Mythos Beats GPT-5.5 at Real Hacking—Now What?
Anthropic's Mythos outran GPT-5.5 on independent cyber evals. Here's what that means for security teams, developers, and the AI arms race heating up fast.
Written by AI. Marcus Chen-Ramirez

Photo: AI. Renzo Vargas
Someone on X this week posted that they'd just recovered $400,000 in Bitcoin they'd locked themselves out of eleven years ago—back in college, after a password change made under circumstances they'd prefer not to elaborate on. Brute-force crackers had failed for over a decade. What worked was Claude, patiently sorting through forgotten folders on an old hard drive until it found a wallet.dat file predating the password change and matched it to a mnemonic phrase the guy still had lying around.
It's a good story. But the reason AI analyst Nate B. Jones opened his latest video with it isn't the Bitcoin. It's the shape of the thing: no flashy model launch, no benchmark press release, just an AI doing the kind of slow, contextual research work that used to require either a specialist or an unreasonable amount of your own patience. Jones's point is that this is what the current moment actually looks like—quieter and more specific than the hype cycle suggests, but consequential in ways that are starting to compound.
He covered five stories this week that illustrate that compounding. The Mythos cybersecurity evaluation is the one that deserves the most attention.
When Independent Evals Say Something Uncomfortable
There's a version of the Mythos story that's easy to dismiss. Anthropic tells us their frontier model is dangerously capable at cybersecurity tasks. Anthropic is also, obviously, incentivized to tell us exactly that—nothing sells "safety-focused AI company" like "our model is so powerful we're being careful about who gets it." You take that with a grain of salt.
What's harder to dismiss is when independent evaluators say it too.
This week, two separate organizations—XBOW and the UK AI Security Institute—released evaluations of Claude Mythos Preview that both reached the same uncomfortable conclusion: frontier models, and Mythos specifically, are now good enough at serious offensive cyber work that security teams need to update their threat models. Not in a theoretical future sense. Now.
The UK AISI test wasn't a CTF puzzle. It was a full attack chain: reconnaissance, credential theft, lateral movement, web app exploitation, privilege escalation, command-and-control persistence, infrastructure compromise, full network takeover. They ran multiple models through it on the same token budget. Mythos got farther than any of them—including GPT-5.5, which Jones is careful to note is not a weak baseline. OpenAI has positioned 5.5 as more token-efficient than its predecessor, and in OpenAI's own cybersecurity benchmarks, 5.5 already "significantly exceeds the old cyber progress trend," as the AISI put it.
So Mythos isn't beating an easy opponent. It's outrunning a strong one, and doing it while spending fewer tokens per step. In cybersecurity, that economics shift matters enormously. "If a model can find real vulnerabilities for fewer tokens," Jones notes, "the work gets cheaper, it gets faster, and it gets easier to repeat." For defenders, that's leverage. For attackers, it's the same leverage, available to anyone who can access a capable model.
XBOW added useful texture to this. Their evaluation found Mythos was genuinely strong at source code audits, native code vulnerability discovery, and reverse engineering—but noted its judgment was still unreliable in places. It can be overly literal. It overstates relevance. It needs validation infrastructure around it to produce trustworthy results. That's not a dismissal; it's a description of a tool that's powerful enough to be dangerous and immature enough to require human oversight. Which is, frankly, the most interesting combination possible.
Both Anthropic and OpenAI are responding to this with controlled-access defensive programs—Anthropic's Project Glasswing, OpenAI's Daybreak—that put these models in the hands of trusted security researchers before broader release. The logic is sound: get defenders up to speed before the capability diffuses. The open question is whether the diffusion timeline is as controllable as either company wants it to be.
The Subscription Model Wasn't Built for This
The Mythos story is the most dramatic thing Jones covers, but the Claude usage limits story might be the most structurally interesting, because it's a window into what happens when a product succeeds faster than its business model can accommodate.
The short version: Claude Code, released last December, apparently catalyzed a surge in agentic workflows that Anthropic didn't fully anticipate. Dario Amodei has reportedly said the company planned for 10x growth and got over 80x. That's a good problem in a venture-capital sense and an operational nightmare in every other sense. Anthropic ran short on compute. In response, they clamped down—first by cutting off OpenClaw, a third-party tool that let developers route agent usage through personal Claude subscriptions, effectively consuming thousands of dollars in tokens while paying hundreds. Then, after significant developer backlash and a visible user-acquisition push from OpenAI (who made OpenClaw work smoothly with their own subscriptions), Anthropic tried to thread a needle: you can use your subscription for third-party agent usage, but there's a monthly rate limit, use-it-or-lose-it, after which you pay per token.
This has not landed well.
"One of the things about PR with developers is that the clearer, simpler, more consistent message wins," Jones says. "Part of why [Anthropic] broke through in December and January is that they were so clear and so simple about Claude Code being a delightful experience. But now because of its success, they can't afford to be that clear and simple with developers anymore."
That tension is real, and it points to something the industry hasn't worked out yet: the subscription model that made AI accessible to individual developers and small teams was priced for human users typing into chatboxes. Agents aren't humans typing into chatboxes. They run continuously, consume tokens at scale, and don't take breaks. An "all-you-can-eat" plan that costs $20 or $200 a month means something categorically different when the eater is a process running for hours. The market is now figuring out—through a series of messy adjustments—what the right pricing architecture actually looks like.
For anyone building on top of these platforms, the practical implication is this: usage limits are no longer just billing details. They're product behavior. What happens when an agent hits a cap mid-task? Does it pause? Lose context? Silently switch models? Most teams building agentic workflows don't have clean answers to those questions yet, because they haven't had to.
The Quieter Shifts
Two other stories Jones covers deserve quick mention because they're the kind of infrastructure news that looks minor until you're living inside its consequences.
Notion launched a real developer platform on May 13th—not just an AI button bolted onto their existing product, but a programmable workspace layer with webhooks, hosted worker functions, database sync from external systems, and an API that lets external agents like Claude or Codex operate inside Notion as participants. Jones describes a realistic customer onboarding workflow built entirely from these components: deal closes in Salesforce, webhook fires a Notion worker, worker spins up an onboarding workspace with relevant context, agent drafts the kickoff plan, human reviews before anything goes to the customer. No speculation involved—those are the exact components the platform was built to connect.
The significance is context. So much company work lives in Notion precisely because it's informal—the lightweight CRM someone built because Salesforce was too heavy, the project database that predates any formal system. Agents need that context to do useful work, and until now, getting them into those spaces required brittle workarounds. The new platform makes that access first-class.
AWS, meanwhile, announced that AI agents can now operate desktop applications inside managed Amazon Workspaces environments—meaning agents can drive legacy software, ERP systems, mainframe interfaces, and proprietary tools the way a human would, inside an environment with centralized permissions and audit logging. A company doesn't have to wait for old systems to become API-native. The agent just learns to use the mouse. In regulated industries where legacy software isn't going anywhere, this is less boring than it sounds.
On the revenue side: payment infrastructure company Ramp—which tracks actual business card spending—reported that Anthropic now has more verified business customers than OpenAI. Both companies are reportedly approaching or exceeding $30 billion in annualized revenue. Jones frames this as a leading indicator of compute strain, not just competitive positioning, and that framing seems right. Revenue growth at this scale means demand growth, and Anthropic is already telling us publicly that demand has outrun their capacity to serve it.
The Bitcoin story at the top of Jones's video is really a story about patience and context—an AI working through a decade of forgotten files until it found the thread that mattered. The Mythos cybersecurity evals are the same dynamic at a different scale and with significantly higher stakes: a model working through an attack chain, step by methodical step, getting farther than anything before it.
The question security teams should probably be sitting with isn't whether this capability is real—two independent evaluators just confirmed it is. It's whether the window between "defenders can access this" and "everyone can access this" is long enough to matter.
By Marcus Chen-Ramirez, Senior Technology Correspondent
AI Moves Fast. We Keep You Current.
Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.
More Like This
OpenAI's Codex Is Growing Up Fast—And Getting Weird
OpenAI's latest Codex updates add browser control, AI-reviewed approvals, and... animated pets? A look at where AI coding tools are actually heading.
Anthropic's Mythos AI Isn't Being Released. That's the Story.
Anthropic built an AI model so good at finding software vulnerabilities that it chose not to release it publicly. What that decision reveals about AI security.
Anthropic's Claude Mythos Found Thousands of Zero-Days
Anthropic's new Claude Mythos AI discovered thousands of zero-day vulnerabilities, prompting a defensive security initiative before public release.
Claude's Chrome Extension Turns Busywork Into Autopilot
Anthropic's Claude extension for Chrome can negotiate with customer service, triage email, and extract data across tabs—but the real trick is scheduling it all.
Who Really Owns the AI Agent Implementation Layer?
AI agents are creating a trillion-dollar implementation battleground. Here's why frontier labs, PE firms, consultancies, and SaaS giants are all converging on the same turf.
Claude Mythos Breaks AI Benchmarks—and Raises Alarms
Claude Mythos hit METR's 16-hour autonomous task ceiling—and may have exposed a deeper problem: our tools for measuring AI can't keep up.
WarGames Got the Details Wrong—But the Feeling Right
How a 1983 film used real hardware and strategic Hollywood cheating to capture what early computing actually felt like—even when faking almost everything.
Ten Tools to Fix Claude Code's Terrible Design Aesthetic
Claude Code generates the same purple gradients and Inter font on every site. Here are ten plugins and skills that might actually fix its design problem.
RAG·vector embedding
2026-05-17This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.