AISI Claude Mythos Eval: AI Owns 32-Step Network Attack
April 14, 2026
The UK AI Security Institute (AISI) has published its independent evaluation of Anthropic's Claude Mythos Preview — the unreleased frontier model powering Project Glasswing — and the findings reframe how defenders should think about AI-driven offensive cyber capability. Mythos Preview succeeded on 73% of expert-level capture-the-flag (CTF) challenges (tasks no model could complete as recently as April 2025), and became the first AI system to autonomously solve AISI's 32-step corporate attack simulation from reconnaissance through full network takeover.[1]
What You'll Learn
- What AISI evaluated and why its results matter more than vendor benchmarks
- The exact CTF numbers — 73% expert success and what expert-level actually means
- How Mythos Preview performed on "The Last Ones," a 32-step attack range
- How Mythos Preview compares to Claude Opus 4.6 on the same range
- The critical caveats AISI attached to its findings — and what defenders should actually do
TL;DR
AISI, the UK government's AI Security Institute, tested Claude Mythos Preview across capture-the-flag challenges and a multi-step attack range called "The Last Ones" (TLO). On expert CTF tasks the model succeeded 73% of the time. On TLO — a 32-step corporate network intrusion AISI estimates takes human experts roughly 20 hours — Mythos Preview is the first model to complete the range end-to-end, doing so in 3 of 10 attempts and averaging 22 of 32 steps across all runs. The next-best model tested, Claude Opus 4.6, averaged 16 of 32 steps and never completed TLO. AISI cautions the ranges lacked live defenders and endpoint detection, so results reflect autonomous attack of weakly-defended systems, not breaches of hardened enterprise networks. The Institute's operational takeaway: patching discipline, access controls, hardened configuration and comprehensive logging still matter. AISI points UK organisations to the NCSC Cyber Essentials scheme as a baseline.[2]
Why an Independent AISI Evaluation Matters
When a frontier lab ships a model, it also ships its own safety evaluations. Anthropic's Mythos Preview technical report is detailed and self-critical, but it is still the vendor grading its own homework.[3] AISI is different. It is a UK government body funded to carry out independent, pre-deployment evaluations of frontier AI systems. Its cyber tests are designed and run by the Institute, not scored against a model's own fine-tuning data. When AISI reports a number, it is one of the few publicly accountable reference points the security community has.
Anthropic describes Claude Mythos Preview as "a new general-purpose language model" that "performs strongly across the board, but it is strikingly capable at computer security tasks."[4] Anthropic announced it on April 7, 2026, bundled with Project Glasswing — an industry consortium giving restricted access to Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, along with more than 40 additional organisations that maintain critical software.[5] The model is not generally available: partners pay $25 per million input tokens and $125 per million output tokens via Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.[6]
That restricted-access posture makes AISI's evaluation the most authoritative external signal of what Mythos Preview can actually do.
Capture-the-Flag: 73% on Expert Tasks
Capture-the-flag challenges are the standard currency of offensive security skill assessment. Each task sets up a vulnerable system and asks the solver to retrieve a "flag" — a secret string — through exploitation. AISI groups its tests by difficulty, from entry-level misconfiguration puzzles to expert-level chains that combine reverse engineering, exploit development, and privilege escalation.
AISI's headline finding on the CTF side: Mythos Preview solves 73% of expert-level challenges. For scale, AISI notes that no model could complete any expert-level CTF tasks before April 2025. In 12 months the frontier has moved from "impossible" to "mostly solved." The delta is not a smooth trend line — it is a step change, and Mythos Preview sits at the leading edge of it.[7]
Expert-level success matters because these are the tasks that map most closely to the skills of a real offensive security researcher: reading binaries, reasoning about memory corruption, and building a working exploit from a bug. A model that can do that 73% of the time across AISI's set is not a pen-test automation helper — it is a peer-level co-operator for an experienced red-teamer.
"The Last Ones": AISI's 32-Step Attack Range
CTFs test puzzle-solving. They do not test whether a model can stitch those skills together into a full intrusion kill chain. That is what AISI built TLO for.
"The Last Ones" is a 32-step simulated corporate network attack that spans the full intrusion lifecycle: initial reconnaissance, foothold, credential theft, lateral movement, privilege escalation, persistence, and ultimately full network takeover. AISI estimates a human expert needs roughly 20 hours to work through the range.[8]
On TLO, the results look like this:
| Model | Completed range end-to-end | Average steps completed (of 32) |
|---|---|---|
| Claude Mythos Preview | 3 of 10 attempts | 22 |
| Claude Opus 4.6 | 0 | 16 |
Two things in that table are worth sitting with. First, Mythos Preview is the first AI system AISI has seen complete TLO from start to finish — a milestone the previous generation of frontier models did not reach. Second, its 6-step average lead over Opus 4.6 is the gap between a model that can stage an attack and one that cannot finish it. Opus 4.6 reliably gets the front half of the intrusion right; Mythos Preview routinely pushes past the point where lateral movement, privilege escalation, and persistence are required — the phases where human defenders normally still have time to react.
The Caveats AISI Attaches (and Why They Matter)
AISI is unusually direct about what its own evaluation does not show. Three caveats stand out:[9]
- No live defenders. The ranges do not include human responders, blue-team activity, or real-time decision-making. A model can try a noisy technique five times with no consequence.
- No endpoint detection or real-time incident response. Modern enterprise networks run EDR tooling that flags unusual process behaviour and terminates suspicious chains. The ranges do not.
- No penalties for triggering security alerts. In a real network, a single noisy artifact — an unexpected PowerShell invocation, a DNS beacon from an unusual host — can blow an operation. In TLO, no alerts fire.
AISI's own framing: the results establish that Mythos Preview can autonomously attack weakly-defended systems. They do not establish that it can breach hardened enterprise networks with mature security operations.
This is not a hedge — it is an important technical distinction. A 32-step attack that succeeds against a silent range can still be detected at step 3 in a real environment with competent logging and alerting.
What AISI Tells UK Organisations to Do
AISI's operational recommendation is almost defiantly unglamorous. The Institute points UK organisations back to cybersecurity fundamentals: patching discipline, access controls, hardened configuration, and comprehensive logging. It explicitly endorses the NCSC Cyber Essentials scheme as a baseline framework.[10]
That recommendation lands differently once you read it alongside Anthropic's own Mythos Preview findings — that the model has already identified thousands of high-severity zero-day vulnerabilities, including a 27-year-old TCP SACK flaw in OpenBSD, a 16-year-old H.264 bug in FFmpeg, and a 17-year-old NFS remote code execution bug in FreeBSD (CVE-2026-4747).[11] Patching discipline was always a fundamentals issue. In an environment where frontier models can autonomously find decade-old bugs at scale, the half-life of "unpatched but probably fine" has collapsed.
AISI's message to UK boards is that cyber fundamentals are not optional plumbing anymore; they are the thin layer that determines whether an attacker using Mythos-class tooling lands on a system that gets owned in one hour or one minute.
How This Fits Anthropic's Responsible Scaling Policy
Mythos Preview's cyber capability is why Anthropic is not shipping it to the public. The model's ability to discover zero-day vulnerabilities at scale places it at or near the ASL-3 threshold for cybersecurity capabilities under Anthropic's Responsible Scaling Policy — the internal bar at which current safeguards are considered insufficient to prevent serious misuse.[12] Project Glasswing is the workaround: give the model to defenders under contract before any attacker-equivalent capability ships openly.
AISI's results give that restriction some weight. If an independent government evaluator is recording the first model-completed end-to-end 32-step corporate intrusion, it is easy to see why unrestricted access would change the defensive calculus for every organisation on the internet simultaneously.
What To Do This Week If You're a Defender
The AISI evaluation is genuinely useful for defenders because it is actionable. Three concrete moves:
- Read the Anthropic Mythos Preview technical report alongside AISI's evaluation.[13] Anthropic discloses the classes of bugs Mythos Preview is good at finding; AISI tells you how those translate to a full attack chain. The two documents together are a threat model.
- Audit your patch cadence against decades-old open-source bugs. Mythos Preview's public disclosures show a sustained pattern of finding very old code paths that everyone assumed were reviewed. If you depend on FFmpeg, OpenBSD networking stacks, or NFS servers, treat this as an active patch sprint, not a tracker item.
- Invest in detection breadth, not just depth. AISI's caveats are the good news: in a range with defenders, Mythos Preview's noise would have surfaced. That is only true if your blue team can see the noise. Comprehensive logging and modern EDR are now the gap between the AISI range and your production network.
Bottom Line
AISI's evaluation is the clearest independent confirmation that frontier AI has moved, in roughly 12 months, from unable to complete expert CTFs to autonomously owning a full 32-step corporate network. That is a real capability jump, and it is why Mythos Preview is sitting behind Project Glasswing instead of shipping to the public. The caveats AISI attached — no live defenders, no EDR, no alert penalties — are not a reason to relax. They are a description of what the AI can do against an undefended environment, and an implicit argument that the gap between "undefended" and "genuinely defended" is now the most important thing your cyber programme can be closing.
Footnotes
1. AISI, "Our evaluation of Claude Mythos Preview's cyber capabilities" — aisi.gov.uk.
2. AISI, ibid.; UK National Cyber Security Centre, Cyber Essentials scheme.
3. Anthropic, "Claude Mythos Preview" — red.anthropic.com.
4. Anthropic, ibid.
5. Anthropic, "Project Glasswing" — anthropic.com/project/glasswing.
6. Anthropic, "Project Glasswing" — pricing disclosed for partner access; availability via Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.
7. AISI, ibid.; see also Techmeme coverage of AISI findings — techmeme.com/260413/p20.
8. AISI, ibid. Human time estimate from AISI methodology notes.
9. AISI, ibid. — limitations section.
10. AISI, ibid.; see also Cyber Essentials via NCSC.
11. Anthropic, "Claude Mythos Preview" technical report — red.anthropic.com. FreeBSD CVE-2026-4747.
12. Anthropic, "Responsible Scaling Policy" — anthropic.com/responsible-scaling-policy.
13. Anthropic, "Claude Mythos Preview" — red.anthropic.com.
14. Anthropic, "Project Glasswing" — anthropic.com/project/glasswing.
15. Anthropic, "Project Glasswing" — pricing and platform availability.
16. AISI, "Our evaluation of Claude Mythos Preview's cyber capabilities" — TLO results table.
17. AISI, ibid. — analysis of expert CTF results relative to TLO.
18. AISI, ibid. Published on the AISI blog at aisi.gov.uk/blog.