Morning Overview

Anthropic’s latest model — codenamed Mythos — just identified critical vulnerabilities in legacy systems nobody else could spot

In late May 2026, a UK government testing lab quietly confirmed what many in cybersecurity had been bracing for: a frontier AI model can now walk through multi-step attack chains against aging infrastructure with measurably more skill than previous systems. The model in question is Anthropic’s Mythos Preview, and the lab is the UK’s AI Security Institute, an independent body under the Department for Science, Innovation and Technology. Among the flaws Mythos surfaced during testing, one has since been registered as CVE-2026-4747 in the National Vulnerability Database, giving it a formal severity score and placing it in the same tracking pipeline used by every major patch management team on the planet.

For the thousands of organizations still running pre-2020 systems, the finding lands with uncomfortable specificity. It is no longer theoretical that an AI could accelerate the discovery of exploitable weaknesses in legacy code. It has now been documented, scored, and cataloged.

What the AISI evaluation actually found

The AISI evaluation, published in May 2026, tested Mythos Preview across two categories: capture-the-flag challenges, where the model had to locate and exploit planted vulnerabilities, and multi-step attack simulations designed to mimic real intrusion chains against defended networks. In both categories, Mythos Preview outperformed earlier Claude versions by enough of a margin that AISI characterized the improvement as a “step-change” in offensive capability.

AISI operates independently of Anthropic and has no commercial interest in the model’s performance. Its mandate is to stress-test frontier systems for safety risks, which gives its findings a different weight than a vendor-published benchmark. The evaluation references supporting work from DSIT, the UK’s National Cyber Security Centre, and an arXiv paper on related offensive techniques, though AISI has not released the paper’s title or authors publicly.

The vulnerability that drew the most attention, CVE-2026-4747, now carries a formal record in the NVD. That record includes a CWE mapping and a CVSS v3.x severity vector contributed through the CISA Authorized Data Publisher program. Vendor advisories and third-party exploit references are linked from the entry, confirming the flaw has been acknowledged beyond a single lab and is moving through established disclosure channels. AISI has not publicly identified the specific legacy software or platform affected, and it remains unclear whether that detail is being withheld for responsible-disclosure reasons or simply has not been published yet.

Where the evidence has gaps

Several important questions remain unanswered, and they matter enough to temper the strongest readings of these results.

First, no primary output logs or prompt traces have been released. Without the exact sequence of steps Mythos Preview took to surface CVE-2026-4747, outside researchers cannot reproduce the finding or determine whether the model performed genuinely novel analysis or recombined publicly available exploit knowledge more efficiently than a human could. Both outcomes are significant, but they represent different levels of capability.

Second, no system vendor has publicly confirmed that the flagged vulnerabilities were previously unknown to their own engineering teams. A model that rediscovers known-but-unpatched flaws faster than human analysts is a meaningful advance, but it is not the same as finding a true zero-day. The AISI summary does not draw this line, and the existence of a CVE entry alone does not settle it: a vulnerability can be registered after any qualified party reports it.

Third, AISI compared Mythos Preview only to earlier Claude versions. No public benchmark exists showing how competing frontier models from OpenAI, Google DeepMind, or other labs performed on the identical test set. The headline’s claim that “nobody else could spot” these flaws reflects AISI’s relative assessment within the Anthropic model family, not a head-to-head trial across the industry. Readers should keep that boundary in mind.

Finally, Anthropic itself has not issued a detailed public statement on the evaluation’s findings. Whether the company views the results as validation of its safety-testing process or as a concern requiring additional safeguards is not yet on the record.

How to weigh what we know

Three layers of evidence sit behind this story, and they carry different weights.

The strongest is the AISI evaluation itself. A government-affiliated, independent body with no commercial stake tested a frontier model and reported improved offensive capability. When an institution in that position flags a step-change, the cybersecurity community pays attention.

The second layer is the NVD record for CVE-2026-4747, maintained through NIST’s checklist infrastructure. NVD entries are factual registrations, not endorsements. The record confirms the flaw exists and assigns it a severity score. It does not, by itself, prove Mythos Preview was the first or only system to identify it.

The third layer is contextual. NCSC guidance on preparing for frontier AI in offensive security, the arXiv paper AISI cited, and DSIT’s broader policy framing all support the argument that AI-assisted offensive tools are advancing rapidly. These sources establish the environment in which the results matter and point in the same direction, but they do not independently verify the model’s specific performance.

What defenders should do now

The practical takeaway is narrower than the headline but still urgent. AISI has confirmed that at least one frontier model has demonstrably improved at chaining together multi-step attacks against older infrastructure. The gap between automated discovery and manual patching is widening, and that gap is where breaches happen.

Defenders should move on two tracks simultaneously.

The first is visibility. Security teams need a complete, current inventory of legacy assets, including forgotten test environments, shadow IT, and vendor-managed appliances that rarely receive scrutiny. Mapping that inventory against known vulnerabilities, especially CVEs published after 2020, is no longer a best practice. It is a baseline duty. The UK government’s Cyber Essentials framework remains the recommended starting point for organizations running older infrastructure, and its controls are designed to close exactly the kinds of gaps that automated tools exploit first.

The second track is experimentation. The same class of models that can chain exploits can also help prioritize patch queues, translate dense advisories into concrete configuration changes, and simulate likely attack paths through outdated networks. Security teams that begin testing AI-assisted defense under controlled conditions now will be better positioned than those waiting for a polished enterprise product. The window between disclosure and weaponization is shrinking, and AISI’s findings suggest it will keep shrinking.

Governance structures will need to catch up as well. Organizations already aligned with Cyber Essentials or NIST controls may need to extend their risk assessments to account for AI-augmented adversaries, revisiting assumptions about how quickly a newly disclosed vulnerability can be scanned for, weaponized, and deployed at scale.

Where this leaves legacy operators

A government-backed lab has shown that offensive AI is getting materially better at working through real-world exploit chains on legacy systems, and one of those chains is now reflected in a live CVE. The technical details remain partly opaque. Important comparisons across competing models are missing. Anthropic has not commented in detail. But for organizations still dependent on pre-2020 infrastructure, the direction is clear enough to act on: reduce the exposed legacy surface, modernize monitoring and patching workflows, and start putting AI to work on the defensive side before attackers finish doing the same on theirs.

*This article was researched with the help of AI, with human editors creating the final content.