Anthropic Investigation: Who Accessed the Mythos AI Tool?

Dario Amodei, CEO and co-founder of Anthropic
The AI giant is investigating claims of third-party access to Mythos – Anthropic's most powerful AI model capable of finding thousands of security flaws

The reported unauthorised access to Anthropic's Claude Mythos Preview has raised significant concerns across the technology industry, along with critical questions about enterprise infrastructure security in an era of increasingly powerful AI systems.

According to a Bloomberg report, "a handful of users in a private online forum gained access to Mythos on the same day that Anthropic first announced a plan to release the model to a limited number of companies for testing purposes."

The model represents a significant leap in computational capability. Mythos can identify thousands of vulnerabilities in everyday software and chain together these bugs to create complicated attack sequences capable of compromising platforms.


This prompted Anthropic to restrict its release to major industry players participating in Project Glasswing – a security coalition including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks.

"We're investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments," Anthropic said in a statement.

While the company notes that there is no evidence of access beyond the "vendor environment," the incident highlights a persistent challenge for technology organisations: managing security across complex vendor ecosystems.

Government engagement on infrastructure security

The breach comes as Anthropic CEO Dario Amodei was at the White House on 24 April 2025 to discuss "opportunities of collaboration" regarding the responsible use of Mythos.

After disagreements about the military use of AI in January 2025, he spoke with Treasury Secretary Scott Bessent and White House Chief of Staff Susie Wiles about how the technology could achieve a balance between "advancing innovation and ensuring safety," as per a White House statement.


"Anthropic has also been in ongoing discussions with US government officials about Claude Mythos Preview and its offensive and defensive cyber capabilities," the company blog reads.

The AI pioneer says that "securing critical infrastructure is a top national security priority for democratic countries – the emergence of these cyber capabilities is another reason why the US and its allies must maintain a decisive lead in AI technology."

Enterprise security strategy implications

The incident has prompted Chief Information Security Officers worldwide to reassess their security programmes.

The challenge facing enterprises is fundamentally rethinking security operations in an environment where automated systems can operate at speeds that human teams cannot match.


"If your defensive teams aren't using AI agents, they can't match the speed of AI-augmented threats regardless of their technical skill," notes Rob T. Lee, Chief of Research and Chief AI Officer at SANS Institute.

The solution, Rob says, is to "point AI agents at your own code and find the vulnerabilities before attackers do."

"It's already clear that Claude's Mythos represents a tectonic shift in security," says Sandeep Johri, CEO of Checkmarx.

"And, it isn't the new vulnerabilities it will discover, it's what will happen to the multitude of ones we already know about. Exploiting those vulnerabilities will become dramatically easier for attackers, making what used to require real skill child's play."


Sandeep says that "Project Glasswing is an important effort to address this phenomenon. But the barrier from discovery to exploitation is coming down now making a modern agentic application security practice more crucial than ever for enterprises."

Legacy systems could become particularly vulnerable as automated systems can rapidly identify and exploit known weaknesses, accelerating the need for infrastructure modernisation programmes.

Unauthorised access to Mythos is unwelcome news as security teams scramble to strengthen AI-native defence, with the potential for destructive cyber attacks amplified if bad actors get hold of the technology.

For technology leaders, the incident serves as a reminder that vendor security, infrastructure resilience and automated defence capabilities must all be priorities in enterprise technology strategy.
