology companies under Anthropic’s Project Glasswing initiative, which is focused exclusively on defensive security work.

Project Glasswing brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. 

Access has also been granted to a group of over 40 additional organisations that build or maintain critical software infrastructure so they can use the model to scan and secure both first-party and open-source systems.

Anthropic is committing up to $100 million in usage credits for Mythos Preview across these efforts, as well as $4 million in direct donations to open-source security organisations.

In a statement, the NCSC said it has reviewed the published technical material and “the capabilities described by Anthropic appear to represent a significant change in the way hardware and software vulnerabilities are identified and patched”. 

“These new capabilities are in the hands of major technology vendors who are using them to identify and patch vulnerabilities in the hardware and software that underpins critical infrastructure worldwide,” according to the statement.

“Organisations should expect accelerated vulnerability disclosure over coming months as these tools are applied at scale. This may place additional pressure on patch management processes, particularly for organisations running legacy systems or end-of-life software where remediation options may be limited. Now is the time to review asset inventories, prioritise patching discipline, and assess exposure to unsupported components,” the NCSC said.

The NCSC also supported Anthropic’s decision to restrict the release of the model and to work collaboratively with industry partners. 

“The NCSC would encourage all frontier AI developers to adopt similar practices, widening the availability to trusted global industry and government cybersecurity partners,” according to the statement. “Potentially dangerous capabilities should not be released without putting in place appropriate safeguards, coordinated disclosure arrangements, and meaningful engagement with the security community, including national Cyber Security Incident Response Teams.”

“The NCSC continues to monitor developments in AI-enabled cyber capabilities, coordinating with our international partners, and will update national guidance as the situation evolves. Organisations should continue to implement the Cyber Fundamentals (CyFun) framework, maintain robust vulnerability management, and engage with NCSC advisories as they are published.”