UK government warns every business to prepare for AI cyberattacks

20 April 2026 | Brett Alegre-Wood | 8 min read
Tags: AI Cybersecurity, UK AI Policy 2026, Claude Mythos, Cyber Essentials Certification, IBM Autonomous Security, AI Safety Institute, Frontier AI Threats

TL;DR

The UK Government has issued an unprecedented open letter, co-signed by Secretary of State Liz Kendall and Security Minister Dan Jarvis, warning every business leader in the country about AI-powered cyber threats. Anthropic's Claude Mythos was assessed by the UK AI Safety Institute as "substantially more capable at cyber offence than any model we have previously assessed," and frontier AI capabilities are now doubling every four months, down from every eight months. Mid-sized businesses are the primary target: you hold enough revenue and customer data to be worth attacking, and you almost certainly lack the enterprise-grade defences to stop it. The window to act is narrowing every four months.

What actually triggered the government's open letter?

Last week Anthropic, valued at $380 billion, announced a new model codenamed Claude Mythos. The UK's AI Safety Institute, arguably the most advanced government body in the world for evaluating frontier AI systems, ran Mythos through an extensive battery of cybersecurity benchmarks.

Their conclusion was unambiguous: Mythos is "substantially more capable at cyber offence than any model we have previously assessed."

That single assessment triggered immediate action at the highest levels of government. Secretary of State Liz Kendall and Security Minister Dan Jarvis co-signed an open letter to every business leader in the UK. This is not a routine advisory circular. It is an emergency communication, and ignoring it because you are used to ignoring government letters would be one of the most expensive mistakes you could make this year.

What is the four-month doubling rate and why does it change everything?

The AI Safety Institute revealed a critical statistic alongside its Mythos assessment: frontier AI model capabilities are now doubling every four months. Previously, the doubling rate was every eight months. The pace of advancement has itself doubled.

Here is what that means in concrete terms for your business:

  • AI models available to attackers today are twice as capable as they were in December 2025
  • By August 2026, they will be twice as capable again
  • By Christmas 2026, they will be four times as capable as they are right now

This is not a linear progression of cyber threats. It is an exponential explosion of automated, highly sophisticated offensive capability that is outpacing every defensive measure most businesses currently have in place.

The traditional model of cybersecurity, where a human hacker spends weeks or months probing your defences for a vulnerability, is effectively dead.

A new generation of AI models can now do work that previously required rare, elite expertise: scanning your entire digital infrastructure for weaknesses, writing custom exploit code, and executing coordinated attacks at a speed and scale that was physically impossible twelve months ago.

What did Claude Mythos actually find during testing?

Mythos did not find theoretical vulnerabilities in a lab environment. According to industry reports, it found thousands of critical security flaws in operating systems and web browsers used by millions of businesses every single day.

In one staggering example, Mythos identified a critical vulnerability in OpenBSD, one of the most security-focused operating systems in the world, that had gone completely undetected by human engineers for twenty-seven years. Thousands of the best cybersecurity minds on the planet had scrutinised that software for nearly three decades. An AI model found the flaw almost instantly.

Now consider what an AI model like that could find in your company's custom-built CRM, your outdated accounting software, or your WordPress website that has not been updated since last year. The answer is almost certainly something exploitable. And the AI does not get tired, does not take weekends off, and does not charge by the hour. It can scan millions of systems simultaneously at near-zero marginal cost.

Why are mid-sized businesses the primary target?

"Criminals will not just target government systems and critical infrastructure. They will target ordinary companies, of every size, in every sector. Attackers go where defences are weakest." (UK Government open letter)

You have enough revenue to be worth extorting. You hold enough customer data to be worth stealing. But you almost certainly do not have the enterprise-grade, AI-powered defensive systems of a major bank or a tech giant. That gap is exactly where the attackers are operating.

The barrier to entry for launching a devastating cyberattack has collapsed to near zero. Hackers no longer need to be technical geniuses with years of specialist training; they just need access to the right AI model. While Anthropic is tightly controlling access to Mythos through its Project Glasswing programme, giving 45 organisations including Apple, Google, Microsoft, and AWS early access, the open-source community is moving fast. Cheaper, widely available models are already achieving similar results in detecting software vulnerabilities. It is only a matter of time before these capabilities are in the hands of every criminal operation on the planet.

The attacks targeting mid-sized businesses are not all headline-grabbing ransomware events. The quiet, automated attack that nobody notices until it is too late is the real danger for most organisations:

  • AI-powered phishing emails indistinguishable from genuine communications
  • Automated credential-stuffing attacks testing millions of stolen password combinations against your login pages in minutes
  • Deepfake voice calls impersonating your CEO and instructing your finance team to transfer funds

None of these are science fiction. All of them are happening right now, and the AI models powering them are getting more capable every four months.

What are the major institutions doing in response?

The scale of the institutional response tells you exactly how serious this is.

OpenAI announced it is scaling up its Trusted Access for Cyber programme, acknowledging that AI's accelerating impact on cybersecurity extends well beyond any single company or model.

IBM has launched "Autonomous Security", a multi-agent-powered cybersecurity service designed specifically to counter threats from weaponised frontier AI models. As IBM Consulting's Global Managing Partner of Cybersecurity Services Mark Hughes stated: "Frontier models are creating a new category of enterprise threat that is fast moving, systemic and increasingly autonomous. AI powered offence demands AI powered defence."

UK regulators are in emergency mode. The Bank of England, the Financial Conduct Authority, the National Cyber Security Centre, and HM Treasury have all convened urgent meetings through the Cross-Market Operational Resilience Group to assess the systemic risks posed by these new models. The Cyber Security and Resilience Bill is currently being pushed through Parliament to strengthen protections for critical services and digital infrastructure.

Here is the uncomfortable truth: government action and enterprise-grade solutions from IBM are not going to trickle down to your business fast enough. The big banks and tech giants will have AI-powered defensive systems in place within months. If you are running a mid-sized business with 20 to 500 employees, you are on your own for now, and the attackers know it.

Does this apply to Australian and Singapore businesses?

Yes. This threat is not geographically contained to the UK.

The Australian Signals Directorate has been warning for months that small and medium enterprises are increasingly targeted by sophisticated, automated cyber campaigns. The Australian Government's own cybersecurity strategy acknowledges that the threat landscape is evolving faster than most businesses can adapt, and the introduction of AI-powered offensive tools has accelerated that timeline dramatically. Whether you are operating in Sydney, Melbourne, or Brisbane, you face the same exponential threat curve as a business in London or Manchester.

In Singapore, the Monetary Authority of Singapore has been at the forefront of AI risk management with its Project MindForge toolkit, but that framework is primarily designed for large financial institutions. The average SME in Singapore does not have the resources or expertise to implement enterprise-grade AI security on its own. The gap between what large organisations can afford to deploy and what most businesses actually have in place is widening every single month. That gap is precisely where attackers are operating.

What do you need to do about it?

Make cybersecurity a board-level priority immediately. If your board or management team has not discussed cyber risk at your most recent meeting, you are failing in your duty to your business, your employees, and your customers. This is no longer an IT issue you can delegate to a junior staff member. It is an existential threat to your business continuity. Review the Cyber Governance Code of Practice and ensure your organisation is aligned with its principles. Every person in your leadership team needs to understand the threat landscape and their role in defending against it.

Get the basics right now. Most successful cyberattacks, even those powered by AI, still exploit simple weaknesses: outdated software, weak passwords, unpatched systems, and missing backups. The government is strongly urging every business to obtain Cyber Essentials certification. It is not expensive, it is not overly difficult, and it provides a baseline level of protection against the most common automated attacks. If you do not have Cyber Essentials, you are effectively leaving your front door unlocked in a neighbourhood where the burglars now have AI-generated master keys.

Rethink your defensive posture entirely. Annual penetration tests and static defences are no longer sufficient. If offensive capabilities are doubling every four months, your defensive capabilities need to evolve at the same pace. You need continuous, AI-driven security monitoring that works around the clock to detect and neutralise threats before they can execute. You need to fight AI with AI, and you need to start now.

What to do this week

  1. Put cyber risk on the agenda for your next board or leadership meeting, not as an IT update, but as an existential business risk requiring a named owner and a response plan.
  2. Check your Cyber Essentials status. If you are not certified, start the process this week. The NCSC website lists accredited assessment bodies.
  3. Audit your software estate for anything unpatched or end-of-life: your CRM, accounting platform and website CMS. These are primary targets for automated AI scanning.
  4. Brief your finance and senior leadership team on CEO impersonation fraud via deepfake audio. Establish a verbal verification protocol for any instruction to transfer funds.
  5. Assign ownership of the Cyber Governance Code of Practice across your leadership team. Every principle needs a named accountable person.
  6. Get a quote for continuous security monitoring if you do not already have it. Static, annual-review security is now a liability, not a protection.

Live with passion & AI,

Brett

Frequently asked questions

What is Claude Mythos and why is it significant for cybersecurity?

Claude Mythos is a frontier AI model announced by Anthropic, valued at $380 billion. The UK AI Safety Institute tested it extensively against cybersecurity benchmarks and concluded it is "substantially more capable at cyber offence than any model we have previously assessed," prompting the UK Government's emergency open letter to business leaders.

What does the four-month doubling rate mean for my business?

The UK AI Safety Institute revealed that frontier AI model capabilities are now doubling every four months; previously the rate was every eight months. In practical terms, AI models available to attackers today are twice as capable as they were in December 2025, and by Christmas 2026 they will be four times as capable as right now.

What vulnerability did Claude Mythos find in OpenBSD?

During testing, Claude Mythos identified a critical security vulnerability in OpenBSD, one of the world's most security-focused operating systems, that had gone completely undetected by human engineers for twenty-seven years, demonstrating the ability of frontier AI to find flaws that thousands of expert cybersecurity professionals had missed.

What is Cyber Essentials certification and does my business need it?

Cyber Essentials is a UK Government-backed certification scheme that provides a baseline level of protection against the most common automated cyberattacks. The government is strongly urging every business to obtain it. It is not expensive or overly difficult to achieve and directly addresses the weaknesses (outdated software, weak passwords, unpatched systems) that most AI-powered attacks exploit first.

What is IBM's Autonomous Security initiative?

IBM launched Autonomous Security as a multi-agent-powered cybersecurity service designed specifically to counter threats from weaponised frontier AI models. IBM Consulting's Global Managing Partner of Cybersecurity Services Mark Hughes described the rationale as: "Frontier models are creating a new category of enterprise threat that is fast moving, systemic and increasingly autonomous. AI powered offence demands AI powered defence."

What is Project Glasswing and does it protect my business?

Project Glasswing is Anthropic's controlled early-access programme for Claude Mythos, giving 45 organisations including Apple, Google, Microsoft, and AWS early access to the model. It does not protect your business; it controls who gets access to Mythos. Cheaper open-source models are already achieving similar vulnerability-detection results, meaning these capabilities will reach criminal operators regardless.

Does the UK government's AI cybersecurity warning apply to businesses in Australia and Singapore?

Yes. The Australian Signals Directorate has been warning for months that SMEs are increasingly targeted by sophisticated automated cyber campaigns, and the Australian Government's own cybersecurity strategy acknowledges AI-powered offensive tools have accelerated the threat timeline. In Singapore, the Monetary Authority of Singapore's Project MindForge toolkit exists but is primarily designed for large financial institutions, leaving average SMEs exposed.

Brett Alegre-Wood, founder of Anaboo
About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
