Anthropic’s Claude Mythos preview sparked a wave of alarm in security circles, promising fully automated zero‑day hunting. The model and its hard‑lined sibling, Fable 5, were released then quickly withdrawn, leaving analysts to measure real impact. Early testers reported hundreds of vulnerabilities, including a decades‑old OpenBSD bug, but the hype eclipsed practical relevance. Regulators responded with calls for pauses, reinforcing a pattern of fear‑driven discourse.

The AI Security Institute’s UK‑government review found Mythos the first model to complete “The Last One” cyber‑range, simulating a full attack chain. Yet benchmarks show only incremental gains over GPT‑5.4 and Opus 4.6, whose own cyber‑range scores remain far from real‑world SOC environments. Crucially, models lack built‑in defenders and incur no penalties for triggering alerts, making noisy reconnaissance common.

Anthropic’s red‑team disclosed that extracting the OpenBSD bug required roughly a thousand runs and $20,000 in token spend, while the broader Glasswing project carries a hundred‑million‑dollar budget. The U.S. government now blocks Mythos and Fable for non‑US users, forcing Anthropic to suspend the service. Meanwhile OpenAI rolls out GPT‑5.5‑Cyber and “Daybreak” projects aimed at defense, keeping advanced AI tools out of most enterprises’ reach.