Recent reports of a new AI model called Claude Mythos have triggered intense debate about whether AI could dramatically accelerate cyber-attacks. Anthropic has claimed the model can outperform humans at some hacking and cyber-security tasks and locate serious vulnerabilities faster than traditional methods. Whether Mythos ultimately proves to be as capable as early claims suggest, the direction of travel is clear: cyber attackers will increasingly use automation and AI to move faster.
For most organisations, this shouldn’t prompt panic; it should prompt focus.
The uncomfortable truth is that no business is currently 100% secure, and when new tools lower the effort required to find and exploit weaknesses, the organisations most at risk won’t be the ones facing “superhuman AI”; they’ll be the ones still relying on outdated systems, inconsistent patching, and unclear responsibilities when something goes wrong.
Faster attackers expose slow basics
AI may change the speed of vulnerability discovery, but it doesn’t change the fundamentals of defence.
If an attacker can identify weaknesses more quickly, it puts a spotlight on the areas where many organisations still struggle to keep pace: knowing what assets they have, keeping systems patched, controlling access, and spotting signs of compromise early.
These are not new disciplines, but they are exactly the ones that tend to slip when teams are busy and budgets are tight.
That’s why discussions about Mythos are a useful moment to revisit the practical controls that reduce risk regardless of what tool is used on the other side.
Three priorities to tighten now
A sensible response starts with three actions that are achievable for most organisations and aligned with well-established guidance such as the NCSC’s 10 Steps to Cyber Security.
1. Patch management: shorten the window of exposure
If AI makes it easier to uncover vulnerabilities, then patch latency becomes even more costly. Keeping operating systems and applications up to date isn’t glamorous, but it is one of the most effective ways to remove easy entry points.
This is also where clarity matters internally: who owns patching for endpoints, servers, network devices and cloud services? What’s the SLA for critical updates? And what visibility do you have on exceptions, legacy systems or assets that are difficult to update? Crucially, how much of this can you automate and enforce through policy, so you’re not relying on busy employees to click “update” at a convenient moment and leaving avoidable exposure windows open?
2. Third-party applications: don’t inherit unnecessary risk
Many organisations now run on a patchwork of third-party tools, SaaS services and specialist applications. That increases capability, but it also increases exposure.
A common blind spot is assuming suppliers manage risk “by default.” In reality, you need a working understanding of their patching and vulnerability management processes, how quickly fixes are deployed, and what notification you receive when issues emerge. If you can’t answer those questions, you may be introducing additional risk without realising it.
3. Assume compromise: detection and response are part of the basics
Even with strong preventative controls, breaches can still happen. The organisations that recover fastest are rarely the ones with perfect defences; they’re the ones that detect issues earlier and respond with discipline.
That means having mechanisms in place to identify compromise quickly (logging, monitoring and alerting), and an incident response plan that’s understood, rehearsed and ready. When a serious incident hits, you don’t want to be deciding processes for the first time under pressure.
Why people still matter in an AI-driven threat landscape
Tools and controls are important, but cyber resilience ultimately depends on people making good decisions consistently, especially when the threat environment is changing.
That’s why security awareness and training remain so valuable. Not as a tick-box exercise, but as a way to build habits: spotting social engineering, reporting suspicious activity early, and understanding why controls exist in the first place. As threats become more automated and convincing, the “human layer” doesn’t become irrelevant; it becomes more critical.
Turning headlines into practical action
Mythos may turn out to be a leap forward, or it may be part hype, part capability. Either way, it’s a timely reminder that cyber security is not a one-off project; it’s operational discipline.
For businesses, the best response is to use this moment to tighten the fundamentals: reduce patching gaps, scrutinise third-party exposure, and make sure detection and incident response plans are real.
If you’d like to strengthen the human side of your cyber resilience, explore Sharp’s Security Awareness Training here.