It empowers the person throwing the stone
In the spring of 2026, Anthropic's Mythos model arrived not merely as a new tool but as a shift in the ancient asymmetry between those who build and those who break — accelerating the discovery of hidden vulnerabilities at a cost that places sophisticated attack capabilities within reach of many more hands. Europe, already trailing the United States and China in artificial intelligence development, finds itself excluded from access to Mythos entirely, deepening a structural disadvantage that its cybersecurity officials are only beginning to reckon with. The question this moment poses is not simply technological but civilizational: in a world where machines wage war on machines, what does it mean to be secure, and who gets to decide?
- Mythos can find zero-day vulnerabilities — flaws unknown even to the software's own creators — faster and cheaper than any existing tool, tilting an already uneven battlefield further toward attackers.
- European defense and cybersecurity insiders are sounding alarms, with one source calling the model 'a nuclear bomb,' while Anthropic has locked European companies out of access entirely through its exclusive Project Glasswing consortium.
- The threat is not Mythos alone — OpenAI's GPT-5.5-Cyber has demonstrated comparable capabilities, and experts warn this marks a structural industrialization of offensive cyberpower, not a single exceptional event.
- Eighty percent of real-time cyberattacks are already machine-conducted, and the emerging reality is one of AI systems fighting AI systems — a landscape where even actors with minimal skill and small budgets can now launch sophisticated, large-scale attacks.
- Europe's response is constrained by years of underinvestment, but some experts argue its real leverage lies not in raw model power but in governance, data sovereignty, and the trust frameworks that the rest of the world is increasingly looking to it to define.
When Anthropic unveiled Mythos in April 2026, European cybersecurity officials moved quickly from curiosity to alarm. The model's specialization — finding zero-day vulnerabilities, the hidden flaws that even software makers don't know exist — was not entirely novel. What unsettled experts was its speed and its cost. Penetration testing that once required significant time and expertise could now be compressed and cheapened, handing attackers a sharper edge in a contest that was already tilted against defenders.
Pedro Pablo Pérez, who leads the Spanish systems integration firm TRC, frames the problem in structural terms: cybersecurity has always favored the attacker, because breaking a system requires finding only one flaw while defending it requires closing every one. Mythos, he argues, throws that stone harder and faster. Across Europe, the reaction has ranged from alarm to measured concern. Stéphane Lenco of Thales, France's major defense contractor, urges perspective — GPT-5.5-Cyber from OpenAI has demonstrated similar capabilities and has already reached European firms including Telefónica and BBVA. Mythos, he suggests, is a symptom of a broader evolution, not an isolated rupture.
Yet Anthropic's decision to restrict Mythos access to a closed American consortium — Amazon, Apple, Google, Microsoft, Nvidia — has left European companies entirely excluded, sharpening a wound that predates this moment. Europe's investment in artificial intelligence lags far behind the United States and China. Mistral, the continent's most prominent AI effort, received 1.3 billion dollars in late 2025 — a fraction of what flows routinely into American competitors. Antonio García of Teldat, whose firewalls protect ninety percent of Spain's banking sector, puts it plainly: Europe has not done its homework.
The world García describes is already arriving — one where eighty percent of real-time cyberattacks are machine-conducted, and where the future belongs to confronted neural networks, AI fighting AI at industrial scale. Pablo Ballarín of ISACA Valencia adds that these models have democratized attacks once requiring specialized knowledge and substantial resources, placing sophisticated campaigns within reach of nearly anyone.
And yet the story is not only one of deficit. Ballarín argues that the real competition is not about who builds the most powerful model but about who controls data, infrastructure, and the mechanisms of oversight. Europe's strengths — in governance, resilience, and data protection — are precisely what international institutions are beginning to look toward as the technical race accelerates. Whether Europe can convert those advantages into genuine security, before the gap widens further, remains the open and urgent question.
Anthropic announced a new artificial intelligence model in April called Mythos, and within weeks, European cybersecurity officials were sounding alarms. The system specializes in finding zero-day vulnerabilities—security flaws unknown even to the software makers who built them, and therefore impossible to patch. What makes Mythos dangerous is not that it does something entirely new. It is that it does what security researchers call penetration testing far faster than existing tools, and apparently at a lower cost.
Pedro Pablo Pérez, who runs TRC, a Spanish systems integration firm and a recognized authority in European cybersecurity, frames the problem in architectural terms. Cybersecurity has always been asymmetrical: it is easier to attack a system than to defend one. Building a secure structure requires meticulous work. Breaking it requires finding a single flaw. Mythos tilts that balance further toward the attacker. "It empowers the person throwing the stone," Pérez says, using a metaphor about breaking glass.
The concern ripples across the continent. A source working with multiple European defense and cybersecurity firms describes the new model as "a nuclear bomb." Stéphane Lenco, the chief security executive at Thales, one of France's largest military contractors, offers a more measured assessment. Mythos is not an isolated case, he argues. Other models have reached comparable capabilities. OpenAI's GPT-5.5-Cyber, for instance, has demonstrated similar abilities according to research from the UK's AI Safety Institute. That model has been made available to European companies, including the Spanish banks Telefónica and BBVA. Lenco suggests viewing Mythos as part of a broader structural evolution in technological capacity rather than a unique advantage.
Yet Anthropic has restricted access to Mythos to a select group called Project Glasswing, which includes American technology giants like Amazon, Apple, Google, Microsoft, and Nvidia. European companies have been shut out entirely. This gatekeeping deepens an existing wound: Europe's lag in artificial intelligence development compared to the United States and China. Anthropic justified the restriction by citing implications for "the economy, public safety, and national security," framing the move as a defensive measure. Some observers see it as effective marketing for a company that, while not publicly traded, was valued at 900 billion dollars in a funding round completed last week, surpassing OpenAI's valuation.
Antonio García, the chief executive of Teldat, a Spanish cybersecurity firm that manufactures firewalls for banks and serves 90 percent of Spain's banking sector, describes a future already arriving. Eighty percent of real-time cyberattacks are now conducted by machines, he notes. The world ahead will be one of "confronted neural networks"—artificial intelligence systems fighting other artificial intelligence systems. This industrialization of offensive capability changes everything. Pablo Ballarín, a cybersecurity expert and board member of ISACA Valencia, explains that these models democratize attacks that once required specialized knowledge, time, and substantial resources. Actors with minimal technical skill and limited budgets can now launch sophisticated phishing campaigns, fraud schemes, social engineering attacks, and automated vulnerability exploitation at a scale previously impossible.
Europe's position in this emerging landscape is weak. Investment in European AI companies pales beside American spending. Mistral, perhaps Europe's most prominent AI initiative, received 1.3 billion dollars from ASML, a Dutch chipmaking equipment manufacturer, in September 2025—a sum that represents a fraction of what flows into American firms. García acknowledges the shortfall bluntly: "We have not done our homework well." Europe has talented engineers and sufficient productive capacity to compete, he argues, but the continent has not mobilized them effectively.
Ballarín offers a different lens. The real competition is not simply about who builds the most powerful models. It is about who controls data, critical infrastructure, oversight capabilities, and decision-making mechanisms. Europe has genuine strengths in governance, resilience, interoperability, and data protection. International organizations are beginning to look to Europe as a reference point for AI governance and regulation precisely because the challenge is no longer purely technical—it is about trust. The question for Europe is whether it can leverage those advantages while the technological race accelerates elsewhere.
Notable Quotes
It is easier to attack a system than to defend one. Mythos tilts that balance further toward the attacker.— Pedro Pablo Pérez, director general of TRC
These models democratize attacks that once required specialized knowledge, time, and substantial resources.— Pablo Ballarín, cybersecurity expert and ISACA Valencia board member
The Hearth Conversation Another angle on the story
Why does it matter that Mythos is faster at finding vulnerabilities? Couldn't defenders just use the same tools?
Because speed changes the economics of attack. If you can find a flaw in hours instead of weeks, and do it cheaply, you can attack more targets. Defenders still have to patch every single flaw. The attacker only needs one.
But the source says other AI models like GPT-5.5-Cyber already exist with similar capabilities. Is Mythos actually special?
Probably not technically. What makes it special is the narrative around it and the fact that Anthropic locked it away. That creates the impression of a unique threat, which may be marketing genius or genuine caution—hard to say.
If Europe can't match American AI spending, what's the actual path forward?
The experts quoted suggest it's not about building a bigger model. It's about controlling your own data, protecting your infrastructure, and setting the rules for how AI gets used. Europe has regulatory strength. That might matter more than raw computing power.
You mentioned 80 percent of cyberattacks are already automated. Doesn't that mean the damage is already happening?
Yes. The concern is that AI makes those automated attacks smarter and cheaper to deploy. Right now, most are still relatively crude. Mythos and its peers could make them surgical.
Why did Anthropic restrict access to Project Glasswing?
They claim national security. But it also means American companies get the tool first, and everyone else has to catch up or buy access later. It's both a defensive move and a competitive advantage.
What happens if Europe just accepts it's behind and focuses on defense instead?
That's actually what some experts are arguing—stop chasing the biggest models and instead build better governance, better oversight, better ways to detect and respond to attacks. It's a different game, but Europe might have better cards for it.