When the Dust Settles on Mythos: Why Panic Is the Wrong Response to AI-Accelerated Threats


By Manuel Salazar, Director of Cyber Services, Orro
The Claude Mythos Preview and Project Glasswing announcement on 7 April 2026 landed differently depending on where you were sitting. In board rooms, it prompted urgent questions. In vendor marketing, it triggered a wave of alarming copy. In my inbox, it generated a steady stream of messages from clients asking some version of the same question: should we be worried?

Yes, but not in the way the loudest voices in the room are suggesting. Mythos is a serious advancement. Anthropic’s Frontier Red Team has been open about what the model demonstrated: thousands of previously unknown vulnerabilities uncovered across major operating systems and web browsers in a matter of weeks, including a decades-old flaw in OpenBSD’s networking stack (Anthropic, 2026). These are not trivial findings. The model’s ability to move from vulnerability discovery to working exploit, autonomously and overnight, represents a meaningful step change in what AI can do at the intersection of code and security.

But a meaningful step change is not the same as a new category of threat. And that distinction matters enormously when you are deciding where to focus your energy over the next six months.

What Mythos Actually Changes, and What It Doesn’t

Vulnerabilities have always existed. The Latitude Financial breach in March 2023, which exposed more than 14 million compromised records across Australia, was executed through stolen employee credentials obtained via a third-party vendor: no sophisticated AI, no novel attack techniques, just a conventional access control failure at scale. At the same time, the ACSC confirmed successful exploitation attempts against Australian organisations through Citrix NetScaler ADC and Gateway vulnerabilities CVE-2023-3519 and CVE-2023-4966 (ACSC, 2023). These were real software flaws enabling remote code execution and session hijacking, discovered and analysed by human security researchers. In both cases, what Mythos would have changed is not whether those weaknesses existed, but how quickly an attacker could find and weaponise them.

That distinction matters. Mythos accelerates the discovery and exploitation of weaknesses that already exist in an environment. It does not inherently create new attack surfaces, nor does it change what constitutes a well-secured network. What it changes is the economics and velocity of attack: the time between a vulnerability existing and being weaponised has collapsed from days to hours, and the barrier to entry for sophisticated exploitation has dropped dramatically.

What makes this harder to dismiss than previous cycles of industry alarm is the scale of what is already in motion. CVE submissions to NIST’s National Vulnerability Database grew 263% between 2020 and 2025 (NIST, 2026), and FIRST’s 2026 Vulnerability Forecast projects this year will be the first to exceed 50,000 published CVEs, with realistic scenarios approaching 100,000 (FIRST, 2026). Submissions in Q1 2026 are already tracking nearly one-third higher than the same period last year (NIST, 2026). As vulnerability research moves into an automated, highly repeatable model, the pool of known weaknesses organisations need to remediate is not static. It is expanding at a pace that compounds the pressure on security teams before any single exploit reaches them.

Mythos is significantly changing the threat landscape. But it is a meaningful step change rather than a new category of threat. The core principles (identifying, patching, and defending against vulnerabilities) remain the same. What has dramatically increased is the pace and scale at which those vulnerabilities are discovered and need to be addressed. Security researchers have noted that comparable vulnerability-discovery capabilities were achievable with available models well before Mythos, and that scale and coordination mattered more than having the latest frontier model. Anthropic’s own team estimates comparable capabilities could proliferate from other AI labs within six to eighteen months (Rest of World, 2026). The window is real. But the threat was already advancing before Mythos arrived.

The Fundamentals Are Not Optional

What I keep telling clients is this: Mythos does not change the fundamentals of cyber security. It changes the speed at which weak fundamentals get exposed. For most businesses, the value is not asking Mythos-level AI to find zero-days. The value is in connecting AI safely to the security data they already have, so investigations become faster and more complete. Australian businesses should have access to the defensive benefits of Mythos-class AI, but not unrestricted access to a frontier exploit engine. Defence-in-depth, asset visibility, patching, identity controls, telemetry, and incident response all become more important, not less.

So what do strong fundamentals actually look like? They are not mysterious. It starts with knowing your risks, your threat profile, and your attack surface. Understanding not just what assets exist in your environment, but what an adversary would prioritise within it, and which exposures carry the greatest consequence if exploited. From there: comprehensive visibility across your environment, knowing what is exposed and what is communicating with what. Reliable telemetry from your endpoint, identity, network, and cloud layers. Curated detections that distinguish signal from noise. Integrated tooling so that your SIEM, EDR, and vulnerability management platforms share context rather than operate in silos. Clear, rehearsed response processes so that when something fires at 2am, the team knows exactly what to do next. And an honest view of where your security maturity sits today — and the degree to which closing specific gaps would shift the dial on your exposure.

For mature organisations that already have these foundations in place, AI is a force multiplier. Investigations that took analysts hours begin to take minutes. Alert triage that required senior expertise becomes faster and more consistent. Threat hunting becomes genuinely proactive rather than aspirational. But for organisations that do not yet have these foundations, AI does not shortcut the journey. It accelerates the journey, which is a genuine opportunity, but it cannot substitute for the underlying capability. Without visibility, AI-augmented detection has nothing to work with. Without telemetry, AI-assisted triage is guessing. Without integrated tooling, AI-accelerated investigations still hit the same manual handoffs that slow them down today.

The implications of getting this wrong are significant and measurable. The average cost of a data breach in Australia reached AUD $4.26 million in 2024 (IBM Cost of a Data Breach Report, 2024) — a 27% increase over four years. ASD’s ACSC responded to more than 1,200 cyber security incidents in FY2024–25, an 11% increase on the prior year, with critical infrastructure notifications up 111% (ACSC Annual Cyber Threat Report, 2025). These numbers reflect the threat environment as it existed before Mythos-class capabilities reached threat actors. That environment is not becoming more forgiving.

What the 18-Month Window Actually Means

Anthropic has been clear that Mythos Preview will not be made generally available, but that comparable capabilities are likely to proliferate from other AI labs within six to eighteen months. Industry commentary has been quick to frame this as a countdown. I would argue it is better understood as a planning window: a defined period during which organisations can build the foundations that make AI-augmented defence actually work.

The 18-month question is about defensive velocity, not full transformation. AI can help organisations investigate, hunt, triage and remediate faster, but only where the basics are in place: visibility, telemetry, curated detections, integrated tooling and clear response processes. For mature organisations, AI is a force multiplier; for less mature organisations, it can accelerate uplift, but it cannot bypass the fundamentals.

Practically, this means the next 18 months should be spent asking sharp questions about where your exposure actually sits. Which assets in your environment are unpatched and internet-accessible? Where do you have identity controls that would prevent lateral movement if a credential is compromised? What percentage of your environment generates reliable telemetry that your security tools actually analyse and escalate to your security team? How long does it currently take your team to move from alert to verified remediation on a high-confidence finding?

Australia’s position on this question is not straightforward. No Australian organisation has publicly confirmed access to Project Glasswing’s defensive capabilities. Australia needs to secure access to advanced AI technologies through agencies like the Australian Signals Directorate, Home Affairs and the National Cyber Security Coordinator. If we don’t get involved now, we’re at risk of falling behind our US counterparts in terms of cyber resilience.

That access question is worth pursuing urgently at the policy level. But it does not change what individual organisations should be doing with their security investment right now. Waiting for AI tools to arrive before building the foundations those tools require is the wrong sequence. The organisations that will benefit most from Mythos-class defensive AI are the ones that have already done the foundational work (continuous exposure management, reliable telemetry, integrated response capability) that makes AI-augmented defence coherent.

The right response to Mythos is not to wait for access to the defensive model and assume the problem is solved when it arrives. It is to ask honestly where your exposure sits today, and to build the continuous visibility and response discipline that makes AI-augmented defence actually effective when it becomes accessible. That work is available to every Australian organisation right now, regardless of whether they have ever heard of Project Glasswing. And it was the right thing to do before Mythos was announced.

The urgency is real. The path forward is not complicated. But it does require being clear-eyed about where you actually stand today, not where your last assessment said you stood six months ago.

Assess your preparedness for AI cybersecurity threats in Australia

Understanding where your fundamentals sit is the starting point. Orro’s Security Maturity Assessment gives you a clear picture of your current posture across the areas that matter most.

Ready to strengthen your foundations? One way is to partner with Orro.


Orro is an Australian-owned managed technology services provider with Australian-based support escalation and 24/7 global operations capability. Our Cyber Services team works with enterprise and critical infrastructure organisations across Australia to build the foundations that make security programmes resilient — regardless of what the threat landscape delivers next. Learn more about our approach to trust and security.
