1APR

AISI confirms Mythos 20-hour attack chain

3 min read

12:41UTC

The UK AI Security Institute's independent evaluation of Claude Mythos Preview found no single-task superiority over rival models, but confirmed a genuine autonomous capability: a 32-step attack chain equivalent to 20 hours of trained-human work.

← Back to Trump declares victory and withdrawal Jump to analysis ↓

ConflictDeveloping

Key takeaway

AISI confirmed Mythos can run 20 hours of trained-human work autonomously, the capability that most directly substitutes for salaried labour.

The UK AI Security Institute (AISI) published an independent evaluation of Anthropic's Claude Mythos Preview on 15 April 2026. On isolated capture-the-flag (CTF) tasks, Mythos scored above 85%, but rival frontier models, GPT-5.4, Claude Opus 4.6 and Codex 5.3, fell within 5 to 10 percentage points. No single-task superiority. In AISI's 32-step "The Last Ones" benchmark, however, Mythos autonomously completed a sequence the Institute estimates would take a trained human roughly 20 hours, without human prompting between steps.

AISI is the UK government body established to evaluate the safety of frontier AI models; its evaluation is the first external assessment of Mythos since Anthropic distributed restricted access to twelve founding partners under Project Glasswing on 8 April . Anthropic's marketing had emphasised thousands of zero-day vulnerabilities discovered by the model; Tom's Hardware on 9 April reported those claims rested on only 198 manual reviews . AISI's CTF findings partly vindicate that critique: Mythos is not dramatically more capable than competitors at short, bounded tasks.

The attack-chaining result is the capability that matters. Sustained autonomous execution over 32 steps and roughly 20 hours is the operational profile a trained human analyst, paralegal or junior engineer currently provides inside a bank, law firm or software team. It is also the profile the Scott Bessent and Jerome Powell emergency convening of Wall Street CEOs at Treasury on 8 April was called to assess . Treasury and the Fed convened promptly on a capability that federal agencies could not themselves verify; AISI's 20-hour-human-equivalent figure is the first external confirmation the convening was warranted on substance.

For the workforce implication, the relevant dimension is not Mythos's cybersecurity reach but its ability to replace trained-human throughput at chain-of-task scale. That capability is what JPMorgan CEO Jamie Dimon described in February when he told the bank's investor meeting that AI has led to internal redeployment, covered elsewhere in this update. Every original Glasswing partner, and the additional five named in Anthropic's 7 April system card, will have to integrate the attack-chain profile into internal risk frameworks during live deployment.

The evaluation was accessed via a third-party summary from Results Sense rather than AISI's primary publication, so specific scores should be verified against the Institute's direct release when it becomes available. The methodology point, however, is solidly established: Mythos's material advantage is durability, not speed, and durability is the AI capability that most directly substitutes for salaried human labour.

Deep Analysis

In plain English

A UK government body called the AI Security Institute tested Anthropic's most advanced AI model, Mythos, and found that it can independently complete a complex cybersecurity attack across 32 separate steps; work that would take a trained human about 20 hours. This confirms a capability distinct from the headline claims: chaining together a full 32-step attack sequence autonomously, rather than finding a single flaw. This matters for jobs because the same autonomous multi-step capability that can conduct a security attack can also conduct many complex knowledge-work tasks without human oversight.

Deep Analysis

Root Causes

The attack-chaining capability that AISI confirmed is structurally distinct from any prior evaluation framework because it is an emergent property of model scale rather than a designed feature.

Existing regulatory frameworks (including the EU AI Act's high-risk classification system and the US Executive Order 14110 reporting requirements) were designed around discrete capabilities such as facial recognition accuracy and loan decision bias. They have no measurement category for 'sustained multi-step autonomous execution' as a risk dimension.

The ASL abandonment in Anthropic's own system card (event index 6) formalises this: capability thresholds cannot capture emergent attack-chaining because the capability arises from combining individually non-dangerous steps. This is the same structural challenge that makes nuclear non-proliferation frameworks inadequate for dual-use biotechnology: the dangerous capability is not in any single component.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The UK's CESG (now NCSC) began independent evaluation of cryptographic products in the 1990s under the ITSEC framework, requiring commercial vendors to submit products for government testing before government procurement.

The framework revealed that several commercially certified products had fundamental weaknesses vendors had not disclosed. AISI's Mythos evaluation is structurally identical: government assessment revealing a capability (attack-chaining) distinct from the vendor's stated disclosure.

Counter-parallel: The US National Vulnerability Database's handling of the 2021 Log4Shell vulnerability produced a 72-hour window during which independent researchers had confirmed severity but patches did not yet exist. The 99%-unpatched vulnerability figure in the Mythos disclosure replicates this window at a much larger scale.

Consensus view: RUSI's cybersecurity programme assesses that independent government evaluation of frontier AI models (rather than vendor-led disclosure) is the structural requirement for meaningful oversight.

AISI's 32-step 'Last Ones' evaluation is the first instance of a state body producing an adversarial benchmark that contradicts a developer's own marketing framing while confirming a distinct capability the developer did not advertise: the attack-chaining dimension rather than the zero-day claim.

Counter-view: The Global Cyber Alliance, which tracks vulnerability disclosure timelines, argues that AISI's methodology itself introduces risk: publishing a benchmark that confirms a model's ability to complete 20-human-hour attack chains autonomously effectively provides a detailed capability specification to adversarial actors who would use it as a targeting guide.

Key tension: Whether independent evaluation regimes that confirm attack capabilities serve the public interest by informing policy, or undermine it by disseminating capability specifications to actors the evaluation was designed to protect against.

Sources:UK AI Security Institute (via Results Sense)

Mentions:Anthropic →Claude Mythos Preview →Scott Bessent →Jerome Powell →Tom's Hardware →RUSI →Jamie Dimon →Project Glasswing →Codex 5.3 →ChatGPT →Claude Opus 4.6 →JPMorgan Chase →UK AI Security Institute →

First Reported In

Update #6 · Three federal surveys, one 34-to-1 gap

UK AI Security Institute (via Results Sense)· 16 Apr 2026

Read original →

Causes and effects

Caused by

Fed and Treasury summon bank CEOs

The Bessent-Powell emergency meeting convened over Mythos sustained autonomous execution risk; AISI's 32-step evaluation is the first external confirmation the capability warranting that convening is real.

Occurred 8 Apr 2026

Read story →

Tom's Hardware challenges Mythos zero-day claims

AISI partly vindicates Tom's Hardware's critique of single-task superiority claims while confirming a distinct attack-chaining capability the Hardware review did not assess.

Occurred 9 Apr 2026

Read story →

This Event

AISI confirms Mythos 20-hour attack chain

The first external confirmation that the Treasury-Fed emergency convening on 8 April was warranted on capability grounds rather than on Anthropic's marketing. Attack chaining is the capability most directly relevant to autonomous task completion, and therefore to white-collar workforce displacement.

Led to

AISI: GPT-5.5 matches Mythos on 32-step attack

AISI's April evaluation of Mythos established the 32-step autonomous benchmark; the GPT-5.5 evaluation confirms the same threshold is now cleared by a second frontier lab.

Occurred 1 May 2026

Read story →

Different Perspectives

Markets

Brent crude rose 2.2 per cent to $96.34 on 10 June, reversing a 7 per cent weekly decline built on deal optimism, as the overnight exchange repriced the Strait of Hormuz risk premium in a single session. The move reflects transit-risk repricing rather than supply shock: Iran's exports had already collapsed to below 300,000 barrels per day.

Pakistan

Pakistan's Naqvi channel, the only mediation track carrying both civilian and military buy-in, was stress-tested by live ordnance within 48 hours of the 6-7 June Tehran visit. Whether Washington informed Islamabad of the imminent strike plan while Naqvi was in Tehran remains undisclosed, putting the channel's neutrality under scrutiny.

Kuwait

Kuwait hosted the third Iranian strike on its soil since the 3 June airport drone attack, with Ali Al Salem airbase targeted in the three-country salvo. Its recent $1.98 billion Anduril Anvil counter-drone purchase signals it is rearming rather than reconsidering its hosting posture.

Bahrain

Bahrain absorbed the IRGC barrage via PAC-3 intercepts with its magazine already at 87 per cent depletion and no resupply before 2027. Sounding air-raid sirens over Manama, it faced the intercept burden with the thinnest defensive stack in the Gulf coalition.

Jordan

Jordan reported all five incoming missiles intercepted with no injuries and no damage, a clean defensive performance that strengthens Amman's case for staying in the Western coalition without escalating its own posture. It now sits on Iran's target list for the first time despite not being a party to the Abraham Accords confrontation.

Iran / IRGC

Foreign Minister Araghchi posted on X that US forces should 'leave our region if you want to be safe' and framed the exchange as a US defeat, while the IRGC claimed 21 targets hit and an F-35 hangar destroyed. The claims serve a domestic and Arab-audience framing rather than a verified battle-damage assessment.