Cybersecurity

Those who have tried Mythos say it’s the best thing that could have happened to cybersecurity

Sam Curry, Zscaler’s CISO (Chief Information Security Officer), has spoken out, and he did not hesitate to describe the newcomer as a genuine revolution

by Giancarlo Calzetta


Translated by AI
Versione italiana

Mythos, Anthropic’s AI model which has proved exceptionally adept at identifying vulnerabilities, is the talk of the town. Initially made available to a small number of companies (grouped under the ‘Glasswing project’) to help secure critical US systems, it has recently been withdrawn from use due to national security concerns. Those who have tried it, however, are enthusiastic about it and say it is the best thing that could have happened to cybersecurity.

We know this because, during Zenith Live 2026 – Zscaler’s annual event held in Vienna – we had the chance to have a chat with Sam Curry, the company’s CISO (Chief Information Security Officer), who did not hesitate to describe the new product as a genuine revolution for the cybersecurity sector, hailing its ability to transform it from the ground up.


In today’s cybersecurity landscape, Zscaler’s Chief Information Security Officer is responsible for managing one of the world’s largest and most critical cloud infrastructures, acting as a genuine global authorisation system through which every single transaction carried out by major international organisations passes.

With such a responsibility, it is no surprise that for the past few weeks he has been devoting much of his time to what has been presented as an apocalyptic threat, and he said he was surprised to discover that it is, in fact, a godsend. Like any self-respecting, highly specialised nerd, when he talks about Mythos, he doesn’t describe it as a mere technological evolution, but as a revolution comparable to the introduction of Kali Linux to the world of penetration testing. Its capabilities, in fact, are truly superhuman. Mythos does not merely identify individual vulnerabilities, but entire exploit chains, linking medium and low-risk vulnerabilities that together become critical, and writing attack code in real time. It is as if, when organising bank robberies, the AI system were not only capable of opening the safe, but also of planning the rest of the heist: from identifying accomplices, to the route to the vault, right through to making a getaway with the loot. And the factors that set it radically apart from software that has hitherto represented the cutting edge in vulnerability hunting, such as Qualys or Rapid7, are accuracy and volume: whilst the latter often have a true positive rate of around twenty per cent, Mythos achieves 82 per cent, making almost every alert a real and demonstrable threat. It should also be noted that whereas previously 10 vulnerabilities were found per month, Mythos now finds at least 100 (of which 82 are dangerous).

This transformation is radically changing the relationship between humans and machines in the field of cyber-attacks, marking the shift from an era in which artificial intelligence assisted humans to one in which humans assist artificial intelligence in complex, collaborative attacks. “For businesses,” says Curry, “this means having to deal with an unprecedented volume of patches and updates; whereas previously they might have handled just a few critical updates a week, with Mythos they will have to manage dozens or hundreds every day, putting a severe strain on the operational continuity of many organisations that are not structured to cope with such a pace.” Security posture will have to be impeccable, with particular attention paid to the fact that no one will be able to keep up, at least initially, and that, consequently, extensive use of best practices will be required to prevent damage from intrusions. One such approach, and his preferred one, is Zero Trust. Admittedly, this approach was first theorised and brought to market by Zscaler itself, but despite the apparent conflict of interest, Zero Trust architecture has been recognised as one of the fundamental building blocks for achieving the highest level of protection.

Mythos threatens to kill the C++ programming language

Other key points that emerged from the discussion relate to technical debt and the choice of programming languages. In the CISO’s experience, it has become imperative to move away from languages such as C++ in favour of alternatives that manage memory more securely, such as Rust, Go or Swift, in order to eliminate at source entire classes of vulnerabilities that Mythos is able to exploit with ease. Furthermore, the impact of Mythos is, paradoxically, improving internal collaboration between security and software engineering teams. In the past, security teams had to struggle to prove the validity of their findings amidst numerous false positives; today, Mythos’s extreme precision allows them to present irrefutable evidence, leading developers to involve security teams in the early stages of the software development process. Whilst some areas, such as governance and compliance, will see a reduction in staff numbers thanks to automation, security operations will likely require more human experts to manage the enormous flow of genuine signals generated by artificial intelligence. “We are witnessing,” says Curry, “a global reset of the concept of acceptable risk. Practices that were once the preserve of the few, such as multi-factor authentication and the zero-trust approach, are now the minimum requirement for staying in the game in a world where the speed at which cutting-edge models are evolving has exceeded all expectations, turning five-year plans into urgent needs to be addressed within a matter of weeks.”
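As an added illustration of the memory-safety point above (example code written for this page, not code from Curry, Zscaler or Anthropic): a parser for a constructed `u16 length || payload` record format in safe Rust. Every slice access is bounds-checked, so a length field that lies about the payload size produces an error instead of an out-of-bounds read. That is the class of defect the unchecked C/C++ pattern `memcpy(out, p + 2, len)` commits silently when `len` is never validated, and the class the CISO says a move to Rust, Go or Swift removes at source.

```rust
// Added example (not from the article): a length-prefixed record parser in
// safe Rust. `get(..)` returns None instead of reading past the buffer, so a
// lying length field becomes a reported error rather than memory corruption.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The record claimed `needed` bytes but only `available` were present.
    Truncated { needed: usize, available: usize },
    Empty,
}

/// Parse one `u16 big-endian length || payload` record from `input`.
/// Returns the payload and the remaining, unparsed bytes.
pub fn parse_record(input: &[u8]) -> Result<(&[u8], &[u8]), ParseError> {
    if input.is_empty() {
        return Err(ParseError::Empty);
    }
    // Bounds-checked header read: a one-byte input cannot index [1].
    let header = input.get(..2).ok_or(ParseError::Truncated {
        needed: 2,
        available: input.len(),
    })?;
    let len = u16::from_be_bytes([header[0], header[1]]) as usize;
    let body = &input[2..];
    // Bounds-checked payload read: the attacker-controlled `len` is never trusted.
    let payload = body.get(..len).ok_or(ParseError::Truncated {
        needed: len,
        available: body.len(),
    })?;
    Ok((payload, &body[len..]))
}

/// Parse every record in `input`; stops at the first malformed one and reports it.
pub fn parse_all(mut input: &[u8]) -> Result<Vec<Vec<u8>>, ParseError> {
    let mut out = Vec::new();
    while !input.is_empty() {
        let (payload, rest) = parse_record(input)?;
        out.push(payload.to_vec());
        input = rest;
    }
    Ok(out)
}

fn main() {
    // Constructed sample: two well-formed records, then a record whose length
    // field (0xFFFF) claims far more bytes than the single one that follows.
    let good = [0x00, 0x03, b'a', b'b', b'c', 0x00, 0x01, b'z'];
    println!("{:?}", parse_all(&good));
    let lying = [0x00, 0x03, b'a', b'b', b'c', 0xFF, 0xFF, b'z'];
    println!("{:?}", parse_all(&lying));
}
```

The design choice worth noting is that the unchecked read is not merely discouraged here: writing it would require an `unsafe` block, which is exactly the kind of code review hook that lets a security team audit the few places where the compiler's guarantees are waived.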

What might the solutions be?

Curry is a very down-to-earth person and doesn’t mince his words: the first few months, while criminals get their hands on ‘Mythos-like’ systems, will be chaos because not everyone will be ready. The implementation of zero-trust architecture, once complex and reserved solely for large organisations, is now much more straightforward and guarantees an excellent level of protection even in the event of a breach. Raising companies’ security posture by concealing the points that criminals might attack is another recommended practice, but the one that brought a smile to the CISO’s face as he spoke to me about it is a trap for attacking AIs. “The idea is to create a small, fake network – itself managed by AI – into which attackers are lured, causing them to use up tokens (the currency used to power the AI). After a few hours of running round in circles, the attacker will have used up the budget they intended to allocate to the attack and will withdraw,” concludes Curry. It’s almost a science-fiction scenario, but the time seems to be drawing nearer every day…
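One simple way to build the decoy described above, as an added example that is neither Zscaler's design nor the AI-managed network Curry mentions: a stateless "maze" of fake internal pages whose links are derived from a keyed hash of the current path, so a crawler always finds more plausible pages below the one it is on, revisits look consistent, and nothing outside the decoy prefix is ever linked. The prefix `/internal-legacy/`, the directory names, the secret and the fan-out are constructed values. Because no legitimate page links into the prefix, any request under it is a high-fidelity alert, and the depth reached separates an automated crawler burning its budget from a human who followed one stray link.

```rust
// Added example, not code from the article, Zscaler or Anthropic: a stateless
// decoy "maze". Every page under DECOY_PREFIX links to `fanout` further pages
// whose names come from a keyed hash of the current path, so the maze is
// endless, consistent across revisits, and needs no stored state.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Constructed prefix; nothing real is served under it, so any hit is a signal.
pub const DECOY_PREFIX: &str = "/internal-legacy/";

/// Constructed directory names chosen to look like an old intranet.
const NAMES: [&str; 6] = ["backup", "reports", "hr", "finance", "archive", "admin"];

#[derive(Debug, PartialEq, Clone)]
pub struct DecoyPage {
    pub path: String,
    pub links: Vec<String>,
}

/// Keyed hash: the secret keeps the layout unpredictable to the visitor.
/// DefaultHasher::new() uses fixed keys, so it is deterministic within a process.
fn keyed_hash(secret: &[u8], path: &str, salt: u64) -> u64 {
    let mut h = DefaultHasher::new();
    secret.hash(&mut h);
    path.hash(&mut h);
    salt.hash(&mut h);
    h.finish()
}

pub fn is_decoy_path(path: &str) -> bool {
    path.starts_with(DECOY_PREFIX)
}

/// Directory levels below the prefix; deep paths indicate automated crawling.
pub fn maze_depth(path: &str) -> usize {
    match path.strip_prefix(DECOY_PREFIX) {
        Some(rest) => rest.split('/').filter(|s| !s.is_empty()).count(),
        None => 0,
    }
}

/// Build the decoy page for `path`, or None if the path is outside the maze
/// (real requests are never answered with decoy content).
pub fn decoy_page(secret: &[u8], path: &str, fanout: usize) -> Option<DecoyPage> {
    if !is_decoy_path(path) {
        return None;
    }
    let base = format!("{}/", path.trim_end_matches('/'));
    let links = (0..fanout as u64)
        .map(|i| {
            let h = keyed_hash(secret, &base, i);
            let name = NAMES[(h % NAMES.len() as u64) as usize];
            // Child links always extend the current path, so they stay in the maze.
            format!("{}{}-{:04}/", base, name, h % 10_000)
        })
        .collect();
    Some(DecoyPage { path: base, links })
}

/// Alert text for a request into the maze; None for ordinary traffic.
pub fn alert_for(client: &str, path: &str) -> Option<String> {
    if !is_decoy_path(path) {
        return None;
    }
    let depth = maze_depth(path);
    let kind = if depth >= 3 { "automated crawl" } else { "stray click" };
    Some(format!("decoy hit from {}: depth {} ({})", client, depth, kind))
}

fn main() {
    let secret = b"constructed-secret-rotate-me";
    let mut path = DECOY_PREFIX.to_string();
    // Simulate a crawler that always follows the first link for a few hops.
    for _ in 0..4 {
        let page = decoy_page(secret, &path, 3).unwrap();
        println!("{} -> {:?}", page.path, page.links);
        path = page.links[0].clone();
    }
    println!("{}", alert_for("203.0.113.7", &path).unwrap());
}
```

Rotating the secret changes the whole layout without touching any stored state, and the alert can be fed to the SOC as-is: ordinary users never reach these paths, so unlike a vulnerability-scanner finding there is nothing to triage, only a client to contain.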
