By For years, the idea of a catastrophic, AI-fueled wave of cyberattacks has lived mostly in the realm of theory. This week, it started to feel a lot more real.
Anthropic, one of the leading AI companies in the world, announced it would not release its latest model—Mythos Preview—to the general public. The model’s advanced ability to find and exploit software vulnerabilities could cause unprecedented damage if it falls into the wrong hands. Instead, Anthropic is sharing it selectively with a small group of major tech companies to help strengthen their defenses.
The announcement reverberated throughout the cybersecurity community and reached Washington.
A Warning From the Top
Treasury Secretary Scott Bessent convened an emergency meeting with major financial institutions in the wake of Anthropic’s announcement, with an agency spokesperson citing the need to discuss “the rapid developments taking place in AI.” The concerns being raised are not small ones — some experts warn that AI of this caliber could be used to crash financial systems, lock hospitals and factories out of their networks, shut down critical American infrastructure, or trigger mass outages affecting travelers and everyday internet users.
“We have way more vulnerabilities than most people like to admit; fixing them all was already difficult, and now they are far easier to exploit by a far broader variety of potential adversaries,” said Casey Ellis, founder of Bugcrowd, a platform where cybersecurity researchers hunt down software flaws. “AI puts the kind of tools available to do this in the hands of far more people.”
The Arms Race Built Into Every Line of Code
Hacking has always been a complex and dynamic process. Attackers probe for weaknesses in software, and defenders scramble to patch them. But AI models that can code at a near-human — or superhuman — level are dramatically shifting the balance of power in that equation. They can discover vulnerabilities at a speed and scale that no human team can match.
Ellis put the fundamental asymmetry plainly: “A defender needs to be right all the time, whereas an attacker only needs to be right once.”
Logan Graham, who leads offensive cyber research at Anthropic, said the threat goes beyond just finding individual bugs. Mythos, he explained, is also capable of chaining multiple vulnerabilities together into sophisticated, devastating exploits—something that previously required elite hacking skills to accomplish.
Graham emphasized that even if Mythos remains unavailable to the public, it won’t be long before similar capabilities are widely distributed. He expects competitors — including AI developers in China — to release models with comparable capabilities within six to twelve months.
“We should be planning for a world where, within six months to 12 months, capabilities like this could be broadly distributed or made broadly available, not just by companies in the United States,” Graham told NBC News. “If you step back, that’s a pretty crazy time frame, where usually preparations for things like this take many years.”
Who Gets Hurt First?
Experts paint a vivid picture of the real-world consequences. Katie Moussouris, CEO of Luta Security, expects large-scale outages with cascading effects across industries — similar to when major cloud providers go offline and drag airlines, banks, and other services down with them.
“We absolutely are going to start to see big outages that have downstream effects on other industries, like the airline industry suffered in the CrowdStrike incident,” she said.
Perhaps even more alarming is the concern about who gains access to these tools. Cynthia Kaiser, a former senior cyber official at the FBI and now a senior vice president at ransomware prevention firm Halcyon, worries about the wave of would-be hackers who were previously held back only by their own lack of skill.
“The wannabes, this undercurrent of people who have not been capable of doing these operations just a year ago, now have some of the most powerful tools ever known to humankind in their hands,” she told NBC News. “Health care and critical manufacturing were the most targeted by ransomware attacks last year. I think that pattern would follow. They’re going to go after areas where there’s little tolerance for downtime.”
The National Security Dimension
The implications extend well beyond ransomware gangs. Since the U.S. conflict with Iran escalated, Iranian hackers have repeatedly targeted American systems — though they have largely overstated their impact. Their most significant confirmed attack was on Stryker, a Michigan medical technology company. Federal agencies confirmed this week that Iran has had some success breaching critical infrastructure targets, including water, wastewater, and energy sector systems, though the full extent of the damage remains unclear.
AI could dramatically lower the bar for such attacks. Jason Healey, a senior research scholar at Columbia University specializing in cyber conflict, noted that industrial systems—like those managing water treatment—often rely on obscure, specialized technology that historically required deep expertise to exploit.
“Instead of having to train up a generation of hackers that understand waterworks, AI should be able to help understand those systems and automate the process of intrusion,” he said.
How Bad Could It Really Get?
Not every expert is predicting a Hollywood-style disaster. Bryson Bort, founder of Scythe, a platform that helps industrial operators simulate cyberattacks, pointed out that much of the country’s most critical infrastructure is deliberately isolated from the internet, limiting exposure.
“Not all of these things lead to immediate, like, everyone starts dying like we’re in a Hollywood movie,” he said.
But persistent, repeated attacks — even on isolated systems — can still cause serious harm. A water treatment plant that keeps getting compromised may eventually be forced to halt operations entirely until control is restored.
“If it keeps getting compromised, I do need it to work, to actually produce water at some point,” Bort said.
The bottom line is clear: whether or not Mythos Preview lives up to its hype, experts broadly agree that a reckoning is coming. The only real question is how prepared defenders will be when it arrives.