
Mythos found a $20,000 bug. It won’t tell you who’s already inside. 

Anthropic's Mythos has dominated the security conversation this week. But the debate about whether it's overhyped is the wrong argument. The real question is simpler and more uncomfortable: if an attacker had execution inside your environment right now, would you know?


Anthropic says Mythos autonomously found a long-standing bug, in a case some coverage framed as a “$20,000 bug”. The coverage has been wall-to-wall. Boards are asking questions. Vendors are updating their pitch decks.

Marcus Hutchins – the researcher who stopped WannaCry – questioned whether the cost and capability claims actually hold up. His challenge was well-founded. He’s been watching AI security hype closely for years, and his read on this one deserves more attention than it’s getting.

The debate about whether AI is overhyped misses the strategic point: the real question isn’t how many vulnerabilities a model can find, but whether your organisation would even know if someone was already using one.

That’s a vendor question. Not a security question.

Every conversation about Mythos is orbiting the same point: how many vulnerabilities can AI find, and how fast?

A real attacker doesn’t care how many holes exist in your network. They need one. One way in, one set of credentials, one misconfigured third-party connection. Once they’re inside, the vulnerability that got them there stops mattering entirely. What matters is what happens next – and whether you know they’re there at all.

Your attack surface is elastic. It shifts every time a developer pushes code, every time a new SaaS tool gets added without a ticket, every time an employee resets their password over the phone with an MSP who asks for a surname and a site name. A list of CVEs, however it was generated, takes a snapshot of a surface that never stops moving.

Ask yourself a different question: if an attacker had execution inside your environment right now, would you know? Not “is it patched?” but, would you know?

We stayed in for over 15 hours. Nobody noticed.

We ran an assumed breach engagement with a single rule: don’t get caught.

We didn’t use a frontier model or a 20-gadget ROP chain. We exploited one overlooked UDP port. Tunnelled in via WireGuard. Found credentials in clear text on a shared folder. Ran a password spray. Over 30 accounts fell. Pass-the-hash took care of the rest.

By the end, we were using the monitoring team’s own account to look around.

The alerts never fired. The team never noticed. We were in there for over 15 hours.

No novel exploit. No AI. A forgotten UDP port, a text file with a password, and a cloned OS image with identical local admin hashes across every workstation in the subnet.

While AI is busy identifying bugs that have survived decades of human review, we were proving that attackers don’t always need to “hack in” – they are simply logging in.

Why the gap keeps existing

Verizon’s 2025 DBIR says exploitation of vulnerabilities accounted for 20% of initial access, while third-party involvement in breaches doubled to 30%.

The problem was never discovery; it was the “remediation gap”. Mythos widens this gap. If your teams are already struggling with “n-minus-ten” backlogs—vulnerabilities ten versions behind—more findings at higher speed only increase the noise. And noise is exactly what a patient attacker wants. The 2026 landscape is littered with “unknown unknowns,” but some of the most famous breaches, from Target’s HVAC-linked compromise to WannaCry, began with third-party access or vulnerabilities that already had patches available.

What actually closes it

The question worth asking isn’t “did we find the vulnerability?” It’s “can we detect initial execution, regardless of how it happened?”

Not which CVE. Not whether Mythos found it. Whether your monitoring catches an attacker moving through your systems using your own tools, your own accounts, your own credentials. Whether your alerts fire when someone resets an employee’s MFA device at 11pm. Whether your third-party connections are segmented and watched.
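An added example, not part of the original post and not CovertSwarm's tooling: a minimal detection pass for two patterns from the engagement described above, a password spray from one source and a single local admin account logging on to many workstations. The log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed thresholds; tune to your own baseline
SPRAY_ACCOUNTS = 10             # distinct accounts failing from one source
LATERAL_HOSTS = 3               # distinct hosts reached with a local account

def parse(line):
    """Parse 'ISO-time src dst account kind result' (a constructed format)."""
    ts, src, dst, account, kind, result = line.split()
    return datetime.fromisoformat(ts), src, dst, account, kind, result

def detect(lines):
    """Return sorted (rule, source) alerts using a sliding time window."""
    alerts = set()
    recent = defaultdict(list)  # (rule, src) -> [(time, distinct key)]
    for ts, src, dst, account, kind, result in sorted(parse(l) for l in lines):
        if result == "FAIL":
            rule, key, limit = "password_spray", account, SPRAY_ACCOUNTS
        elif kind == "local" and result == "OK":
            rule, key, limit = "local_admin_lateral", dst, LATERAL_HOSTS
        else:
            continue
        bucket = recent[(rule, src)]
        bucket.append((ts, key))
        # Keep only events inside the window, then count distinct keys.
        bucket[:] = [(t, k) for t, k in bucket if ts - t <= WINDOW]
        if len({k for _, k in bucket}) >= limit:
            alerts.add((rule, src))
    return sorted(alerts)

def sample_log():
    """Constructed events: a spray, a lateral run, and benign noise."""
    base = datetime(2025, 1, 1, 23, 0, 0)
    lines = []
    for i in range(12):  # one source, one failure per account
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 10.0.5.23 dc01 user{i:02d} domain FAIL")
    for i in range(4):   # same local admin account onto four workstations
        t = base + timedelta(minutes=30, seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.5.23 ws{i:02d} localadmin local OK")
    for i in range(3):   # benign: one user mistyping a password
        t = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{t.isoformat()} 10.0.7.8 dc01 alice domain FAIL")
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Counting distinct accounts or hosts per source, rather than raw failures, is what separates the spray from the user who mistypes one password three times.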

That’s not a gap a faster scanner closes. It’s a gap that requires constant pressure from a team operating like a real adversary across every surface, digital, physical, and human. Without a fixed scope, a defined end date, or stopping when the report lands.

Vulnerability discovery is a starting point. Detection is the test. And you don’t pass it once a year.

Find out what’s already in your network. Contact CovertSwarm.