On April 13, the UK AI Safety Institute released its independent evaluation of Anthropic's Claude Mythos Preview, and the findings tell a different story than the vendor hype. While Anthropic announced that Mythos could autonomously hack "every major operating system and browser," the UK government's testing reveals critical nuances: the model succeeds against poorly defended systems but cannot confirm success against well-defended environments. For healthcare organizations sitting between these extremes, this evaluation highlights an uncomfortable truth — basic cybersecurity practices are no longer optional.
The AISI evaluation matters because it's the first major independent verification of Mythos capabilities from a government safety institute, not a vendor with commercial incentives. Their conclusions are more conservative, more credible, and ultimately more actionable for defenders.
The Independent Validation: What UK AISI Actually Found
The UK AI Safety Institute conducted evaluations using both capture-the-flag (CTF) challenges and multi-step cyber-attack simulations. Mythos Preview represents a significant capability jump — on expert-level CTF tasks that no model could complete before April 2025, Mythos succeeds 73% of the time.
More significantly, Mythos Preview became the first model to complete "The Last Ones" (TLO), a 32-step corporate network attack simulation spanning initial reconnaissance through full network takeover. The range is estimated to require human experts 20 hours to complete. Mythos completed it from start to finish in 3 out of 10 attempts, averaging 22 out of 32 steps across all runs. Claude Opus 4.6, the next best model, averaged only 16 steps.
The performance trajectory shows rapid improvement. On multi-step attack chains tested with token budgets up to 100M tokens, Mythos Preview's performance continues scaling — suggesting even better results with more inference compute. The model outperformed all previous frontier models including GPT-5.4, Opus 4.6, and Sonnet 4.5 across both CTF and cyber range evaluations.
The Critical Caveat: What AISI Didn't Find
Here's where the AISI evaluation diverges sharply from Anthropic's marketing. The UK government explicitly states that their cyber ranges "lack security features that are often present, such as active defenders and defensive tooling." There are no penalties for the model undertaking actions that would trigger security alerts. This makes the evaluation environments significantly easier targets than real-world systems.
The AISI report's key limitation: "This means we cannot say for sure whether Mythos Preview would be able to attack well-defended systems."
Mythos also showed capability gaps. It could not complete the "Cooling Tower" operational technology (OT) focused cyber range, though the model got stuck on IT sections rather than failing specifically at OT tasks. This has direct implications for healthcare environments with medical devices, building management systems, and clinical IoT infrastructure.
Performance Comparison: Mythos vs. Other Models
The AISI evaluation provides concrete data on how Mythos compares to other frontier models:
| Capability | Anthropic Claims | UK AISI Findings |
|---|---|---|
| Expert-level CTFs | "Strikingly capable" | 73% success rate |
| Multi-step attacks | "Thousands of vulnerabilities found" | First model to complete TLO (3/10 attempts) |
| vs. Opus 4.6 | "Substantial difference" | 22 vs. 16 steps on TLO range |
| Token scaling | Not disclosed | Performance continues improving up to 100M tokens |
| Real-world applicability | "Game-changing for security" | "Poorly defended systems only" (confirmed) |
| OT/ICS environments | Not mentioned | Failed "Cooling Tower" range |
The performance data shows Mythos is genuinely more capable than previous models, but the evaluation environment matters enormously. Testing against vulnerable systems without active defenses is fundamentally different from attacking production environments with endpoint detection, security monitoring, and incident response teams.
The Economic Reality: Cost as a Defensive Barrier
One finding the AISI report reveals indirectly: attacking with Mythos is expensive. The evaluations ran with token budgets up to 100M tokens, and performance continued improving at that scale. At unknown Mythos pricing (likely exceeding Opus 4.6's $5 input / $25 output per million tokens), a single attack attempt could cost $2,500 to $10,000 or more in API calls.
This economic barrier matters for threat modeling. Would a financially motivated attacker spend thousands of dollars in tokens to compromise a small healthcare clinic's network? Possibly for high-value targets (large health systems, research institutions with valuable IP), but the cost-benefit analysis changes significantly compared to traditional automated attacks.
The inference cost doesn't eliminate the threat — well-funded nation-state actors or sophisticated criminal groups can afford it — but it does narrow the threat profile compared to fears of fully automated, zero-cost AI-driven attacks at scale.
What This Means for Healthcare
The AISI evaluation provides a clearer picture of where healthcare organizations actually stand in this threat landscape.
Most Healthcare Orgs Sit in the Danger Zone
Healthcare environments typically fall between the two extremes tested:
- Better than the vulnerable test ranges (hopefully) — most organizations have some security controls, patching processes, and monitoring in place.
- Worse than hardened environments with active monitoring — few healthcare organizations have dedicated SOCs with 24/7 monitoring, comprehensive endpoint detection, and real-time incident response capabilities.
This gap is the risk. Mythos can exploit poorly defended systems. Healthcare organizations with inconsistent patching, weak access controls, and limited logging are exactly the "poorly defended systems" the AISI report references.
Cyber Essentials Are No Longer Optional
The AISI report concludes with a clear recommendation: "This highlights the importance of cybersecurity basics, such as regular application of security updates, robust access controls, security configuration, and comprehensive logging."
The UK government's National Cyber Security Centre runs the Cyber Essentials scheme covering:
- Regular security updates — automated patching systems, vulnerability management processes
- Robust access controls — least privilege, multi-factor authentication, privileged access management
- Security configuration — hardened defaults, configuration management, secure baselines
- Comprehensive logging — security event logging, log retention, SIEM integration
These aren't new recommendations. What's changed is the consequence of skipping them. When vulnerabilities could only be found by skilled human security researchers, organizations had time to patch before widespread exploitation. When AI models can autonomously discover and exploit vulnerabilities at scale, the window between disclosure and exploitation compresses dramatically.
The SDL Implications
For healthcare development teams, this evaluation reinforces the importance of security in the development lifecycle:
- AI-assisted code generation tools may introduce vulnerabilities that AI-powered discovery tools can find — the SDL must catch these before deployment.
- Legacy systems without regular updates become high-priority targets for AI-driven attacks — migration timelines need acceleration.
- Third-party vendor code requires increased scrutiny — if your vendors aren't following secure development practices, their vulnerabilities become your attack surface.
The gap between "developer uses AI to write code" and "attacker uses AI to exploit it" is closing rapidly.
Medical Device and OT Security
The fact that Mythos failed the "Cooling Tower" OT-focused range provides limited reassurance. The model got stuck on IT sections, not OT-specific challenges. This suggests the barrier isn't inherent OT complexity but rather the specific range design.
Healthcare organizations with medical devices, building management systems, and clinical IoT infrastructure should not assume these systems are protected by technological complexity. The AISI plans future evaluations on OT environments, and capability gaps tend to close quickly in AI development.
Looking Forward: Harder Evaluations Coming
The AISI report explicitly states their next steps: "Our future work will involve evaluating capabilities using ranges simulating hardened and defended environments, including ranges with active monitoring, endpoint detection and real-time incident response."
As AI cyber capabilities continue improving, evaluation environments lacking defenses will no longer discriminate between the most capable models. The AISI will need to test against realistic defended systems to measure true capability.
This means we'll eventually get data on whether Mythos (or its successors) can breach well-defended healthcare environments. The time to prepare is now, before those evaluations reveal uncomfortable truths about production system vulnerabilities.
The Bigger Picture: Defense Still Has the Advantage
The most important takeaway from the UK AISI evaluation is what it doesn't say. Despite Mythos Preview's impressive capabilities, the report does not conclude that defenders are behind. Instead, it emphasizes that organizations following cybersecurity basics remain protected.
This stands in stark contrast to Anthropic's framing of a "watershed moment" requiring urgent defensive action. Both perspectives contain truth: capabilities have crossed a threshold, but defenders with solid practices still have the advantage.
For healthcare security teams, the message is clear: AI doesn't change the fundamentals of defense. It just severely punishes organizations that skip them. Patching, access controls, configuration management, and logging aren't new advice — they're now the minimum bar for survival in an environment where AI can autonomously find and exploit the vulnerabilities that lazy security creates.
The UK government's independent evaluation confirms what defenders needed to hear: do the basics right, and you're still ahead of even the most advanced AI attackers. Skip them, and you're exactly the target these models are designed to compromise.
This is entry #31 in the AI Security series. For related coverage, see Comment-and-Control: GitHub Agents and Prompt Injection Attacks.
Key Links
- UK AI Safety Institute: Our evaluation of Claude Mythos Preview's cyber capabilities
- Anthropic Frontier Red Team: Claude Mythos Preview Technical Details
- Anthropic: Project Glasswing
- UK NCSC: Cyber Essentials Scheme
- AISI Research Paper: The Last Ones Cyber Range
- NBC News: Anthropic's Claude Mythos Gets Limited Release Over Safety Concerns