Globally, central banks, regulators and security agencies are preparing for a new category of digital threat. This threat is not from groups of hackers unleashing ransomware or malicious software, but from a new generation of highly capable AI models aimed at identifying cybersecurity loopholes. Last month, Anthropic released Mythos, the newest and most powerful model in its Claude family of AI systems, while OpenAI released GPT-5.5 Cyber as its response to Mythos.
In its launch announcement, Anthropic said the coding capabilities of Mythos are so advanced that the model can surpass even skilled human researchers in finding software vulnerabilities. The company described its capabilities as “substantially beyond those of any model we have previously trained” and considered it too powerful for open deployment. Instead, Anthropic provided access only to an elite group of around 40 organisations through its “Project Glasswing” initiative.
However, many critics argued that the company was overblowing Mythos’ capabilities, including OpenAI CEO Sam Altman. In the podcast Core Memory, Altman described the buzz around Anthropic Mythos as “fear-based marketing,” suggesting that such messaging could be used to justify keeping advanced AI systems in the hands of a smaller group of people.
“It is clearly incredible marketing to say, ‘We have built a bomb, we are about to drop it on your head. We will sell you a bomb shelter for $100 million,’” Altman said, referring to the idea of keeping powerful AI systems within a small group of exclusive elites.
Anthropic, in its defence, said Mythos has already identified vulnerabilities across major operating systems and browsers, including one flaw that had reportedly gone undetected for 27 years. Mozilla also said Mythos Preview helped discover and fix a large batch of security flaws, including 271 bugs in Firefox.
Much of the concern around Mythos comes from fear that, unlike traditional AI systems, it can both plan and carry out tasks on its own. Researchers warn that weak safety controls could eventually allow such systems to perform cyberattacks automatically and at a large scale.
For this reason, Anthropic says, it has limited access to Mythos through Project Glasswing, allowing only a select group of organisations to use the model to scan and secure both first-party and open-source systems before any wider release.
Difference in approach between OpenAI and Anthropic
While both Anthropic’s Mythos and OpenAI’s GPT-5.5 Cyber are aimed at identifying cybersecurity vulnerabilities in software, the biggest difference lies in how the two AI companies are approaching access and deployment.
Anthropic has maintained a tightly controlled, invite-only approach to Mythos. OpenAI, meanwhile, is attempting to fill the gap left by Anthropic’s restricted access model through its GPT-5.5 Cyber AI model.
Although GPT-5.5 Cyber is also restricted through OpenAI’s Trusted Access for Cyber (TAC) program, unlike Anthropic’s elite-access approach, OpenAI says anyone working in cybersecurity can apply for access.
According to OpenAI, the purpose of the Trusted Access for Cyber program is to ensure that verified users working to protect systems from cyberattacks can access GPT-5.5 Cyber for tasks such as finding software vulnerabilities, analysing malware and defending systems from attacks, while preventing malicious actors from using the model to cause real-world harm. OpenAI uses identity verification and KYC-style checks before granting access to the model.
Why OpenAI has taken this approach
OpenAI argues that AI has already allowed attackers to find vulnerabilities at a much faster pace. The company says the aim of its approach is to give developers access to advanced coding and cybersecurity models so they can receive immediate and actionable feedback while building software. This could help developers fix security loopholes during development itself instead of discovering bugs after software has already been deployed. OpenAI has also tried to keep the verification process for access to GPT 5.5 Cyber relatively simple. Individual users can verify their identity directly while enterprises can request access through OpenAI representatives.
In many ways, OpenAI’s approach is focused on making AI more useful for cyber defenders while still preventing it from becoming a tool for offensive hacking.
Anthropic, meanwhile, has said it plans to share learnings from Project Glasswing so that “the whole industry can benefit.”
Apart from the difference in approach, there are also differences in the capabilities of the two models. While Anthropic’s Mythos remains far more restricted, it is also considered significantly more advanced than GPT-5.5 Cyber in raw benchmark performance. Mythos can process larger amounts of information, retain more context in memory and analyse more data simultaneously within a single prompt and response. However, Mythos is also reportedly 10 to 12 times more expensive than GPT-5.5 Cyber, according to some reports.
– Ends
