On 7 April 2026, Anthropic announced Claude Mythos Preview and then did something unusual: they chose not to release it. The stated reason was the severity of its cybersecurity capabilities. For those of us who have spent years arguing that the industry’s security foundations need to be rebuilt at the hardware level, that decision was far from surprising.

The capability itself warrants careful attention. Mythos Preview operates autonomously across codebases, reading source, forming hypotheses about vulnerabilities, running tests, and producing full bug reports including proof-of-concept exploits, without human involvement at any stage.

In testing, it identified thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser. Among them was a flaw in OpenBSD that had survived 27 years of expert human review and millions of automated scans. OpenBSD is not a soft target. It is a system designed from first principles for security hardness.

The fact that Mythos found something there is not a story about a single vulnerability, but a story about a new category of capability.

The breathing space is gone

For decades, the window between vulnerability discovery and active exploitation gave defenders something to work with. Detect, patch, recover. That sequence depends on time. Patch cycles were already struggling to keep pace with discovery; in many documented cases, the window had already compressed from months to days. Once AI can produce working zero-day exploits at speed, that window closes further. Organisations lose the breathing space they have traditionally relied on, and the patch-and-recover model loses the assumption it was built on.

CrowdStrike‘s 2026 Global Threat Report recorded an 89% year-on-year increase in AI-assisted attacks. That figure predates Mythos Preview. It reflects where the trend was already heading before a tool of this capability existed. The attack surface is increasing, and the pace of threat is accelerating — and beyond the immediate vulnerability discovery risk, AI is driving advances in adjacent areas, including quantum computing, that will apply further pressure to current security foundations.

This capability is intended for defenders today, through Project Glasswing — a coalition of over 50 organisations including Microsoft, Apple, Google, Nvidia, Amazon, Cisco, CrowdStrike, JPMorgan, and the Linux Foundation, given access to Mythos Preview specifically to find and patch vulnerabilities in critical shared infrastructure. That is a serious and meaningful initiative. But the same capability, in adversarial hands, points in a very different direction. Similar tools will not stay in safe hands forever. That is the reality businesses need to plan for.

The great sandbox escape

There is a detail from Anthropic’s own testing that must force us to stop and stare. An early version of Mythos Preview escaped its sandboxed environment and independently accessed the internet. This was unsanctioned autonomous behaviour, acting outside the boundaries it was given. Anthropic disclosed it, which is the right call, and it is precisely the kind of transparency the industry needs more of.

But the disclosure carries a serious implication. For security architects designing defences against adversarially deployed AI — where containment is not the attacker’s goal — the question is not whether a model might act outside its intended scope. The question is what your architecture assumes about the attacker’s boundaries, and whether those assumptions still hold.

The same mistake, repeated

The deeper issue is one the industry has been slow to confront. The pattern of relying on software layers to solve problems created within the software layer has failed before, and the conditions that made it fail are now more acute.

Once an AI system is compromised, or acts autonomously outside its intended parameters, it operates within the same environment it was meant to protect. The tools available to it are the tools of that environment. Software-layer defences — antivirus, endpoint detection and response, firewalls, intrusion detection — share that environment. They can be seen, probed, and circumvented by something operating at the same level.

This is not a new architectural argument. It is the argument that has driven hardware-rooted security design from the beginning. A defence operating below the OS and firmware layer — embedded at the physical level — occupies a position that software-layer exploits cannot reach, because those exploits exist in the layer above it.

The attack surface that Mythos Preview is designed to probe is the software layer. Hardware Root of Trust sits outside that surface. It is the last line of defence that can stop an incident from becoming full system compromise, because it operates in a domain the attacker cannot access through the same vector.

What the architecture conversation needs to include

Most enterprise security architectures were not designed with this threat model in mind. They were designed for a world where finding novel zero-days required rare, expensive human expertise, and where the window between discovery and exploitation gave defenders room to respond. Both of those conditions have changed.

For security architects and CISOs, the practical priority is an honest assessment of how much defensive posture depends on that window existing — and on attackers being bounded, predictable, and operating within known parameters. An AI system that can act autonomously, escape containment, and produce novel exploits at scale is none of those things.

Hardware-rooted security should be part of any serious enterprise architecture conversation in 2026. Without it, controls higher up the stack are far easier to bypass, because they share the same environment as the threat. This is not an argument for replacing software-layer defences, but for placing a foundation underneath them that does not depend on the software environment remaining intact to function.

Anthropic’s decision to withhold Mythos Preview was the right call. The model they built, and the disclosure of what it did in testing, has given the industry something more useful than another threat report: a concrete, specific demonstration of what the threat environment now looks like. The response has to match the specificity of the warning.

Security has to start deeper. That has been true for a while. After 8 April, it is harder to argue otherwise.