{"id":148806,"date":"2026-04-14T14:58:49","date_gmt":"2026-04-14T22:58:49","guid":{"rendered":"https:\/\/xira.com\/p\/2026\/04\/14\/what-lawyers-need-to-know-about-anthropics-mythos\/"},"modified":"2026-04-14T14:58:49","modified_gmt":"2026-04-14T22:58:49","slug":"what-lawyers-need-to-know-about-anthropics-mythos","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2026\/04\/14\/what-lawyers-need-to-know-about-anthropics-mythos\/","title":{"rendered":"What Lawyers Need To Know About Anthropic\u2019s Mythos"},"content":{"rendered":"<p>Anthropic\u2019s new AI model can find security vulnerabilities that survived 27 years of expert review. It broke out of its own sandbox and emailed a researcher who was eating a sandwich in a park. The Fed chairman and Treasury Secretary <a href=\"https:\/\/www.cnbc.com\/2026\/04\/10\/powell-bessent-us-bank-ceos-anthropic-mythos-ai-cyber.html\" rel=\"nofollow noopener\" target=\"_blank\">held an emergency meeting with bank CEOs<\/a> to discuss it. Axios described it as capable of \u201cbringing down a Fortune 100 company.\u201d<\/p>\n<p>At least one managing partner reading these stories suffered a small cardiac event, and forwarded them to the IT department with \u201cthoughts???\u201d in the subject line.<\/p>\n<p>Everyone needs to chill out. And then get more scared.<\/p>\n<p>Claude Mythos Preview is Anthropic\u2019s newest model, aiming to replace Opus 4.6 <a href=\"https:\/\/www.bbc.com\/news\/articles\/cpqeng9d20go\" rel=\"nofollow noopener\" target=\"_blank\">assuming Opus doesn\u2019t successfully blackmail the company into keeping it live<\/a>. 
According to Anthropic \u2014 a company actively litigating against the claim that it presents a threat to national security \u2014 the new model is arguably the greatest cybersecurity threat in history, and will not be released to the public until a select group of trusted enterprise partners (called <a href=\"https:\/\/www.anthropic.com\/glasswing\" rel=\"nofollow noopener\" target=\"_blank\">Project Glasswing<\/a>) can sort out the risks. If the Pentagon\u2019s supply chain designation was serious and not a bumbling attempt to strong-arm the company into giving the Defense Department even more Anthropic products, posturing as an apocalyptic technology would be a poor strategic maneuver. Thankfully, it\u2019s not.<\/p>\n<p>Anthropic is telling everyone that its new model is rapidly uncovering thousands of zero-day vulnerabilities \u2014 bugs nobody knew existed \u2014 across every major operating system and web browser. It found a decades-old flaw in OpenBSD, an operating system whose entire selling point is being unhackable. It chained together a bunch of low-severity Linux kernel bugs into a full-scale attack. On an exploit-writing benchmark where the prior model succeeded twice, Mythos succeeded 181 times.<\/p>\n<p>But we\u2019ve seen this ploy before.<\/p>\n<p>OpenAI told us all that GPT-5 was a frightening leap forward when it was\u2026 not that. It seems as though the big AI industry players constantly market their product as exceedingly dangerous, with the caveat that <em>their<\/em> version \u2014 despite being the most dangerous of all \u2014 is the only one we can trust. Other industries don\u2019t do this. 
Coke doesn\u2019t say, \u201cCola will kill your family, but if you have to drink it, just make sure it\u2019s not Pepsi.\u201d There will be marketing textbooks written about this curious moment in American business where every provider in an arguably trillion-dollar industry frames their product as the sensitive bad boy from a YA novel.<\/p>\n<p>Except Grok, which is framed as the creepy incel whose notebook is all anime porn and swastikas.<\/p>\n<p>Though make no mistake that it\u2019s mostly marketing. Within days of Anthropic\u2019s announcement, researchers at <a href=\"https:\/\/aisle.com\/blog\/ai-cybersecurity-after-mythos-the-jagged-frontier\" rel=\"nofollow noopener\" target=\"_blank\">AISLE<\/a>, an AI cybersecurity startup, took the specific vulnerabilities Anthropic showcased in its announcement, isolated the relevant code, and tested them against small, cheap models. All eight of the eight tested models detected the FreeBSD exploit that Mythos flagged. One of those models only had 3.6 billion parameters and cost 11 cents per million tokens. A 5.1-billion-parameter model recovered the core analysis of the 27-year-old OpenBSD bug. 
AI cybersecurity researcher Heidy Khlaaf, the chief AI scientist at the AI Now Institute, <a href=\"https:\/\/www.nbcnews.com\/tech\/security\/anthropic-project-glasswing-mythos-preview-claude-gets-limited-release-rcna267234\" rel=\"nofollow noopener\" target=\"_blank\">cautioned against taking Anthropic\u2019s claims at face value<\/a> without more detail on false positive rates and the role humans played in the process.<\/p>\n<p>Another way to put it is that Anthropic\u2019s marketing is a wee bit delusional:<\/p>\n<p>While tech experts may be dunking on Mythos for not presenting a uniquely powerful new threat, that\u2019s actually a much more terrifying proposition for law firms. The fact that cheaper models, available to anyone, can find these same problems means that the problem isn\u2019t waiting on Anthropic\u2019s release, it\u2019s <em>already here<\/em>.<\/p>\n<p>As Anthropic\u2019s red team acknowledged, they didn\u2019t train Mythos to be a hacker. It\u2019s what happens to people when they get better at coding, so why wouldn\u2019t it be what happens to a model trained to get better at coding? Getting better at writing code begets getting better at spotting exploits. And most of the models have been getting better at writing code. Mythos may be faster, but the capability isn\u2019t limited to this release. The genie left the bottle a while ago.<\/p>\n<p>Hackers with motivation and a few pennies per million tokens can crack almost anything. The cost and expertise required to find exploitable vulnerabilities has been collapsing across the entire AI ecosystem for over a year. We\u2019re screwed.<\/p>\n<p>The good news of the Mythos story is that while hackers can find soft spots, AI can also potentially discover them before it\u2019s too late. 
Everyone wants to talk about AI running down non-hallucinated precedent, when they should be interested in seeing if it can run down that gaping hole in your system.<\/p>\n<p>That said, Biglaw firms are still <a href=\"https:\/\/abovethelaw.com\/2026\/04\/jones-day-gets-hacked-while-fbi-busy-planning-kash-patels-next-vacation\/\" rel=\"nofollow noopener\" target=\"_blank\">falling for dumb phishing attacks<\/a> so maybe this isn\u2019t the wake-up call the industry needs yet.<\/p>\n<hr>\n<p><strong><em><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright  wp-image-443318\" src=\"https:\/\/i0.wp.com\/abovethelaw.com\/wp-content\/uploads\/2016\/11\/Headshot-300x200.jpg?resize=188%2C125&#038;ssl=1\" alt=\"Headshot\" width=\"188\" height=\"125\" title=\"\"><a href=\"http:\/\/abovethelaw.com\/author\/joe-patrice\/\" target=\"_blank\" rel=\"noopener nofollow\">Joe Patrice<\/a>\u00a0is a senior editor at Above the Law and co-host of <a href=\"http:\/\/legaltalknetwork.com\/podcasts\/thinking-like-a-lawyer\/\" target=\"_blank\" rel=\"noopener nofollow\">Thinking Like A Lawyer<\/a>. Feel free to\u00a0<a href=\"mailto:joepatrice@abovethelaw.com\">email<\/a> any tips, questions, or comments. Follow him on\u00a0<a href=\"https:\/\/twitter.com\/josephpatrice\" target=\"_blank\" rel=\"noopener nofollow\">Twitter<\/a>\u00a0or <a href=\"https:\/\/bsky.app\/profile\/joepatrice.bsky.social\" rel=\"noopener nofollow\" target=\"_blank\">Bluesky<\/a> if you\u2019re interested in law, politics, and a healthy dose of college sports news. 
Joe also serves as a <a href=\"https:\/\/www.rpnexecsearch.com\/josephpatrice\" target=\"_blank\" rel=\"noopener nofollow\">Managing Director at RPN Executive Search<\/a>.<\/em><\/strong><\/p>\n<p>The post <a href=\"https:\/\/abovethelaw.com\/2026\/04\/what-lawyers-need-to-know-about-anthropics-mythos\/\" rel=\"nofollow noopener\" target=\"_blank\">What Lawyers Need To Know About Anthropic\u2019s Mythos<\/a> appeared first on <a href=\"https:\/\/abovethelaw.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Above the Law<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Anthropic\u2019s new AI model can find security vulnerabilities that survived 27 years of expert review. It broke out of its own sandbox and emailed a researcher who was eating a sandwich in a park. The Fed chairman and Treasury Secretary held an emergency meeting with bank CEOs to discuss it. Axios described it as capable [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-148806","post","type-post","status-publish","format-standard","hentry","category-above_the_law"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/148806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=148806"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/148806\/revisions"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=148806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=148806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=148806"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}