Expert opinion – For a decade the cybersecurity community has been predicting a cyber apocalypse tied to a single event: the day cryptographically relevant quantum computers can run Shor's algorithm and break the public-key cryptography on which much of the Internet runs. We prepared for a one-time shock that we would absorb and adapt to. The National Institute of Standards and Technology (NIST) has already published the standard for the first set of post-quantum cryptography algorithms.
It's possible that the first cybersecurity apocalypse has arrived early. Anthropic Mythos has now tilted the odds in the cybersecurity arms race in favor of the attackers – and the mathematics of why they are tilted, and for how long, is at odds with what our institutions were built to handle.
In 2013, Edward Snowden changed what people understood about nation-state cyber capabilities. In the decade that followed the revelations and leaks of nation-state cyber tools, uncertainty was reduced and the proliferation of cyber tradecraft accelerated.
The defensive playbook that followed – compartmentalization, need-to-know, leak-surface reduction, clearance reform – "worked": the Snowden leaks and subsequent one-time revelations were absorbed over a decade, returning the system to something like equilibrium.
We have become good at responding to the shock of revelations. This became a principle. It was the right theory for the wrong future.
Pandora's box
In 2026, Anthropic Mythos (and similar AI systems) are changing what people can do. Mythos found zero-day vulnerabilities and thousands of "bugs" that were not publicly known to exist. Many of these weren't just run-of-the-mill stack-smashing exploits but sophisticated attacks that required exploiting subtle race conditions, KASLR (kernel address space layout randomization) bypasses, memory corruption vulnerabilities, and logic flaws and bugs in cryptographic libraries for TLS, AES-GCM, and SSH.
The reality is that many of these were not "bugs". They were nation-state exploits built over decades.
This means that Anthropic Mythos, and the tools that will surely follow, have exposed hacking tools that were previously available only to nation-states and turned them into tools that script kiddies can use. Within a few months (and certainly within a year) no expertise will be needed to apply that tradecraft, which will compress both the learning curve and the execution barrier.
The entire government will act arbitrarily
When Mythos-class systems are used to analyze code in critical infrastructure and systems, hidden, sophisticated zero-day exploits that are already in use (including those of nation-states that have been sitting in place for years) will be found and patched. This means that intelligence agencies' collection sources will go dark as companies and governments close these vulnerabilities.
Every serious intelligence service, possibly with its own AI, will struggle to find new access before the visibility gaps turn into something it cannot replace. A new generation of AI-powered cyber exploits will emerge to replace those that have been burned, and this will trigger an arms race. Whichever side supports rapid AI adoption – not only "buys" it, but ships it into operational systems – keeps a massive advantage, measured in powers of two, every four months.
The binding constraint is not the budget, not rights, and not access to models. It is the institutional capacity for change – the rate at which a defender organization can actually change what it deploys.
The long tail will not be patched
Anthropic has given companies early access to secure the world's most important software. This will help Fortune 100 companies. But the Fortune 100 is only a small part of the software attack surface.
The attack surface includes unpatched county water utilities, regional hospitals, third-tier defense suppliers, school districts, state motor vehicle departments, municipal 911 systems, and small-town electric cooperatives. The thousands of systems running the software that no one has time to patch are maintained by teams that have never heard of KASLR.
Every single one of those systems is now exposed to nation-state-level tradecraft, operated by attackers who need no expertise. Mythos-class hardening at the top of the pyramid does not trickle down. The long tail will remain unpatched for years.
The attackers have the advantage – for now.
Under the continuous exponential growth of AI-designed cyber attacks, a cyber defender using traditional tools cannot simply respond once and stabilize their systems. They have to keep investing at a rate that matches the growth rate of the offense. A one-time defensive move like compartmentalization may work against a sudden attack, but it will fail against sustained exponential pressure because there is no stable equilibrium to return to. The defender's investment rate must track the growth rate of the offense.
Ultimately and hopefully, the next generation of AI-powered cyber-defense tools will strike a new balance.
What do we need to do
Mythos and its successors will change the way we think about cyber defense. We can't just create a set of features to catch every exploit x or y. We need to build cyber systems that can match or exceed the rate of the attackers.
Here are three tools that governments and cyber defense companies need to create now:
- Measure the gap between attackers and defenders. We need to know what attackers can do and what we can defend against. We need to develop instrumented red/blue exercises (simulation of a cyber attack, where two teams – red team and blue team – are pitted against each other) to estimate cyber defense mitigation versus the number of new vulnerabilities. (It can be built in six months with a small team.)
- Measure defender response time. For each corporate or government mission system, measure how long it takes to carry a change from identification to production deployment. Treat each organizational hurdle as equivalent to technical debt that needs to be overcome.
- Specify speed, not features. Any new cyber defense tools and architectures – including the next-generation cloud-native systems currently under review – must have clear "rate" requirements. The claim "Our product provides X capability" is now a misspecification. "Closes the detection gap at a rate greater than or equal to the offense growth rate" is correct.
Buckle up. It's going to be a wild ride – for companies, for defense and for government agencies.
Mythos is a sea change. It requires a different response than the one the current cybersecurity ecosystem was built for, and the current system is not designed to generate that response. We are not yet behind. The gap between Mythos and what we can build to defend is small enough today that a serious response can still match it. A year from now, the same response will be eight times slower. Two years, sixty-four.
Well, only hope was left in Pandora’s box.
