Anthropic's Claude Mythos, an AI model that offers autonomous offensive cybersecurity capabilities, could have an outsized impact on vulnerable sectors like healthcare if it gets into the wrong hands, the Health Information Sharing and Analysis Center warned in a recent threat bulletin published in partnership with Quest Diagnostics.
Anthropic released the Claude Mythos Preview in April 2026 to a limited number of industry partners and open source developers under an initiative called Project Glasswing. The tool is not currently available to the public.
"We formed Project Glasswing because of capabilities we've observed in a new frontier model trained by Anthropic that we believe could reshape cybersecurity," Anthropic said at the time.
"Claude Mythos Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."
Claude Mythos could be a turning point for the cybersecurity industry, enabling defenders to identify vulnerabilities at record speed. However, the potential for Claude Mythos -- or competitor tools under development -- to fall into the wrong hands and be abused is a significant threat.
"For the health sector, this signals a systemic shift in risk as these autonomous tools are projected to proliferate globally by late 2026, lowering the barrier for sophisticated cyberattacks against critical infrastructure," Health-ISAC stated.
Healthcare is already a vulnerable sector given its reliance on legacy systems and the patient safety implications of a cyberattack.
Understanding Claude Mythos capabilities, risks
Anthropic has claimed that Claude Mythos has identified thousands of high-severity vulnerabilities, including a 27-year-old bug in OpenBSD, an operating system known for its security-first approach. Mythos Preview has also outperformed its predecessor, Claude Opus 4.6, on every benchmark.
Mythos Preview can also autonomously morph these vulnerabilities into working exploits, the Health-ISAC report noted. For example, an evaluation by the UK AI Security Institute found that Mythos could complete a 32-step corporate network attack simulation in its entirety, which would have taken an estimated 20 hours of expert human effort.
Project Glasswing consists of just 40 authorized organizations. But if access is expanded too soon, it could facilitate leaks and undermine cybersecurity.
Health-ISAC pointed to Cobalt Strike as a cautionary tale. The legitimate tool was originally created to defend against cyberattacks by simulating network intrusions. However, , threat actors have abused the tool since its inception in 2012 to carry out cyberattacks against healthcare organizations and other sectors.
It wasn't until 2023 that a collaboration between Health-ISAC, Fortra (the company that owns Cobalt Strike) and Microsoft made meaningful strides in seizing malicious domains and cracking down on Cobalt Strike abuse.
"Should the rollout of Claude Mythos follow a similar trajectory, it could jeopardize health sector security," Health-ISAC said. "Concerningly, there are already claims circulating of unauthorized parties gaining access to Mythos."
Anthropic has already revised its confidentiality rules around Mythos for Project Glasswing participants, news reports suggest. In late May, Anthropic said it would now allow Project Glasswing users to share cyber threat information and best practices with outside parties at their own discretion, Reuters reported.
The tool's success and risk levels hinge on how Anthropic manages the rollout and what happens when competitors reach a similar level of sophistication with their own AI models.
"With early unauthorized access claims already surfacing, a Chinese competitor potentially already operational, and open-source reconstructions gaining traction on public platforms, the window in which Mythos-level capability remains contained to vetted defenders may be narrower than its architects intend," Health-ISAC warned.
"Whether the technology ultimately strengthens global security or accelerates the threats it was built to prevent will depend entirely on how effectively that window is managed."
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.
