Mythos is not the AI Apocalypse

Mythos is Not the AI Apocalypse, But Time Is Running Out

Mythos found a 23-year-old FreeBSD vulnerability that no human team had caught. That is the capability. It is not the end of the world.

Anthropic restricted access through Project Glasswing, letting vendors like Palo Alto Networks and Microsoft test their own software first. The public version, Fable, arrived ahead of schedule.

The zero-day window has collapsed from two-plus years in 2019 to one day now. Next year: one hour. That timeline is the threat, not the model itself.

In this episode of Threat Talks, Lieuwe Jan Koning, Co-founder & CTO at ON2IT, sits down with Rob Maas, Field CTO at ON2IT, to assess what Mythos found and what the FABLE framework gives defenders to work with right now.

If your fundamentals are in place, this is not the apocalypse. If not, the time to act is now.

What you’ll learn

  • What Mythos actually found, and what it did not
    The 23-year-old FreeBSD flaw, the AISI pen test results, and why Rob rates the real-world threat lower than Anthropic’s own marketing suggests.
  • How the zero-day exploitation window is collapsing
    From two-plus years in 2019 to one day now, one hour projected next year. What that means for any organization still on a 30-day patch cycle.
  • What the FABLE framework covers
    Five controls: asset discovery at the edge, authentication, segmentation, exposure hardening, and monitoring. Based on the CSA “Mythos Ready” paper.
  • Why egress filtering may matter more than patching
    How Log4j showed that outbound traffic controls can stop an exploit even when a vulnerability exists.

Your cybersecurity experts

Lieuwe Jan Koning

Co-Founder and CTO
ON2IT

Rob Maas

Field CTO
ON2IT

Episode details

The AISI pen test report confirms Mythos solved almost all CTF challenges designed for human professionals. The ON2IT Security Operations Center spent weeks patching the vulnerabilities it uncovered through Project Glasswing. The model is genuinely capable. But solid defenses still hold against it.

The public version, Fable, flags almost all security questions as unsafe by default. Even with a special exemption, ON2IT still encounters friction using it for security work. The model defenders should worry about most is not Fable. It is the open-source or unrestricted equivalent without those guardrails.

The FABLE framework is the practical response. Find everything at your edge. Authenticate with MFA and short-lived tokens to shrink the window for AI-accelerated brute-force. Bound the blast radius through segmentation so lateral movement is contained when something breaks through. Limit exposure by removing unnecessary services and processes. Have Eyes on everything with automated detection and response that does not wait for a human to act.
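The egress-filtering point made above (and in the "Why egress filtering may matter more than patching" item) is easiest to see with a concrete policy. The following is an added example, not code from the episode, ON2IT or the CSA paper: a default-deny outbound policy evaluated over constructed flow records. The host roles, the allow-list networks and ports, the internal address range and the sample log lines are all assumptions made for the illustration. It shows how a vulnerable web server's outbound callback to an unknown address is dropped and surfaced as a high-severity event even though the vulnerability itself was never patched, while normal traffic passes.

```python
"""Default-deny egress policy evaluated against constructed outbound flow records.

Everything here (roles, allow-list, address ranges, sample flows) is constructed
for illustration; it is not ON2IT's or the CSA's tooling.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Per-role egress allow-list: (destination network, destination port) pairs a
# role may reach. Anything not listed is denied: default-deny outbound, which
# is the "limit exposure" control applied to traffic instead of services.
EGRESS_ALLOW = {
    "web": [
        ("10.20.0.0/24", 5432),   # application database tier
        ("10.30.0.5/32", 53),     # internal resolver
        ("10.30.0.10/32", 443),   # patch/update proxy
    ],
    "workstation": [
        ("0.0.0.0/0", 443),       # general HTTPS browsing
        ("10.30.0.5/32", 53),
    ],
}

# Roles that should never initiate connections outside the internal ranges.
SERVER_ROLES = {"web"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # constructed internal address space

# Constructed flow-log format:
#   <timestamp> src=<host> role=<role> dst=<ip> dport=<port> proto=<tcp|udp>
FLOW_RE = re.compile(
    r"src=(?P<src>\S+) role=(?P<role>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)


@dataclass(frozen=True)
class Verdict:
    src: str
    role: str
    dst: str
    dport: int
    action: str     # "allow" or "deny"
    severity: str   # "info" for allowed flows, "low" or "high" for denied ones


def egress_permitted(role: str, dst: str, dport: int) -> bool:
    """True only if an explicit allow-list entry covers this destination and port."""
    dst_ip = ip_address(dst)
    return any(
        dst_ip in ip_network(net) and dport == port
        for net, port in EGRESS_ALLOW.get(role, [])
    )


def evaluate_flow(line: str) -> Verdict:
    """Apply the policy to one flow record and rate a denial for the SOC."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, role, dst, dport = m["src"], m["role"], m["dst"], int(m["dport"])
    if egress_permitted(role, dst, dport):
        return Verdict(src, role, dst, dport, "allow", "info")
    # A server reaching for an address outside the internal ranges is the
    # Log4j-style callback pattern: the exploit may have fired, but the egress
    # control held, so this is the event monitoring should escalate first.
    external = not any(ip_address(dst) in net for net in INTERNAL_NETS)
    severity = "high" if role in SERVER_ROLES and external else "low"
    return Verdict(src, role, dst, dport, "deny", severity)


def evaluate(lines):
    """Evaluate every non-empty flow record; returns a list of Verdict objects."""
    return [evaluate_flow(line) for line in lines if line.strip()]


def high_severity(verdicts):
    """The denied flows that warrant immediate automated response."""
    return [v for v in verdicts if v.action == "deny" and v.severity == "high"]


# Constructed sample flows: one database query, one outbound callback from the
# web tier to an unknown external host, two workstation flows, one proxy fetch.
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01Z src=web01 role=web dst=10.20.0.15 dport=5432 proto=tcp",
    "2024-01-01T10:00:02Z src=web01 role=web dst=203.0.113.7 dport=1389 proto=tcp",
    "2024-01-01T10:00:03Z src=ws-042 role=workstation dst=198.51.100.20 dport=443 proto=tcp",
    "2024-01-01T10:00:04Z src=ws-042 role=workstation dst=198.51.100.20 dport=22 proto=tcp",
    "2024-01-01T10:00:05Z src=web01 role=web dst=10.30.0.10 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_FLOWS):
        print(f"{v.action:5} {v.severity:4} {v.src} ({v.role}) -> {v.dst}:{v.dport}")
```

The second sample line is the case the episode's Log4j point describes: the web server itself is still vulnerable, but because the role has no allow-list entry for an external address on that port, the connection never completes and the denial is the alert that triggers response. The same evaluator serves the "Eyes on everything" control by turning raw flow logs into severity-rated events without a human in the loop.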

None of these controls are new. What has changed is the urgency.
