Our Take
The real risk is not one model—it's that capable hacking tools will be cheap, numerous, and hard to regulate once they're open-source.
Why it matters
If models with advanced exploitation capabilities become routine within 12-24 months, regulatory approaches focused on controlling single vendors or export restrictions miss the structural problem. Practitioners and policymakers need to assume these capabilities will be widely available soon.
Do this week
Security teams: audit your vulnerability disclosure and incident response processes this week, assuming threat actors have access to AI-assisted exploit development by Q4 2026.
Multiple vendors are building cybersecurity-focused AI models
Anthropic released Mythos Preview in April with advanced hacking and vulnerability-hunting capabilities. OpenAI simultaneously did a private release of its own cybersecurity-focused model and announced an expanded cybersecurity strategy. Tarah Wheeler, chief security officer at TPO Group, told Ars Technica that competitors to Anthropic "probably have the capabilities, too, and are holding them in reserve as they see how Anthropic is being treated in the current regulatory environment."
Anthropic's own frontier red team lead, Logan Graham, stated the company's message plainly: "We need to prepare now for a world where these capabilities are broadly available in 6, 12, 24 months."
Policy designed to control one model won't stop the trend
Bruce Schneier, researcher at Harvard and University of Toronto, noted that "smaller, cheaper, open-source models, sometimes by themselves and sometimes in concert with each other, can match Mythos/Fable's performance with more sophisticated prompting." He expects other models to match the creative and persistent capabilities within months, slightly longer for open-source versions.
Chris Wysopal, cofounder of Veracode, reframed the policy question: "The policy question is not whether a technology has risk. The question is whether a specific restriction meaningfully reduces that risk or whether it mainly slows down the people trying to make systems safer."
A large group of cybersecurity leaders sent an open letter to the White House on the issue, arguing that export-control directives miss the actual threat. The capability itself is not novel. Researchers note that existing AI models could already be used for advanced vulnerability-hunting and exploit development with refined prompting, even before this next generation of purpose-built models.
Assume adversaries will have these tools soon
The timeline matters. If hacking-capable models are available openly, cheaply, and in multiple variants within 6-24 months, defenders cannot rely on scarcity. Organizations should treat AI-assisted exploitation as a present threat posture, not a future one. Threat modeling, vulnerability management, and incident response playbooks designed for human-paced attacks may require significant revision when an attacker can generate exploit variants at machine speed and scale.