anaboo.ai
Brett Alegre-Wood against a dark tech background with headline: AI finds your security flaws faster than you can fix them
← All posts
AI GovernanceAI Tools

AI finds your security flaws faster than you can fix them

11 February 2026Brett Alegre-Wood7 min read
AI CybersecurityClaude MythosAI Agent SprawlAI GovernanceVulnerability ManagementAnthropicBusiness Security
Listen to this article0:00 / 4:46
Two AI hosts discuss this article. Generated from the text.Download

TL;DR

Anthropics's Claude Mythos has crossed a threshold that has central banks and governments in emergency meetings: it finds critical software vulnerabilities (including one hiding in OpenBSD for twenty-seven years) faster than human teams can patch them. According to Fortune, over 99% of the flaws it discovers remain unpatched. Cheap, open-source models are closing the gap fast. And inside your own business, AI agent sprawl is creating attack surfaces most organisations do not even know exist.

What just changed, and why it matters

If you still think AI is primarily a tool for writing emails and generating marketing copy, you are dangerously behind the curve. We have crossed a threshold that has regulators, governments, and the world's largest financial institutions in emergency mode.

Anthropics recently launched a preview of their most capable model ever, codenamed Claude Mythos. This is not a chatbot. It is not a coding assistant. It is being described as an "AI superhacker": a model that can understand, analyse, and modify existing software code at a level previously thought to be years away from reality.

Artificial intelligence has now surpassed human capability in finding deeply hidden, critical vulnerabilities in the software that runs the world. And it is not even close.

The 99% unpatched problem

Here is the headline that should stop you in your tracks: according to Fortune, over 99% of the software vulnerabilities discovered by Claude Mythos remain completely unpatched.

The model is finding critical flaws in every major operating system (including one that had been hiding in OpenBSD for twenty-seven years) far faster than human engineering teams can even triage them, let alone develop, test, and deploy fixes.

The attackers have a machine gun, and the defenders are still loading muskets.

The traditional cybersecurity process (find a flaw, file a ticket, get it into a sprint, test a patch, deploy across the network without breaking anything else) is still slow, manual, and human-driven. It takes weeks or months. The discovery of those flaws is now automated, instantaneous, and relentless.

The implications are so serious that Anthropic co-founder Jack Clark confirmed the company briefed the Trump administration on the model's capabilities. The UK's AI Safety Institute rated Mythos as the most capable model in their benchmarks. Emergency meetings have been convened involving:

  • The Bank of England
  • The Financial Conduct Authority
  • The National Cyber Security Centre
  • HM Treasury
  • The US Treasury (briefing the largest American banks)

This is not a theoretical risk being discussed at academic conferences. It is a live, operational threat.

Why open-source models make this everyone's problem

You might be thinking: Anthropic is restricting access to Mythos, so hackers cannot use it. That is a dangerous assumption.

Anthropics has restricted access through Project Glasswing, a carefully managed programme that has given early access to over forty-five organisations including Apple, Google, Microsoft, AWS, and Nvidia. But the underlying capability is not contained to one company.

Research highlighted by Tom's Hardware shows that cheaper, open-source AI models are already achieving similar results in detecting software vulnerabilities. The barrier to entry for launching sophisticated cyberattacks has plummeted.

You no longer need a team of elite hackers with years of experience to find a zero-day exploit in your systems. You need:

  • An internet connection
  • A consumer-grade GPU
  • An open-source AI model anyone can download

The UK's AI Safety Institute found Mythos to be the most capable in benchmarks, but the gap between frontier models and open-source alternatives is closing rapidly. What costs millions to develop at Anthropic today will be freely available to anyone within months. This is the nature of AI development: capabilities that start at the frontier trickle down to the open-source community at an accelerating pace.

Automated AI agents do not care how big your business is. They can scan the entire internet for vulnerabilities simultaneously, at near-zero marginal cost. Every piece of software your business relies on (your CRM, your accounting software, your custom-built applications, your WordPress website) is now under constant, automated scrutiny from tools that get more powerful every month.

Start here

See where AI fits in your business. Free.

A 45-minute audit. We map the highest-value automations and what they're worth in time and money. No pitch, no pressure.

Is your internal AI sprawl your biggest vulnerability?

The threat is not just from external hackers. It is also internal, and it is growing at an alarming rate.

As businesses rush to deploy AI agents (autonomous software that can execute tasks, make decisions, and interact with other systems without human intervention) they are creating massive new attack surfaces within their own networks. Most of them have absolutely no idea how exposed they are.

A major report from OutSystems found:

  • 96% of enterprises are now using AI agents
  • 94% are concerned about uncontrolled sprawl
  • Only 12% have centralised governance over their AI deployments

Companies are mixing custom-built agents with pre-built ones from different vendors. They are deploying agents across fragmented environments with no standardised security protocols. Different teams are using different tools with different access levels, and nobody has a complete picture of what is happening across the organisation.

Every new agent deployed without proper governance is another potential entry point for an attacker, or another autonomous system making decisions you cannot see, audit, or control. These agents often have broad access permissions because it is easier to give them access to everything than to carefully scope their permissions. That convenience is a security disaster waiting to happen.

The call is coming from inside the house.

Shadow AI is the new shadow IT, and it is far more dangerous because these tools can act autonomously, spawn sub-processes, and interact with external systems without any human in the loop.

Can AI also be your best defence?

Before you start unplugging everything, there is a crucial flip side. The same technology that creates these threats also creates an unprecedented defensive opportunity. The businesses that move fastest to adopt AI-driven security will have a massive competitive advantage over those that continue to rely on outdated, manual approaches.

Traditional cybersecurity relies on annual penetration tests, periodic vulnerability scans, and reactive incident response. You test once, patch what you find, and hope nothing new emerges before the next scheduled test. That model is now completely obsolete.

An AI can scan your entire codebase continuously, identifying new vulnerabilities as they emerge, flagging configuration errors in real time, and even suggesting or generating fixes automatically.

If AI can find the flaw in seconds, you need AI to help you patch it in minutes. Not weeks.

This is not just about protection from external threats. In a world where AI-powered cyberattacks are becoming the norm, businesses that can demonstrate robust, AI-driven security postures will win contracts, attract partners, and retain customers. Security is no longer a cost centre. It is a competitive differentiator.

What this means for businesses in Australia, the UK, and Singapore

If you are a business owner or manager in Australia, the UK, or Singapore, cybersecurity is no longer an IT problem that lives in the server room. It is your most urgent strategic priority.

The barrier to entry for devastating cyberattacks has plummeted. The sophistication of those attacks has skyrocketed. This is not a future risk. It is happening right now.

You need to assume that every piece of software your business relies on has vulnerabilities that a sufficiently advanced AI can now find and exploit in seconds. That is not paranoia. That is the reality that regulators, central banks, and tech leaders are scrambling to address. If the Bank of England and HM Treasury are in emergency meetings about this, you should be paying attention.

The 94% of enterprises that are concerned about AI sprawl but have not yet implemented centralised governance are sitting on a ticking time bomb.

What to do this week

  1. Audit your AI agent inventory. List every AI tool and agent operating inside your business: who deployed it, what systems it can access, and who is accountable for its behaviour. If you cannot answer those three questions for every tool, you have a governance gap.

  2. Kill shadow AI. Implement a policy that requires IT or leadership sign-off before any new AI agent is deployed. Shadow AI is the new shadow IT, and it is more dangerous.

  3. Move from annual pen tests to continuous monitoring. If you are still relying on a once-a-year penetration test, that report is outdated before it is printed. Explore continuous, AI-driven vulnerability monitoring.

  4. Scope agent permissions tightly. Any AI agent operating in your business should have the minimum permissions it needs to do its job, not access to everything because it is convenient. Review and tighten permissions this week.

  5. Brief your leadership team. The Bank of England, HM Treasury, and the US Treasury are treating this as an emergency. Your board or senior team should understand the landscape, not just your IT manager.

  6. Track the open-source model landscape. The frontier is moving fast. What only Anthropic could do six months ago, open-source projects can do today. Subscribe to a source that tracks this: Tom's Hardware and the UK AI Safety Institute publish relevant benchmarks.

Where to from here

Book a free 60-minute AI audit and we'll explore exactly what workflows are worth augmenting with AI.

Live with passion & AI,

Brett

Speaking

Running an event? Put practical AI on your stage.

Keynotes and workshops that send business owners home with a plan they can use Monday morning. No hype.

Book Brett to speak →

Frequently asked questions

What is Claude Mythos and why is it significant for cybersecurity?

+

Claude Mythos is Anthropic's most capable AI model to date, designed to understand, analyse, and modify software code at a level previously thought to be years away. It has surpassed human capability in finding deeply hidden software vulnerabilities, including one that had been hiding in OpenBSD for twenty-seven years.

What does it mean that 99% of vulnerabilities found by Claude Mythos are unpatched?

+

According to Fortune, over 99% of the software vulnerabilities discovered by Claude Mythos remain completely unpatched. The model is finding critical flaws far faster than human engineering teams can triage, test, or deploy fixes. The speed of discovery has completely outstripped the speed of remediation.

What is Project Glasswing?

+

Project Glasswing is Anthropic's carefully managed early-access programme for Claude Mythos. It has given access to over forty-five organisations including Apple, Google, Microsoft, AWS, and Nvidia.

What did the OutSystems report find about AI agent governance?

+

A major OutSystems report found that 96% of enterprises are now using AI agents, 94% are concerned about uncontrolled sprawl, and only 12% have centralised governance over their AI deployments.

Do you need access to Claude Mythos to launch an AI-powered cyberattack?

+

No. Research highlighted by Tom's Hardware shows that cheaper, open-source AI models are already achieving similar results in detecting software vulnerabilities. You no longer need a team of elite hackers. Just an internet connection, a consumer-grade GPU, and a freely downloadable open-source model.

Which governments and regulators have been briefed on Claude Mythos risks?

+

Anthropic co-founder Jack Clark confirmed the company briefed the Trump administration on the model's capabilities. In the UK, emergency meetings were convened involving the Bank of England, the Financial Conduct Authority, the National Cyber Security Centre, and HM Treasury. The US Treasury has also briefed the largest American banks.

How should businesses change their security posture in response to AI-powered threats?

+

Businesses need to move from annual penetration tests to continuous, AI-driven security monitoring. They also need full visibility and centralised governance over every AI agent operating within their network: what it can access, what decisions it can make, and who is responsible for it.

Brett Alegre-Wood, founder of Anaboo
About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.

More on ai governance

Abstract conceptual illustration of a fractured digital human face split into authentic and synthetic halves in deep purple and bright orange tones
AI Ethics
Deepfakes and Your Brand: Protecting Your Name in the AI Era
14 June 2026
Brett Alegre-Wood beside bold text reading Prompting Claude Fable 5 on an Anaboo purple gradient
AI Tools
Prompting Claude Fable 5: Brief It Like a Director, Not a Typist
12 June 2026
A wide, fast road with clear painted edge lines under deep purple and bright orange light, suggesting speed kept safe by guardrails rather than barriers
AI Governance
Control It or Guardrail It: How to Govern AI Without Falling Behind
12 June 2026

WE USE AI: All images are made with programmatic AI (a prompt is used rather than real photos) so when you meet Brett and the team they may look slightly different from these images. This is done to show you what's possible.

Want Augment AIOS in your business?

Free 60-minute audit. We'll show you what's worth automating first.