Three stories converged last week, and they tell one story about UK cybersecurity in 2026. First, Anthropic confirmed Mythos, its highest-capability model class, will roll out to all customers in “coming weeks” (Reuters, 28 May), exiting the small-circle Project Glasswing preview. Second, Cloudflare published a frank account of what happened when they pointed Mythos at live code across critical parts of their own infrastructure. Third, the BBC carried an interview with Valentina “Chompie” Palmiotti, the top performer at Pwn2Own Berlin and an IBM X-Force researcher, who said she competed this year because she thought it might be her last chance: Mythos and the unreleased GPT-5.5 Cyber are about to push elite human hackers out of routine bug-bounty work.
This is the cyber inflection. Frontier AI is now finding production-software vulnerabilities at a scale and speed that human red-teams cannot match: over 10,000 high- or critical-severity flaws have surfaced through Glasswing in the weeks since the consortium went live. Anthropic CEO Dario Amodei has publicly described a six-to-twelve-month window in which Western organisations need to patch what Mythos has found before Chinese AI capability catches up and the same techniques get used offensively. For UK employers, this is not abstract. It changes what cybersecurity work looks like, who does it, and how it’s governed.
The numbers, on one page
• 10,000+ high or critical vulnerabilities surfaced through Project Glasswing since launch.
• ~50 partners with exclusive early access to Mythos in the preview.
• 6–12 months: Anthropic CEO’s public window to patch before offensive parity.
• Coming weeks: Mythos availability extended from the Glasswing partner set to all Claude customers.
• 11 consortium partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks.
What Mythos is actually doing inside Glasswing
Project Glasswing was set up earlier this year to give a small set of partners early access to Mythos for cybersecurity work specifically. Cloudflare’s post describes the pattern. They pointed Mythos at live code across critical parts of their infrastructure. The model surfaced classes of vulnerability the existing tooling didn’t catch, at meaningful speed. It also got things wrong: false positives, and confidently asserted fixes that were subtly incorrect. The honest version of the story is that the model is materially better than what came before AND still requires human-in-the-loop verification.
That “materially better but still needs verification” is the operational shape of frontier AI in cybersecurity. It isn’t replacing skilled cyber people. It IS raising the floor under what skilled cyber people are expected to deliver. The job is shifting from “find the bug” to “govern what the AI found, prioritise it, verify it, patch it, and audit the entire workflow.”
What Chompie’s BBC interview signals about the cyber labour market
Valentina “Chompie” Palmiotti was the most successful individual at Pwn2Own Berlin this year. She also told the BBC she expected this competition might be her last, because Mythos and the unreleased GPT-5.5 Cyber will likely push elite human researchers out of routine bug-bounty work. This matters for UK employers in two distinct ways.
First, the cyber labour market is bifurcating fast. Routine vulnerability discovery is moving to AI. Higher-order work (governance, prioritisation, response design, contextual judgement, regulatory interface) is becoming the human contribution. Second, this mirrors the same labour-market story we covered in our 1m NEET post and the HR department guide: AI compresses junior knowledge work and lifts senior knowledge work. The bridge across is structured, funded skills development. In cyber, that’s a particular combination of workshop-grade AI literacy plus formal governance training.
What UK organisations face this quarter
The honest read of the Cloudflare post + the 10,000 vulnerability figure + the Anthropic CEO’s 6–12-month window is that UK organisations of every size should be doing four things between now and Q4 2026. Not because their stack will get attacked tomorrow, but because the offensive parity Anthropic is warning about means Q1–Q2 2027 is when their stack might.
The four things are: run Mythos (or equivalent) against your own production code yourselves; build the governance frame for AI-assisted security work; train your team to verify, prioritise and patch what the AI surfaces; and document the entire workflow so it’s defensible to ICO/FCA/board oversight. Three of the four are training problems. UK funded training routes exist for all three.
“Mythos doesn’t change the security job. It changes the standard the security team is held to. The team that has done the work, built the governance, and trained the people who can run AI alongside human verification is going to look very different in twelve months to the team that hasn’t.”
Rod Doyle, Director, TESS Group
Role by role: who in your organisation should do what
| Role | What changes | The funded route |
|---|---|---|
| CISO / Head of Security | Adopt AI-assisted vulnerability surfacing and build the governance framework that makes it defensible. | AU0010 (AI Adoption & Governance, £750), the explicit governance unit. |
| Security engineers | Stop finding routine bugs by hand; start verifying, prioritising and patching what the AI surfaces. Audit-trail every decision. | ST1512 (AI & Automation Practitioner L4) with a security focus, plus AI Audit Trail framework. |
| SOC analysts | Triage AI-flagged threats at higher volume; spot the false positives the model misses. | ST1512 plus the Cyber Awareness workshop. |
| Compliance & risk | Document AI-assisted decisions to a standard the ICO, FCA and (for EU operations) the AI Act will accept. | AU0010 plus the UK AI Compliance 2026 guide. |
| Software engineers | Triage Mythos-style code findings against their own codebase; integrate AI review into the CI/CD pipeline. | ST1512 + Build AI Agents workshop. |
| Board / SLT | Sign off the governance posture and the AI cyber spend. Document oversight to the same audit standard as financial control. | AU0009 / AU0010 / AU0011 as a stacked set. |
| Whole workforce | Baseline AI literacy + cyber hygiene. The phishing surface is about to change shape too. | AI Skills Boost + Cyber Awareness workshop for the wider population. |
The 30/60/90 plan for a 200-person UK organisation
Weeks 1–4: CISO + risk lead start AU0010 (4–6 weeks, £750 each). Workforce rolls AI Skills Boost foundation badge + Cyber Awareness workshop refresh.
Months 2–3: Commission 1–2 ST1512 apprentices into the security team to own the AI-assisted vulnerability workflow + audit trail. Run AU0009 (Leading AI Adoption) for the board.
By month 6: Documented AI cyber governance framework, audit-ready evidence trail, verified Mythos-class outputs against your own code, board sign-off in place. Ready for the Q1 2027 offensive-parity window Anthropic has warned about.
How TESS Group fits
TESS isn’t a cyber-specialist provider. We are an AI & automation apprenticeship provider whose programmes happen to be exactly what UK organisations need to build the AI-and-governance side of the cyber response. The pairing we’re recommending most often this week is AU0010 (AI Adoption & Governance) at the senior level for the governance framework, ST1512 (AI & Automation Practitioner L4) at the practitioner level for the workflow and audit-trail build, and the Cyber Awareness workshop for baseline workforce capability. All three carry funded routes. And if you want to sample the leadership-and-governance curriculum before committing anything, the free AI Adoption & Governance taster day on 6 August is the zero-risk way in.
For organisations already on a journey, the AI Audit Trail framework we published earlier in May maps directly onto what a Mythos-era security operation needs to log per decision. The UK AI Compliance 2026 guide covers the regulatory interface (ICO, FCA Consumer Duty, EU AI Act scope, sector overlays). Read together, they form a practical playbook.
The funded routes, in one place
• AU0010 (AI Adoption & Governance), £750 from the levy, 4–6 weeks. The unit purpose-built for this story.
• AU0009 (Leading AI Adoption), for the board/SLT layer.
• ST1512 (AI & Automation Practitioner L4), 100% funded for SMEs, 15 months, ships real workflows.
• Cyber Awareness workshop, whole-workforce baseline.
• Build AI Agents workshop, 1-day or 2-day closed cohort for technical teams.
• AI Audit Trail framework, the spec for what to log.
• UK AI Compliance 2026 guide, the regulatory interface.
Want us to map the Mythos response for your stack?
Tell us your security headcount, your current AI tool mix, and your regulatory exposure (ICO, FCA, EU AI Act). We’ll lay out the AU0010 + ST1512 + workshop combination on one page, with the funding maths and a realistic 90-day plan. 25-minute Teams call.
The wider context
This story sits next to two others we’ve covered this month. The Opus 4.8 launch showed how fast frontier capability is moving (~2-month cadence). The £725m apprenticeship reform package made the funded response materially cheaper. Mythos and Glasswing are why the response now needs to happen. The three together describe what 2026 actually looks like for UK employers: AI accelerating, funded skills routes expanding, security posture under pressure. The organisations that thread all three together (capability, training, governance) come out of 2026 in a different position to the ones that don’t.
Sources & further reading
• Reuters: Anthropic to roll out Claude Mythos in coming weeks, launches Opus 4.8.
• Cloudflare: Project Glasswing, what Mythos showed us.
• BBC: Pwn2Own champion on Claude Mythos and her career.
• CNBC on Anthropic CEO’s 6–12-month warning.
• The Hacker News on the 10,000 vulnerabilities figure.
Frequently asked questions
What is Claude Mythos?
Anthropic's highest-capability AI model class, currently in limited preview through Project Glasswing for cybersecurity work. Anthropic confirmed on 28 May 2026 that Mythos will roll out to all Claude customers in “coming weeks”. It is the model class above Opus 4.8 and is described as having advanced cybersecurity capabilities.
What is Project Glasswing?
A consortium launched April 2026 by Anthropic with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, giving a small set of partners (~50) early access to Mythos for cybersecurity work. Since launch, the consortium has surfaced more than 10,000 high or critical severity vulnerabilities across widely-used production software.
Should UK organisations be using Mythos for their own code?
When it becomes available to all customers in coming weeks, yes, but only in a governed workflow. Cloudflare’s public post on their Mythos work makes clear the model is materially better than prior tooling AND still requires human verification. Use it inside a documented workflow with audit trails for every decision, ideally designed by someone trained on AU0010 governance.
What is the Anthropic CEO’s 6–12 month window?
Dario Amodei has publicly warned of a six-to-twelve-month window for Western organisations to patch the vulnerabilities Mythos is surfacing, before competing AI systems reach offensive parity and the same techniques start being used for attacks rather than defence. UK organisations should treat Q1–Q2 2027 as the offensive-parity inflection point in their planning.
Which TESS programmes cover the Mythos-era security skill gap?
Four routes pair well. AU0010 (AI Adoption & Governance) for the CISO and risk lead, £750 per learner from the levy, 4–6 weeks. ST1512 (AI & Automation Practitioner L4) for security engineers building the workflow and audit trail, 100% funded for SMEs, 15 months. The Cyber Awareness workshop for whole-workforce baseline. The Build AI Agents workshop for technical teams piloting now. All are funded routes.
Is the cyber labour market shrinking because of this?
It’s bifurcating, not shrinking. Routine vulnerability discovery is moving to AI. Higher-order work (governance, prioritisation, response design, contextual judgement, regulatory interface) is becoming the human contribution and the senior layer of the cyber market is growing. UK employers should plan for net-zero on cyber headcount but materially changed cyber skills, with training as the bridge.