April 14, 2026

Has Anthropic’s Mythos just killed Cyber Essentials?

Anthropic’s new AI model can find software vulnerabilities that survived decades of human review. Some are asking whether that makes Cyber Essentials redundant. Jonathan Krause, founder of Forensic Control and former New Scotland Yard Hi-Tech Crime Unit investigator, argues the opposite.

What is Claude Mythos, and why should every business pay attention?

On 7 April 2026, Anthropic released a preview of its newest AI model, Claude Mythos. It is not a product you can buy. It is not publicly available. And for good reason: Anthropic considers it so capable that it restricted access to a small group of major technology companies, including Amazon, Apple, Microsoft, Google, Cisco, CrowdStrike and Palo Alto Networks.

What sets Mythos apart is its ability to identify and exploit software vulnerabilities autonomously. During internal testing, the model discovered thousands of previously unknown (“zero-day”) vulnerabilities across every major operating system and every major web browser. One of those flaws had gone undetected for 27 years. Another sat in widely used video processing software that automated security testing tools had examined five million times without finding it.

These are not theoretical risks. In some cases, Mythos went beyond identifying the vulnerability and developed a working exploit for it without any human guidance.

The reaction from government has been immediate. On 10 April 2026, Federal Reserve Chairman Jerome Powell and US Treasury Secretary Scott Bessent held an emergency meeting with the heads of America’s largest banks specifically to discuss the cybersecurity implications of Mythos. CrowdStrike’s chief technology officer put plainly what the model demonstrates: the window between a vulnerability being discovered and being weaponised has collapsed from months to minutes.

This is not a story about one AI model. It is a signal about where the entire threat landscape is heading.

What Anthropic is doing about it, and what that tells us

Anthropic’s response to its own model has been as significant as the model itself. Rather than release Mythos commercially, the company launched Project Glasswing: a controlled initiative that gives a consortium of major technology companies access to Mythos for defensive purposes only. The aim is to let those companies scan their own code, find the critical vulnerabilities, and patch them before models with comparable capabilities reach less responsible hands.

Anthropic has committed up to $100 million in usage credits and $4 million in direct funding to open-source security organisations as part of the initiative. When a company restricts the release of its own flagship product and funds an industry-wide defensive programme, that is not a marketing exercise. It is an acknowledgement that the cybersecurity ground has shifted.

What this actually means for attacks on UK businesses

Most commentary on Mythos focuses on the AI capability itself. Having spent years investigating cybercrime at New Scotland Yard’s Hi-Tech Crime Unit before founding Forensic Control in 2008, I want to focus on what happens after a vulnerability is found.

The pattern in successful attacks has not changed in all the years I have been working in this field. The entry point is rarely the sophisticated, previously unknown exploit. It is the known vulnerability that appeared on a public disclosure list while the affected organisation was getting round to patching it.

We have been conducting vulnerability assessments for Cyber Essentials Plus since 2017. In that time, I cannot recall a single applicant whose external scan came back entirely clean of high or critical vulnerabilities. Perhaps most surprisingly, this is also true of the most well-resourced and otherwise security-conscious applicants, including organisations in financial services and defence supply chains. Unpatched software is not a problem confined to small businesses that lack IT support. It is very nearly universal.

Project Glasswing will accelerate the discovery and public disclosure of vulnerabilities. That is its stated purpose. The consequence for every organisation is that the time available to act after a patch is released is shrinking. An AI model that can identify a vulnerability and develop a working exploit autonomously compresses the gap between disclosure and danger to a degree we have not seen before.

For attackers, Mythos represents a force multiplier. For defenders, it represents a compressed timeline. For every business in between, it represents a reason to ensure the fundamentals are not just in place, but working.

Why the basics are the right response

When a significant shift happens in the threat landscape, the instinct is often to reach for more sophisticated defences. Project Glasswing will generate a great deal of commentary about AI-powered security tools and next-generation threat detection. For large enterprises with mature security programmes, that commentary will be relevant.

For the majority of UK businesses, it is a distraction.

The organisations most exposed in the environment Mythos describes are not those without the latest security tooling. They are those with unpatched software, cloud services running without multi-factor authentication (MFA) enabled, and internet-connected devices still on default or weak configurations. These are the gaps that AI-powered reconnaissance identifies first, because they are the easiest to find and the fastest to exploit.

They are also the gaps that Cyber Essentials is specifically designed to close.

The scheme covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It was designed to address the most common attack vectors, and in the context of Mythos, two of those controls are directly relevant.

First, patch management. Cyber Essentials requires critical vulnerabilities to be remediated within 14 days of a fix becoming available. That requirement exists precisely because the window between disclosure and exploitation has always been short. Mythos is making it shorter still. The 14-day window is not a compliance formality. It is the mechanism that keeps organisations ahead of active exploitation.

Second, secure configuration and access control. AI-powered scanning tools do not start with the most obscure vulnerabilities. They start with the most common ones: default credentials, open ports, services exposed to the internet that should not be. Cyber Essentials requires organisations to address all of these.

The v3.3 update and MFA: the scheme is already responding

Updated Cyber Essentials requirements, known as v3.3, come into force in the UK on 27 April 2026. The most significant change is that failing to enable multi-factor authentication on a cloud service that offers it is now an automatic assessment failure. No remediation, no second chance within that assessment cycle.

This is not a coincidence of timing. The certification scheme is responding to the same shift that Mythos has crystallised. Cloud services without MFA enabled are one of the most consistently exploited entry points in attacks on organisations of every kind.

Thankfully, the message about enabling MFA where it is available has now been almost universally taken on board. What we see far more often in our assessments is a different problem: organisations underreporting the cloud services they actually use. It is very common for an applicant to declare only two or three services, typically Microsoft 365 or Google Workspace, when in reality they rely on many more. Accounting platforms, HR systems, AI tools like ChatGPT and Claude, online banking, messaging tools and project management software all count as cloud services accessed with business credentials. If an organisation is not telling us about all of them, our assessors cannot verify their MFA status. Under v3.3, that gap becomes a serious compliance risk.

If your organisation uses any cloud software with business credentials and MFA is not enabled for all users, you will fail a post-April Cyber Essentials assessment automatically. The time to address that gap is before 27 April, not under assessment pressure.

What to do now

The practical response to Mythos is not complicated. It is a matter of treating the right things as urgent.

Review your patching process. Not whether a process exists, but whether it is working. When were critical patches last applied across your full device estate? Under the v3.3 requirements, Cyber Essentials Plus assessments require documented evidence of patch compliance across all devices, not a representative sample.

Audit your cloud services for MFA. List every cloud tool your organisation accesses with business credentials, not just the obvious ones. Check whether MFA is available on each one. If it is available and not enabled, enable it. For organisations renewing after 27 April, this is now an automatic assessment failure if missed.
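As an added illustration (not from the original article and not Forensic Control's own tooling), a small Python readiness check over a constructed inventory: it flags devices whose critical patch is still missing past the 14-day window, cloud services where MFA is offered but not enforced for every user (an automatic failure under v3.3), and services that appear in identity-provider sign-in records but were never declared on the self-assessment. Device names, service names, dates and the sign-in line format are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
PATCH_WINDOW_DAYS = 14  # Cyber Essentials: critical fixes must be applied within 14 days of release

@dataclass
class Device:
    name: str
    patch_released: date           # date the vendor published the critical fix
    patch_applied: Optional[date]  # None means the fix is still missing

@dataclass
class CloudService:
    name: str
    mfa_available: bool        # does the service offer MFA at all?
    mfa_enabled_for_all: bool  # is it enforced for every user?

def overdue_devices(devices, today):
    """Devices whose critical patch is still missing past the 14-day deadline."""
    return sorted(d.name for d in devices
                  if d.patch_applied is None
                  and today > d.patch_released + timedelta(days=PATCH_WINDOW_DAYS))

def mfa_findings(services):
    """Split services into v3.3 automatic failures and those with no MFA option to enable."""
    failures = sorted(s.name for s in services if s.mfa_available and not s.mfa_enabled_for_all)
    no_mfa_option = sorted(s.name for s in services if not s.mfa_available)
    return failures, no_mfa_option

def undeclared_services(declared, signin_log):
    """Apps seen in sign-in records (constructed 'date user app' lines) but missing from the declared list."""
    seen = {line.split(maxsplit=2)[2] for line in signin_log if line.strip()}
    return sorted(seen - set(declared))
TODAY = date(2026, 4, 14)  # constructed sample data below; date matches the article's publication day
DEVICES = [
    Device("laptop-01", date(2026, 3, 20), date(2026, 3, 25)),  # patched within the window
    Device("laptop-02", date(2026, 3, 20), None),               # 25 days open: overdue
    Device("server-01", date(2026, 4, 5), None),                # 9 days open: still inside the window
]
SERVICES = [
    CloudService("Microsoft 365", True, True),
    CloudService("Accounting platform", True, False),  # MFA offered but not enforced: automatic failure
    CloudService("Legacy portal", False, False),       # no MFA option: record it, not an automatic failure
]
SIGNIN_LOG = [
    "2026-04-10 alice@example.com Microsoft 365",
    "2026-04-11 bob@example.com Accounting platform",
    "2026-04-12 carol@example.com Slack",  # in use, but never declared on the self-assessment
]
```

Feeding the declared list into `undeclared_services` alongside real sign-in exports is the quickest way to catch the underreporting problem described above, since an assessor cannot verify MFA on a service they have not been told about.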

If your certification has lapsed, the risk calculation has changed this week. AI models are compressing the timeline between vulnerability disclosure and exploitation. The fundamentals covered by Cyber Essentials are no longer just good practice. They are the minimum viable defence.

Forensic Control has delivered Cyber Essentials assessments as an IASME Certification Body since 2017. Every assessment is conducted by our own team, drawing on a background in digital forensics and cybercrime investigation that means we understand not just the controls, but the attacks they are designed to prevent. Cyber Essentials Plus packages include twelve months of continuous vulnerability scanning at no extra cost. Certification starts from £450 per year.

If you are unsure where your organisation stands, our free Quick Check tool will identify any gaps before your next assessment.

Frequently asked questions

Does Mythos mean UK businesses are under immediate threat?

Not directly. Claude Mythos Preview is not publicly available and Anthropic has restricted access to a controlled group of organisations working on cyber defence. However, OpenAI is reportedly preparing a comparable model, and security researchers have noted that some of what Mythos can do may already be possible with smaller, openly available models. The appropriate response is to ensure the fundamentals are in place before broadly capable tools reach less responsible actors, not after.

What is the most important action to take before the Cyber Essentials v3.3 deadline on 27 April 2026?

Enable multi-factor authentication on every cloud service your organisation accesses with business credentials. Under Cyber Essentials v3.3, failing to do so is an automatic assessment failure. This applies to Microsoft 365, Google Workspace, Salesforce, Slack, and any other cloud tool where MFA is available, whether it is a paid feature or included as standard.

Why does the 14-day patching requirement matter more after Mythos?

Cyber Essentials requires organisations to apply patches for critical vulnerabilities within 14 days of their release. Mythos demonstrated that AI can find vulnerabilities that survived decades of human review and then compress the time from discovery to weaponised exploit. The faster that cycle becomes, the more important it is to patch quickly after a fix is released. The 14-day window is not a compliance formality. It is the mechanism that keeps organisations ahead of active exploitation.

Is Cyber Essentials certification sufficient protection against AI-powered cyber attacks?

Cyber Essentials is a baseline, not a complete security programme. It closes the gaps most commonly exploited in attacks, which are also the gaps that AI-powered scanning identifies first. An organisation with current Cyber Essentials certification is in a materially stronger position than one without it. Cyber Essentials Plus, which includes active vulnerability scanning, provides a higher level of assurance and is appropriate for organisations in regulated sectors or those holding government contracts.

How quickly can Forensic Control get my organisation Cyber Essentials certified?

Most organisations achieve certification within two to five working days of completing their self-assessment, provided they are compliant with the five controls. We recommend a pre-assessment review to identify any gaps before starting, particularly MFA compliance ahead of the 27 April v3.3 deadline. Contact us to begin the process.
