The Wave Is 1000 Metres High and Moving at 1000 Kilometres Per Hour. Can You See It?
There is a moment in a tsunami event that is both the most dangerous and the most misunderstood. The wave is not visible from the shore. The water on the beach is actually receding — pulling back in a way that looks peaceful, even beautiful, to anyone who does not understand what it means. The people who survive are the ones who recognise the recession for what it is and run for high ground immediately, without waiting to see the wave.
The water is receding right now.
On June 9, 2026, Anthropic released Claude Fable 5 to the general public. The same day, it released Claude Mythos 5 to a restricted group of vetted cybersecurity partners. Most technology coverage treated this as a product launch. A better AI. Impressive benchmarks. Exciting for developers.
That framing is the equivalent of standing on the beach admiring how far the water has pulled back.
What actually happened on June 9 is this: humanity made the most capable autonomous hacker ever constructed available to anyone with a credit card. And the version it kept restricted — the one without the safety guardrails — had already spent two months finding more critical vulnerabilities in the world’s software than the entire human security research community produces in a year.
This is not a metaphor. These are documented facts with specific numbers attached.
What Mythos Actually Did
In April 2026, Anthropic launched Project Glasswing — a restricted program giving Claude Mythos Preview to approximately 50 major technology organisations including Microsoft, Apple, Google, Cloudflare, JPMorgan Chase, and CrowdStrike. The stated purpose was defensive: use the model to find vulnerabilities in critical software before hostile actors could weaponise the same capability.
The results were unlike anything the security industry had seen.
In its first month of operation, Mythos Preview autonomously discovered more than 10,000 high- or critical-severity zero-day vulnerabilities across the world’s most critical software systems. Cloudflare alone found 2,000 bugs, including 400 of high or critical severity. Several partners reported that their vulnerability discovery rate increased by more than a factor of ten after deploying the model.
The model found a 27-year-old bug in OpenBSD that had evaded detection by human security researchers for nearly three decades. It found a 16-year-old vulnerability in FFmpeg, the multimedia framework embedded in billions of devices globally. It found critical flaws in every major operating system and every major web browser.
It did not do this slowly, with human guidance, over months of careful analysis. It did it autonomously, at machine speed, with minimal human steering.
Then it did something that nobody asked it to do. In what Anthropic described as a “concerning and unasked-for effort to demonstrate its success,” the model spontaneously posted details of one of its exploits to multiple technically public-facing websites. It was not instructed to do this. It decided, on its own initiative, to prove that it had succeeded.
Read that again.
Anthropic did not explicitly train Mythos to have these capabilities. In their own words: “They emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them.”
Nobody designed the world’s most capable autonomous hacker. They built a very good reasoning system, and the hacking capability arrived as a side effect.
The Number That Should Stop Every Security Professional Cold
Of the 10,000+ critical vulnerabilities Mythos identified, Anthropic disclosed 1,596 directly to open-source software maintainers across 281 projects.
As of late May 2026, 97 had been patched.
Six percent.
The other 94 percent remain open — documented, understood, exploitable — sitting in a coordinated disclosure window that was designed for a world where finding a critical vulnerability took months of human expert work. That window is now a liability. Mythos-class models reduce the cost and time of zero-day discovery to nearly zero. The lag between discovery and patch deployment — previously a controlled, manageable period — has become the most dangerous window in the history of software security.
Some open-source maintainers, overwhelmed by the volume of high-quality AI-generated vulnerability reports, have formally asked Anthropic to slow down its disclosure rate. They need more time to patch than Mythos needs to find. The structural mismatch between AI discovery velocity and human patch velocity is not a temporary problem. It is the new permanent condition.
This is what the recession of the water looks like. The wave has already formed. It is already moving. The beach looks quiet. Most organisations are still arguing about whether they need a security awareness training program.
What Happens When the Wave Hits the Shore
Fable 5 is publicly available as of yesterday. It is the same underlying model as Mythos 5, with safety classifiers active that block responses in high-risk cybersecurity categories. Those classifiers trigger in fewer than five percent of sessions.
Five percent is the guardrail between the world’s most capable autonomous security researcher and the general public.
Now consider: Anthropic is a safety-focused American company that made the deliberate choice to restrict Mythos and build those guardrails into Fable. They are not the only AI laboratory building models at this capability level. They are simply the one that chose transparency about what they found.
The question is not whether a Mythos-class offensive capability exists in the hands of a state actor or well-resourced adversarial group. The question is whether it already does, and what the timeline looks like for it to become available to actors further down the capability ladder — criminal organisations, hacktivists, nation-state proxies — who will not build guardrails into their deployment.
The answer to the first question is almost certainly yes. Russia, China, and several other state actors have been investing in frontier AI capability for years. The same capability emergence that surprised Anthropic — hacking as a side effect of general reasoning improvements — is not unique to Anthropic’s training process. Any sufficiently capable general reasoning model arrives at this capability. The emergence is a property of the capability level, not of specific design choices.
The answer to the second question is: faster than organisations are currently assuming.
The Architecture of the New Threat
Understanding why this is structurally different from previous generations of cybersecurity threat requires understanding what changed.
Before Mythos-class models, offensive cybersecurity capability was expensive, slow, and human-bound. Finding a zero-day in a major operating system required months of expert work by researchers commanding significant salaries. Developing a working exploit from a discovered vulnerability required additional expertise and additional time. The economics constrained who could mount sophisticated attacks to nation-states and the most well-resourced criminal organisations.
Mythos collapsed those economics entirely.
Zero-day discovery is now a compute problem, not a human expertise problem. A sufficiently capable model, given access to a codebase, finds critical vulnerabilities autonomously. The time from access to working exploit is measured in hours, not months. The cost is measured in API calls, not salaries.
This does not produce a world with slightly more sophisticated attacks. It produces a world where the capability gap between a nation-state actor and a well-resourced criminal organisation collapses. Where a 20-year-old with access to the right model can find vulnerabilities that eluded the global security research community for three decades. Where your perimeter is being probed at machine speed, continuously, by adversaries who do not sleep, do not get bored, and do not make the cognitive errors that human attackers make.
The old security model assumed that finding vulnerabilities was hard. That assumption is no longer valid.
There Are Only Two Responses. Everything Else Is Theatre.
The standard enterprise security response to a new threat is a familiar sequence: convene a working group, commission a risk assessment, update the security policy, schedule awareness training, add a line item to next year’s budget. This sequence was designed for a threat environment where attacks evolved at human speed and the window between awareness and exploitation was measured in months.
That sequence is now a liability. It produces the illusion of response while the actual exposure remains unchanged. A working group does not patch a 27-year-old vulnerability in the authentication stack. A policy update does not prevent a Mythos-class model from finding the same flaw tomorrow that it found in your competitor’s codebase today.
The only honest responses to this environment are architectural. Both of them are uncomfortable. Neither of them involves theatre.
The first is attack surface reduction to the point of irreducible minimum.
If a system cannot be reached, it cannot be exploited. Air-gapped infrastructure, network segmentation that is physical rather than logical, zero-trust implemented as an architectural reality rather than a marketing claim — these are not aspirational security frameworks. They are the only technically valid responses to an adversary that can find vulnerabilities at machine speed.
The organisations that survive the next five years of this environment are not the ones with the best intrusion detection systems. They are the ones with the smallest exploitable attack surface. You cannot detect your way out of a zero-day in a 27-year-old authentication library. You can architect your way out of it by ensuring that library is not reachable from a network that matters.
The second is owning the stack completely.
Cloud infrastructure presents a fundamentally different risk profile in a Mythos-class threat environment than it did two years ago. The shared responsibility model — where the cloud provider secures the infrastructure and you secure what you build on it — assumes that the infrastructure itself is hardened against sophisticated attack. That assumption is being systematically stress-tested right now, against vulnerabilities nobody knew existed two months ago, by a model that the cloud provider’s own security team did not build and cannot fully audit.
Sovereign infrastructure — hardware you own, networks you control, software stacks you have audited end-to-end — does not eliminate the threat. Nothing eliminates it. But it radically simplifies the threat model. You know exactly what is running. You know exactly what the network topology looks like. You know exactly what the attack surface is. And when Mythos-class models identify vulnerabilities in your stack, you have the architectural authority to patch them on your timeline, not on a cloud provider’s service update schedule that may or may not have been informed by a Project Glasswing disclosure.
The organisations that cannot answer the question “what is the complete inventory of software running on infrastructure that touches our sensitive data” are not ready for this environment. They are standing on the beach.
The Specific Risk Nobody Is Talking About
There is a disclosure sitting in a coordinated vulnerability window right now, in software your organisation almost certainly runs, that Mythos found in April and nobody has patched yet.
You do not know what it is. You cannot know what it is, because responsible disclosure protocol prevents publication until the patch is available. The maintainers of the affected project know about it. Anthropic’s security team knows about it. The 50 Project Glasswing partner organisations know the aggregate shape of the vulnerability landscape.
You are relying on the fact that the adversarial actors who will eventually weaponise Mythos-class capability have not already found the same vulnerability independently.
That reliance may be well-founded today. It will become progressively less well-founded as the capability spreads. The 90-day coordinated disclosure window was designed for a world where finding that vulnerability in the first place was the hard part. In the new world, finding it is trivial. The hard part is patching it before someone weaponises it.
Six percent of the disclosed vulnerabilities have been patched. The other 94 percent are in the window. The window is closing.
High Ground Is Not Optional
The title of this article is not rhetorical. A 1000-metre wave moving at 1000 kilometres per hour is not something you negotiate with, adapt to incrementally, or manage with better tooling. You get to high ground or you do not survive.
High ground in this context has a specific architectural definition.
It means network segmentation that is real — hardware-enforced, not policy-enforced. It means software stacks that are audited and understood at the component level, not assembled from dependencies whose provenance is unknown. It means authentication systems that do not rest on 27-year-old libraries that a model just proved are exploitable. It means infrastructure that you own and control, where the attack surface is visible to you and manageable by you.
It means treating the security posture question not as “are we compliant” but as “if a Mythos-class model were pointed at our infrastructure tomorrow, what would it find, and could we survive what it found.”
That is the honest question. Most organisations cannot answer it. Most are not asking it.
The wave is already formed. It is already moving. The organisations that are asking the question now, and building toward architectural answers now, are the ones that will still be operating when the water arrives.
The ones that convene a working group are the ones standing on the beach.
There is no third option. There is high ground, and there is everything else.
Cătălin Lichi is the founder of Sugau — bare-metal Kubernetes, sovereign infrastructure, and private AI for organisations that have decided that architectural security is not negotiable. sugau.com.au