Claude Mythos represents a significant advancement in AI cybersecurity capabilities, demonstrating the ability to autonomously execute complex multi-step cyber attacks (32-step attack chains) without human intervention, which could accelerate attack speeds, lower skill barriers for attackers, and increase attack volume, while simultaneously creating demand for defensive security roles that leverage AI for detection and response.
Deep Dive
Is Claude Mythos the End of Cybersecurity?
Claude Mythos completed a 32-step cyber attack simulation, finding real vulnerabilities with almost no human help. In this video, I'm going to show you what Claude Mythos means for cyber security jobs, and how it's going to influence real world cyber security attacks, cuz you could end up spending years mastering a skill that AI is just going to take away. I'll break down what Claude Mythos actually does, its scariest capability, and what it means for cyber security careers. Hi, my name's AJ. I've been in cyber security for the last 10 years and on this channel I teach all things cyber security for beginners. So let's get into it. So first of all, what is actually different from what we currently have in things like tools like ChatGPT and even Claude themselves where Claude Mythos is clearly showing that we're moving from the kind of AI assistants like these kind of ChatGPT models and obviously the Claude models as well more into AI operators that are actually going to be actioning and actually making decisions themselves.
You can imagine that past AI was more kind of like your autocomplete where Mythos is moving into something that is more like an autonomous cyber operator actually making decisions based on the information that it has and without any human control. So what does Claude Mythos actually do then? So it isn't just chat. You can imagine this is kind of AI that's actually answering completing missions. And what it's able to do then, so it's able to kind of plan out, set goals, define different objectives, and actually decide on kind of the best attack path of getting into a particular network or a particular company. And it's going to start to kind of be able to follow current methodologies that we already have. So the kind of penetration test methodology, it's going to be able to kind of follow that and use that as a kind of baseline. And it's going to have all of the information that us humans already have already, but it's obviously going to be able to do it at a much faster pace. It's then going to be able to once it's planned out as possible golden attack. It's going to be able to perform its own reconnaissance and map out what attack it's going to actually try to attempt. It's going to try and find vulnerabilities, potential weaknesses. Again, this is all in the reconnaissance phase of the kind of penetration testing life cycle where you want to understand the target before you can actually understand what attacks you're going to move forward with. It's then going to have the ability to execute on its own. So, actually carrying out the attacks, exploiting vulnerabilities, finding particular vulnerabilities, moving laterally, and then ultimately trying to achieve the objectives or whatever it has defined as objectives as in the initial planning phase. And like I said, these are the type of things that penetration testers already do. Red teamers, ethical hackers, these are the type of things that they will do and the kind of framework they will work around.
But ultimately, Claude Mythos is going to be able to do that at a much more rapid pace.
And it has proven that it's been able to do that already. And then it's going to look to adapt as well. So this is probably one of the biggest things that this is not just like a script where it's just going to go through step by step. This is going to be able to adapt on its own and it's going to be able to review the results that it's got. So they say maybe one vulnerability, uh, wasn't exploitable, it'll be able to adjust its strategy and pivot to potentially another vulnerability and it's going to be able to perform and as I'll show shortly kind of the full attack chain and I think like I've got noted here you can imagine it often like a pen tester, potentially like a pen tester who never sleeps, where it's constantly working 24/7, doesn't kind of burn out or fatigue. It can kind of learn and adapt as it goes and it goes through, uh, this actual cycle. I think one of the scariest parts of what we are seeing from Claude Mythos is that its ability to actually perform kind of chain exploitation and it's able to kind of perform the full attack path and chain different vulnerabilities together to ultimately achieve its goal. So it will be able to, uh, look at the kind of phishing to perform the initial foothold and then look to chain vulnerabilities together to move across the kill chain, uh, to ultimately achieve its objective.
You know, it'll be able to look at doing privilege escalation. Maybe it finds a vulnerability, uh, remote code execution in the email client that the victim is using. Uh, maybe it then once it has managed to actually get onto the system, it's going to look to try and gain higher permissions through privilege escalation. It might find a particular privilege escalation flaw in the system and it has already found new vulnerabilities, for example, in the Linux kernel that we haven't discovered.
So it's going to be able to find vulnerabilities that we humans haven't found yet. And again, this is obviously nothing new. Like humans have already gone through these phases. Hackers, red teamers, they always they currently that's how vulnerabilities are found.
But obviously, it's going to be able to do this at a much more rapid pace. It's then going to be able to perform things such as lateral movement. Maybe it finds a weakness in a remote service. Uh, maybe it finds RDP exposed. They find some SSH keys, AWS keys for example on a system and it's able to move to other systems and ultimately then start to get to sensitive data systems and actually bypass maybe authentication. This has the ability then to access sensitive data and perform full system compromise and whatever the objectives that it defined in its plan at the start is then able to execute on those and potentially even exfiltrate data. So these probably obviously do sound scary, but remember these are the kind of things that attackers are doing already. So there's nothing too new here. It's just the fact that AI is probably going to have the ability to be able to perform a lot of this on its own with a lot without a lot of human interaction, which I think potentially is what is seen as the scariest part. But ultimately, it is currently just doing what a red teamer, an ethical hacker, or an actual threat actor would be doing. I think the ability to chain multiple vulnerabilities together and if it's able to discover new vulnerabilities on a system extremely quickly, then it's potentially going to be able to move through this attack path very quickly.
It's starting to kind of mirror elite attacker behavior. There are some actual tests that were performed. Uh, there was independent evaluation from the UK AI Security Institute and I'll keep a link to the article. I'm going to show the article now and it was an external validation of the tools itself and what they did discover is that models in 2023 did struggle with your kind of beginner tasks. Uh, but now Mythos is able to handle advanced cyber challenges and they effectively put it through a CTF, kind of capture the flag, and it was able to actually perform multi-step cyber attack simulation and because of that as we can see here they put it through a 32-step corporate network attack and the end completion rate. So it was able to complete the full 32-step attack chain three out of 10 times. You can see the other models made it 12 steps on average. GPT4, Gemini, eight steps on average and other models eight steps on average, but they didn't complete the full 32-step attack chain. But Claude Mythos was able to do that. So this is a big development on what we currently have. You can imagine the 32-step attack chain like what we were just seeing about kind of the chain exploitation where it was able to go through each one of the phases and actually achieve its objective of full system compromise. So this is the article. So from the AI Security Institute, I recommend that you go in and read this. I can show you it now, but ultimately it's a really good evaluation of Claude Mythos's capabilities. They had a kind of preview version, reviewed it to start to understand its cyber capabilities and they put it through different capture the flag challenges which are ultimately kind of tests and simulations of cyber attacks and they put it through different phases of the kind of multi-step phases through the cyber security attack and like I mentioned able to actually complete it. But there's some really good information in here. I definitely would come and have a look at this.
They did compare it against other models, AI models in here as well. And they were able to actually, like I said, complete the 32-step attack chain that they were calling "The Last Ones". Uh, that was the name of the campaign that they were that they'd actually built. And you can see here then it was a 32-step corporate network attack simulation spanning initial reconnaissance all the way to full network takeover. And they mentioned that it would require humans 20 hours to actually complete it. And it looks like here Claude Mythos is the first model to solve it from start to finish in three out of 10 attempts. And across all its attempts, it completed an average of 22 out of 32 steps. So it did manage to complete it and on average it was getting 22 out of 32. Three out of 10 times it was able to actually complete the full attack chain. So what does this actually mean for attackers then? So we're going to be able to see faster exploitation. They're going to be able to move much quicker through the attack chain and it's potentially going to make it easier for them to compromise networks and systems. We're definitely going to see a lower skill barrier. So if you think about your kind of nation states and elite hackers, they're obviously even at today's standards, some of the best hackers that are out there, but we're going to see probably lower level threat actors and maybe more kind of your wannabe hackers able to kind of enter and not just enter but at a high level because of tools like Claude Mythos and ones that will potentially get released at some point.
We're probably going to see more automated attacks. So the attacks are going to be able to be conducted without human intervention. And they're going to be automated and there's going to be much more targeted attacks that are going to be automated as well. And we're going to see a much higher attack volume. So, because they can perform the attacks without human intervention, they're just going to be automated.
They're just going to be targeting certain infrastructure, then attackers can kind of potentially even focus on targeting multiple companies at the same time. There's a chance that we're going to see a much higher attack volume, which I think is going to be very interesting. But what does this mean for us defenders then? So currently on a daily basis now I work in incident response, kind of senior cyber security analyst and kind of consultant, and what I am seeing as well is that AI is definitely improving detection and response. It's making it much easier for us to respond much faster. And I think we're going to need this cuz if we've got a kind of red team AI targeting us 24 hours a day, we're going to need a very similar, um, AI kind of blue teamer who is also helping us analyze attacks as well. We're going to actually see that the I think the attackers are obviously going to be able to scale as quick as we're able to scale with AI. Um, I think security workload is going to increase. This is why I think potentially there's going to be an increasing need for cyber security professionals. But I do think the basics will matter more than ever. I think that we forget that what these AI tools are going to be targeting and what we're trying to defend. We should still follow the basics with your kind of MFA, your security baselines, security baseline configurations, making sure that we've got visibility into our endpoints, for example, using endpoint detection systems. Um, what we are seeing is like I've got here, AI is making defense much smarter, but it's also making the battlefield much faster because if these tools like Claude Mythos get released, and at some point they will, it's going to make threat actors allow them to operate at a much faster pace. So there's good and bad that's coming with AI, but we're not going to be able to stop it. We're going to need to be able to use it. But ultimately, I think this is very key that the basics will matter more than ever.
So key thing then, what jobs going to be most affected? So this is obviously my opinion and ultimately the way that I see it is that I actually think things like application security are going to get much harder to get into. I these titles are probably maybe a bit more extreme, but I do see application security at risk because things like code review, bug discovery and reverse engineering, AI is going to have the capability and it already can do this at a very high level. So I think you're going to have to be an application security engineer that very much heavily uses AI and kind of pivots towards understanding how to protect these AI tools. So I think maybe the kind of the baseline of application security will get done which I think it will get done by many of these jobs but I do see like your application security reviews, code reviews potentially at risk there. So the next one is actually ethical hackers. We've kind of already explained it is able to go through the full attack chain, is going to be able to perform everything that an ethical hacker would do. But ultimately again what I see is that what you're going to have to be is an ethical hacker that understands how to use AI, also how to exploit AI as well. I think is where the opportunities will be. I think ultimately these threat actors are going to need to understand cuz as companies implement more of these AI tools.
They're just going to be avenues for exploitation and they're just going to increase the ability for a threat actor to get into a network. So I think if you're an ethical hacker who understands how to target these kind of AI tools but also use them, these are the kind of things I think will help stand out.
So SOC analysts and cyber security analysts, I think this is a bit misunderstood. I think the assumption is that all of this is just going to get automated. It's all going to get done by AI. But the way that I see it again, your kind of level one, level two roles, they will begin to get automated. But I think the roles will go there more senior roles. I think we're going to need more individuals and help with combating the obviously effects of tools like Claude Mythos who can perform a lot more attacks and can actually perform them in such an automated way that it's going to increase the amount of attacks that we start to see. So I actually think we're going to need more people in the blue team in the kind of cyber security analyst world. But I do think the kind of level one and two roles will get automated. They're already starting to.
But don't let this scare you off cuz I do still think this is the best entry point into cyber security. And ultimately the reason for that is that it usually has a lower barrier of entry to get in. What I'm seeing now with the students that I work with and the people that I've helped land jobs, like just last week, I helped somebody land a job at CrowdStrike. And what I'm seeing is that you need to be at a higher level now. So, like I said, the level one and level two roles looking like they're being automated. What you need to do now is start to learn the kind of more senior analyst skills to actually make you stand out. So, next one then potentially one of the safest is GRC. So as and again I still think this is going to be affected by AI like all of them are going to be but ultimately I think this is safe because I see that as these AI tools are adopted there's going to be new compliance frameworks around these AI tools and what is actually being adopted and brought on board. I think we're going to need more GRC and compliance professionals to understand the landscape, understand how these AI systems are affecting compliance standards like a GDPR for example cuz these AI tools are going to start to hold a lot of data. Um, so I do think that GRC should be okay but again I don't think it's not going to be affected. I think there is going to be parts of the role that will also be automated by it as well. So identity and access management.
So I am I think this will continue to be stable and the reason for this is that you often need a lot of human interaction to kind of work in this role. Of course this role is going to get automated and parts of it will be done by AI as well. But I do think the kind of world of AI is probably a bit too messy to fully automate. And I think what we're going to see is that the IAM analysts are going to be using AI to actually perform certain tasks. Uh, but I don't know if they're going to be completely replaced. Again, this is my complete opinion. So, this is something just to keep in mind. And finally, then security engineers. So, I actually think this is a bit mixed. I think your roles like your DevSecOps are going to become very very popular. So, building the secure infrastructure around these AI systems. So, of course, these AI tools need infrastructure to ultimately be able to actually operate. So like things like cloud security, cloud engineering, I think these are going to stay hugely important for the long term.
But maybe your kind of lower level engineering just performing basic code coding for example I think things like that is going to get automated, even parts of building infrastructure AI can actually do that at the moment but I don't think it can often build it securely which is why I think the security engineers will again need to use AI to be able to operate more efficiently. But I don't think the role is completely going to get automated by AI. So the key thing here then is that cyber security has always adapted and it has always changed and you now trying to get into cyber security need to do the same thing. Personally for me, I would probably focus on your kind of blue team roles like your cyber security analyst and your IAM and security engineers.
Especially if you want to be kind of more technical and on the defensive side. If you think that you prefer compliance and auditing and you think that's going to be something more for you, then you probably want to look into GRC. So ultimately then, what can organizations do now? So they're going to want to make sure that they're staying up to date, patching systems as these are the kind of basic things that I've mentioned before. They want to make sure that they're continuing their vulnerability management program, trying to stay up to date with the latest software patches, for example, strong access control, multifactor authentication, setting up strong passwords. Um, everything here, things that they should already be doing anyway. But now, as soon as these models begin to get released at some point, then you're probably going to have to stay on top of this much quicker because if a vulnerability is discovered by one of these AI tools, you're going to want to make sure that your systems are patched and the ability to exploit that vulnerability is much lower on your networking system than it is compared to others. For example, logging and monitoring. So, making sure that everything is being logged. There's detection rules, monitoring the systems that your employees are accessing every day. Monitoring the systems that these AI tools that Claude Mythos could potentially compromise and then configuration hygiene. So making sure that you're not leaving things like for example S3 buckets open to public access and making sure that you've got security baselines for your endpoints. So there's a minimum security baseline that is in place to ensure that these tools like Claude Mythos aren't just exploiting simple configuration issues because ultimately you want to make it as difficult as possible for threat actors and now for these tools like Claude Mythos to even compromise your network in the first place.
So continuing with the basics is what companies need to do.
And if you want to now try and future proof your career, what I would look to do is focus more on I would think on your defensive security. Um, I think there's going to be a lot more jobs in the defensive side of security and there always has been compared to your more kind of red team and ethical hackers. I know people usually want to become ethical hackers when they speak to me about getting into cyber security, but I personally would look more on your defensive security, more kind of cloud security, cloud engineering, security engineering, more around your kind of DevSecOps, building the infrastructure securely. I think these kind of roles, we're definitely going to see an increase in demand and we do already have a lot of demand for these roles as well. And a big part of it is integrating AI tools and AI agents into your workflows in the kind of defensive side of cyber security. These are the kind of things that I'm currently working on on a daily basis with the companies that I work for. And ultimately adaptability is everything.
Cyber security has changed so much over the 10 years that I've been in it. It's going to change over the next 10 years now. And if you get into cyber security and you're wondering that your job is going to be obsolete in a few years, well, you should be excited by that because it creates more opportunities.
And also the same if you're a beginner trying to get in. If you see that things are changing, don't just think AI is taking everything and don't be in that mindset. Think about how you can capitalize on the opportunities that AI is actually bringing. And if you do that, these are the kind of things that are going to actually allow you to stand out. To conclude then you now have a better understanding of what Claude Mythos is and how AI is actually impacting the cyber security industry and how things are potentially going to change in the future. Of course this is only my opinion. Nobody can really see what's going to happen in the future.
But I personally think the need for humans will always exist. But ultimately you need to understand if cyber security is the area that you want to go into.
And now that you've watched this video I want to say thank you for watching it. I recommend that you go and watch this video next which explains some of the dark truths behind actually working in cyber security so you can start to think if this is an area of a career area that you actually want to work and