AI Makes the Cybersecurity Game Faster, Not New - R Street Institute
Skip to content
Analysis<br>AI Makes the Cybersecurity Game Faster, Not New
by<br>Ed Tarnowski
June 25, 2026
Share via Email: AI%20Makes%20the%20Cybersecurity%20Game%20Faster,%20Not%20New
Share via Facebook: AI%20Makes%20the%20Cybersecurity%20Game%20Faster,%20Not%20New
Share via X: AI%20Makes%20the%20Cybersecurity%20Game%20Faster,%20Not%20New
Share
issues:<br>AI Security, Artificial Intelligence, Cyber Threats, Cybersecurity, Cybersecurity Policy, Technology and Innovation
AI tools continue to grow more advanced, which simultaneously increases the speed at which attackers can find and exploit cyber vulnerabilities, and defenders can both find and patch them. The longer it takes for defenders—including banks, hospitals, and utilities—to access to the most powerful cybersecurity tools, the longer they will be vulnerable to potential attackers working overtime to develop or obtain ever-more-capable AI systems—whether nation-states or rogue criminal actors.
Attackers will push on with their objectives regardless of whether public access to frontier AI models is slowed in the U.S., and they hope to use advanced AI to conduct espionage, hold critical infrastructure ransom, commit financial fraud, and more. The public debate surrounding highly capable AI tools should not be about whether they should exist, but about who gets to them first. And that debate is catching headlines with the pending and uncertain rollout of the Anthropic AI model, Mythos.
Anthropic recently announced a public “Mythos-class model” called Fable 5, which the company says includes “safeguards” against using the model’s most advanced cyber vulnerability-detection capabilities. Mythos-class models are general-purpose models like their predecessors, and Anthropic says Mythos’ ability to detect cyber bugs is the driving force behind the phased launch. When the company’s Project Glasswing—Anthropic’s roadmap for a tiered and gradual release of Mythos—was announced in April, Mythos was available to a limited 50 organizations. It has since expanded to 200, but Anthropic paused the rollout of both after a federal decision barring foreign nationals from using the models.
Anthropic says the tiered rollout is designed to prevent its model from getting into the hands of cyberattackers. And while attackers obtaining access to powerful AI models could pose profound risks, with the emergence of new software bugs remaining unavoidable, the formula for mitigating these risks is not inherently new. There is a more effective strategy for combatting cybersecurity threats than tiering access to the leading tools.
Advanced AI becoming more capable of finding bugs does not fundamentally change the underlying cybersecurity formula: software bugs create exploitation opportunities for hackers seeking to gain entry, and to prevent this, defenders must find and patch those vulnerabilities before they can be exploited. And with software bugs being inevitable, while AI tools are growing more capable of discovering them, those bugs were already there, and new ones will continue to arise.
This dynamic intensifies in the age of agentic AI, which are systems that can execute goals autonomously with limited human intervention. Agentic AI can be prompted to carry out tasks, pursue objectives, and take actions on its own in a multi-step fashion, often much faster than people can. This changes the speed at which gaps can be found and patched, and wielding advanced AI capable of matching that pace is key to defenders outpacing attackers.
The Parity Problem
While Mythos is certainly more capable at uncovering cyber vulnerabilities than previous models, according to testing, Anthropic’s Opus 4.6 scored 66.6% to Mythos Preview’s 83.1% on the CyberGym cybersecurity vulnerability reproduction benchmark. CyberGym is a benchmark developed at the University of California, Berkeley to evaluate the capabilities of AI agents on real-world cyber vulnerabilities. That’s not an insignificant difference, but this publicly available model is also highly capable. And there are already real-life examples of existing models rivaling many of the capabilities demonstrated by Mythos.
Aisle, a vulnerability remediation startup, tested open-source models to see if they could match the capability that shook markets in April when Anthropic demonstrated Mythos ability to identify cybersecurity flaws. Aisle ran what it describes as “cheap, open-weights models” on the same relevant code. These open-source models were shown to be just as capable of uncovering many vulnerabilities—and completed the task for much cheaper. “Eight out of eight models detected Mythos’s flagship FreeBSD exploit,” said Aisle, “including one with only 3.6 billion active parameters costing $0.11 per million tokens. A 5.1B-active open model recovered the core chain of the 27-year-old OpenBSD bug.”
Attackers having access to models at capability...