Black Arrow Cyber Advisory 10 April 2026 – Frontier AI and the Changing Cyber Threat Landscape
Executive summary
Anthropic’s new Mythos AI model and Project Glasswing initiative are an important moment for the cyber security of all organisations across the globe. Anthropic says the model has identified large numbers of serious software vulnerabilities and has chosen not to make the model generally available. Instead, access is being tightly controlled while selected organisations work to address weaknesses in critical software and infrastructure.
For most organisations, the main point is not Anthropic or the Mythos model itself. It is that AI is making advanced vulnerability discovery and exploit development exponentially faster and more broadly accessible. As those capabilities spread, firms should expect less time between a serious weakness being identified and attackers trying to use it, as well as a sharp increase in the number of zero-day vulnerabilities that require organisations to prioritise resilience and defence-in-depth.
This does not mean every business is suddenly facing a completely new threat overnight. It does require that organisations have good visibility of their exposure through internet-facing systems, fast patching, strong identity controls, and deeper oversight of key suppliers.
Black Arrow Cyber’s view is that this should be treated as an imminent warning. This is not a reason to panic. It is a reason to make sure the basics are strong and that your organisation can move quickly and effectively when a serious issue emerges.
What’s the risk to me or my business?
The biggest change here is speed. AI reduces the time and effort needed to find and validate vulnerabilities, so organisations may have less time to understand whether they are exposed and put protections in place before attacker’s act.
That risk is not limited to software you build yourself. It can sit in technology your business depends on every day, including operating systems, browsers, identity platforms, remote access tools, cloud services, open-source components, and third-party applications. In practice, this means cyber risk may increasingly come from shared dependencies that, until now, have been secure, as much as from your own internal environment.
It is also worth noting that attackers do not need entirely new types of weaknesses for this to matter. A more likely concern is that existing bugs, misconfigurations, weak access controls, and poorly managed dependencies become easier to find and combine in new ways. Organisations that already struggle with asset visibility, patching discipline, or privileged access management are likely to be the most exposed.
From a leadership perspective, this is not just a technical issue. It is a governance issue. The organisations that respond well will be the ones that know what assets they have, know what is exposed, know who owns important systems, and can make decisions quickly when a serious vulnerability affects the business.
What can I do?
Review patching timelines for your most important systems. Internet-facing services, identity platforms, remote access tools, and systems used to administer the environment should be treated as priorities. Where quick patching is not possible, there should be clear compensating controls and clear ownership.
Improve visibility of exposed assets and key dependencies. Most organisations still do not have a complete picture of internet-facing systems, inherited software dependencies, privileged accounts, and unmanaged or shadow technology. That becomes more dangerous if attackers can move faster.
Strengthen identity and privilege controls. Phishing-resistant multi-factor authentication, least privilege, admin segregation, and rapid removal of access all matter even more if a vulnerability can be exploited quickly.
Make sure there is a clear process for triaging and escalating serious vulnerabilities. This should include technical ownership, business decision-making, supplier engagement, and communications where needed. If a critical weakness emerges, the organisation should not be working this out for the first time under pressure.
Test and strengthen incident response resilience through regular exercises. Run scenario‑based exercises to validate roles, decision‑making, communications, and escalation under pressure. These exercises help identify gaps in preparedness, improve coordination between technical and leadership teams, and ensure the organisation can respond quickly and effectively when a serious incident occurs.
Questions leadership teams should be asking
Do we know which internet-facing and critical systems would create the most risk if a serious vulnerability were exploited quickly?
How quickly can we confirm whether we are affected by a newly disclosed high-severity issue?
Do we have clear visibility of key suppliers and software dependencies?
Are our identity and privileged access controls strong enough to limit damage if an attacker gets in?
Do we have a clear process for making decisions quickly when a serious software weakness affects the business?
Black Arrow Cyber’s assessment
Mythos and Project Glasswing should be viewed as a sign of where the threat landscape is heading rather than as a single vendor story. The main risk for most organisations is not one model on its own. It is the wider direction of travel: advanced AI capabilities are quickly becoming more accessible, making sophisticated cyber activity faster and cheaper.
The most effective response is operational discipline: know what you have, know what is exposed, reduce time to remediate, tighten identity controls, understand your key dependencies, and make sure the organisation can respond at speed when it matters.
Further details and references
Anthropic Project Glasswing announcement: https://www.anthropic.com/project/glasswing
Anthropic Mythos Preview research note: https://red.anthropic.com/2026/mythos-preview/
UK NCSC guidance on frontier AI and cyber defence: https://www.ncsc.gov.uk/blogs/why-cyber-defenders-need-to-be-ready-for-frontier-ai
Need help understanding your gaps, or just want some advice? Get in touch with us.