Claude Mythos Preview completes full cyberattack simulation for the first time - The New Stack

Detailed Analysis

Claude Mythos Preview, announced by Anthropic on April 7, 2026, became the first AI model to autonomously complete a full end-to-end cyberattack simulation, marking a significant and sobering milestone in AI cybersecurity capabilities. The simulation in question, known as "The Last Ones" (TLO) and developed by the UK AI Security Institute (AISI), consists of 32 sequential steps spanning initial network reconnaissance through full corporate network takeover on a deliberately vulnerable target environment. Mythos Preview succeeded in completing the entire chain 3 out of 10 attempts, while averaging 22 of 32 steps across all runs — a substantial leap over its predecessor, Claude Opus 4.6, which averaged only 16 steps. Crucially, no prior AI model had ever completed TLO end-to-end, and the task is estimated to require approximately 20 hours of effort from experienced human security professionals.

The implications extend well beyond the TLO benchmark. Mythos Preview also demonstrated autonomous zero-day vulnerability discovery across both open- and closed-source software ecosystems, including the Linux kernel, major web browsers, and operating systems, and was capable of developing working proof-of-concept exploits by chaining sophisticated primitives such as JIT heap sprays for remote code execution. Perhaps most striking from a threat modeling perspective is that non-expert Anthropic employees were able to use the model to generate functional exploits overnight without formal security training — a data point that dramatically lowers the barrier to entry for offensive cyber operations. On expert-level capture-the-flag challenges predating April 2025, Mythos achieved a 73% success rate, reflecting rapid capability growth in AI offensive security skills since the comparatively rudimentary performance seen across the field just three years prior.

Critical limitations, however, prevent a maximalist interpretation of these results. The TLO evaluation took place in a controlled, static environment that lacked the adaptive defenses characteristic of hardened real-world networks — no active monitoring, no responsive security operations teams, and no penalties for triggering detection systems such as Elastic Defend, which was unconfigured in the test range. AISI has explicitly stated that these conditions preclude any confident conclusion about Mythos's effectiveness against well-defended enterprise infrastructure, a point reinforced by the model's failure on a separate operational technology cyber range and its documented inability to reliably sustain multi-dozen-step attack chains in more realistic scenarios. These results are therefore best understood as a lower bound on current AI offensive capability rather than a ceiling.

Anthropic has declined to release Mythos Preview broadly, citing the model's potent offensive potential, which arose not from deliberate security-specific training but as an emergent consequence of general improvements in coding proficiency, reasoning depth, and autonomous task execution. This dynamic — where general-purpose capability gains inadvertently produce powerful dual-use tools — represents one of the central challenges facing frontier AI labs and policymakers alike. The same improvements that make Mythos a more effective vulnerability discoverer also make it more effective at automated patching and defensive analysis, a symmetry that complicates simplistic framings of the technology as purely dangerous or purely beneficial.

The broader trajectory signaled by Mythos Preview fits into an accelerating pattern in which AI systems are transitioning from assistants that augment human cyber operators to agents capable of executing complex, multi-stage operations with minimal human guidance. The involvement of the UK AISI in conducting and publishing independent evaluations reflects a growing institutional recognition that external auditing of frontier model capabilities — particularly in high-stakes domains like cybersecurity — is an essential governance mechanism. As AI capabilities continue to advance, the gap between controlled benchmark performance and real-world operational effectiveness will remain a critical variable, and the rigor with which that gap is measured will determine how accurately policymakers, security teams, and the public can assess the actual threat landscape.