Claude Mythos, ChatGPT-5.5 And Cybersecurity


What risks really lie behind the new language models, and how can businesses, government agencies, and private individuals protect themselves?

The keyboard is an important interface between users and computing infrastructure. Attackers use it to feed AI language models with instructions, enabling them to crack vulnerabilities in third-party IT systems more quickly. Even simple protective measures, as broadly sketched out here, can help users on the other side to protect themselves against such attacks.

© AdobeStock


The new AI models Mythos (Anthropic) and ChatGPT-5.5 (OpenAI) have caused quite a stir. As so-called frontier models, they are currently considered to be among the most powerful models available. However, there are fears regarding their impact on cybersecurity. Anthropic is even warning about its own product, saying it can not only identify security vulnerabilities on its own but also exploit them. Researchers at the Max Planck Institute for Security and Privacy and other research institutions wanted to investigate this more closely and commissioned tests from Anthropic and OpenAI. This is because Claude Mythos, at least, is not yet publicly accessible.

Thorsten Holz, the scientific director of the Institute, therefore knows the answers to many pressing questions. As one of the signatories of an open letter regarding the European Grand Challenge in AI and Security, he is calling on the European Union to pool more knowledge about such offensive AI systems.

But what exactly is behind Claude Mythos? Why is a language model a concern for IT security, and how does it all work? Does it function as a universal Swiss Army knife that can be used to hack a bank, and are individuals just as affected as large companies? We clarify these and other questions surrounding the topic here.

Is Anthropic’s warning about its own product (Claude Mythos) a PR stunt, or is the danger real?

“Probably both,” says Thorsten Holz. Anthropic plans to go public in 2026. “Corporate communication always has a strategic side.” When Anthropic states that its own model is highly powerful and therefore dangerous, the company is also positioning itself in the public eye. This is nothing new; OpenAI also warned about its ChatGPT-2 model in 2019 before releasing it.

“However, it would be wrong to conclude that all of this is just PR,” says Holz. Frontier models like Mythos or ChatGPT-5.5 are getting better and better at autonomously handling complex technical work. In the field of IT security, this means they can not only find vulnerabilities in complex programmes, but also analyse them and build specific exploits, which means finding ways to exploit those vulnerabilities.

What exactly is Claude Mythos and what makes it so dangerous?

Claude Mythos from Anthropic is a particularly powerful AI language model with strong agentic capabilities in cybersecurity. These days, language models, including those behind chatbots, are increasingly deployed in agentic systems. What does that mean? Behind the language models themselves are neural networks that have been trained on vast amounts of information from the internet. Their responses are word sequences generated on the basis of probabilities. An AI model on its own is therefore very passive. “It’s the way the AI model is embedded in a platform that makes it active and gives it agency, that is, the capacity to act,” says Krishna Gummadi from the Max Planck Institute for Software Systems.

When used as an agent, the model has access to various tools and incorporates external information, such as that from a calculator. OpenClaw explicitly uses this behavior to optimize the user’s IT workspace, accessing external programs and sending emails independently. Anyone who gives the tool too much freedom may be in for an unpleasant surprise.

But even the common ChatGPT models are agentic: they can analyse code, test it for vulnerabilities, interpret errors, and offer solutions. This makes agentic AI models potentially more dangerous than pure chatbots. It also makes them appear “smarter”, without their actually understanding any of the underlying context. These AI models remain tools, not autonomous actors.

What makes Claude Mythos and ChatGPT-5.5 relevant in the field of IT security?

This agentic behaviour is especially central in the cyber domain: the AI language model forms a hypothesis, uses various programmes to develop an exploit for a vulnerability in the IT system, tests the attack, analyses, corrects, and tests again. “That is the core of agentic systems: plan, act, observe, correct,” says Thorsten Holz. “If a model performs these steps well and quickly, it becomes a powerful technical assistant, both for defensive and offensive purposes.”

What’s new about this? What dangers did agent-based AI systems pose before?

“Earlier models were already capable of writing automated phishing emails or finding vulnerabilities in code. What is new is the level of autonomy,” says Thorsten Holz. An attack, he notes, rarely works on the first try; one has to test, debug, understand why something is not working and then make adjustments. The feedback loop of these steps makes Claude Mythos and GPT-5.5 more powerful – and riskier – in the cyber domain.

This requires the AI model to be granted the necessary permissions not only to suggest how a vulnerability could be exploited, but also to attempt to exploit it. Initial results could be available after just a few minutes or a few hours; future models will be even faster. “That means we need to prepare now,” says Holz.

How good are Claude Mythos and ChatGPT-5.5 at finding and exploiting IT vulnerabilities?

A research team that includes the Max Planck Institute for Security and Privacy tested the two companies’ new models in collaboration with Anthropic and OpenAI.

The result was a benchmark: ExploitGym can be used to measure offensive AI capabilities.

Under controlled conditions, the team tested which models can actually exploit which types of vulnerabilities. The researchers wanted to know: which safeguards help? Where do they fail? How do capabilities change from one model generation to the next? This helps model providers make security decisions, defenders prioritise, and policymakers decide which capabilities may need to be regulated. “Our results show that AI models cannot simply crack any system at will. That would be an exaggeration and unrealistic,” says Holz. But in the tests, the Mythos Preview model successfully exploited 157 out of 898 real-world vulnerabilities, while GPT-5.5 managed 120. By comparison, the next-best model, Claude 4.6 Opus, managed only 15, which is an order of magnitude lower. Overall, Claude Mythos appears to be slightly more capable than GPT-5.5, but what really matters is the trend, and in both cases, that trend is towards increasingly efficient agentic capabilities. In this context, it is less important which model is used, and more important which tools the model is given access to.

These results are important for general IT security. Apparently, the modern agentic systems tested are already good enough today to significantly shorten the time between the discovery of a vulnerability and its practical exploitation. “In the past, you needed specialists for this; now AI agents are taking over parts of this work,” says Holz.

Will private users soon be able to hack a bank at the push of a button?

“No, individuals cannot hack a bank with Claude Mythos. It’s not that simple,” says Thorsten Holz. For a real-world attack, an attacker first has to choose a target. Among other things, initial access to the target system is required, as well as infrastructure and network knowledge. Additionally, one must bypass detection mechanisms to avoid being caught.

The danger comes less from curious individuals and more from organised actors, meaning professionals who integrate such models into automated attack systems, thereby making them more efficient and powerful. A single language model is just one component. It becomes dangerous when combined with stolen credentials and phishing campaigns – in other words, when it gains access to systems and automated decision-making processes. This creates an agentic attack system that searches for targets, prioritises vulnerabilities, develops and tests exploits, evaluates results and adapts its strategy.

AI also makes it faster to research background information on the target system, write code, adapt known exploits, and structure attack chains. “That doesn’t mean every municipal utility facility can be shut down tomorrow. But the gap between ordinary cybercriminals and state-sponsored actors is narrowing,” says Thorsten Holz.

What would be a realistic scenario, and what can we learn from it?

Before Claude Mythos is rolled out on a large scale, it could be used in cooperation with companies to alert them to IT vulnerabilities. It could become dangerous if the model is made accessible to everyone. This is because when a software company releases a patch for a security vulnerability in its product, that patch is publicly viewable. AI models like Mythos could attempt to reverse-engineer the patch to identify the vulnerability it is meant to fix. If users wait too long to install the update, an attack chain using Mythos as a tool could have enough time to reach the unpatched vulnerability.

Systems did not become vulnerable only because of AI. The Federal Office for Information Security has been pointing out vulnerabilities for years. The new AI models only increase the risk of successful attacks, making them easier, cheaper, and faster.

Who should protect themselves now, and how?

“Everyone should protect themselves, but not everyone to the same extent,” says Thorsten Holz. For private users, the risk posed by Mythos is comparatively low and primarily indirect: in the future, there will presumably be better phishing emails, more convincing fraudulent dialogues, and more automated attacks on poorly secured devices, such as smart home systems.

The most important measures are straightforward.

  • Activate automatic updates
  • Use a password manager
  • Use a unique password for each account
  • Enable multi-factor authentication
  • Make backups
  • Do not leave old devices unprotected on the internet (old modems with insecure hardware, for example, are easy to hack and are often used to relay large volumes of requests to specific websites, causing them to crash.)

For companies and government agencies, the situation is more serious, according to Thorsten Holz. “For well-protected critical infrastructure, Mythos and similar models are not an immediate doomsday scenario.” But for poorly maintained municipal IT systems, public utilities, industrial facilities or service providers with weak security levels, the risk increases significantly. It is therefore worth looking for vulnerabilities in your own system.

This is because many attacks on critical infrastructure in companies do not begin with highly specialised attacks on industrial control systems, but with very common IT weaknesses, such as:

  • Systems exposed to the internet
  • Successful phishing
  • VPN vulnerabilities
  • Unpatched firewalls
  • Weak patch management
  • Compromised login credentials
  • Poorly segmented networks
  • A complex, poorly documented IT landscape
  • IT with a weak security level and vulnerabilities

“The most important measures are not exotic, but they must be consistently implemented,” says Thorsten Holz. These include:

  • Patching security vulnerabilities quickly and installing updates rapidly
  • Implementing strong authentication and network segmentation, so that a compromised office workstation does not lead directly to critical services
  • Logging and monitoring systems, meaning the recording of errors and anomalies in the system, and other detection methods that are fast enough to keep pace with AI-driven attacks
  • Conducting simulations of cyberattacks on one’s own system, so-called red team exercises, using AI-enabled tools
  • Securing system access

Are Linux systems more secure than Windows?

Whether Linux or Windows, security patches and updates should not be delayed for long. With new AI tools, the time it takes for professional attackers to identify and exploit vulnerabilities is shrinking.

However, Windows is often a more attractive target for mass attacks, as it runs on many computers used by individuals and businesses, with attacks frequently targeting typical Windows corporate environments. Linux, on the other hand, is a key system for servers, cloud systems, and critical infrastructure components. Vulnerabilities in Linux or open-source components can therefore lead to major problems.

Claude Mythos is also compared to nuclear technology in the media. Do you agree with this, and what follows from it?

“I think comparing the new AI to a nuclear threat is problematic,” says Thorsten Holz. The analogy is helpful at most insofar as it points to dual use, strategic power and risks. However, there are also clear differences: fissile material, Holz notes, is physically scarce, more controllable and detectable. By contrast, AI model structures and attack chains can be copied easily.

Furthermore, while nuclear weapons always have catastrophic consequences, AI-powered cyberattacks span a spectrum of harm, from simple nuisance to serious attacks. “And there are effective defensive measures that can keep pace with the complexity of AI models,” says Holz. “So I wouldn’t describe AI as a superweapon for cybersecurity operations, but rather as an acceleration technology, an amplifier for existing capabilities.”

Do regulations, such as the AI Act, help slow down this development?

That will be the case only to a limited extent, if at all. “The problem is that the detection and exploitation of security vulnerabilities are technically very close to one another,” says Thorsten Holz. AI providers like Anthropic or OpenAI could be required to report cases of misuse. However, it is hardly realistic to design agentic AI systems and their operations in such a way that they cannot be used for dual-use applications.

According to Thorsten Holz, basic research, which explores what is possible in controlled tests, is particularly important right now. More knowledge about such offensive AI is needed, but knowledge alone is not enough:

“Critical infrastructures should not wait for regulation, but act now,” says Thorsten Holz. “The most important question is not whether AI will eventually become dangerous. The question is rather whether one’s own infrastructure is robust enough when attacks become faster, cheaper and more scalable.”

What regulations such as the AI Act can achieve is transparency, reporting requirements, and security standards. However, the AI Act cannot eliminate the capabilities of current frontier models.

“Regulation is slow, while technical development is very fast,” says Holz. “That’s why all companies and operators of critical infrastructure must take preventive action now. It would be negligent to wait for a law to solve the problem.” Prevention alone is not enough, however, because it does not close the asymmetry between faster attack capabilities enabled by AI and slower defence mechanisms.

The answers are based on a conversation with Thorsten Holz, Scientific Director at the Max Planck Institute for Security and Privacy. The questions were asked by Tobias Beuchert.

Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).
