Anthropic’s new ‘Mythos’ model is so powerful at hacking that the British government wrote a letter warning about it
The British government has issued an urgent open letter to business leaders, warning that AI has reached a dangerous new threshold in offensive cyber capabilities.
In the letter, Science and Technology Secretary Liz Kendall and Security Minister Dan Jarvis point directly to Anthropic’s newly announced model, Mythos, as a major escalation.
Testing by the Department for Science, Innovation and Technology’s AI Security Institute, one of the world’s leading evaluators of frontier AI, found Mythos “substantially more capable at cyber offence than any model we have previously assessed.”
“For years, the most serious cyber attacks have relied on a small number of highly skilled criminals,” the ministers write.
“That is now shifting. A new generation of AI models is becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago.”
Capabilities are doubling every four months
The UK’s AI Security Institute assessment is particularly striking: frontier model cyber capabilities are now doubling every four months – twice as fast as the previous rate of every eight months.
The ministers note that OpenAI also moved quickly, announcing an expansion of its Trusted Access for Cyber programme, underscoring that the trend is industry-wide.
“The trajectory is clear, and therefore it is vital that we are prepared for frontier AI model capabilities to rapidly increase over the next year, and plan accordingly for that outcome,” the letter states.
Businesses must act now
While the UK has invested heavily in defensive capabilities, including what it calls the world’s most advanced AI Security Institute and the world-leading National Cyber Security Centre (NCSC) at GCHQ, the ministers are blunt: government action alone is not enough.
“Criminals will not just target government systems and critical infrastructure,” they write. “They will target ordinary companies, of every size, in every sector. Attackers go where defences are weakest.”
The letter stresses that the protective measures needed against AI-powered attacks are the same proven “cyber hygiene” basics that already protect against traditional threats – but businesses must now treat them as non-negotiable.
You can read the full letter here.
