The model completed a 32-step attack chain in a landmark test
The UK’s AI Security Institute (AISI) has issued a warning about the speed of AI development, after an evaluation found a new experimental model capable of carrying out multi-step attacks with minimal human input.
In a report published this week, the Institute said Anthropic’s Claude Mythos Preview was able to autonomously execute complex cyber operations in controlled environments, becoming the first AI system to complete a 32-step enterprise attack simulation from start to finish.
“Two years ago, the best available models could barely complete beginner-level cyber tasks,” AISI noted.
“Now, in controlled evaluations where Mythos Preview was explicitly directed and given network access to do so, we observed that it could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously — tasks that would take human professionals days of work.”
Claude navigates lengthy attack chain
The evaluation focused on two main tests designed to simulate real-world hacking scenarios.
In ‘Capture the Flag’ challenges, widely used in cybersecurity training, the model achieved a 73% success rate on expert-level tasks.
More strikingly, in a test known as ‘The Last Ones,’ the model attempted a full-scale corporate network breach involving 32 sequential steps, from reconnaissance to full system compromise.
Across ten attempts, the system:
- Completed an average of 22 steps
- Successfully executed the entire attack chain three times
- Outperformed previous leading models by a significant margin
The AISI said the model’s performance improved with greater computing resources, suggesting further gains are likely.
Despite the results, the Institute stressed that the tests were conducted under controlled conditions, with explicit instructions and access provided to the system.
Government publishes open letter to business leaders
The findings have prompted concern beyond the technology sector.
On Wednesday, the UK government issued an open letter to businesses across the country, warning that AI is rapidly transforming the cyber threat landscape and calling on company boards to treat cybersecurity as a “board-level priority”.
The letter, signed by Secretary of State Liz Kendall and Security Minister Dan Jarvis, reiterates earlier calls for senior executives to take clear responsibility for cyber resilience, stressing the importance of active leadership involvement.
It calls on companies to strengthen fundamental security practices, assess their exposure to cyber threats, and ensure they are prepared to respond to and recover from potential incidents.
Experts said the developments should serve as a wake-up call.
Charlotte Wilson, head of enterprise for the UK and Ireland at Check Point, said AI is enabling attacks that are “more advanced, more personalised and far easier to execute at scale.”
“Attackers go where defences are weakest. What’s important to recognise here is that this is a dual responsibility. The government has been clear that it wants industry to lean in as it shapes regulation. It doesn’t want rules that stifle innovation, but it does need them to be agile and adaptive. That means businesses can’t sit on the sidelines.”
Muhammad Yahya Patel, cybersecurity adviser for EMEA at Huntress, described the government’s message as “not routine communication.”
“It is an alarm bell, and business leaders would be wise to hear it. The detail that should stop every leader in their tracks is this: the UK’s AI Security Institute now assesses that frontier AI capabilities in cyber offence are doubling every four months. That’s twice the pace recorded just months ago. The window businesses have to get their defences in order is closing faster than anyone anticipated.”
He added, “The time for treating cybersecurity as an optional extra is over. And if today’s letter isn’t enough to prompt that conversation in the boardroom, I genuinely don’t know what will be.”
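The doubling rate quoted above compounds quickly. A back-of-envelope sketch makes the point, assuming a four-month doubling time as the Institute assesses; the eight-month figure for the earlier pace is an inference from Patel's "twice the pace" remark, not a number stated in the report:

```python
# Back-of-envelope: annual growth implied by a capability doubling time.
# Assumption: 4-month doubling per AISI's assessment; the 8-month "previous
# pace" is inferred from the quote, not stated directly in the report.

def annual_growth_factor(doubling_months: float) -> float:
    """Capability multiple accumulated over 12 months of doubling."""
    return 2 ** (12 / doubling_months)

current = annual_growth_factor(4)   # doubling every 4 months -> 8x per year
previous = annual_growth_factor(8)  # doubling every 8 months -> ~2.8x per year

print(f"4-month doubling: ~{current:.0f}x per year")
print(f"8-month doubling: ~{previous:.1f}x per year")
```

Halving the doubling time does not double the annual growth rate; it squares the growth factor, which is why a shift from roughly 2.8x to 8x per year is a sharper change than the "twice the pace" framing suggests.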
OpenAI joins rival in launching cyber AI model
OpenAI has unveiled a new cybersecurity-focused AI system, GPT-5.4-Cyber, in a limited rollout aimed at vetted experts, as competition intensifies with rival firm Anthropic.
GPT-5.4-Cyber is a modified version of OpenAI’s broader GPT-5.4 model, tailored specifically for security-related tasks in a similar vein to Claude Mythos Preview.
Unlike general-purpose AI systems, it is designed to engage more directly with complex and sensitive topics such as system vulnerabilities, attack pathways and defensive strategies.
The new model is being deployed under OpenAI’s “Trusted Access for Cyber” programme, which grants entry only to verified researchers and organisations working in digital defence.
Participants are expected to probe the system aggressively, attempting to bypass safeguards, uncover weaknesses and simulate how malicious actors might exploit it.
OpenAI says the aim is to expose vulnerabilities before any broader release.
