Mythos AI and what it means for insurers

28 April 2026
Azraa Daud

When the Guardian asked 'What is Mythos AI and why could it be a threat to global cybersecurity?', the most important detail wasn’t the model’s name or its maker; it was Anthropic’s decision not to release Mythos publicly because it believes the model can be prompted to discover and potentially help exploit unknown software flaws ('zero-days') across widely used systems.

In other words: Mythos points toward a future where high-end vulnerability research is no longer a scarce human craft, but a scalable, repeatable capability. That is the kind of shift that can turn cyber from 'many independent losses' into an accumulation peril.

What Mythos is and why the capability is different

Mythos is a frontier AI model revealed on 7 April 2026 by Anthropic. Anthropic says it will keep the model gated because of the cyber misuse risk. Anthropic’s own description is blunt: in recent testing Mythos Preview helped identify thousands of high-severity zero-days, including in "every major operating system and every major web browser."

To manage the risk, Anthropic created Project Glasswing (announced in early April 2026) to provide controlled access to a set of major infrastructure and security partners, effectively trying to pull forward patching and hardening before Mythos-class capabilities proliferate. TechCrunch reported that the model is being deployed by a small group of partners specifically for defensive vulnerability discovery and remediation rather than general use.

Why experts think it could raise global cyber risk

The UK’s AI Security Institute (AISI) independently evaluated Claude Mythos Preview and concluded that it represents a meaningful step up, especially on multi-step attack simulations where real-world intrusions live or die. AISI reports Mythos succeeds 73% of the time on expert-level capture-the-flag tasks and is the first model to fully complete 'The Last Ones', a 32-step simulated corporate network attack (finishing end-to-end in 3 of 10 attempts, averaging 22/32 steps overall). This is significant because it suggests AI is beginning to chain reconnaissance, privilege escalation, lateral movement, and takeover steps. Anthropic has confirmed that it is investigating reports that a 'handful' of users have already gained unauthorised access via a private online forum.

What are the implications for insurers?

1) Correlated losses through common-mode software failure

Cyber insurance struggles when many insureds are hit at. Mythos-class vulnerability discovery could compress the time between a bug being discovered and the bug being exploited, shrinking the practical window for patching and detection. If a single zero-day issue is exploited, this could lead to a large portfolio-wide exposure.

This is a known insurability constraint: the Geneva Association’s work on cyber risk accumulation highlights how extreme cyber incidents can strike large segments of the economy simultaneously, challenging traditional actuarial approaches and limiting capacity. Mythos makes that scenario less theoretical.

2) Higher claims pressure in a market already seeing severity rise

Even before Mythos, insurance claims trends were moving the wrong way. UK industry data compiled by the Association of British Insurers (ABI) shows insurers paid £197m in cyber claims for 2024, up 230% from 2023, with malware and ransomware representing 51% of claims (up from 32% the year before). If AI increases attacker speed and sophistication, the frequency and severity mix that drove those numbers may deteriorate further - especially for business interruption and incident response costs, which inflate rapidly once an attacker moves laterally.

3) Policy wording, systemic-event controls, and reinsurance friction

As the risk of systemic exposure rises, insurers typically respond with tighter language and more explicit guardrails: higher retentions, stricter security conditions, sub-limits for widespread events, and harder reinsurance terms.

Contact

Azraa Daud

Paralegal

azraa.daud@brownejacobson.com

+44 (0)330 045 1180


Tim Johnson

Partner

tim.johnson@brownejacobson.com

+44 (0)115 976 6557
