Mythos and the Defender

3/30/2026 10 min

tl;dr — A leaked AI model called Mythos just changed the threat model for every organization on the planet. The press is focused on how it helps attackers. I’m more interested in what it means for defenders, and why most of your security vendors aren’t ready for either side.


Last Wednesday, Anthropic accidentally published a draft blog post about a model they weren’t ready to announce. The post was sitting in an unsecured, publicly searchable data store. An AI company whose model scores off the charts on cybersecurity benchmarks leaked via a misconfigured CMS. You’d think someone would have pointed the model at their own infrastructure first.

I’ll let the irony breathe for a second. Delicious.

I won’t linger too much on the specifics of the leak — they’re covered plenty elsewhere. Here’s the gist:

The model is called Mythos, internal codename Capybara. It’s a tier above anything currently available, with dramatically higher scores on coding, reasoning, and cybersecurity benchmarks. Anthropic’s own assessment, which they’ve been sharing with government officials behind closed doors, is that Mythos makes large-scale cyberattacks “much more likely” by enabling agents to “work on their own with wild sophistication and precision to penetrate corporate, government and municipal systems.”

That’s not a journalist’s spin. That’s Anthropic describing their own product.

The cybersecurity press reacted exactly how you’d expect. “Hacker’s dream weapon.” Cybersecurity stocks are tanking. Everyone’s writing about what attackers can do with this.

Almost nobody is talking about what defenders can do with it.

The tempo problem

Here’s what actually changed. It’s not capability. It’s speed.

A human attacker running a penetration test (or, worse, an actual adversary) moves through a kill chain over days or weeks. Really, hours at best. Reconnaissance, initial access, lateral movement, persistence, exfiltration. Each phase involves manual analysis, coffee breaks, context switching, sleep. There are natural speed limits on how fast a human can compromise an environment, even a skilled one.

An agentic attacker (an AI model orchestrating tools autonomously) compresses that same kill chain into minutes to hours. It doesn’t sleep. It doesn’t lose context (well, ok, I mean, obviously LLMs lose capital c Context — but not quickly, and there are workarounds to help, and the context window for Mythos is quite large). It can run parallel reconnaissance across every attack vector simultaneously and synthesize findings in real time. What a red team does in a week, an agent does in an afternoon.

Now here’s the part that should keep you up at night: most of your defensive infrastructure is calibrated for human-speed attackers.

Your SOC’s alert triage workflow assumes hours of dwell time between initial access and lateral movement. Your SOAR playbooks page a human and wait for triage. Your SIEM correlates events on 5-15 minute ingestion cycles. Your incident response procedures assume you’ll have time to assemble a war room.

An agentic attacker that achieves initial access and moves laterally in under 10 minutes breaks every one of those assumptions. Detection-to-response latency becomes the only metric that matters, and most organizations measure theirs in hours, not minutes.

Asymmetry at 11 (it’s one more, innit?)

Security has always been asymmetric. Attackers only have to find one way in; defenders have to cover every possible entry point. That’s not new.

What’s new is the multiplication factor.

A human attacker finds one way in through skill, persistence, and some luck. An agentic attacker doesn’t find one way in. It evaluates every way in, simultaneously, with genuine reasoning about which paths are most likely to succeed based on the specific target’s architecture. It doesn’t just try more things faster. It tries smarter things faster.

And when it gets blocked, it adapts. Not by cycling through a wordlist, but by reasoning about why it was blocked and generating a novel approach. WAF caught the payload? Analyze the rejection pattern, infer the WAF vendor from behavioral signatures, generate an evasion strategy specific to that vendor’s rule engine. Credential stuffing failed? Pivot to analyzing the target’s public API behavior to infer IAM misconfigurations that don’t require credentials at all.

The attacker’s traditional advantage (initiative and surprise) combined with machine-speed iteration and genuine reasoning capability doesn’t just tilt the asymmetry further. It might fundamentally break the model that defensive security has operated under for decades: that a well-resourced defender can make exploitation cost-prohibitive through friction and depth. It’s the Pyramid of Pain. But now we’re dealing with a machine that doesn’t feel pain or frustration.

When the attacker’s cost per attempt approaches zero and their reasoning quality approaches expert-level, friction-based defense stops working. You can’t make it expensive enough.

I want to be wrong about this. I don’t think I am.

The defender gets Mythos too

Doom and despair out of the way, here’s the good news: this isn’t one-sided.

The attacker has Mythos. The defender also has Mythos. And the defender has something the attacker doesn’t: full internal visibility.

An attacker, no matter how capable, reasons from the outside in. They infer architecture from public signals. They guess at internal topology based on external behavior. They work with incomplete information, always.

A defender with an agentic AI has access to every system configuration. Every piece of internal source code. Every current library version in use. Every log. Every identity event. Every configuration change. Every network flow. Every authentication attempt. The complete and total picture. A Mythos-class model reasoning over that telemetry in real time isn’t just a faster analyst, it’s something that hasn’t existed before in security operations.

Think about what an experienced SOC analyst does on a good day with enough context: they connect dots across disparate data sources. “This service account in our cloud environment just did something it’s never done before. 40 minutes ago there was a failed auth attempt from an IP that showed up in last week’s certificate transparency scan. These might be related.” That’s the kind of insight that catches real attacks, and it happens maybe a few times a month because humans can only hold so much context, and frankly can’t give their full attention to all the logs at once.

An agentic defender can make that connection every time. Across every data source. Continuously.

An agentic defender can do a deep analysis of your infrastructure, code, and libraries and point out where the vulnerabilities are and how to fix them before your systems are even online.

The asymmetry is real. But the defender has a counterweight that’s never been available before: an AI that can reason about the entire defensive surface at once, continuously, with full context. That doesn’t eliminate the asymmetry. The attacker still picks the time, the place, and the method. But it compresses the gap and helps close a lot of holes before they even exist.

Whether it compresses it enough is the open question.

Your vendors aren’t ready

I’ve been evaluating security vendors while all of this is unfolding, and here’s what I can tell you: most of them are not thinking about this yet. If you ask them about AI, at best they’ll tell you about their super nifty chatbot that will help you .

Ask your MDR provider what their detection-to-response latency is for an automated attack that completes its kill chain in under 10 minutes. Not their SLA for acknowledging an alert, the actual elapsed time from malicious activity to containment action. If the answer involves a human analyst triaging the alert, they’re not ready.

Ask your CSPM vendor whether their posture scans run on a schedule or produce real-time events. If they scan hourly and an agentic attacker can exploit a misconfiguration within minutes of it being introduced, that scan is a historical record, not a defensive tool.

Ask your WAF vendor whether their detection feeds can be consumed programmatically for automated response, or whether they expect you to watch a dashboard. An agentic attacker targeting your APIs doesn’t care about your dashboard.

Ask every vendor this: What is your roadmap for autonomous defensive capability? Not a chatbot. Not “AI-powered detection.” Actual autonomous reasoning about threats and automated response.

The vendors who understand the question will give you a real answer. Maybe it’s “we’re building it,” maybe it’s “we expect the customer to build the orchestration layer.” Both are valid. The vendors who respond with marketing language about their existing AI features are telling you they haven’t thought about this yet.

You’re not buying tools anymore. You’re buying telemetry sources that need to feed a unified defensive intelligence layer. The vendors that expose rich, real-time event streams with good APIs are the ones worth investing in. The vendors that want you to live inside their dashboard are building walled gardens that can’t participate in agentic defense.

Choose accordingly.

What defenders should be doing right now

If you have access to a frontier-class model — and increasingly, you do — here’s where to start thinking:

Cross-source correlation. Your security tools operate in silos. Your MDR sees endpoints. Your CSPM sees cloud posture. Your WAF sees API traffic. Your identity provider sees auth events. At best, you have a SIEM trying to aggregate all the logs and analyze them, but really, no single tool sees the full picture. A reasoning model that ingests enriched events from all of them and looks for connections across sources is the highest-value application of AI in defensive security today. You don’t need a product for this. You need a model, your telemetry feeds, and a well-designed prompt architecture.

Behavioral baseline reasoning. Static rules catch known patterns. ML classifiers catch statistical anomalies. A reasoning model can go further: “This service account has never called this API before, and the timing correlates with an unusual certificate issuance. Is this a deployment change or a compromise?” That kind of contextual judgment has always required a senior analyst who’s really on his game when it happens. It doesn’t anymore.
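To make the two points above concrete, here is an added example (not from the original post) of the deterministic pre-correlation step that would assemble candidate links for a reasoning model: it flags first-seen actions against a baseline and looks back for watchlisted-IP events on the same identity from a different source. The event schema, baseline, watchlist, 60-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # look-back window (assumed value)
# Constructed baseline of (entity, action) pairs seen before.
BASELINE = {("svc-deploy", "s3:GetObject"), ("svc-deploy", "ecr:PutImage")}
WATCHLIST_IPS = {"203.0.113.7"}  # constructed: IPs flagged by an earlier scan

EVENTS = [  # constructed sample, already normalised to one schema
    {"ts": "2026-03-30T09:00:00", "source": "idp", "entity": "svc-deploy", "action": "auth_failed", "ip": "203.0.113.7"},
    {"ts": "2026-03-30T09:10:00", "source": "idp", "entity": "alice", "action": "auth_failed", "ip": "198.51.100.4"},
    {"ts": "2026-03-30T09:38:00", "source": "cloud_audit", "entity": "svc-deploy", "action": "s3:GetObject", "ip": "10.0.4.12"},
    {"ts": "2026-03-30T09:40:00", "source": "cloud_audit", "entity": "svc-deploy", "action": "iam:CreateAccessKey", "ip": "10.0.4.12"},
    {"ts": "2026-03-30T09:45:00", "source": "cloud_audit", "entity": "build-bot", "action": "iam:ListRoles", "ip": "10.0.4.20"},
]

def correlate(events, baseline, watchlist, window=WINDOW):
    """Pair each never-before-seen cloud action with earlier watchlisted-IP
    events for the same entity that arrived from a different source."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(evs):
        if ev["source"] != "cloud_audit" or (ev["entity"], ev["action"]) in baseline:
            continue  # only novel behaviour opens a finding
        related = [p for p in evs[:i]
                   if p["entity"] == ev["entity"]
                   and p["source"] != ev["source"]
                   and p["ip"] in watchlist
                   and ev["ts"] - p["ts"] <= window]
        findings.append({
            "entity": ev["entity"],
            "novel_action": ev["action"],
            "sources": sorted({ev["source"], *(p["source"] for p in related)}),
            "gap_minutes": [int((ev["ts"] - p["ts"]).total_seconds() // 60) for p in related],
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS, BASELINE, WATCHLIST_IPS):
        print(finding)
```

A finding with two sources is the cross-silo link the analyst in the earlier anecdote spots by hand; a finding with one source is only a baseline deviation and needs more context before anyone treats it as an incident.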

Automated investigation, not just automated response. Before you give an AI the authority to isolate hosts and revoke credentials, give it the authority to investigate. Let it enrich alerts, pull related logs, check behavioral baselines, and assemble a complete evidence package. Then present that package to a human for the decision. You get 90% of the speed benefit without the risk of autonomous action on a false positive.

Adversarial resilience. If you deploy an agentic defender, understand that it becomes a target, too. An attacker who knows you have AI-driven defense will try to poison your telemetry, inject false signals, or overwhelm the model with noise. When noise becomes your baseline, then signal starts to look like noise, too. Design for this from the start. Cross-validate across independent sources. Treat all telemetry as untrusted input. Don’t let the defender act on a single source’s data for high-consequence decisions.
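One way to enforce the last two points, as an added example that is not from the original post: a policy gate that always permits investigative steps but holds host isolation or credential revocation until the evidence comes from at least two independent collection paths and a human has approved. The action names, the `ORIGIN` mapping and the two-witness threshold are assumptions.

```python
# Actions named in the text, split by consequence. The split is an assumption.
INVESTIGATE = {"enrich_alert", "pull_related_logs", "check_baseline"}
HIGH_CONSEQUENCE = {"isolate_host", "revoke_credentials"}

# Hypothetical map from telemetry feed to the collection path it depends on.
# Feeds that share a path can be poisoned together, so they count as one witness.
ORIGIN = {
    "edr": "endpoint_agent",
    "process_logs": "endpoint_agent",
    "idp": "identity_provider",
    "cloud_audit": "cloud_control_plane",
    "waf": "edge_proxy",
}

def independent_witnesses(evidence):
    """Distinct collection paths behind the evidence; unmapped feeds count for nothing."""
    return {ORIGIN[e["source"]] for e in evidence if e["source"] in ORIGIN}

def decide(action, evidence, human_approved=False, min_witnesses=2):
    """Return allow / deny / investigate_more / await_human for a proposed action."""
    if action in INVESTIGATE:
        return "allow"                 # read-only work never waits
    if action not in HIGH_CONSEQUENCE:
        return "deny"                  # default-deny anything unlisted
    if len(independent_witnesses(evidence)) < min_witnesses:
        return "investigate_more"      # single-path evidence may be poisoned
    return "allow" if human_approved else "await_human"

if __name__ == "__main__":
    same_path = [{"source": "edr"}, {"source": "process_logs"}]   # constructed
    two_paths = [{"source": "edr"}, {"source": "idp"}]            # constructed
    print(decide("isolate_host", same_path))        # one witness
    print(decide("isolate_host", two_paths))        # corroborated, needs a human
    print(decide("isolate_host", two_paths, True))  # corroborated and approved
```

Counting collection paths rather than feed names is the important detail: two dashboards fed by the same endpoint agent are a single point of poisoning, however many alerts they raise.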

Mythos-generated honeypots. Here’s where it gets fun. Just as a Mythos-based attack can work on poisoning your monitoring data, a Mythos-based defender can work on poisoning your environment. If an agentic attacker has to interact with your environment to compromise it, you can make that environment lie. Use a Mythos-class model to generate honeypots specifically designed to be convincing to a Mythos-class attacker: realistic-looking credentials that trigger alerts when used, fake internal services that behave just plausibly enough to waste an agent’s time and burn its context window, API endpoints that return data shaped exactly like what an attacker would hope to find. Traditional honeypots fool scripts. AI-generated honeypots can fool AI. You’re turning the attacker’s own reasoning capability against it, because the same model that makes the attacker dangerous is the same model that knows what a dangerous attacker would find tempting.

The honest reckoning

I don’t know how this all plays out yet. No one does. But it’s interesting.

The asymmetry might be worse than I think. Machine-speed attackers with expert-level reasoning and near-zero marginal cost per attempt might outpace any defensive capability we can build, AI-assisted or not. The “attacker only has to win once” problem might go from hard to impossible.

Or the defender’s advantage (full internal visibility, legitimate access to every data source, the ability to reason about the complete picture) might be enough to close the gap. An agentic defender that catches what a human analyst would miss, at a speed that matches the attacker’s tempo, might restore a defensible equilibrium. Even in spite of the enhanced attack capabilities.

What I do know is that the worst position to be in is pretending the threat model hasn’t changed. If you’re a security practitioner, your vendors need to hear these questions. Your architecture needs to account for machine-speed adversaries. And you need to start thinking about AI not as a tool the attacker uses against you, but as a capability you wield in your own defense.

The attacker gets Mythos. The defender gets Mythos. The question is who builds the better architecture around it.

I know which side I’m building for.
