Mythos AI Tests Cut Through Cybersecurity Hype as EU Regulators Miss Anthropic

Mythos Preview completed a Capture‑the‑Flag infiltration that chained low‑level exploits into a full breach, AISI reported. The test required the model to locate a vulnerable service, craft a payload, bypass authentication and exfiltrate data – tasks that earlier frontier models could only handle in isolation, according to Ars Technica.

Anthropic’s own brief said the model “outperforms most humans” on vulnerability discovery, but AISI’s independent evaluation found Mythos only marginally better than other recent large language models on single‑step tasks. Its edge, the institute noted, lies in stitching those steps together without human prompting, a capability not demonstrated by GPT‑4 or Claude 3 in the same challenge.

The UK AI Security Institute’s findings arrive as European regulators scramble for oversight. Politico reported that eight national cyber agencies were largely excluded from Anthropic’s rollout, with only Germany having any dialogue and no hands‑on testing yet. The EU’s fragmented response contrasts sharply with Britain’s direct access, confirmed by AI minister Kanishka Narayan.

Anthropic limited Mythos to 12 U.S. tech giants and roughly 40 other partners, citing “ongoing discussions with U.S. government officials,” Politico noted. The company said the restriction is meant to give partners time to patch systems before broader exposure, but the lack of coordinated European input raises concerns about a potential “super‑hacking” tool operating outside continental safeguards.

AISI’s report underscores the urgency of cross‑border collaboration. While Mythos can automate multi‑step attacks, the institute cautioned that the model is not a magic bullet for defenders; it still requires a vulnerable target and proper configuration. The British test shows the technology is real, but without EU‑wide scrutiny, policymakers risk lagging behind a tool that could amplify cyber threats across the region.