What Do You Do When The AI Is More Capable Than the Security Industry?
What happened
On April 8, 2026, Anthropic did something apparently no technology company has ever done: they held back their most powerful product because it was too good at breaking things. (That is, if you know a similar holding back because of too-goodness, I’d like to know, please comment below).
The model restrained from launch is named Claude Mythos. Mythos was previously sort of teased with an apparent leak, and set the tone about two weeks before.
The internal documents already mentioned Mythos as an unprecedented powerful one, with some cyber capabilities hinted at.
The veil has been officially lifted now, with the scary public anouncement that Mythos has been able to, and actually discovered, thousands of zero-day vulnerabilities across every major operating system and web browser.
It even found a 27-year-old bug in OpenBSD, the pinnacle of security in Linux tribes. A 16-year-old flaw in FFmpeg. It even evaded its browser and OS sandboxes, by exploiting some (unknown yet?) vulnerabilities. Autonomously, apparently.
Anthropic’s didn’t ship it. Instead, it will spend $100 million fixing the internet first. The official announcement is here.
Now, I must admit, this is good marketing. Truly very good marketing. But nevertheless, if you manage to still gather all the big boys, into a $100 million tokens budget, to thoroughly inspect all critical software currently in production, for vulnerabilities, for patching them before the actual launch, well, you are allowed to brag about it. Those big boys are even competitors, so this seems to be serious: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo ALto Networks.
This article isn’t about Anthropic. It’s trying to think about what happens next – when every AI tool inherits these capabilities, and the question shifts from “can AI find vulnerabilities?” to “who controls the AI that finds them?”. Or, even scarier: What happens if I tell AI: “let’s steal some secrets from __“?
Now, if you followed the latest AI trends (I hope you do, for your own good), you probably noticed a definitive shift from “what knows [AI] about something” towards “what can [AI] actually do”. And I mean, by “do”, to really execute. Anything. Actions. Operations. In a word: agentic behaviour.
And, apparently, Mythos can do alot. It’s the level of actionable AI that can be dangerous, because it has so much power. That is, power in the softwre realm, for now. This is not bad. Not at all. It’s very useful, actually. It’s valuable in the purest sense.
But meantime, the real value of the median software engineer and their teams is clearly going down to zero very fast. There is the real probability that just now, some rich companies and/or people can run critical-survival-grade God-mode computers which could clearly affects human life in general.
Food for thought.
But What Actually Happened
- Mythos Preview identified thousands of high-severity zero-days across major OS, browsers, and infrastructure
- Capabilities emerged as a “downstream consequence” of general improvements in code, reasoning, and autonomy – NOT from intentional security training
- Anthropic withheld public access, launched Project Glasswing – a defensive coalition (AWS, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, JPMorgan Chase, Linux Foundation)
- $100M in usage credits + $4M in direct donations to open-source security organizations
- The 4-vulnerability browser exploit chain: renderer escape + OS sandbox escape, fully autonomous
The uncomfortable truth: Nobody trained Mythos to do this. It learned to code better, reason better, and act more autonomously. Security research fell out as a side effect. This means any sufficiently capable model will develop these abilities whether you want it to or not. That’s very valuable.
The Emergent Action Capability Problem
Traditional software does what you program it to do. AI does what its capabilities allow – and apparently we discover the boundaries only after the fact.
In Anthropic’s own words: these capabilities “emerged.” They didn’t plan for them. They discovered them. To note: not that these capabilities were hidden somehow. No, they simply resulted from actual operations of the model. They weren’t yet apparent, or journaled.
The important implication is: every AI upgrade is a capability upgrade you haven’t fully mapped.
Your AI coding assistant could, with the next model update, become capable of things neither you nor its creators anticipated.
There is a historical parallel in nuclear physics. Researchers studying atomic structure discovered fission as a side effect. The capability existed in the physics whether anyone wanted it or not. Later, the question was never “can we?” – it was “who controls it?”
The difference: nuclear capabilities required nation-state resources. AI capabilities requires only a GPU and an API key. That’s an immensely low-barrier entry.
The Three Responses
Now, realistically, this is how the industry responds to this tremendous capability emergence:
Response 1: Ship and pray (the default)
Most AI tools today do that. They blindly execute what the user asks. No threat analysis. No gating. If the user or the model decides to run rm -rf / or exfiltrate credentials, the tool complies. This was acceptable when models were limited. It’s negligent when models can autonomously chain exploit paths. This was also possible in the software development world more often, because software, generally speaking, was less autonomous and dangerous. Humans always stepped in if smoke and fire.
Response 2: Bolt on safety after the fact (the retrofit)
Add filters, guardrails, content moderation. The RLHF approach – train the model not to do bad things. For those who do not know what RLHF is, it’s the acronym for Reinforcement Learning from Human Feedback. It’s a machine learning technique used to align large language models (LLMs) with human intentions, making them more helpful, honest, and harmless. But we have an inherent problem: emergent capabilities bypass trained-in guardrails because the capability couldn’t be reasonably anticipated during training. You can’t guardrail what you don’t know what the model could do. And you don’t know what the model can do until you “run” it. A chicken and egg vicious circle. Mythos proved this – the security capabilities weren’t in the training objective.
Response 3: Architectural security (the design-first approach)
Now we’re talking. How about building the security model into the architecture, not the training data? Assume the AI will be more capable than you expect. Gate at execution time, not at training time. Analyse every action in real-time against threat patterns. This is the only approach that scales with emergent capabilities – because it doesn’t depend on predicting what the model can do.
The above seems sane and reasonable enough. But did we did that with Agents actually? A relatively recent relevant article and video (the video is relaxed to watch, recommend) you can find here. OpenClaw struggles with this, not sure it will succeed.
The Guardian Problem
A sane solution would be guarding architectural level, which protects and watches what an agentic AI is actually doing.
But, the paranoid in me is constantly asking: “Who watches the watchmen?” This is a 2,000 years old question.
And it’s now a systems architecture question.
If your AI runtime can autonomously discover and chain exploits, can we have a security layer that:
- Operates at machine speed (human review is too slow, comparatively)
- Analyses intent, not just syntax (a vulnerability scan and an attack use the same commands)
- Catches novel threats (not just pattern-matching against known attacks)
- Is architecturally separate from the AI it guards (the guard can’t be the prisoner)
Much like an Antivius, but at cosmic speeds.
Can we?
This is the Guardian architecture problem. That guard should be:
- Faster than the thing it guards (or threats pass through while it thinks)
- Independent from the thing it guards (or the model can reason about and circumvent its own guardrails)
- Adaptive to capabilities it hasn’t seen before (or emergent capabilities bypass it)
Anthropic solved this temporarily by not shipping Mythos. But that’s a dam, not a solution. Eventually the capabilities diffuse – through open-source models, through competitors, through leaks. The question isn’t whether these capabilities become widely available. It’s whether the security architecture exists when they do.
What Responsible AI Tooling Could Look Like
Design-wise, any AI tool that executes commands on real systems actually needs:
A command analysis layer.
Every command is parsed for threat patterns before execution. Not a blocklist – a structural analysis. curl is fine. curl | bash is a pattern. curl | bash piped from an untrusted URL chained with privilege escalation is a kill chain. The analysis must understand the chain, not just the individual commands.
A chain detection layer.
Individual commands may be harmless. Sequences may not be. Reconnaissance (what OS, what users, what services) followed by exploitation (known CVE payloads) followed by persistence (cron jobs, SSH keys) – the chain is the threat, not any single step. This is exactly what capable AIs are doing offensively. The defensive version must operate at the same level.
An isolation layer for secrets.
AI should never have access to credentials it doesn’t need for the current operation. The blood-brain barrier model – secrets circulate in execution but never reach the AI’s reasoning context. This limits the blast radius of any compromise.
Human gates for irreversible actions.
Destructive operations – deleting data, modifying security configurations, establishing persistent access – require human confirmation. Not because humans are smarter, but because irreversibility demands accountability. And, for better or worse, humans are, basically the only party responsible (until Cylons, that is).
An audit trail layer.
Every action, every command, every AI decision – logged immutably. Not for compliance theatre. For forensics. When (not if) something goes wrong, the trail tells you what happened, what the AI was thinking, and where the security model failed.
Do you have these layers in your AI tool you are building right now? You should.
The Anthropic Precedent
What Anthropic did with Glasswing is quite unprecedented in technology, i think:
- They discovered a capability that would generate massive demand
- They calculated the defensive value exceeds the commercial value (at this moment)
- They chose to deploy defensively before commercially
- They assembled a coalition of competitors to fix things together
This sets a bar. The question for every AI company is now: “Would you do what Anthropic did?” If your model discovers it can break critical infrastructure, do you ship it for the revenue, or do you hold it back and fix things first?
The answer reveals whether “responsible AI” is a values statement or a marketing tagline.
What Could Come Next
Mythos-class claimed capabilities could and possibly will become baseline within 12-18 months. Let’s hope Open-source models will reach similar capability levels.
Every AI tool that executes on real systems – coding assistants, DevOps automation, infrastructure management – inherits this capability profile. Your IDE’s AI assistant might be one model upgrade away from autonomous exploit discovery.
The security industry needs to shift from “detect known attacks” to “analyse autonomous AI behaviour in real-time.” Traditional SIEM/SOC patterns don’t work when the threat actor is an AI model acting on emergent capabilities.
The AI safety community needs to shift from “alignment during training” to “architectural containment at runtime.” You can’t align capabilities you don’t know exist. You can contain them.
But Who Guards the Guardian?
Holding things back is only a patch. The capabilities exist, and they’ll definitely proliferate at speeds. The real question isn’t “should we release powerful models?” – it’s “do we have the security architecture to handle what they can do?”
The guardian must exist before the threat arrives. We have plenty of policy, training, and hope.
Who guards the guardian?
Architecture does.
Bogdan Susala, April 2026

Leave a Reply