Cyber Defense Against AI-Enabled Attacks: Beyond the Mythos Hype
Isabel Skierka-Canton
Apr 23 | Updated: Apr 29
The noise around Claude Mythos and comparable frontier models has overshadowed a quieter truth: for most organisations, the most pressing cybersecurity challenges are structural rather than novel. At present, the most crucial defence lies in the consistent, thorough application of security fundamentals—done properly, at scale, together, and assisted by AI tools where appropriate. This matters most for the organisations least equipped to respond: resource-constrained municipalities, hospitals, regional utilities, and SME supply chains that support critical infrastructure. AI-enabled offensive tools exacerbate this existing disparity.
The practical agenda comes down to three operational points:
- Master security fundamentals and design for breach.
- Deploy defensive AI safely by prioritising governance over capabilities.
- Engage in collective defence ecosystems.
The Mythos Reality Check
Mythos reportedly finds and exploits new vulnerabilities with unparalleled autonomy, speed, and scale. Its actual capabilities cannot be independently verified, but its advanced reasoning likely acts as a significant force multiplier for determined attackers, lowering the skill barrier for sophisticated vulnerability discovery and exploit chaining.
But most breaches still don't hinge on novel exploits. Security veterans and reports consistently point to credential abuse, unpatched N-days, and poor cyber hygiene as the dominant failure modes.
The AISI's evaluation of Mythos Preview is the most grounded public assessment: the model completed AISI's 32-step corporate network range in 3 of 10 attempts (a first), but failed on the OT range. Moreover, the environment had no active defenders. The results confirm its capability against "small, weakly defended and vulnerable enterprise systems" once initial access is gained. Both observations point the same direction for under-resourced organisations: the dominant risk is not being outmatched by a frontier model, but being the path of least resistance.
Master the fundamentals; design for breach; exercise under stress
Some of the latest strategy briefing advice, most prominently from the consortium around the Cloud Security Alliance (CSA), SANS Institute, OWASP, and others, presents a spectrum of defenses that can feel overwhelming. Their calls to create dedicated "VulnOps" teams, implement fast-track innovation governance, and prepare for severe security team burnout are valid for highly mature enterprises. For typical resource-constrained entities like local municipalities, hospitals, or medium-sized businesses, those advanced measures are out of reach.
Fortunately, beneath these advanced concepts, a clear consensus emerges among veteran practitioners. From the consortium’s own guidance paper to expert discussions on platforms like the Risky Business podcast, experts agree that defense against AI-enabled threats still fundamentally hinges on core security basics. What matters for these teams is a three-tiered architecture of active resilience.
First, master fundamentals: Deploy the controls that disrupt the low-hanging attack chain: patching discipline, egress filtering, strict IAM with phishing-resistant MFA, and endpoint detection and response (EDR). Second, assume compromise: Accept the structural impossibility of out-patching an LLM and embrace the "design-for-breach" logic also championed by the consortium. The focus must shift from pure prevention to containment, e.g., through strict network segmentation and low-maintenance deception technologies such as canary tokens to create early warnings. Third, test this technical scaffolding and the team through high-stress exercises that simulate simultaneous, machine-speed incidents, so that this kind of containment is not just a policy but an operational reality.
AI for defence: prioritise governance over deployment
For resource-constrained organisations, the answer to AI-enabled attackers is rarely "deploy your own AI." Building the validation layers, orchestration, and engineering required to turn raw model outputs into trustworthy alerts requires a level of maturity most of these teams do not possess. Furthermore, models must be continuously maintained to prevent model drift, a gradual decline in detection performance as attack patterns evolve.
If they have the expertise and resources to run local models, that’s great. But if not, these organisations should focus on governance and procurement. Defensive AI will largely reach them embedded within enterprise products like EDR or SIEM. The focus must be on evaluating these vendors strictly: do their AI features actually reduce analyst workload, or do they generate more noise? Furthermore, defensive AI tools become a new attack surface in their own right. Prompt injection, compromised model supply chains, and over-empowered AI agents in security workflows are documented OWASP risk categories. Consequently, acquiring AI-enabled tools without the necessary governance to secure them undermines security efforts.
Engage in collective defence
No under-resourced organisation can solve this alone. This is where the real strategic leverage sits, and where most organisations are structurally weakest. Attackers readily share infrastructure, tools, and intelligence; defenders who fail to collaborate are at a fundamental disadvantage.
Ecosystems of Computer Security Incident Response Team (CSIRT) networks and other informal information-sharing arrangements have explicitly formed to force this shift, sometimes strengthened through regulation like the EU NIS2 Directive. Their aspirational goal is to standardise security postures across borders and enable the rapid, automated exchange of threat intelligence. In operational reality, however, intelligence sharing within these ecosystems is often highly manual, delayed by legal reviews, and plagued by the 'freeloader' problem, where participants readily consume intelligence but hesitate to share their own breach data.
For public sector organisations and critical-infrastructure operators, the principle needs an architectural answer. Germany's recently launched Cyberdome offers a compelling example of this. In a joint initiative between the Federal Office for Information Security (BSI) and govdigital - a cooperative of over 30 public IT service providers - municipal and Länder Security Operations Centres (SOCs) are linked directly with the federal BSI, which operates the federal government’s Cyberdome. Together, they are building an automated early warning system and a common situational picture. BSI President Claudia Plattner has framed the goal of the Cyberdome as "industrialising" cybersecurity and scaling it to at least the national level. For public-sector organisations in Germany's complex federal system specifically, the integration into the joint Cyberdome defence system represents the only practical route to scaling defence against cybersecurity threats, whether AI-enabled or not.
Conclusion
The AI-enabled attacker represents a genuine shift in threat economics, and the gap between what frontier models can do and what most organisations can defend against is widening. The response on the defense side is mainly about removing the conditions that make the attack worthwhile: consistent fundamentals, a posture designed for breach, and collective defence structures that no single organisation can build alone. Speed and scale favour those who industrialise the basics and cooperate.
References
Schneier on Security: "Mythos and Cybersecurity" and "On Anthropic's Mythos Preview and Project Glasswing" (Blog Posts)
Risky Business Media: "Risky Business (833): The Great Mythos Freakout of 2026"
Risky Business Media: "Mythos and 0day: Fixing exploits is not safety"
Cloud Security Alliance (CSA), SANS, OWASP: "The 'AI Vulnerability Storm': Building a 'Mythos-ready' Security Program" (Expedited Strategy Briefing)
AI Security Institute (AISI): "Our evaluation of Claude Mythos Preview's cyber capabilities"
AISLE: "AI Cybersecurity After Mythos: The Jagged Frontier" and "System Over Model: Zero-Day Discovery at the Jagged Frontier"
OWASP GenAI Security Project: "2025 Top 10 Risks & Mitigation for LLMs and GenAI Apps"
Bundesamt für Sicherheit in der Informationstechnik (BSI): "Kooperation mit Ländern und Kommunen: BSI weitet Sensorik in der Cybersicherheit aus"
