Just over a week ago, Anthropic announced its Claude Mythos model to the world, and boy, did everyone lose their tiny little marbles over it. It’s easy to see why. Mythos is effectively a cybersecurity bot, able to crawl through code, find vulnerabilities, and exploit them. In just a few weeks, Anthropic claim Mythos discovered thousands of zero-day vulnerabilities in every operating system and web browser. Naturally, Anthropic is so worried about the ramifications of such a model being publicly available and other companies creating similarly dangerous models that they are currently only launching it as a ‘preview’ for researchers, government bodies, and major software developers so they can get ahead of the tidal wave of cyberattacks these models will cause. But it’s fair to say that, like all AI bros, Anthropic has a solid track record of being more marketing spin than trousers. So, is this the AI armada we were warned about? Or is this just a marketing stunt?

Why We Should Be Sceptical

It’s fair to say that the timing of Mythos’s launch is so coincidental that it raises some major suspicions.

A few weeks ago, Anthropic’s main product, Claude Code, was being publicly dragged. AMD’s director trashed the coding assistant for getting dumber and lazier. It simply couldn’t do tasks it once excelled at. This could be explained by a recent OpenAI memo, which details how Anthropic is compute-limited, or the recent report that Claude is experiencing regular, damaging disruptions. Quite simply, Anthropic might be dumbing down Claude to cope with the enormous influx of former OpenAI users. Then, because Anthropic has vibe-coded much of Claude’s scaffolding, its source code was leaked, allowing the entire world to see what made it tick! Ironically, for a company that can only exist by stealing more copyrighted works than nearly anyone else, except OpenAI, Anthropic claimed the code was their IP and issued approximately 8,000 copyright strikes to get the leaked code taken down. Not exactly a good look for Anthropic from an ethical, cybersecurity, or competency angle — especially when you consider they are planning an IPO by the end of the year.

So, the fact that they have suddenly developed an unimaginably powerful AI that is too dangerous for us to even try, let alone verify, is a little coincidental, don’t you think? It’s almost like this is a perfect marketing tool to bury all the major issues and bad press thrown at Anthropic over the past month. And, while this is in no way proof that Mythos is exclusively a swizz, it at the very least is a sign we need a dose of healthy scepticism here.

Remember: it isn’t just cranks on the internet like me who are urging scepticism. Some of the most influential AI researchers, industry experts, and even Big Tech investors have serious doubts about Mythos.

AI and neuroscientist Gary Marcus stated that Mythos’s risk was “overblown” and that “To a certain degree, I feel that we were played.” Yann LeCun, one of the ‘AI Godfathers’, totally dismissed Mythos, calling it “BS from self-delusion”, and said that other smaller models could already finish the same tasks. Dr Heidy Khlaaf, Chief AI Scientist at the AI Now Institute, declared that the announcement of Mythos used vague language and didn’t include the right metrics to verify the claims Anthropic made, leading her to question whether the announcement was really designed to generate investment without too much scrutiny. David Sacks, arguably one of the most egregious members of the PayPal mafia — who is, in my opinion, an utter wanker and, more importantly for our conversation, a Big Tech investor — maintained that Anthropic has a history of “scare tactics” to drive hype, meaning we should take their claims with a grain of salt. When one of these guys warns that tech claims are too overblown, you know it’s bad!

That is a chorus of deeply informed people across the political and ethical spectrum, all warning that things might not be as they seem with Mythos.

Not to mention that independent analysis has supported this perspective. AISI is one of the organisations that was allowed to preview Mythos and test its capabilities. Though they did consider it a step forward in terms of its ability to perform simulated cybersecurity attacks, they also found it wasn’t as significant a leap forward as Anthropic claimed.

But there is one glaring anecdotal hole in Anthropic’s narrative.

If Mythos is so outstanding, why didn’t they use it to stop the Claude leak? You’d think that the first thing you would do if your company were about to become the de facto experts in software vulnerability detection and a tidal wave of AI-powered cyberattacks were swiftly approaching would be to use said AI cybersecurity tool to make sure all your software was fully patched. It doesn’t quite make sense that Anthropic can have a model that is supposedly as powerful as Mythos and experience a giant breach at the same time. There are a few possible explanations here: Mythos might not be able to accomplish what they claim it can; Claude’s heavily vibe-coded nature could make it nearly impossible to solve bugs and vulnerabilities; or even that Anthropic doesn’t trust Mythos not to completely ruin Claude. But no matter what the truth is here, this discrepancy doesn’t look good.

Okay, so we need to be sceptical. We get it. What questions should we be asking?

The Questions I Am Asking

Because I am not an AI scientist — just a deeply burnt-out autistic man with an internet connection — I can’t give you the ‘right’ answer. What I can do is tell you the questions I am asking to try and get to the bottom of this, which you can potentially use as a starting point.

My first question is, “How ‘good’ are the vulnerabilities?”

Just because Mythos claims it has found thousands of zero-day vulnerabilities doesn’t mean they’re actually hackable or exploitable cybersecurity risks. Indeed, Daniel Stenberg, founder and lead developer of cURL, told The Register that similar tools often incorrectly flag unexploitable bugs as vulnerabilities, adding serious slop-pressure for teams. Anthropic does claim that Mythos Preview can find working exploits 72.4% of the time, but that could just be hype. After all, the definition of ‘exploitable’ is a moving target. We need to see that Mythos isn’t just throwing spaghetti at the wall and can actually identify real-world risks in code. When the organisations with access to Mythos Preview move past lab-bench marking (which AI can famously be tweaked to do well in) and into real-world testing, we should hopefully receive our answer.

The next question is “How narrow is the model?”

For a variety of reasons — such as the Floridi Conjecture (read more here) and the Efficient Compute Frontier (read more here) — it is very difficult to make general-purpose models much better than they are today. As such, Anthropic has almost certainly had to narrow Mythos’ scope to improve it, transforming it from a general-purpose chatbot like Claude or ChatGPT into a specialised cybersecurity tool. The fact that Anthropic is currently compute-strapped is even more evidence that Mythos is likely very narrow. So, how much did Anthropic have to narrow down the Mythos model to make it efficient at this task? This question matters. Firstly, for obvious reasons, a super-narrow model isn’t as commercially viable. It can only complete one task, after all. But if Anthropic did have to significantly narrow down Mythos, it means they consciously created a tool that could unlock cyberattacks on a scale never seen before. Again, that undermines Anthropic’s ‘good guy’ ethical marketing and is a damn good example of why this cowboy industry needs to be regulated. If any other industry began purposefully making machines that could potentially collapse the digital infrastructure upon which our entire society depends, it would be regulated into the ground!

The next question is one some of you may have already been asking: “How expensive is it to run?”

If Mythos requires ungodly amounts of computing power and energy to run properly, then it can’t be the wide-scale risk Anthropic claims it is, can’t be a viable commercial tool, and is arguably a step backwards for the AI industry. Now, we do know that Mythos is very expensive to run, with Anthropic’s own documentation stating that it is “very expensive for us to serve, and will be very expensive for our customers to use.” But just how expensive? Anthropic doesn’t have deep enough pockets to subsidise a tool like this, and because investors are growing increasingly worried about the AI bubble, that is likely to remain the case for a while. Furthermore, if the model is heinously expensive to run, it might be significantly less efficient at finding bugs and vulnerabilities, measured in dollars per vulnerability found, making it commercially useless. Also, such a cost would keep the Mythos service small and out of the hands of more nefarious users.

This is a major issue plaguing all current AI systems. To make them even slightly better than they currently are requires exponentially more computing power and, therefore, exponentially more cost, which prices these tools beyond usability.

The next question is more of a pragmatic one: “How will Anthropic find solutions to the bugs and vulnerabilities Mythos finds?”

You see, it’s one thing to find a vulnerability — it’s another thing to fix it. Indeed, Daniel Stenberg from earlier told The Register that tools like Mythos don’t offer solutions when they report vulnerabilities. You might suggest that Anthropic could pair Mythos with Claude Code to find and vibe-fix these issues, but sadly, that isn’t likely to work. AI coding tools are great at generating small code snippets, but they are fucking awful at understanding entire programs and even worse at independently coding tasks. In a previous article, I discussed the University of Waterloo’s research, which found that even the best generative AI coders only have a 75% accuracy rate when tasked with very basic coding tasks. In other words, even basic AI-generated code doesn’t work a quarter of the time! I also analysed research from Veracode, which found that 45% of AI-generated code contained security flaws, and a study from Coderabbit, which found that AI-generated code has 70% more bugs than human-written code. So, no, Claude Code probably can’t join forces with Mythos to create an automated turn-key solution to cybersecurity.

This is a bit of a problem. It essentially means Anthropic has just shat in the pool and made it everyone else’s problem. If their claims about Mythos are even half-true, then the fact that AI coding can’t solve the issues Mythos finds means that the entire software industry, which is already strained past breaking point, will be lumbered with exponentially more work as they are obligated to race to fix thousands of vulnerabilities.

Again, this isn’t exactly the ethical thing to do, is it, Anthropic? Maybe industry regulation would have been the preferred solution here. But no, you guys desperately want to be the ‘ethical’ oligarch…

This leads me to the final question: “What is the long game here?”

These techbros all believe they are playing 4D chess, when in reality, they are playing tiddlywinks. It’s not that hard to see through their master plans. And that is a feature, not a bug, as it often enables them to dog whistle to potential investors. So, what is Anthropic’s end goal with Mythos? What is the narrative they are trying to subtly spin?

Well, I think it could be a terrible amalgamation of a protection racket and a Trojan horse. Let me explain.

At a time when the industry as a whole, especially the critical open-source sector, is already strained past breaking point, Mythos will apparently flood developers with reports, putting them under immense pressure. So, how are these teams going to cope? Well, they are going to be expected to turn to AI coding tools like Claude Code (particularly as it will likely work better with Mythos than other tools) to speed up patches. But, as we know, these tools produce a ton of bugs, so this isn’t a solution at all. Therefore, the Mythos reports will keep flying in, and Claude Code will rewrite a huge amount of code. Eventually, after this cycle has repeated for a while, most code will be written by AI, making it almost impossible for human coders to rewrite. That will effectively force software makers to use generative AI coding tools to maintain their services.

I think this is the narrative Anthropic is trying to push — that developers will likely pay an exorbitant price for Mythos to improve their cybersecurity, but the tsunami of reports will pressure them to adopt generative AI coding tools, effectively forcing the software industry to become deeply dependent on their AI coding tools.

Now, to be clear, I do not think this is what will actually happen. As I have said before, neither Mythos nor Claude Code is good enough to pull this off. But this is the AI bubble; reality doesn’t matter. What does matter is that investors believe you are going to become a dominating monopoly. That is why the name Mythos is so fitting. It appears to sell a myth of AI dominance, right before Anthropic goes public.

This is just a hypothetical. I don’t know if these are Anthropic’s intentions. I’m just trying to read between the lines.

Summary

Until Anthropic unleashes Mythos into the wild, we likely won’t get solid answers to any of these questions or know if Mythos is just a giant PR stunt. We are just going to have to sit with the knowledge that we are unaware of how much of this is marketing BS or genuine risk. All I know is that, either way, we should keep a healthy amount of scepticism about Anthropic.

Thanks for reading! Everything expressed in this article is my opinion, and should not be taken as financial advice or accusations. Don’t forget to check out my YouTubechannel for more from me, or Subscribe. Oh, and don’t forget to hit the share button below to get the word out!

Share