AISI tests Anthropic's Claude Mythos Preview, UK businesses urged to act

The UK AI Security Institute (AISI) has published an evaluation of Anthropic's new Claude Mythos Preview, finding that the AI model represents a significant advancement in autonomous cybersecurity capabilities. Since tracking began in 2023, the AISI has noted a rapid progression from basic tasks to complex, multi-step simulations. In controlled tests where the model was granted network access, it demonstrated the ability to discover and exploit vulnerabilities autonomously, performing tasks that would typically require human professionals several days to complete.

The results indicate that Mythos Preview is capable of attacking small, weakly defended enterprise systems once network access is obtained. However, the AISI cautioned that these evaluation environments differ from real-world scenarios as they lack active defenders, defensive tooling, and penalties for actions that would normally trigger security alerts. As a result, it remains unclear whether the model can successfully compromise well-defended or hardened systems.

In light of the findings, the AISI noted that organisations should maintain fundamental cybersecurity hygiene practices and highlighted the importance of robust access controls, comprehensive logging, and regular security updates.

In an update on Wednesday, Secretary of State for Science, Innovation and Technology Liz Kendall published details of an open letter to UK business leaders concerning accelerating AI cyber threats. 

The letter warns that criminals will target businesses of all sizes across every sector, not just critical infrastructure. Leaders are therefore urged to prioritise cybersecurity at board level and implement fundamental cyber hygiene measures, as maintaining robust basic defences remains the most effective way to protect against these advancing AI-driven threats.

Meanwhile, Politico reports that European regulators were not included in the limited-access release of Anthropic's new model. Of the eight national European cybersecurity agencies, only the German agency had engaged in conversations with Anthropic about Mythos but had not yet tested the model. 

Training Announcement: Find out more about our range of independent accredited data protection and AI governance qualifications from IAPP and BCS.