An AI model built by Anthropic just completed a simulated 32-step corporate network hack from start to finish, chaining together reconnaissance, lateral movement, privilege escalation, and data theft across a mock enterprise environment. No other AI system has done that in a published evaluation. The model, called Claude Mythos Preview, also produced working exploits for 157 real-world software vulnerabilities in a separate academic benchmark, again topping every rival tested.
And most organizations will never get to use it. Anthropic has restricted Mythos to a hand-picked group of governments and critical infrastructure operators, making it the first frontier AI cyber capability distributed on an invite-only basis.
Two independent evaluations published in May 2026 lay out the evidence.
The benchmarks behind the claims
The first evaluation is ExploitGym, a benchmark developed by Wang and collaborators containing 898 vulnerability instances drawn from real CVEs. The targets span userspace applications, the V8 JavaScript engine, and the Linux kernel, each running inside a containerized environment. To score a success, the AI agent must discover a flaw, write an exploit, and trigger it inside the sandbox. Mythos produced working exploits for 157 of those 898 instances, the highest count of any model or configuration the researchers tested. The paper evaluated Mythos alongside other frontier models including OpenAI’s GPT-4o and o3, Google DeepMind’s Gemini 2.5 Pro, and several open-weight systems, providing a direct comparison across the current generation of leading AI.
The second comes from the UK AI Security Institute (AISI), which evaluated Mythos alongside other frontier models using capture-the-flag challenges and a 32-step simulated attack on a corporate network, according to AISI’s published findings. The simulation required the model to behave like a skilled red-team operator: scanning for entry points, moving between machines, escalating privileges, and extracting target data. AISI reported that Mythos completed the entire chain. In the CTF portion, it solved more challenges than any competitor. The evaluation was conducted with input from the UK National Cyber Security Centre and the UK government’s Department for Science, Innovation and Technology. As of publication, AISI has not released a standalone public report with full methodology and per-challenge results for this evaluation cycle; the findings referenced here are drawn from AISI’s summary disclosures and Anthropic’s own system card, which cites the AISI results.
Neither evaluation relied on the other, yet both reached the same ranking. That kind of independent convergence across different methodologies is rare in AI capability assessments and makes the finding harder to dismiss.
Where Mythos failed
AISI also tested Mythos against an operational technology scenario called “Cooling Tower,” which simulates an attack on industrial control systems. The model did not complete that range.
The distinction matters. OT environments, including power grids, water treatment plants, and manufacturing lines, run on protocols and safety constraints that look nothing like a standard corporate IT network. Mythos can chain together dozens of steps inside an enterprise, but it has not demonstrated the ability to cross from IT into the physical-process layer that controls real equipment. AISI flagged the limitation explicitly, though the published materials did not detail whether the failure stemmed from unfamiliar industrial protocols, gaps in the model’s reasoning about physical processes, or constraints in the test setup itself.
Lab results vs. the real world
Strong benchmark numbers do not translate directly into real-world threat levels, and both sets of researchers are careful not to overstate their findings.
ExploitGym’s containerized design faithfully reproduces software-level conditions, but it strips away the defenses that shape real incidents: network segmentation, endpoint detection, rate limiting, patching cycles, and human analysts watching dashboards. A 157-out-of-898 success rate in a lab is not a 17.5 percent success rate against live targets. The benchmark measures what an AI can do with repeated attempts in a controlled setting, not what it will reliably pull off against a defended network.
The AISI simulation adds realism by forcing the model to maintain a coherent plan across many actions and adapt to intermediate results, traits that make human red-teamers effective. But simulations are still abstractions. AISI controlled the environment, selected the challenges, and set the success criteria. The 32-step scenario did not include noisy logs that might trigger incident response, partial documentation, or the unpredictable friction of a real enterprise under active defense.
Together, the evaluations support a narrow but important conclusion: among the AI systems tested so far, Claude Mythos Preview is the most capable at automated exploitation and multi-step offensive operations in controlled settings. They do not prove it can reliably compromise arbitrary organizations on its own.
Who gets access, and who doesn’t
Anthropic, the San Francisco-based AI company founded by former OpenAI researchers and backed by Google and Amazon, has not published the formal criteria it uses to select approved Mythos recipients. No primary source reviewed for this article contains a complete list of governments or utilities with access, and the contractual terms governing use have not been disclosed.
The restricted distribution model raises a question that cybersecurity professionals are already debating: does limiting access to a powerful offensive tool make the ecosystem safer, or does it create a two-tier system where approved operators gain a measurable advantage in vulnerability research and red-teaming while many defenders fall further behind?
One reading is that Anthropic is acting cautiously, keeping a potentially dangerous capability away from threat actors until governance mechanisms catch up. Another is that concentrating advanced offensive tools in a small circle, without public transparency about who qualifies, raises equity and accountability concerns, especially for the security teams at hospitals, banks, and municipal utilities that could benefit from testing their own defenses with the same technology.
Anthropic has not issued a public statement explaining its rationale. The company did not respond to a request for comment before publication.
What the Mythos rollout signals for AI-driven cyber operations
For security leaders, the practical takeaway is straightforward: the ceiling for automated offensive capability just moved up. A model that can chain 32 attack steps in sequence and exploit real CVEs at scale changes the math on how quickly vulnerabilities need to be patched and how thoroughly networks need to be segmented.
For policymakers, the Mythos rollout is an early test case for how frontier AI capabilities get distributed when they carry clear dual-use risk. Whether Anthropic’s invite-only approach becomes a model for the industry or an outlier will depend on whether independent evaluators get access to more granular data, whether competing labs follow a similar path, and whether regulators weigh in on who should be allowed to deploy AI-driven offensive tools.
The capability gap between Mythos and publicly available models is real and documented. How long that gap lasts, and who benefits from it, remain open questions.
*This article was researched with the help of AI, with human editors creating the final content.