Two weeks ago, we argued that the only defence that works against a Mythos-class threat is to baseline normal agent behaviour and block every deviation in real time. Whether or not every claim in Anthropic’s Claude Mythos disclosure was precisely accurate, we wrote, the direction of the story was real, the capability was not going back in the bag, and any security programme built around known threat signatures was already obsolete.
We did not expect the news cycle to validate that argument quite this quickly.
What just happened with Claude Mythos
Bloomberg, the Financial Times, and Vox are all reporting that Anthropic is investigating unauthorized users accessing Claude Mythos, the frontier model Anthropic restricted to a small Project Glasswing consortium precisely because of its offensive cybersecurity capabilities. At the time of writing, Anthropic has not publicly disclosed who the unauthorized users are, how they gained access, or what they have used the model for.
Here is what we can say with confidence:
- A model that Anthropic’s own safety team judged too dangerous to release broadly is being used by people who were never meant to use it.
- Every assurance that “Mythos is restricted to a trusted consortium” just became an assumption rather than a control.
- The Mythos-class zero-day pipeline is no longer a hypothetical that might leak out eventually. It is leaking out now.
What this means for agentic AI security
Mythos restriction was a thoughtful policy. It was never a defence. The minute a model with that capability exists, the question is not whether its output reaches adversaries; it is how quickly. A week is quicker than most of us expected.
For anyone running AI agents in production (via MCP servers, LangChain, CrewAI, or anything else), the practical implication is the one we laid out two weeks ago:
- Novel zero-days generated by Mythos or a descendant will not have CVEs when they hit your agents.
- Your scanner, SBOM, and signature feed will have nothing to match against.
- The only control that works is one that does not require knowing what the attacker knows.
Why Rein customers don’t need to panic
Rein does not depend on knowing what Mythos found this week, or what the unauthorized users are doing with it. Rein depends on knowing what your agents are supposed to do, and stopping everything else, in real time, at the point of execution.
Every tool call, every service invocation, every resource access, every inter-agent message is captured as part of a learned behavioural baseline specific to your agents in your environment. When a compromised MCP server, a novel prompt injection, or a Mythos-discovered RCE tries to push an agent off that baseline, the deviation is blocked before the action completes. It does not matter whether the triggering vulnerability has a CVE. It does not matter whether the attacker is a nation-state, a research group, or whoever just accessed Mythos without an invitation.
Set the baseline. Block the deviation. That philosophy survives this week’s news, and the one after it.
The honest takeaway
Anthropic Mythos unauthorized access, in whatever form it turns out to have taken, is not a surprise. It is the scenario the industry should have been planning for since the day Project Glasswing was announced. If your agentic AI security strategy still assumes that dangerous capabilities stay contained, today is a good day to revisit it.
If it assumes the opposite, that the attacker eventually gets everything, and the only thing you control is what your agents are allowed to do, you are already in the right place.
