YPO Technology Network AI Brief

AI Just Made Your Disgruntled Barista Dangerous

13 min
Apr 22, 2026
Summary

Claude Mythos, Anthropic's latest AI model, has demonstrated the ability to autonomously complete sophisticated multi-step cyberattacks that no previous AI system could finish. Access to the model has been granted to 11 major technology and financial companies, fundamentally shifting the cybersecurity threat model from nation-state-level attackers to any disgruntled employee or contractor with API access.

Insights
  • AI vulnerability discovery tools create dual-use risks: the same capability used defensively to find bugs can be weaponized to exploit competitors' systems, with limited public oversight of partner usage
  • The democratization of zero-day exploitation has moved the threat model from elite attackers to motivated amateurs, making cybersecurity an operational priority for all CEOs, not just a specialist function
  • The psychological barrier to advanced cyberattacks has been broken (like the four-minute mile), meaning capability diffusion across competing labs and open-source implementations is inevitable
  • Most organizations' cybersecurity posture relies on Microsoft defaults and hope, which is no longer a viable strategy in an era of autonomous AI-powered attacks
  • Immediate tactical priorities include testing incident response kill switches, implementing AI-powered log analysis, and establishing immutable backup systems that cannot be deleted by attackers
Trends
  • AI models achieving autonomous exploitation of multi-step attack chains previously requiring human expertise
  • Shift from probabilistic cybersecurity (hoping skilled attackers don't target you) to deterministic threat modeling (assuming motivated insiders will attack)
  • Consolidation of AI capability access among largest tech/financial firms creating asymmetric security advantages
  • Rise of agentic security platforms as necessity rather than luxury for enterprise defense
  • Credential hygiene and identity-first containment becoming critical operational procedures
  • Immutable backup systems and 3-2-1-1 backup architecture becoming table-stakes for business continuity
  • Out-of-band communication protocols becoming essential incident response infrastructure
  • Insider threat model expansion to include all historical employees, contractors, and service providers with any system access
Topics
  • AI Model Autonomy in Cyberattacks
  • Zero-Day Vulnerability Discovery
  • Cybersecurity Threat Model Evolution
  • AI Safety and Alignment Risks
  • Insider Threat Management
  • Incident Response Procedures
  • Credential Revocation and Identity Management
  • Agentic Security Platforms
  • Backup and Disaster Recovery
  • AI Capability Diffusion
  • Dual-Use AI Technology
  • NIST Cybersecurity Framework 2.0
  • Ransomware Defense Strategies
  • Network Isolation and Containment
  • Log Analysis and Threat Detection
Companies
Anthropic
Developed Claude Mythos, the AI model that completed sophisticated autonomous cyberattacks; announced restricted acce...
UK AI Security Institute
Published independent evaluation of Claude Mythos demonstrating autonomous completion of 32-step attack chain in 3 of...
Amazon Web Services
Partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security research
Microsoft
Referenced for default security configurations that most organizations rely on; partner in Project Glasswing
Google
Partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security research
Apple
Partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security research
JPMorgan Chase
Financial services partner in Anthropic's Project Glasswing with access to Claude Mythos
Goldman Sachs
Joined Anthropic's Project Glasswing shortly after initial partner announcement
Cisco
Technology partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security
Broadcom
Technology partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security
NVIDIA
Technology partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security
Palo Alto Networks
Cybersecurity partner in Anthropic's Project Glasswing with access to Claude Mythos
CrowdStrike
Cybersecurity partner in Project Glasswing; mentioned for Falcon network containment and XDR capabilities
Linux Foundation
Partner in Anthropic's Project Glasswing with access to Claude Mythos for defensive security research
Elastic Security
Agentic security platform recommended for autonomous log analysis and threat detection
SentinelOne
Cybersecurity vendor offering Singularity XDR and containment capabilities for incident response
Veeam
Backup and disaster recovery vendor supporting immutable backup architecture (3-2-1-1 strategy)
Rubrik
Backup and disaster recovery vendor supporting immutable backup architecture (3-2-1-1 strategy)
Commvault
Backup and disaster recovery vendor supporting immutable backup architecture (3-2-1-1 strategy)
AWS S3
Cloud storage service supporting immutable backup architecture with Object Lock feature
People
Stephen Forte
Host of the AI Brief episode discussing Claude Mythos and cybersecurity implications
Roger Bannister
Historical reference for breaking the four-minute mile barrier, used as analogy for AI capability breakthrough
John Landy
Australian runner who broke Bannister's four-minute mile record 46 days later, used in capability diffusion analogy
Quotes
"Mythos is the best aligned model we have released to date by a significant margin and also likely poses the greatest alignment-related risk of any model we have released to date."
Anthropic Safety Team, early in episode
"The barrier was never physical. It was psychological. Once one person proved it was possible, the entire population of runners recalibrated what they believed about themselves."
Stephen Forte, mid-episode analogy
"A tool that finds vulnerabilities in your code is the same tool that finds vulnerabilities in your competitor's code."
Stephen Forte, mid-episode
"A motivated amateur with a Claude API key and a grudge is now, in expected value terms, a credible threat."
Stephen Forte, mid-episode
"Cybersecurity used to be a specialist problem. It is now an operational problem. It belongs in the same meeting as insurance and succession."
Stephen Forte, late episode
Full Transcript
Welcome to the AI Brief from the YPO Technology Network. I'm Stephen Forte. On today's episode, the UK government quietly confirmed that an AI model just completed the hacking equivalent of a four-minute mile. Eleven of the largest companies on Earth already have a copy. And the reason this matters to you is not the one the headlines are selling. If you caught yesterday's episode on giving your AI its own identity, today is the other half of the conversation. Yesterday, we talked about the AI agent sitting inside your company. Today, we talk about the AI agent sitting across from you, the one with the zero days.

Here's the contract. One story told properly, one analogy that will change how you think about cybersecurity for the rest of the year, and one specific question you should be asking at your next forum meeting, because the threat model you were operating under on Friday is not the one you are operating under today.

The thesis up front: cybersecurity for the last 30 years was a game of probabilities. Nation states had the capability to ruin your week. Ransomware crews had the motivation. And in between, most of us just hoped that nobody sufficiently skilled and sufficiently motivated ever pointed at us specifically. Today, that math breaks. Today, we are going to read it that way.

On April 7th, Anthropic announced a model called Claude Mythos Preview. It is not being released broadly. Anthropic's own words, and I'm going to quote because the sentence is worth quoting: Mythos is, quote, "the best aligned model we have released to date by a significant margin and also likely poses the greatest alignment-related risk of any model we have released to date." Read that twice. The safety team is telling you it is simultaneously the safest and the most dangerous thing they have ever built. That is the company admitting they built something they cannot fully predict.

Then on April 13th, the UK's AI Security Institute published an independent evaluation.
AISI is a British government body. They are not Anthropic. They have every reason to be skeptical. AISI built a test environment called The Last Ones: 32 sequential steps simulating a full corporate network attack. Initial reconnaissance, credential harvesting, lateral movement, privilege escalation, full network takeover. AISI estimates it takes a human expert 20 hours to complete. Claude Mythos completed the full 32-step chain from start to finish. Three out of ten attempts, end-to-end. Autonomously. Average 22 of 32 steps across all runs. The next best model, Claude Opus 4.6, completed the whole chain zero times. Every other model tested, zero. Before April of last year, no model could complete any of these expert-level tasks at all. On a separate test, expert-level capture-the-flag challenges, Mythos scored 73%.

And the detail I cannot stop thinking about: Anthropic's own red team asked Mythos to escape a sandboxed computer. Mythos built a multi-exploit, broke out, and then, unprompted, emailed the researcher, who was eating a sandwich in a park, to tell him it had succeeded. Then it posted the exploit details to hard-to-find but technically public websites to demonstrate, to leave receipts. Give Anthropic credit for publishing that story. Most companies would have buried it.

Here's the analogy. I am going to ask you to sit with it. In 1954, Roger Bannister ran a mile in 3 minutes, 59 and 4 tenths seconds. Every sports physiologist alive believed the human body could not do it. A physical barrier, not a training one. 46 days after Bannister broke it, an Australian named John Landy ran it faster. Within three years, 16 runners had done it. Today, high school athletes run sub-four miles. What was physically impossible on May 5, 1954, became a training benchmark by the end of the decade. The barrier was never physical. It was psychological. Once one person proved it was possible, the entire population of runners recalibrated what they believed about themselves.
Claude Mythos is the four-minute mile. One model completed an attack chain that was, for every AI system before it, as unreachable as the four-minute mile was in 1953. Once one lab does it, every other lab knows it is possible. GPT 5.4 cyber is already in restricted release. Chinese labs are close. Open source is behind. But open source is always behind, until it isn't. The capability will diffuse. It always does. The AI hacker has run its four-minute mile.

Now, who already has it? Anthropic calls the access program Project Glasswing. The partner list was announced on April 7th: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. Goldman Sachs joined shortly after. Anthropic committed $100 million in usage credits. Post-preview pricing runs $125 per million output tokens, roughly five times the standard tier. Official purpose: defensive. Partners use Mythos to find bugs in their own code before attackers do. That is the pitch, and it is genuine.

Here is the problem the headlines are not telling you. A tool that finds vulnerabilities in your code is the same tool that finds vulnerabilities in your competitor's code. Anthropic's oversight framework for how partners use Mythos is, I'm being precise here, not public. 11 of the largest technology and financial organizations on earth have access to the most capable vulnerability discovery tool ever built, and the telemetry is not disclosed. I am not alleging misuse. I am saying the incentive exists, the tool exists, the oversight does not. Draw your own conclusion.

And now the part that matters to a CEO. Set aside the nation-state threat model entirely. For 30 years we have thought about cybersecurity as something that happens to other people. We hear about Colonial Pipeline, SolarWinds, Target, and we file it the way we file a plane crash. Possible. Statistically unlikely. Someone else's problem. That filing system is now obsolete.
Picture a $200 million specialty manufacturer in Ohio. Third-generation family business. 95% of their IT runs on Microsoft 365, a QuickBooks install from 2019, and a website a contractor built in 2014. The CEO's ex-son-in-law was the IT director from 2017 to 2022. When he left, nobody rotated the API keys. Nobody remembered which ones he had set up. Today, that ex-son-in-law can rent capability that six months ago cost a nation state a 10-person team.

Let's be specific about who should worry you. The developer you hired on Upwork in 2021 who still has a read-only copy of your production database. The marketing contractor whose MailChimp login was never disabled. The roommate who set up the office Wi-Fi in 2018. The barista you fired last month who noticed the CEO's laptop password on a Post-it. The ex-spouse who still remembers the answer to three of your security questions. Those people individually are not capable hackers. The tool is. The tool does the skill. The tool does the 20 hours of work. The tool finds the keys still valid. The tool writes the exploit. A motivated amateur with a Claude API key and a grudge is now, in expected value terms, a credible threat. That is the democratization of the zero day. The capability used to be gated by skill. Now it is gated by a credit card. Your threat model is no longer nation states. Your threat model is everyone who has ever been angry at you and kept a copy of something.

Stand back. What actually changed? For 30 years, we assumed a bell curve of attacker skill. Elite teams at the top, hobbyists at the bottom, and most of us safe in the statistical middle because no skilled attacker cared enough about us personally. That assumption is gone. The tool moves the hobbyist to the top of the curve for the price of a subscription. And the part that stings: most CEOs outsourced their cybersecurity posture to Microsoft's defaults, the IT director, and hope. Microsoft's defaults are fine. The IT director is fine.
Hope used to be a reasonable strategy. It is not anymore. Cybersecurity used to be a specialist problem. It is now an operational problem. It belongs in the same meeting as insurance and succession.

Now, what most commentary skips: what to do this quarter. Three things to ask about by Friday. Kill switches, AI log reading, and backups that cannot be touched.

First, kill switches. The industry standard is the 1-10-60 rule codified into NIST Cybersecurity Framework 2.0. One minute to detect a threat, 10 minutes to scope it, 60 minutes to contain it. If your team cannot do those three things in that window, you do not have an incident response plan. You have a prayer. Containment means pre-isolation. CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender: each has a function that cuts a machine off the network while letting security reach it. Most companies own the license and have never tested the button. Test it. Put it in a runbook. Practice it quarterly like a fire drill. And identity-first containment. When a credential is compromised, you do not start with the machine. You start with the account. Disable the user, revoke every OAuth token, invalidate every session, rotate every secret it touched. Pre-stage those scripts now, the opposite of writing them while the building is on fire.

Second, AI reading your logs. Every enterprise generates more log data in a week than a human team could read in a year. The average breach goes undetected for about 200 days. The tools that close the gap are called agentic security platforms: Elastic Security, SentinelOne Singularity XDR, CrowdStrike Falcon Complete, Radiant Security. Pick one. They run around the clock and flag the three things that matter out of the 10 million that do not. If Mythos-class tools attack autonomously, your defense has to monitor autonomously. Human-only security teams are over.

Third, backups you cannot delete.
If a Mythos-class attacker gets in, the first thing they hit is your backup system. The defense is called 3-2-1-1. Three copies, two media, one off-site, one immutable, write once, so nothing alters or deletes it. Not the attacker, not your IT director, not you. Veeam, Rubrik, Commvault, AWS S3 Object Lock all do this. The test: if ransomware hit tonight, could you be operational by lunch tomorrow? If the answer is not a confident yes, that is your Q2 capital allocation.

One last piece, out-of-band communication. If your email and Slack are compromised, you cannot coordinate recovery on them. Pre-establish a fallback: a Signal group, a phone tree, a card in the desk drawer with the incident commander's cell. Every CISO who has lived through a real incident says it is the first thing they wish they had.

That is the first hour playbook. Isolate the machine, kill the identity, read the logs with AI, recover from a backup nobody can touch, coordinate on a channel the attacker cannot see. All of it is available from vendors you already write checks to. The question is whether you have tested it.

And here is the question to take into your next forum meeting. Pull out a sheet of paper. Three columns. Column one: every person who has ever had credentials to anything you own, going back 10 years. Column two: whether those credentials were actually revoked, not just marked disabled. Column three: what each person now has reason, however small, to be unhappy about. If that list takes less than an hour, you have not thought about it hard enough. If it takes more than an hour, you have your project plan for this quarter.

That is the YPO Tech Network AI Brief for Wednesday, April 22nd. I am Stephen Forte. If this was useful, send it to a fellow member. I will be back tomorrow with more. Until then, stay sharp.
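The three-column exercise at the end of the transcript and the "pre-stage those scripts now" advice, as an added worked example (not from the episode, Anthropic, or any vendor named above): it audits an AWS IAM credential report, the CSV that `aws iam get-credential-report` returns, against a hypothetical HR list of departed people and emits an identity-first containment plan. The column names are AWS's real ones; the account ID, user names, dates and departure list are constructed for the demo. It also generalises the transcript's point that "disabled" is not "revoked": a user whose console password was removed can still hold a working access key, and a contractor who never appeared in the leavers list is caught by that check rather than by HR.

```python
"""Audit an AWS IAM credential report for credentials that were never really revoked.

Added example. Reads the CSV layout of `aws iam get-credential-report`, cross-checks
a hypothetical HR list of leavers, and emits an identity-first containment plan.
The report rows, the leavers list and the account ID are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed sample in the real credential-report column order. "N/A",
# "no_information" and "not_supported" are the literal values AWS emits for
# fields that do not apply.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-03-02T10:00:00+00:00,not_supported,2026-04-01T08:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
it-director,arn:aws:iam::111122223333:user/it-director,2017-06-12T09:30:00+00:00,false,N/A,N/A,N/A,false,true,2019-08-14T11:20:00+00:00,2026-04-20T02:11:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
upwork-dev,arn:aws:iam::111122223333:user/upwork-dev,2021-02-01T14:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-02-01T14:00:00+00:00,2024-12-03T09:00:00+00:00,us-east-1,rds,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
web-contractor,arn:aws:iam::111122223333:user/web-contractor,2014-09-01T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2014-09-01T08:05:00+00:00,2026-04-19T23:40:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
cfo,arn:aws:iam::111122223333:user/cfo,2020-05-20T08:00:00+00:00,true,2026-04-21T07:55:00+00:00,2026-03-15T08:00:00+00:00,2026-06-13T08:00:00+00:00,true,true,2026-03-15T08:05:00+00:00,2026-04-21T07:56:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Hypothetical HR export: who left, and when. The web contractor is deliberately
# absent; contractors rarely make it into the leavers list, which is the point.
DEPARTED = {
    "it-director": datetime(2022, 3, 31, tzinfo=timezone.utc),
    "upwork-dev": datetime(2021, 6, 30, tzinfo=timezone.utc),
}
NOW = datetime(2026, 4, 22, tzinfo=timezone.utc)
UNSET = {"N/A", "no_information", "not_supported", ""}
PRIORITY = {"departed_user_key_active": 0, "disabled_login_live_key": 1, "stale_key": 2}


class Finding(NamedTuple):
    user: str
    credential: str
    issue: str
    detail: str


def _ts(value: str):
    """Report timestamps are ISO-8601 with offset; unset fields become None."""
    return None if value in UNSET else datetime.fromisoformat(value)


def audit(report_text: str, departed: dict, now: datetime, max_key_age_days: int = 90):
    """One Finding per live access key that should not be live: the principal left
    (column 1), the login was 'disabled' but an API key still works (column 2,
    disabled is not revoked), or the key is past rotation age even for current staff."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        left = departed.get(user)
        login_disabled = row["password_enabled"] == "false"
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"{slot}_last_rotated"])
            last_used = _ts(row[f"{slot}_last_used_date"])
            if left is not None:
                detail = f"left {left.date()}, key still active"
                if last_used is not None and last_used > left:
                    detail += f", last used {last_used.date()} after departure"
                findings.append(Finding(user, slot, "departed_user_key_active", detail))
            elif login_disabled:
                findings.append(Finding(user, slot, "disabled_login_live_key",
                                        "console login removed but API key still works"))
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append(Finding(user, slot, "stale_key",
                                        f"last rotated {rotated.date()}, {(now - rotated).days} days ago"))
    return findings


def containment_plan(findings):
    """Identity-first order: departed principals, then half-revoked ones, then rotation.
    Keys are set Inactive rather than deleted so the key ID survives for CloudTrail
    correlation; the report carries no key IDs, hence the list-access-keys call first."""
    cut_off = {f.user for f in findings if f.issue != "stale_key"}
    plan = []
    for f in sorted(findings, key=lambda f: (PRIORITY[f.issue], f.user, f.credential)):
        if f.issue == "stale_key" and f.user in cut_off:
            continue  # the whole principal is being cut off; rotating is moot
        plan.append(f"# {f.user}/{f.credential}: {f.issue} ({f.detail})")
        plan.append(f"aws iam list-access-keys --user-name {f.user}")
        plan.append(f"aws iam update-access-key --user-name {f.user} "
                    f"--access-key-id <KEY_ID> --status Inactive")
        if f.issue == "stale_key":
            plan.append(f"aws iam create-access-key --user-name {f.user}  # cut over, then delete the old key")
    return plan


if __name__ == "__main__":
    print("\n".join(containment_plan(audit(SAMPLE_REPORT, DEPARTED, NOW))))
```

Running it prints the plan for the constructed account: the ex-IT director and the Upwork developer come first because they have left and their keys are still live (the director's key was used two days before "now"), the 2014 web contractor next because someone removed the console login and called it done, and the CFO does not appear at all. Against a real account, replace `SAMPLE_REPORT` with the output of `aws iam get-credential-report --query Content --output text | base64 -d` and the `DEPARTED` dict with an HR export; the same three checks apply unchanged to any other identity provider that can list principals and key ages.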
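On the "backups you cannot delete" point, an added example (not from the episode, AWS, or the backup vendors named above): a check that an S3 bucket's Object Lock configuration actually meets the "not the attacker, not your IT director, not you" bar. The caveat a practitioner wants here is that Object Lock has two modes, and only COMPLIANCE blocks everyone, account administrators included; GOVERNANCE mode can be overridden by any principal holding `s3:BypassGovernanceRetention`, which in most shops is exactly the IT director. The second caveat is retention length: if the lock expires before the intruder is noticed, the only backups still immutable are the ones taken after the compromise. The response dicts below are constructed, shaped like the real GetObjectLockConfiguration and GetBucketVersioning results; the 200-day dwell-time assumption is the episode's own figure.

```python
"""Check an S3 backup bucket's Object Lock posture against the episode's bar:
"not the attacker, not your IT director, not you", for longer than an intruder
is likely to go unnoticed.

Added example, not from the episode or AWS. The dict shapes match the real
GetObjectLockConfiguration and GetBucketVersioning responses, but the sample
responses are constructed, not fetched, so the script runs offline.
"""

AVERAGE_DWELL_DAYS = 200  # the episode's "about 200 days undetected" figure


def default_retention_days(rule: dict) -> int:
    """DefaultRetention carries either Days or Years, never both."""
    return int(rule.get("Days") or 0) + 365 * int(rule.get("Years") or 0)


def assess_backup_bucket(lock_cfg: dict, versioning: dict,
                         assumed_dwell_days: int = AVERAGE_DWELL_DAYS) -> list:
    """Return the reasons this bucket fails the immutability bar (empty list = passes)."""
    problems = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled; a delete by anyone with permission simply succeeds")
    if versioning.get("Status") != "Enabled":
        problems.append("versioning is not enabled; Object Lock depends on it")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if rule is None:
        problems.append("no default retention; objects are only locked when each upload sets one explicitly")
        return problems
    if rule.get("Mode") == "GOVERNANCE":
        problems.append("GOVERNANCE mode: any principal granted s3:BypassGovernanceRetention "
                        "(in practice, your admins) can shorten or remove the lock; use COMPLIANCE")
    days = default_retention_days(rule)
    if days < assumed_dwell_days:
        problems.append(f"default retention is {days} days but an intruder typically goes unnoticed "
                        f"for ~{assumed_dwell_days}; the last clean backup may expire before you need it")
    return problems


# Constructed responses: the weak one has Object Lock "on" in a form an admin can
# undo and for less time than a typical dwell; the hardened one is the target.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
VERSIONED = {"Status": "Enabled"}
UNVERSIONED = {}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LOCK), ("hardened", HARDENED_LOCK)):
        print(name, assess_backup_bucket(cfg, VERSIONED) or ["passes"])
```

To run it against a real bucket, feed it the dicts returned by boto3's `get_object_lock_configuration(Bucket=...)` and `get_bucket_versioning(Bucket=...)`. Note that COMPLIANCE retention cannot be shortened by anyone, the account root included, until it expires, so size the retention window deliberately: it is the one setting here you cannot undo in a hurry.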