When AI Becomes the Attacker: Claude Mythos and the End of Implicit Trust

Claude Mythos represents a fundamental acceleration in how attacks are executed, but it does not change what makes them successful: excessive access, unnecessary visibility, and unrestricted lateral movement. As AI removes the barriers to exploiting these weaknesses, security must evolve from reactive detection to proactive architectural control. AppGate ZTNA enables this shift by enforcing identity-based access, cloaking infrastructure, and eliminating the pathways attackers depend on. 

Something shifted abruptly in cybersecurity this month. Anthropic announced Claude Mythos Preview, an AI model that can autonomously find and exploit software vulnerabilities, chain multi-step attacks across networks, and complete in hours tasks that once took elite security researchers days. At the same time, Anthropic launched Project Glasswing, a controlled coalition of about 50 organizations, including Microsoft, Google, Apple, Cisco, and JPMorgan Chase, that were given early access to Mythos to help patch critical infrastructure before similar capabilities reach adversaries.

As is the case with most security vendors, we've been watching this closely. Here's our honest read on what it means for the organizations we support. 

What Mythos Actually Demonstrated

In Anthropic's own red team testing, Mythos operated fully autonomously, with no human involvement between the initial prompt and a working exploit. The clearest example: it discovered and exploited a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747) that allows unauthenticated root access over the internet. No human was in the loop.

The UK AI Security Institute independently confirmed that Mythos is the first AI model to complete its full network takeover simulation, a multi-stage attack designed to compromise an entire network. On expert-level capture-the-flag challenges, Mythos succeeded 73% of the time. Before last year, no prior model could complete those challenges at all.

ISACA's analysis put the practical implication plainly: time-to-exploit has collapsed from weeks or months to hours or days in AI-assisted workflows. The window between a vulnerability being discovered and being weaponized is now nearly zero.

What Project Glasswing Is — And Isn't

Project Glasswing gives coalition members early access to Mythos so they can find and patch code-level vulnerabilities in their own systems before the model, or one like it, ends up in the wrong hands. Anthropic committed up to $100 million in usage credits and $4 million in donations to open-source security organizations. A full public disclosure report is expected around July 2026.

It's a meaningful defensive initiative, but its scope matters. Project Glasswing is a software patching program. It finds flaws in code; it does not change the network access architecture that determines what an attacker can do once a vulnerability has been exploited. That layer is where Zero Trust operates, and where AppGate ZTNA comes in.

Independent security firms, including IANS Research, Arctic Wolf and Mandiant, have made the same point: this is a temporary defender advantage. Mythos-class capabilities will eventually proliferate to adversaries. Organizations that use this window to harden their architectures will be in a fundamentally different position than those that don't.

Why Architecture Matters

Mythos-class attacks are faster and more autonomous than human attackers, but they still depend on the same structural conditions to succeed: the ability to move laterally, find and enumerate targets, exploit over-permissioned credentials, and operate long enough to chain an attack. Remove those conditions, and the speed advantage of AI becomes irrelevant.

This is the core of AppGate's position, and it hasn't changed. Zero Trust architecture was designed for exactly this kind of threat model. AppGate ZTNA helps to defeat Mythos-class attacks at the structural level, not by trying to detect and outrun them, but by eliminating the conditions they depend on.

AppGate ZTNA protects against Mythos-class threats by:

  • Eliminating lateral movement, the lifeblood of AI-driven attacks. Mythos-class systems succeed by chaining dozens of steps across a network. AppGate ZTNA creates session-based, just-in-time segment-of-one access between users and resources, making unsanctioned lateral movement structurally impossible, not just detectable after the fact.
  • Shrinking the attack surface to near zero. AppGate ZTNA makes network resources invisible to unauthorized users. An AI system cannot exploit what it cannot see. By cloaking infrastructure from unauthenticated endpoints, AppGate ZTNA removes the reconnaissance capability that makes tools like Mythos so effective in the first place.
  • Enforcing least-privilege access, always. Mythos-class AI exploits over-permissioned credentials and excessive access rights. AppGate ZTNA ensures every user and device receives only the minimum access required for their role, dynamically enforced and continuously verified.
  • Continuously re-authenticating at machine speed. Continuous authentication and real-time behavioral verification mean that even if credentials are compromised, anomalous behavior can trigger an immediate adaptive response. AI attackers moving autonomously at speed generate behavioral signals that AppGate ZTNA is designed to act on without waiting for a human analyst.
  • Protecting every connection type, not just remote users. AppGate ZTNA's universal ZTNA framework secures user-to-resource and resource-to-resource connections across on-premises, cloud, and hybrid environments. AI-driven attacks do not distinguish between remote and internal vectors, and neither should the architecture built to stop them.

The Cloud Security Alliance's expedited CISO briefing on Mythos specifically called out network segmentation and robust access controls as the top mitigations, both of which are foundational to AppGate ZTNA.

Taking the Right Step Forward  

If you're an AppGate ZTNA customer with a fully deployed Zero Trust architecture, Mythos does not change your posture. It validates it. Organizations that have adopted a Zero Trust architecture grounded in AppGate ZTNA have already removed the implicit trust, flat networks, excessive access rights and lateral movement pathways that Mythos-class tools depend on to succeed. The focus now is ensuring that architecture is fully implemented across the environment, including consistent segment-of-one access, least-privilege access for all users and devices, and continuous authentication operating end to end. This is less about reacting to a new threat and more about confirming that the Zero Trust foundation is fully in place.

If you're still using a legacy VPN or perimeter-based architecture, the Mythos era is the clearest possible signal that the transition window is closing.  AI-driven attacks are designed to exploit flat networks and implicit trust, turning any initial access into rapid lateral movement and escalation. In this environment, detection and response alone cannot keep pace with machine-speed execution.

The architecture that helps defeat Mythos already exists. Learn how AppGate ZTNA delivers direct-routed, identity-centric Zero Trust access designed to remove the structural conditions AI-driven attacks depend on, without disrupting operations.

Receive News and Updates From AppGate