
Mythos and GPT-Cyber Reshape Cybersecurity Defense Strategy

By Artūras Malašauskas, May 15, 2026
Anthropic's Mythos and OpenAI's GPT-Cyber models can autonomously find and exploit zero-day vulnerabilities, forcing organizations to accelerate patch cycles and rethink vulnerability management.

Landmark announcements from Anthropic and OpenAI in April 2026 have fundamentally altered how defenders must approach cybersecurity, vulnerability management, and threat detection. The release of frontier AI models capable of autonomously discovering and exploiting software vulnerabilities has created what some experts are calling a "vulnpocalypse."

In April 2026, Anthropic detailed Mythos Preview, a frontier large language model equipped to find and fix cybersecurity vulnerabilities at scale. Upon launch, the company stated that Mythos had already identified thousands of previously undiscovered zero-days. Just days later, OpenAI unveiled GPT-5.4-Cyber, an updated variant of their GPT-5.4 model fine-tuned specifically for cybersecurity problems. The company has since released an updated version, GPT-5.5-Cyber.

Both companies have restricted their cybersecurity frontier models to limited audiences of approved partners. Mythos Preview is only available to participants of Anthropic's Project Glasswing. Confirmed participants include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

Meanwhile, OpenAI has limited use of GPT-Cyber to members of its Trusted Access for Cyber (TAC) program. This scheme is based around individual cyber defenders, who must be verified and vetted by OpenAI to gain access. Both companies believe their tools represent the future of cybersecurity, but both have been reluctant to publicly release their models.

According to Anthropic's official blog post, Mythos Preview is capable of identifying and exploiting zero-day vulnerabilities in every major operating system and web browser when directed. The vulnerabilities it finds are often subtle or difficult to detect. Many are ten or twenty years old, with the oldest found being a now-patched 27-year-old bug in OpenBSD.

The exploits it constructs are not just run-of-the-mill stack-smashing exploits. In one case, Mythos Preview wrote a web browser exploit that chained together four vulnerabilities, writing a complex JIT heap spray that escaped both renderer and OS sandboxes. It autonomously obtained local privilege escalation exploits on Linux and other operating systems by exploiting subtle race conditions and KASLR bypasses.

Non-experts can also leverage Mythos Preview to find and exploit sophisticated vulnerabilities. Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit. These capabilities have emerged very quickly (a problem that has plagued users for years, frankly).

One core consideration is how these AI tools could be exploited in the wrong hands. Cybercriminals and threat actors are already using AI tools to develop sophisticated phishing campaigns, write malicious code, and deploy automated attacks. The same hackers could quickly find ways to abuse these new frontier AI models for their own gain.

Frontier AI models like Mythos and GPT-Cyber are likely to surface a potentially overwhelming number of security vulnerabilities. Experts in cybersecurity management have warned that this impending surge will be abused by cybercriminals. The public disclosure of a security vulnerability, plus the resulting security update to patch it, is designed to help users keep their systems safe from attackers who could actively exploit the vulnerability.

This is also potentially a double-edged sword: when publicly disclosed, a vulnerability becomes known to all potential attackers and some will rush to abuse it before organizations have patched it. Ideally, security teams would apply the most critical security updates within hours. In reality, it can sometimes take months for organizations to apply even critical patches.

This has led to fears that organizations could be overwhelmed by frontier AI models uncovering vast swaths of vulnerabilities, which require a surge in security patches. The UK's National Cyber Security Centre (NCSC) has warned businesses that they should start planning now for the anticipated spike in security updates. Those responsible for vulnerability management, corporate cybersecurity, and IT teams will be forced to significantly accelerate their patch cycles.

"Cybersecurity teams are going to be under a lot of pressure, for sure. But this is not that different to how they have to adjust and adapt to threats every single day," said Katie Moussouris, founder and CEO of Luta Security, a vulnerability disclosure and bug bounty program management company. "You will not be able to patch everything in as timely a fashion as you'd like, but it's not an achievable goal and it wasn't before all this," she told Infosecurity Magazine.

Patching all software vulnerabilities has always been a difficult task. Doing so in a post-Mythos and GPT-Cyber future will be even harder. That doesn't mean the war is lost. But it does mean that cybersecurity teams will need to think harder about what battles they pick when it comes to applying security updates.

This risk is heightened by the shift away from predictable monthly or quarterly patch cycles toward more frequent updates issued in response to newly discovered CVEs, a pace and pattern of remediation that many security teams are not used to managing. "The real problem isn't that Mythos exists, it's that your defensive deployment process was designed for quarterly software releases. The way patches will be updated now won't be a quarterly or monthly thing, it's going to be a process of continual updates," said Rob T. Lee, Chief AI Officer and Chief of Research at SANS Institute.

It is vital therefore for cybersecurity teams to understand what the infrastructure of their network looks like, what software is deployed, and what assets are connected to the network. Only with a full picture of what their own landscape looks like can they plan for what software and applications should be the key priorities for updates. For instance, a critical bug in a widely used operating system should be prioritized over a specialist application used by three people.

This matters all the more because the window for patching critical vulnerabilities before they are exploited is shrinking, as attackers use AI to help identify and exploit vulnerabilities at rapid speed. "The time to exploit has also reduced from what used to be months down to less than 24 hours. So, the threat of this is quite extreme because if you find a vulnerability and you discover it and it becomes public, it can be exploited much faster than you were able to deploy a patch," said Lee.

The speed of patch deployment will become a critical problem for security management. If left unaddressed, security teams risk becoming overwhelmed by the need to apply updates for vulnerabilities uncovered by AI. "We need to prepare ourselves for a very difficult one to two years in terms of catastrophic vulnerability discovery," the analysis continues.

According to Cybersecurity Dive, Palo Alto Networks released its first set of Patch Wednesday security advisories and disclosed 26 common vulnerabilities and exposures, compared to its usual volume of about five. Lee Klarich, chief product and technology officer at Palo Alto Networks, cautioned that simply running one of the models would not automatically resolve the vulnerability problem.

Organizations need to build "AI scanning harnesses, leverage context, guardrails and threat intelligence" to successfully find and remediate these flaws at scale. Security teams should also develop a "multimodal approach" in order to identify a superset of vulnerabilities. The longer-term play would be to incorporate these models further into the software development life cycle.

Research from Forescout's Vedere Labs found that just a year ago 55% of AI models failed basic vulnerability research and 93% failed exploit development tasks. Progress has been made, and in 2026 the cybersecurity firm said all tested models complete vulnerability research tasks, and half can generate working exploits autonomously. The most capable models Forescout tested can now find and exploit vulnerabilities without complex prompts, making them accessible to inexperienced attackers.

Whether organizations can actually keep pace with this acceleration remains the real question. Security teams will need to prioritize ruthlessly, accept that not everything can be patched immediately, and build systems that can withstand exploitation attempts. The days of quarterly patch cycles are over. The new reality is continuous vulnerability discovery and continuous remediation. Whether users actually pay for it remains the real question.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference, no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt