Breaking News · 10 min read

Claude Mythos Preview: First AI to Complete a 32-Step Autonomous Cyber Attack (AISI 2026)

On April 13, 2026, the UK's AI Security Institute published an evaluation of Anthropic's Claude Mythos Preview. One finding in that report had no precedent in any previous AI evaluation: an AI model, directed to attack a simulated corporate network, had completed the full 32-step takeover by itself, three times out of ten attempts.

AISI is an independent UK research body inside the Department for Science, Innovation and Technology. For scale: a trained human security professional needs roughly 20 hours of focused work to finish the same attack range. And in the same report, AISI warns that its own benchmarks are becoming too easy for the top models.

The report also describes a 100-million-token inference-compute budget per attempt, a chart mapping every major model tested since November 2022, a second range Mythos failed, and a set of defender recommendations for business owners. So, what changed in the last twelve months to turn a 20-hour expert job into something a chatbot can do on its own, and what does that mean for a small business before Monday? Let's look into it.

  • 3/10: TLO runs completed end to end
  • 22/32: Mythos average steps completed
  • 73%: Expert CTF success rate
  • 100M: Token budget per attempt

Executive Summary

  • AISI evaluated Anthropic's Claude Mythos Preview across two cyber test types: capture-the-flag challenges and a 32-step simulated corporate network attack called The Last Ones (TLO).
  • Mythos finished TLO end to end in 3 of 10 attempts. The next-best model, Claude Opus 4.6, averaged 16 of 32 steps and never reached the final milestone.
  • On expert-level capture-the-flag challenges, Mythos scored 73%. No AI model was able to pass this test before April 2025.
  • Each Mythos attempt used a 100-million-token compute budget. At current Anthropic Opus-tier API prices, that works out to roughly $1,500 to $7,500 per run, though Mythos-specific pricing is not yet public.
  • AISI's test environment had no active defenders, no detection tools, and no penalty for triggering security alerts.
  • Mythos failed a second AISI range named Cooling Tower, which targets operational technology (OT) environments, after getting stuck on the IT sections.
  • AISI's core hygiene advice for businesses covers regular security updates, tight access controls, secure configuration, and thorough logging, and points readers to NCSC's Cyber Essentials scheme.

Claude Mythos Preview Just Became the First AI to Take Over a Corporate Network

AISI runs cyber evaluations on frontier AI models before wide deployment. For Mythos Preview, the institute built a custom range called The Last Ones, a 32-step simulation of an internal corporate network attack. The simulation covers everything from first network reconnaissance to full network takeover.

[Chart: AISI advanced CTF challenge performance by model, with Claude Mythos Preview leading the expert tier at 73%]

Mythos completed the full chain in 3 of 10 attempts. Claude Opus 4.6, the previous best model, averaged 16 of 32 steps and never reached the final milestone. That six-step gap covers reverse engineering of command and control binaries, breaking custom encryption, and setting up persistence that survives reboots. Those were human-only skills in every previous AISI benchmark run.

Additional context worth noting:

  • Mythos began each run with basic network access already granted, so the test measures lateral attack capability, not initial breach.
  • AISI published its findings six days after Anthropic's public announcement of Mythos, which suggests pre-release evaluation access was part of the arrangement.
  • Mythos is a codename. Anthropic has not confirmed what tier it will ship as, or when it reaches paid customers.
  • No Google, Meta, or Chinese AI models appear anywhere in the report. AISI's dataset covers only Anthropic and OpenAI.

How AI Cyber Capabilities Jumped From 0% to 73% in One Year

Twelve months ago, no AI model could solve a single expert-level cyber capture-the-flag challenge in AISI's test suite. Every model scored zero. Mythos now solves 73% of them. Its closest competitor, Claude Opus 4.6, scores 66%, and OpenAI's GPT-5.4 scores 60%.

[Chart: AISI beginner CTF challenge performance, tracking 17 AI models from GPT-3.5 Turbo (November 2022) to Mythos Preview (April 2026)]

AISI has tracked AI cyber capability since November 2022, when GPT-3.5 Turbo scored roughly 22% on the easiest beginner tests. The technical non-expert tier is now saturated at above 95% across every frontier model. Apprentice-level progress continues, with Codex 5.3 and Mythos both sitting around 77 to 80%. The interesting action has moved to the practitioner and expert tiers, where performance jumps between monthly releases are visible to the naked eye.

What the chart itself reveals beyond the headline numbers:

  • AISI uses four difficulty tiers: technical non-expert, apprentice, practitioner, and expert. Mythos leads the expert tier, but trails GPT-5.4 by two points on practitioner tasks.
  • Claude Sonnet 4.5 scored only 27% on the expert tier, 39 points behind its own sibling Claude Opus 4.6. Model scale inside a single lab matters more than architecture for cyber capability.
  • The test compute budget scales from 2.5 million tokens on beginner challenges to 50 million on advanced challenges. That is a 20x compute increase for a single difficulty jump.
  • A new frontier cyber-capable AI model has shipped roughly once a month since August 2025.
  • AISI's own report warns that evaluation environments without defenders will soon stop being hard enough to separate top models from each other.

Inside The Last Ones: The 32-Step AISI Cyber Attack Simulation Mythos Solved

The Last Ones is structured around nine attack milestones that map to real corporate breach patterns. Each milestone groups several individual steps into a recognised phase of an attack: reconnaissance, lateral movement, browser credential theft, wiki exploitation, web app exploitation with privilege escalation, command and control reverse engineering, advanced persistence, infrastructure compromise, and full network takeover.

[Chart: completed steps on The Last Ones per tokens spent, with Mythos Preview reaching higher milestones than any other model]

Mythos averaged 22 steps across all 10 runs, which lands inside the advanced-persistence milestone. Its best single run reached step 28, inside the infrastructure compromise phase. The jump from “I can privilege-escalate” to “I can survive your security team noticing me” is the single largest qualitative shift in the history of the AISI cyber benchmark.

What the chart and the milestones reveal in practice:

  • On the AISI chart, Mythos is the only model whose line clearly crosses into milestones M6 through M8. Every other model plateaus halfway up the attack chain or earlier.
  • GPT-5.4 ran on an identical protocol (10 attempts at 100-million-token budget) and still flatlined well below Mythos. Model quality is doing work that raw compute alone cannot replicate.
  • Milestone M4 targets internal wikis such as Confluence, SharePoint, and Notion. Those systems commonly store passwords, API keys, and sensitive client documents in plain text.
  • Milestone M6 requires reverse engineering of custom command and control binaries, a task historically handled by professional malware analysts with years of training.
  • Older-generation models like Sonnet 3.7 and GPT-4o were not even tested at the 100-million-token budget. They plateau below step 6 regardless of compute.

Why AI Cyber Attacks Are Now About Compute Spend, Not Model Smarts

Performance on AISI's cyber ranges depends on two things together: the model itself, and the compute budget given to that model at inference time. For Mythos Preview, the budget was 100 million tokens per attempt. That is equivalent to a model reading and reasoning through roughly 75,000 pages of material for a single attack attempt.

[Illustration: token compute budget scaling for AI cyber attacks, from 2.5 million to 100 million tokens]

At current Anthropic Opus-tier API prices, a 100-million-token run would cost roughly $1,500 to $7,500 in compute. Mythos-specific pricing is not yet public. Industry rates for a comparable human red-team engagement typically land in the $4,000 to $20,000 range for 20 hours of expert time. Ten Mythos attempts to produce the three successful compromises AISI reported would run into the $15,000 to $75,000 range in compute alone.
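The cost range above can be reproduced with a back-of-envelope calculation. The rates below are assumptions consistent with the article's figures, $15 per million input tokens and $75 per million output tokens at the Opus tier; Mythos-specific pricing remains unconfirmed, so the true bound depends on the input/output mix of a real run.

```python
# Back-of-envelope compute cost for one 100-million-token attack run.
# Prices are assumed Opus-tier list rates, not confirmed Mythos pricing.
TOKENS_PER_RUN = 100_000_000
INPUT_PRICE_PER_M = 15    # USD per million tokens (assumed, all-input floor)
OUTPUT_PRICE_PER_M = 75   # USD per million tokens (assumed, all-output ceiling)

millions = TOKENS_PER_RUN / 1_000_000
low = millions * INPUT_PRICE_PER_M    # every token billed at the input rate
high = millions * OUTPUT_PRICE_PER_M  # every token billed at the output rate

print(f"${low:,.0f} to ${high:,.0f} per run")
print(f"${low * 10:,.0f} to ${high * 10:,.0f} for the 10 attempts AISI ran")
```

The ten-attempt total is what matters for attack economics: three successful compromises cost somewhere between $15,000 and $75,000 in compute under these assumed rates.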

The economic picture behind those numbers:

  • The 40x gap between AISI's beginner token budget (2.5 million) and the full range budget (100 million) shows that cyber capability now scales with compute, not purely with new model versions.
  • Wall-clock time for a 100-million-token agentic attack depends on throughput and parallelism, but a single-threaded run is on the order of days of continuous model runtime.
  • The attack economics tip in favour of automation when AI compute costs drop or success rates rise. Both trends are moving in that direction each quarter.
  • AI vendors cannot solve this through usage policies alone, because comparable capabilities will likely reach open-weight models within 12 to 18 months.

What Autonomous AI Attacks Mean for Your Business Data in 2026

The Last Ones is not a theoretical puzzle. Almost every milestone in the attack chain is about stealing, reading, or exploiting data: browser passwords, internal wikis, client records, and admin credentials. The attack chain exists because sensitive business information keeps accumulating on corporate networks and inside cloud AI tools.

[Illustration: corporate business data flowing from a company laptop to a cloud AI provider, creating breach risk]

Cloud AI vendors typically store prompts, uploaded files, and sometimes entire conversations on their servers. Those logs act as a breach multiplier. A single compromise at a cloud AI provider exposes the data of every customer on the platform, including contracts, research notes, health records, and source code that employees quietly pasted in during busy days.

Where the risk falls unevenly across business types:

  • Small and mid-sized businesses are the economic sweet spot for automated attackers: high data value per target, low defender budget.
  • AISI expects more models with these capabilities to follow Mythos, which means the same pressure on weakly defended targets will grow with every new frontier release.
  • The test ranges AISI used lacked active defenders. A properly configured SIEM in a real company should catch many of the noisy signals Mythos generated during its runs.
  • Data that never leaves an employee's device cannot be stolen in a cloud breach, regardless of how capable the attacker becomes.

How Local-First AI Like Elephas Reduces Your AI Attack Surface

Security teams call the simplest defence against data theft “data minimisation.” It means keeping sensitive information off systems an attacker can reach. Applied to AI, it means not sending confidential text, files, or client records to cloud assistants that keep them on servers outside your control.

[Screenshot: Elephas Mac app showing Smart Redaction detecting sensitive information before a cloud AI call]

Elephas is a Mac-native AI knowledge assistant built on a local-first architecture. Notes, drafts, research libraries, and knowledge bases live on the user's machine. When a task benefits from a frontier model like GPT-5.4 or Claude Opus, Elephas uses a feature called Smart Redaction before anything is sent out.

Here is how Smart Redaction actually works:

  • Sensitive data is automatically detected and redacted before anything reaches a cloud AI model.
  • Your content is never used to train AI models.
  • Nothing passes through a third-party reviewer's screen.

Practical details on the product:

  • Elephas runs on Mac, iPhone, and iPad from a single account. Visit elephas.app to see current plans, start a trial, and watch Smart Redaction in action.
  • Smart Redaction is currently in beta and rolls out to top-tier subscribers first.
  • Elephas also provides built-in local LLM models for users who want zero cloud dependency on any task.
  • The design intent is straightforward: a privacy-friendly AI knowledge assistant built for professionals who cannot afford to paste client data into a public chatbot.

Elephas is not a cybersecurity product. It will not stop a network attack in progress. What it does is shrink the data surface an AI attacker can reach. Files that never touched a cloud server cannot be stolen from that server.
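Elephas has not published how Smart Redaction is implemented, but the general local-first pattern it describes can be sketched: detect sensitive spans on-device with pattern matching and mask them before any text leaves the machine. The detectors and labels below are illustrative assumptions, not Elephas's actual logic.

```python
import re

# Illustrative on-device redaction, assuming simple regex detectors.
# A shipping product would use broader detectors; these three are examples.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),       # payment-card-like digit runs
    "API_KEY": re.compile(r"\b(?:sk|pk)-[A-Za-z0-9]{16,}\b"),
}

def redact(text: str) -> str:
    """Replace each detected sensitive span with a typed placeholder,
    so only the masked text is ever sent to a cloud model."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text

print(redact("Contact jane@acme.com, key sk-AbC123xYz456QwE789"))
print(redact("card 4111 1111 1111 1111"))
```

The key property is where the function runs: because detection happens locally, the unmasked original never reaches the provider's logs in the first place.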

3 Cybersecurity Basics Every Business Needs Before AI Attacks Scale

AISI's final guidance is plain. Most companies compromised by AI-driven attacks will lose data because their patching was late, their logging was sparse, and their access controls were loose. None of those problems require AI to exploit. AI only makes them faster and cheaper to find.

[Illustration: three-step cybersecurity checklist for small and mid-sized businesses facing AI-driven attacks in 2026]

Three concrete actions for this week:

  1. Follow the NCSC Cyber Essentials checklist. The UK National Cyber Security Centre publishes a free five-item framework covering security updates, access control, firewall configuration, malware protection, and secure device setup. Most real-world breaches fail at least one of these five items.
  2. Audit your AI data trail. List every AI tool any team member uses. For each tool, answer three questions: what data is being sent to it, where is that data stored, and how long does the vendor retain it. Cancel or replace the tools where the answers are unclear.
  3. Move sensitive work local. For contracts, client notes, financial drafts, medical records, and research in progress, use a local-first AI assistant such as Elephas. Content that stays on an employee's Mac cannot be harvested in a cloud provider breach.

AI attackers are improving faster than defenders are patching. The boring security basics your IT team has been asking you to fund for the last two years just became the business-critical decisions of 2026. Start with the checklist, audit the cloud exposure, and keep what matters on your own machine.

Keep Your Sensitive Work Off the Cloud

Elephas is a privacy-friendly AI knowledge assistant for Mac. Local-first architecture, Smart Redaction for cloud calls, and built-in local LLM models for zero cloud dependency.

Try Elephas Free

Written by

Selvam Sivakumar

Founder, Elephas.app

Selvam Sivakumar is the founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.