Agentic Attackers Are Here: What Mythos and Recent AI-Enabled Operations Mean for Your Threat Model
By Dritan Saliovski
Anthropic's upcoming AI model, Mythos, can exploit software vulnerabilities at a pace that far outstrips human defenders. That assessment comes from Anthropic itself, disclosed in a leaked draft blog post first reported by Fortune on March 27, 2026. The company is privately warning government officials about the potential for large-scale cyberattacks enabled by models at Mythos's capability level. This is not a projection about a distant future. In January 2026, a Russian-speaking hacker used Claude and DeepSeek to compromise approximately 600 devices. In February, a separate campaign used Claude to coordinate data theft from Mexican government agencies.
Key Takeaways
- Anthropic's Mythos model represents what the company describes as a step-change in AI-enabled cyber capability, with the ability to discover and exploit vulnerabilities autonomously
- A January 2026 operation saw a single Russian-speaking attacker use Claude and DeepSeek to compromise approximately 600 devices; a February campaign used Claude to coordinate attacks on Mexican government agencies
- CrowdStrike's 2026 Global Threat Report documents an 89% increase in AI-enabled attacks and average breakout times of 27 seconds
- Over 90 organizations have had legitimate AI tools abused by threat actors; AI mentions in criminal forums increased approximately 550% year-over-year
- Anthropic is providing early access to Mythos for selected organizations to improve their defenses ahead of the model's release
The Shift from Tool-Assisted to Agent-Driven Attacks
The distinction between AI-assisted and AI-agentic attacks is not semantic. It changes the threat model.
In an AI-assisted attack, a human operator uses an LLM the way they might use a search engine or a code editor: to research a vulnerability, generate an exploit script, or draft a phishing email. The human remains the decision-maker at every step. The attack moves at human speed, constrained by the operator's skill and attention.
In an AI-agentic attack, the model operates with autonomy. It scans for vulnerabilities, evaluates which are exploitable, generates and tests exploit code, moves laterally through a network, and adapts its approach based on what it finds. The attack runs continuously, potentially across multiple targets simultaneously, at machine speed.
We covered the distinction between AI agents and chatbots from a defensive security perspective in our analysis of AI agent security risks. The same distinction applies on the offensive side, and defenders need to internalize it. Your threat model likely assumes human-speed adversaries with human-level persistence. That assumption is becoming outdated.
What the Real-World Operations Show
The January 2026 incident is documented through chat logs between the attacker and Claude, shared with CNN by Yaroslav Sela, whose security firm discovered the operation. The attacker, communicating in Russian, asked Claude to create a web panel for managing hundreds of compromised targets. The attacker combined Claude's code generation with DeepSeek's capabilities to build and operate the infrastructure for a 600-device compromise.
This is not a sophisticated nation-state actor. The chat logs suggest a mid-skill operator who used LLMs to bridge capability gaps that would have previously required a larger team or more technical expertise. The February campaign against Mexican agencies follows the same pattern: Claude was used to coordinate data theft targeting sensitive tax and voter information.
What makes these cases significant is not their scale. It is what they demonstrate about the skill floor. Tasks that previously required specialized knowledge in exploitation, lateral movement, and data exfiltration can now be partially delegated to a model that provides step-by-step guidance and generates working code. The attacker's skill ceiling has not changed, but the floor has risen dramatically.
As we noted in our AI-powered cyber attacks board briefing, the 12 controls that change the risk profile remain the same regardless of whether the attacker is human or AI-assisted. What changes is the speed at which those controls are tested.
Mythos: What Anthropic's Own Assessment Says
Anthropic's draft blog post, which the company confirmed was accidentally published through its content management system, describes Mythos as being "far ahead of any other AI model in cyber capabilities." The specific concern is about agentic exploitation: models that can autonomously scan, identify, and exploit vulnerabilities without step-by-step human direction.
The company is not making this disclosure in isolation. OpenAI warned in December 2025 that its upcoming models posed a "high" cybersecurity risk. The trajectory across major AI labs points in the same direction: each generation of models will be more capable at offensive security tasks than the last.
Anthropic's response is notable for its specificity. Rather than issuing a general warning, the company is providing early access to Mythos for selected organizations to stress-test their defenses. It is also privately briefing government officials. This is a vendor telling its own customers and regulators that its product creates a category of risk that existing defenses may not be calibrated for.
CrowdStrike's Data Confirms the Trend
CrowdStrike's 2026 Global Threat Report provides the quantitative backdrop. The 89% increase in AI-enabled attacks year-over-year is the headline figure, but the operational metrics tell the more actionable story.
Average breakout time, the interval between initial compromise and lateral movement, has dropped to 27 seconds. That number renders human-in-the-loop incident response functionally impossible for the initial containment phase. If your detection-to-response time is measured in minutes, and the adversary's breakout time is measured in seconds, the math does not work regardless of team size or skill.
[Figure: AI-enabled threat acceleration. Source: CrowdStrike 2026 Global Threat Report; industry analysis.]
Over 90 organizations have had their legitimate AI tools turned against them. This maps directly to the risk we analyzed in our AI agent deployment security framework: agent permissions, tool access, and data exposure must be governed with the assumption that the tool may be co-opted, not just misused.
What Changes in Your Threat Model
Three assumptions in most enterprise threat models need updating.
First, the "skilled attacker" assumption. Traditional threat modeling assumes a spectrum from script kiddies to APT groups, with capability roughly correlating to resources and training. AI tools compress this spectrum. A single operator with an LLM subscription can now execute operations that previously required a coordinated team. Your threat model should assume that any motivated individual has access to mid-tier offensive capability.
Second, the "human speed" assumption. Breakout times measured in seconds mean that detection and initial containment must be automated. Manual triage workflows designed for human-speed adversaries will consistently arrive after the adversary has already moved laterally. This is not an argument for removing humans from incident response. It is an argument for automating the first 60 seconds.
Third, the "perimeter-first" assumption. When AI agents can scan for vulnerabilities, generate exploits, and test them autonomously, the volume of attempted exploitation against internet-facing assets increases by orders of magnitude. Zero-trust architecture is not a buzzword here; it is an operational necessity when the cost of probing your perimeter drops to near zero for the attacker.
Detection and Response Adjustments
Organizations should update detection priorities to account for AI-enabled attack patterns. LLM-assisted attacks tend to generate cleaner code than typical automated tools, which means signature-based detection tuned for known exploit frameworks may miss AI-generated variants. Behavioral detection, focused on anomalous system calls, unusual process chains, and rapid lateral movement sequences, becomes more critical.
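One way to express the behavioral check for rapid lateral movement sequences, as an added example that is not from the original article or from CrowdStrike: it links logon events into hop chains and reports the breakout time for chains that move faster than a manual triage workflow could follow. The event tuple format, hostnames, accounts, baseline set and 60-second threshold are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample logons: (ISO time, source host, destination host, account).
# Hostnames and accounts are invented for illustration.
EVENTS = [
    ("2026-03-01T09:00:00", "ws-014", "fs-01", "alice"),        # routine access
    ("2026-03-01T10:15:02", "vpn-gw", "ws-022", "svc-backup"),  # initial access
    ("2026-03-01T10:15:21", "ws-022", "app-03", "svc-backup"),  # hop after 19 s
    ("2026-03-01T10:15:40", "app-03", "db-01", "svc-backup"),   # hop after 19 s
    ("2026-03-01T10:15:58", "db-01", "dc-01", "svc-backup"),    # hop after 18 s
    ("2026-03-01T13:00:00", "ws-031", "app-03", "bob"),
    ("2026-03-01T13:45:00", "app-03", "fs-01", "bob"),          # 45 min later
]
BASELINE = {("ws-014", "fs-01")}  # assumed: src->dst pairs seen in normal use

def find_rapid_chains(events, baseline, max_gap_s=60, min_hops=2):
    """Link logons into chains where each hop leaves the previous hop's
    destination within max_gap_s seconds over a src->dst pair that is not in
    the baseline. Return chains with at least min_hops lateral hops."""
    parsed = sorted((datetime.fromisoformat(t), s, d, a) for t, s, d, a in events)
    chains, tip = [], {}  # tip: host -> chain currently ending at that host
    for ts, src, dst, acct in parsed:
        if (src, dst) in baseline:
            continue
        chain = tip.get(src)
        if chain is not None and (ts - chain[-1][0]).total_seconds() <= max_gap_s:
            del tip[src]          # extend the chain that just reached src
        else:
            chain = []            # too slow or no predecessor: start a new chain
            chains.append(chain)
        chain.append((ts, src, dst, acct))
        tip[dst] = chain
    return [c for c in chains if len(c) - 1 >= min_hops]

def summarize(chain):
    """Breakout time: seconds from the chain's first logon to its first lateral hop."""
    return {
        "account": chain[0][3],
        "path": [chain[0][1]] + [event[2] for event in chain],
        "breakout_s": (chain[1][0] - chain[0][0]).total_seconds(),
        "total_s": (chain[-1][0] - chain[0][0]).total_seconds(),
    }

if __name__ == "__main__":
    for chain in find_rapid_chains(EVENTS, BASELINE):
        print(summarize(chain))
```

A flagged chain is the natural trigger for an automated containment step such as host isolation or session revocation, with human review following afterwards.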
Tabletop exercises should incorporate AI-assisted adversary scenarios. The standard tabletop assumption of a phishing email leading to credential compromise leading to lateral movement over days should be supplemented with scenarios where the entire attack chain executes in minutes, driven by an autonomous agent that adapts in real time.
For PE deal teams conducting cybersecurity due diligence, the implications are direct. Target companies' security postures should be evaluated against AI-enabled threat scenarios, not historical incident patterns. Our M&A cybersecurity due diligence framework includes technology stack assessment and vulnerability scanning. The baseline for what constitutes adequate defense is shifting upward. The Claude Code source leak from the same week illustrates how quickly AI tool vendors can become the vulnerability rather than the defense.
The full Intelligence Brief covers the complete pre-AI versus post-AI adversary capability comparison matrix, updated detection framework recommendations mapped to MITRE ATT&CK, tabletop exercise scenarios for AI-assisted threats, and a control framework adjustment checklist for NIST CSF and ISO 27001.
Frequently Asked Questions
What is the difference between AI-assisted and AI-agentic attacks?
In an AI-assisted attack, a human operator uses an LLM to research vulnerabilities, generate exploit code, or draft phishing emails - the human remains the decision-maker at every step. In an AI-agentic attack, the model operates with autonomy: scanning for vulnerabilities, evaluating exploitability, generating and testing exploits, moving laterally, and adapting its approach - all at machine speed, potentially across multiple targets simultaneously.
What is Anthropic's Mythos model and why does it matter for cybersecurity?
Mythos is Anthropic's upcoming AI model, which the company itself describes as being far ahead of any other AI model in cyber capabilities. An accidentally published draft blog post disclosed that Mythos can discover and exploit software vulnerabilities autonomously. Anthropic is privately briefing government officials and providing early access to selected organizations to improve their defenses.
What do the documented AI-enabled attacks look like in practice?
In January 2026, a Russian-speaking hacker used Claude and DeepSeek to compromise approximately 600 devices, building a web panel for managing compromised targets. In February, a separate campaign used Claude to coordinate data theft from Mexican government agencies. These operators were mid-skill individuals who used LLMs to bridge capability gaps that previously required larger, more specialized teams.
What does CrowdStrike's data show about AI-enabled attack trends?
CrowdStrike's 2026 Global Threat Report documents an 89% increase in AI-enabled attacks year-over-year, average breakout times of 27 seconds (making human-in-the-loop response functionally impossible for initial containment), over 90 organizations with compromised legitimate AI tools, and an approximately 550% increase in AI mentions in criminal forums.
What three assumptions in enterprise threat models need updating?
First, the skilled attacker assumption - AI tools compress the capability spectrum, giving any motivated individual access to mid-tier offensive capability. Second, the human speed assumption - 27-second breakout times require automated first-60-seconds containment. Third, the perimeter-first assumption - when AI agents can probe at near-zero cost, zero-trust architecture becomes an operational necessity.
Sources
- Fortune. Anthropic's Mythos AI model cyber capabilities disclosure. fortune.com. 2026.
- CNN. Russian-speaking hacker Claude/DeepSeek operation chat logs. cnn.com. 2026.
- CrowdStrike. 2026 Global Threat Report. crowdstrike.com. 2026.
- Anthropic. Mythos draft blog post and responsible disclosure statements. anthropic.com. 2026.
- OpenAI. December 2025 model risk assessment disclosures. openai.com. 2025.
- Synthesized from multiple threat intelligence sources on AI-enabled criminal forum activity, Q4 2025 through Q1 2026.