15MAY

AISI confirms Mythos 20-hour attack chain

3 min read

15:55UTC

The UK AI Security Institute's independent evaluation of Claude Mythos Preview found no single-task superiority over rival models, but confirmed a genuine autonomous capability: a 32-step attack chain equivalent to 20 hours of trained-human work.

← Back to GitLab signs the manifesto, Brussels backs out Jump to analysis ↓

EconomicDeveloping

Key takeaway

AISI confirmed Mythos can run 20 hours of trained-human work autonomously, the capability that most directly substitutes for salaried labour.

The UK AI Security Institute (AISI) published an independent evaluation of Anthropic's Claude Mythos Preview on 15 April 2026. On isolated capture-the-flag (CTF) tasks, Mythos scored above 85%, but rival frontier models, GPT-5.4, Claude Opus 4.6 and Codex 5.3, fell within 5 to 10 percentage points. No single-task superiority. In AISI's 32-step "The Last Ones" benchmark, however, Mythos autonomously completed a sequence the Institute estimates would take a trained human roughly 20 hours, without human prompting between steps.

AISI is the UK government body established to evaluate the safety of frontier AI models; its evaluation is the first external assessment of Mythos since Anthropic distributed restricted access to twelve founding partners under Project Glasswing on 8 April . Anthropic's marketing had emphasised thousands of zero-day vulnerabilities discovered by the model; Tom's Hardware on 9 April reported those claims rested on only 198 manual reviews . AISI's CTF findings partly vindicate that critique: Mythos is not dramatically more capable than competitors at short, bounded tasks.

The attack-chaining result is the capability that matters. Sustained autonomous execution over 32 steps and roughly 20 hours is the operational profile a trained human analyst, paralegal or junior engineer currently provides inside a bank, law firm or software team. It is also the profile the Scott Bessent and Jerome Powell emergency convening of Wall Street CEOs at Treasury on 8 April was called to assess . Treasury and the Fed convened promptly on a capability that federal agencies could not themselves verify; AISI's 20-hour-human-equivalent figure is the first external confirmation the convening was warranted on substance.

For the workforce implication, the relevant dimension is not Mythos's cybersecurity reach but its ability to replace trained-human throughput at chain-of-task scale. That capability is what JPMorgan CEO Jamie Dimon described in February when he told the bank's investor meeting that AI has led to internal redeployment, covered elsewhere in this update. Every original Glasswing partner, and the additional five named in Anthropic's 7 April system card, will have to integrate the attack-chain profile into internal risk frameworks during live deployment.

The evaluation was accessed via a third-party summary from Results Sense rather than AISI's primary publication, so specific scores should be verified against the Institute's direct release when it becomes available. The methodology point, however, is solidly established: Mythos's material advantage is durability, not speed, and durability is the AI capability that most directly substitutes for salaried human labour.

Deep Analysis

In plain English

A UK government body called the AI Security Institute tested Anthropic's most advanced AI model, Mythos, and found that it can independently complete a complex cybersecurity attack across 32 separate steps; work that would take a trained human about 20 hours. This confirms a capability distinct from the headline claims: chaining together a full 32-step attack sequence autonomously, rather than finding a single flaw. This matters for jobs because the same autonomous multi-step capability that can conduct a security attack can also conduct many complex knowledge-work tasks without human oversight.

Deep Analysis

Root Causes

The attack-chaining capability that AISI confirmed is structurally distinct from any prior evaluation framework because it is an emergent property of model scale rather than a designed feature.

Existing regulatory frameworks (including the EU AI Act's high-risk classification system and the US Executive Order 14110 reporting requirements) were designed around discrete capabilities such as facial recognition accuracy and loan decision bias. They have no measurement category for 'sustained multi-step autonomous execution' as a risk dimension.

The ASL abandonment in Anthropic's own system card (event index 6) formalises this: capability thresholds cannot capture emergent attack-chaining because the capability arises from combining individually non-dangerous steps. This is the same structural challenge that makes nuclear non-proliferation frameworks inadequate for dual-use biotechnology: the dangerous capability is not in any single component.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The UK's CESG (now NCSC) began independent evaluation of cryptographic products in the 1990s under the ITSEC framework, requiring commercial vendors to submit products for government testing before government procurement.

The framework revealed that several commercially certified products had fundamental weaknesses vendors had not disclosed. AISI's Mythos evaluation is structurally identical: government assessment revealing a capability (attack-chaining) distinct from the vendor's stated disclosure.

Counter-parallel: The US National Vulnerability Database's handling of the 2021 Log4Shell vulnerability produced a 72-hour window during which independent researchers had confirmed severity but patches did not yet exist. The 99%-unpatched vulnerability figure in the Mythos disclosure replicates this window at a much larger scale.

Consensus view: RUSI's cybersecurity programme assesses that independent government evaluation of frontier AI models (rather than vendor-led disclosure) is the structural requirement for meaningful oversight.

AISI's 32-step 'Last Ones' evaluation is the first instance of a state body producing an adversarial benchmark that contradicts a developer's own marketing framing while confirming a distinct capability the developer did not advertise: the attack-chaining dimension rather than the zero-day claim.

Counter-view: The Global Cyber Alliance, which tracks vulnerability disclosure timelines, argues that AISI's methodology itself introduces risk: publishing a benchmark that confirms a model's ability to complete 20-human-hour attack chains autonomously effectively provides a detailed capability specification to adversarial actors who would use it as a targeting guide.

Key tension: Whether independent evaluation regimes that confirm attack capabilities serve the public interest by informing policy, or undermine it by disseminating capability specifications to actors the evaluation was designed to protect against.

Sources:UK AI Security Institute (via Results Sense)

Mentions:Anthropic →Claude Mythos Preview →Scott Bessent →Jerome Powell →Tom's Hardware →RUSI →Jamie Dimon →Project Glasswing →Codex 5.3 →ChatGPT →Claude Opus 4.6 →JPMorgan Chase →UK AI Security Institute →

First Reported In

Update #6 · Three federal surveys, one 34-to-1 gap

UK AI Security Institute (via Results Sense)· 16 Apr 2026

Read original →

Causes and effects

Caused by

Fed and Treasury summon bank CEOs

The Bessent-Powell emergency meeting convened over Mythos sustained autonomous execution risk; AISI's 32-step evaluation is the first external confirmation the capability warranting that convening is real.

Occurred 8 Apr 2026

Read story →

Tom's Hardware challenges Mythos zero-day claims

AISI partly vindicates Tom's Hardware's critique of single-task superiority claims while confirming a distinct attack-chaining capability the Hardware review did not assess.

Occurred 9 Apr 2026

Read story →

This Event

AISI confirms Mythos 20-hour attack chain

The first external confirmation that the Treasury-Fed emergency convening on 8 April was warranted on capability grounds rather than on Anthropic's marketing. Attack chaining is the capability most directly relevant to autonomous task completion, and therefore to white-collar workforce displacement.

Led to

AISI: GPT-5.5 matches Mythos on 32-step attack

AISI's April evaluation of Mythos established the 32-step autonomous benchmark; the GPT-5.5 evaluation confirms the same threshold is now cleared by a second frontier lab.

Occurred 1 May 2026

Read story →

Different Perspectives

India IT services and global capability centre workforce

India's in-house GCCs added roughly 200,000 net staff in fiscal 2026, nearly double the 110,000 added by the IT services firms feeding the same companies. The shift moves work toward captive centres while squeezing entry-level hiring at the outsourcing firms, reshaping where Indian tech careers begin as US clients cut staff at home.

EU workers and European labour institutions

The 93-4 committee vote locked the diluted Omnibus literacy clause before plenary: EU workers in AI-augmented but non-high-risk workplaces have no statutory right to demand an explanation until December 2027. The European Trade Union Confederation called the shift from 'ensure' to 'support' a legal threshold collapse, not a drafting compromise.

UK workforce and labour market

UK 16-to-24 unemployment reached 16.2% in the latest ONS reading, above the 15.2% pandemic peak and the highest since 2015. Britain is among the most AI-exposed labour markets this desk tracks, yet the Office for National Statistics still publishes no AI-attribution layer, so young workers face the displacement without official data naming its cause.

Anthropic and frontier AI labs subject to US jurisdiction

Anthropic complied with the directive but publicly disputed its application, citing that OpenAI's GPT-5.5 carried the identical jailbreak vulnerability and remained on sale. For any US-domiciled frontier lab, the action demonstrates that regulatory compliance and political alignment are now distinct variables: Anthropic backed the pro-regulation PAC and was the first lab Washington reached.

US national-security and export-control apparatus

The Lutnick directive treats runtime inference access by a foreign national as legally equivalent to exporting Claude Fable 5 and Mythos 5 to that person's home country. It established that a deployed consumer AI product can be withdrawn globally by regulatory letter, with no appeal period and no customer notice.

European workers and regulators

NBER working paper w34995 found European workers use generative AI at 32% versus 43% of US workers, a gap driven by management practice rather than regulation. The EU AI Act's high-risk employment deadline stays at December 2027, leaving European workers facing the same displacement curve two to four years behind the US.