Anthropic's announcement of Claude Mythos Preview on 7 April has given security leaders a clearer view of where frontier AI capability is heading, and the view is not comfortable. The model itself remains in restricted access, but the capability it demonstrates has been shown at scale, and will shape the threat landscape regardless of how broadly this specific model is ultimately released.
In the weeks before the announcement, Anthropic used the model to identify thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old vulnerability in OpenBSD that decades of scrutiny by top researchers had missed, and a chain of Linux kernel vulnerabilities that Mythos assembled autonomously into a full privilege escalation. The finding that unsettled security leadership most, though, sat in the Anthropic post almost as an aside. Engineers at Anthropic with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight, and woke up to complete, working exploits.
On a benchmark testing autonomous exploit development against the Firefox JavaScript engine, Mythos produced working exploits 72.4% of the time. The previous generation Claude model succeeded on fewer than 5% of the same trials. Capability that used to require nation-state investment has been demonstrated from a prompt, and the regulatory response from the UK Government's AI Security Institute, the Federal Reserve, and the Bank of England followed within days. For boards that had been treating AI-augmented threats as a future planning item, the planning horizon is now quarters rather than years.
The visibility problem underneath the threat
For mature security functions, the governing question has changed. Prevention assumes the vulnerabilities an attacker finds are the ones your tooling already knows about, which was reasonable when zero-day discovery required nation-state budgets. The Mythos findings weaken that assumption today, and will weaken it further as the capability becomes more broadly accessible. This pushes assumed breach from a tabletop exercise into the operational baseline, and shifts the questions that matter to the post-compromise. Lateral movement detection, privilege escalation containment, and remediation speed move from the secondary tier of concerns to the primary one.
Answering those questions with the precision the moment demands requires something most security functions struggle to produce on demand, which is an up-to-date, evidence-based view of what their stack can actually do in an assumed-breach scenario, mapped against the frameworks that describe modern attack paths. MITRE ATT&CK has catalogued the relevant post-compromise techniques for years, and NIS2 and the updated NIST CSF both increasingly expect organisations to demonstrate coverage against them.
Can you, right now, and with evidence rather than estimation, say which techniques your stack covers and which it does not. Historically, producing that answer has taken months of analyst consolidation, and very few teams have it done and kept current.
What security leaders actually need right now
The organisations positioned to move fastest are the ones closing that analyst gap now. They need to answer post-compromise readiness questions in hours rather than quarters, with specific assessment of lateral movement detection, privilege escalation visibility, and containment capability, tied to the frameworks their boards and regulators care about.
This is what ESPROFILER is built for. At its core sits the Collider engine, which maps your full security vendor stack against frameworks including MITRE ATT&CK, NIST CSF, NIS2, and CIS Controls. The Collider aggregates your discovered stack, product capability intelligence, framework mappings, and commercial data into a single analytical environment, then shows exactly where coverage exists, where gaps sit, and what each capability costs to deliver.
For assumed-breach readiness specifically, the Collider allows security leaders to prioritise the framework domains that matter most once the perimeter has failed, whether that is lateral movement, credential access, privilege escalation, or exfiltration. It also lets you model architectural changes by sliding technologies into or out of your portfolio, so you can see the capability impact of a vendor consolidation or a new control investment before you commit to either. When a new threat vector emerges or a regulator asks a new question, you work from a live view of your environment rather than a six-month-old snapshot.
Board confidence is earned before the crisis, not during it
The CISOs walking into the next board conversation will be asked some version of the same question. Given what Mythos and models like it can do, where are we exposed, and what happens when the perimeter does not hold? The answer that earns board confidence is a clear, evidence-based picture of post-compromise readiness: which MITRE ATT&CK techniques your stack covers, which it does not, and what the plan is for the gaps. Vendor lists do not travel to the boardroom. Coverage evidence does.
That kind of confidence comes from knowing what your vendors actually do together, measured against the frameworks that describe the attacks you now need to assume will land. Individual vendor quality matters, but it is the collective capability of the stack, assessed against a live framework, that determines whether your organisation is genuinely ready for what is coming.
If the events of the last ten days have prompted a conversation in your organisation about where you stand, we would welcome the chance to show you how it works.