Key Takeaways:
Anthropic's policy reversal on its powerful Mythos model signals a new era of collaborative defense, forcing a fragile cybersecurity sector to reckon with AI-driven threats that outpace human-led responses.
Anthropic has reversed a key policy for its powerful Mythos AI model, now permitting the roughly 50 companies in its exclusive "Project Glasswing" to share threat intelligence with outside entities. The move, a significant departure from the initial confidentiality agreements, follows pressure from U.S. lawmakers concerned that walling off AI-discovered vulnerabilities could endanger critical infrastructure.
"No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks," Rep. Josh Gottheimer (D., N.J.) wrote in a letter to Anthropic, according to The Wall Street Journal. Gottheimer co-chairs a House Democratic commission on AI.
The initial policy required the large companies and critical infrastructure operators using Mythos to keep its findings confidential. Last week, Anthropic began informing these partners they could now responsibly share information about cyber threats and Mythos's findings. This shift comes as firms like Palo Alto Networks and Mozilla have started to publicize the model's effectiveness, with Mozilla noting Mythos found 271 vulnerabilities in its Firefox browser in a single run.
The debate over Anthropic's policy underscores the core challenge facing the entire technology sector: how to manage the deployment of AI tools that can both build and break digital systems at an unprecedented scale. The capabilities of models like Mythos are fueling what some cybersecurity experts call a "Bugmageddon," an AI-driven flood of vulnerability discoveries that threatens to overwhelm the human-led process of patching and defending networks.
The assumption that exploiting complex software bugs is a rare skill is collapsing. According to a recent Google report, entire attack chains are "increasingly becoming software-defined and executed faster and cheaper than ever before." This trend is not just creating more hacking; it's leading to the industrialization of hacking. CrowdStrike documented an 89 percent year-over-year increase in AI-enabled adversary operations in 2025, a tempo that would be impractical without AI assistance.
The speed of this change is staggering. The Zero Day Clock project, which tracks the time from a patch's release to the appearance of a working exploit, saw the average time fall from 2.3 years in 2018 to just 20 hours in 2026. This acceleration, driven by AI's ability to "patch-diff" and reverse-engineer fixes, leaves organizations with an impossibly small window to remediate flaws.
According to a recent analysis from the Council on Foreign Relations, the diffusion of AI is stress-testing three core assumptions that have underpinned cybersecurity for 30 years. The first is that sophisticated attacks are expensive; AI has made them cheap. The second is that identity systems built for humans could manage non-human agents; that is proving untrue, as automated agents begin to act with unintended consequences.
The final, and most subtle, crack is the removal of human judgment as a backstop. Where an analyst might once have paused at an anomaly, organizations are now automating reviews and approvals to operate at machine speed. This removes a crucial, if informal, layer of defense precisely when it is needed most.
Anthropic's decision to allow broader threat sharing is a tacit acknowledgment of this new reality. For investors, the move signals a permanent shift in the cybersecurity landscape. The initial announcement of Mythos's capabilities caused a drop in cybersecurity stocks, reflecting fears that AI would commoditize security work. The reality is more complex: while AI automates offense, the need for sophisticated, AI-powered defense and robust governance frameworks is creating a new, high-stakes market. The policy change may increase compliance costs for AI leaders like Anthropic and OpenAI, but it also reinforces the value of the entire cybersecurity sector, which must now adapt to a world where both attackers and defenders operate at machine speed.
This article is for informational purposes only and does not constitute investment advice.
