What the UK government found inside Mythos
The UK’s AI Security Institute, which operates under the Department for Science, Innovation and Technology, ran an independent evaluation of Mythos Preview’s ability to execute multi-step cyber operations. The centerpiece was a test environment called “The Last Ones,” a simulated corporate network range requiring 32 sequential steps to fully compromise. According to the AISI’s published evaluation, Mythos Preview completed that range end-to-end in 3 out of 10 attempts. No prior model had achieved that in the institute’s own internal testing. The technical framework behind the 32-step range is detailed in an arXiv study (arXiv:2603.11214) on multi-step cyber attack scenarios. That paper defines baselines for step completion, token budgets, and human labor equivalents. According to its methodology, the 32-step sequence represents an attack that would ordinarily take a skilled human operator roughly 20 hours to execute. Mythos Preview replicated that chain autonomously, even if only intermittently, marking a measurable jump in what AI agents can accomplish against realistic network targets. A 30 percent success rate on a long, constrained scenario might sound modest in isolation. In practice, it is anything but. An adversary with access to such a model could run dozens of attempts, harvest partial progress from failed runs, and stitch together a successful compromise. The AISI evaluation did not fully explore these compounding strategies, leaving open questions about how much additional risk emerges when humans and AI models collaborate in an attack loop.Why the access gap matters now
AISI conducted its evaluation on a preview version of Mythos. Anthropic has not released the model’s weights to government bodies or permitted the kind of unrestricted, on-site testing that safety researchers argue is necessary to determine whether the 3-in-10 completion rate represents a ceiling or an early floor that improves with fine-tuning, extended token budgets, or tool augmentation. As of June 2026, no public Anthropic statement explains the scope of access it has offered or the specific conditions it has placed on further evaluation. It is possible that Anthropic has made private arrangements with government bodies that have not yet been disclosed publicly; without confirmation or denial from the company, outside observers cannot rule that out. That silence is notable partly because Anthropic has its own framework for handling models that cross dangerous capability thresholds. The company’s Responsible Scaling Policy (RSP) commits it to pausing deployment or scaling of models that exceed certain risk levels until adequate safeguards are in place. Whether Mythos Preview’s demonstrated cyber capabilities trigger RSP commitments, and what safeguards Anthropic considers adequate, remains unclear from the outside. The contrast with OpenAI sharpens the picture. While no signed agreement or official EU regulatory filing has been published confirming the exact terms, reporting from outlets including Financial Times indicates that OpenAI has moved toward providing EU authorities with a locked-down version of GPT-5.5 for structured safety evaluation. One major developer is stepping toward government access; the other has not matched that step. For the UK’s National Cyber Security Centre and its counterparts across Europe, the distinction carries direct operational weight. Defenders need to understand what these models can do before adversaries figure it out on their own. The regulatory backdrop adds urgency. Under the EU AI Act, general-purpose AI models deemed to pose systemic risk face additional obligations, including adversarial testing and incident reporting. Policymakers in multiple jurisdictions are now grappling with how to supervise systems that can generate malware, probe networks, and autonomously chain exploits. If a model like Mythos can already carry out realistic intrusion sequences in a controlled testbed, it may well qualify for the highest tier of scrutiny. But without deeper technical access, regulators are working from summaries rather than detailed logs, red-team reports, or stress tests under varied conditions.What remains uncertain
Anthropic may have legitimate security reasons for restricting distribution of a model with demonstrated offensive capabilities. Handing weights to any external party, even a government body, introduces supply-chain risk. But without an on-the-record explanation, outside observers cannot distinguish caution from resistance. It is also unclear whether Anthropic has proposed middle-ground mechanisms, such as supervised sandboxes or joint evaluation teams, that might satisfy government concerns without fully releasing model weights. The raw run logs and token-budget data from the 32-step range tests have not been published beyond the AISI summary and the arXiv paper’s methodology sections. Independent researchers cannot yet reproduce or stress-test the results. Critical details remain opaque: how sensitive the model’s performance is to prompt phrasing, how often it stalls on particular steps, and whether small changes in network configuration dramatically reduce its success rate. Without that granularity, translating a 30 percent benchmark into concrete risk assessments for specific industries is difficult. The OpenAI comparison, while directionally useful, also sits on softer ground than it might appear. No primary source document, memorandum of understanding, or official filing has surfaced to confirm the timeline, technical restrictions, or scope of the reported GPT-5.5 arrangement with EU regulators. The contrast in posture between the two companies may be real, but its exact contours remain partly speculative from the outside.What defenders and policymakers should be watching
Two pieces of primary evidence anchor the factual core of this story. The AISI blog post provides the UK government’s own account of what it measured: expert-level CTF scores and a 3-out-of-10 completion rate on a 32-step simulated corporate network attack. The arXiv paper supplies the scientific framework, including definitions of step completion, token-budget parameters, and the human-labor baselines that make the numbers meaningful. Together, they establish that a frontier AI model can now execute realistic, multi-stage network attacks that previously required hours of expert human work. Everything beyond those two documents sits on softer ground. NCSC guidance and DSIT’s broader strategy documents confirm that the UK government takes AI-enabled cyber threats seriously, but they do not contain Mythos-specific directives or regulatory proposals. Anthropic’s position is defined more by what the company has not said than by any public commitment. For security teams defending corporate networks, the immediate priority is concrete: review exposure against the types of attack chains described in the multi-step scenarios, invest in monitoring for lateral movement and privilege escalation, and prepare for a near future in which capable AI agents sit on both sides of the line. For policymakers, the question is whether enforceable benchmarks for government access can be set before the next generation of cyber-capable models arrives. Anthropic’s response, or its continued silence, will go a long way toward answering that. More from Morning Overview*This article was researched with the help of AI, with human editors creating the final content.
