Evolve is BlueFort’s unique, outcome-driven cybersecurity services ecosystem.
Platform and Enterprise Security solutions to protect all your human and non-human identities.
OT security focuses on protecting the specialised systems that control industrial operations.
Enable your organisation to embrace AI securely.
These programs provide structured ways for ethical hackers and researchers to report security flaws.
API security involves securing the interfaces that allow software systems to communicate with each other.
From darkness to defence: Mapping your attack surface for ultimate visibility.
Secure access for every user, device and location without compromising control or visibility.
As phishing, BEC, and supply-chain attacks evolve beyond legacy defences, learn how AI based email protection can block threats before they hit inboxes.
By Josh Neame, CTO, BlueFort Security
Every few months, a new AI model arrives promising to change everything. Most generate headlines long before they generate real-world value.
Claude Mythos feels different.
Whether every claim surrounding the model ultimately stands up to independent scrutiny is almost beside the point. What Mythos represents is a fundamental shift in capability. AI models are rapidly evolving beyond conversational assistants into reasoning engines capable of analysing complex environments, identifying attack paths, and executing multi-stage tasks with minimal human input.
For cybersecurity professionals, that’s significant.
The same capabilities that promise to transform defensive operations also have the potential to dramatically improve an attacker’s efficiency. We aren’t simply entering another phase of AI adoption; we’re entering an era where both attackers and defenders will increasingly operate at machine speed.
That changes the rules.
As I write this, Mythos remains subject to controlled access, with Anthropic continuing to expand availability through trusted programmes while balancing obvious safety concerns. Recent developments surrounding access restrictions and reports of attempted safeguards bypasses have only added to the speculation surrounding the model.
Whether Mythos itself becomes generally available next month, next year, or never isn’t really the question organisations should be asking.
The better question is:
“What happens when highly capable reasoning models become commonplace?”
Because they will.
Every major AI vendor is investing heavily in agentic AI. Competition between frontier models is accelerating at an astonishing pace and capability improvements are arriving faster than most organisations can adapt their security strategies.
Even if Mythos never reaches widespread availability, another model inevitably will. Security leaders shouldn’t be planning for one AI model, they should be planning for an entirely new operating environment.
Previous generations of AI have largely focused on helping humans work faster. They summarised documents, generated code, answered questions, and improved productivity.
Models like Mythos move beyond productivity. Their real strength lies in reasoning. Instead of processing individual prompts in isolation, they can maintain context across large investigations, correlate enormous volumes of information, generate hypotheses, test assumptions, and execute structured workflows with remarkably little supervision.
For defenders, that’s incredibly powerful.
Imagine analysing hundreds of gigabytes of telemetry, correlating endpoint, identity, email, and cloud activity, identifying likely attack paths and producing a complete investigation in minutes rather than hours.
That isn’t simply faster security. It’s a fundamentally different way of operating. The challenge of course, is that attackers gain access to exactly the same capability.
This is perhaps the biggest misconception I hear. From conversations with CISOs and security teams, many people assume AI will introduce entirely new attack techniques. In reality, the biggest change is speed.
These techniques already exist. What changes is the time required to execute them.
Tasks that previously required multiple specialists working over several days, could increasingly be orchestrated by autonomous agents operating continuously without fatigue or distraction. Traditional SOC workflows simply weren’t designed for that.
Many organisations still rely on alerts being generated, triaged by analysts, enriched manually, investigated and then escalated before any meaningful action is taken. That process may take hours. Against AI-powered attacks, hours may be the difference between containing an incident and responding to a ransomware deployment.
Whenever new technology emerges, there’s a tendency to look for equally new solutions. I’m not convinced that’s the right approach. The organisations that will struggle most against AI-enabled attackers aren’t necessarily those without AI. They’re the ones that haven’t mastered the fundamentals.
Every year we still encounter organisations with:
None of those problems are new. AI simply makes them easier to exploit. If anything, Mythos reinforces what security professionals have been saying for years: visibility, identity, resilience, and operational discipline matter more than ever.
Rather than worrying about whether Mythos itself becomes publicly available, I’d focus on five practical areas.
Security teams can no longer afford to prioritise remediation purely by CVSS score. The real question is whether vulnerabilities create exploitable attack paths into critical assets. Understanding exposure in business context is becoming far more valuable than maintaining an ever-growing list of vulnerabilities.
This is exactly why Continuous Threat Exposure Management (CTEM), attack path analysis, and continuous validation are gaining so much momentum. Understanding how an attacker could realistically move through your environment provides far greater value than simply knowing what vulnerabilities exist.
Identity has become the new network perimeter. Attackers know compromising credentials is often significantly easier than exploiting software vulnerabilities. As AI accelerates credential attacks, identity decisions must become both smarter and faster.
This is one area where we’re seeing genuinely innovative approaches from vendors such as Silverfort. Rather than relying solely on detection after authentication has occurred, Silverfort enforces security controls inline (‘Run Time’) during the authentication process itself, preventing risky access before a session is ever established.
That shift from detecting compromise to preventing it in real time is exactly the direction I believe identity security needs to move.
Interestingly, Silverfort’s own Mythos Field Report demonstrated this perfectly. During testing, inline identity controls repeatedly interrupted autonomous attack chains before they could progress. Regardless of which AI model we’re discussing, the underlying lesson remains the same: stopping attacks at the identity layer is significantly more effective than trying to clean them up afterwards.
SOC analysts remain one of the most valuable and overstretched resources in cybersecurity. Too many teams still spend their days enriching alerts, gathering evidence, pivoting between consoles, and performing repetitive investigations. AI should remove that burden.
Platforms such as Torq are demonstrating what the next generation of SOC operations looks like. Initially designed to augment analysts, they’re now evolving towards autonomous investigation and response, allowing routine decisions to happen at machine speed while human expertise focuses on genuinely complex incidents. That’s not replacing analysts. It’s allowing them to operate where they add the greatest value.
Measure your own capability honestly. How long does it take to investigate a privileged login? Disable a compromised account? Contain an endpoint? Block lateral movement? If the answer is measured in hours, AI-enabled attacks should encourage uncomfortable conversations about operational readiness.
Controls that looked effective during annual penetration tests may not withstand persistent AI-driven attack paths. Security validation needs to become continuous rather than periodic. Whether that’s adversary emulation, attack path simulation, breach and attack simulation, or purple team exercises, organisations need ongoing confidence that their controls still perform as expected.
One phrase I find myself discussing more frequently with customers is runtime security. Not because it’s a new product category, but because it’s becoming a necessary architectural principle.
If attacks increasingly operate at machine speed, defensive controls must also make decisions at machine speed. Waiting for alerts to reach a human analyst before action is taken simply introduces too much delay. We’re already seeing vendors move in this direction. Identity platforms are enforcing policy inline. Endpoints are making autonomous containment decisions. Cloud platforms are preventing risky activity before workloads execute. SOAR is evolving into autonomous security operations.
This isn’t about replacing people. It’s about removing latency from security decisions.
There will undoubtedly be plenty more headlines surrounding Mythos over the coming months. Some will prove accurate, some probably won’t. That’s almost inevitable whenever breakthrough AI capabilities emerge. Focusing solely on one model risks missing the bigger picture.
The industry has already crossed an important threshold. We’re moving from AI that assists humans, to AI that acts. That changes both offensive and defensive cybersecurity.
For attackers, it means greater scale, greater speed, and greater automation.
For defenders, it means rethinking where security decisions happen and how quickly they’re enforced. The organisations that adapt successfully won’t necessarily be those that deploy the most AI. They’ll be the ones that understand their exposure, build security around identity, automate repetitive operations, validate continuously, and enforce controls in real time.
That’s where I believe the industry is heading.
Whether the catalyst is Claude Mythos, another Anthropic model or something we haven’t yet seen is almost irrelevant. The AI security arms race has already begun. The only real question is whether we’re preparing quickly enough.
I’d love to hear how others are approaching this challenge. Are you already adapting your security strategy for agentic AI, or are you still assessing what these developments mean for your organisation? Either way, the conversation is one worth having.