Threat Research

Mythos Is On The Horizon. AI Exploits Are Already At The Gates.

Nihar Deshpande, Senior Staff Security Researcher

Artificial intelligence has been part of cybersecurity for years, mostly on the defense side. Better detection, faster response, smarter alerts. Around 2022, the same technology started showing up in attack toolkits. By 2025, AI-driven cyberattacks crossed 28 million incidents, up 72% year over year. The average breach costs $4.9 million now.

The Mythos Moment

In April 2026, Anthropic announced Claude Mythos Preview, a general-purpose model so capable at finding and exploiting software vulnerabilities that the company refused to release it publicly. In testing, it found critical flaws in every widely used operating system and web browser, the majority still unpatched. It exploited a 27-year-old bug in OpenBSD and a 16-year-old one in FFmpeg that had survived five million automated tests. Anthropic restricted access to about 40 organisations under Project Glasswing, including AWS, Apple, Microsoft, Google, CrowdStrike, Palo Alto Networks, and committed $100M in usage credits for defensive work.

Reasonable people disagree on how big a deal this is. Some independent reviewers, including AISI, found the testing scenarios were softer than real-world environments. Others noted the timing lined up neatly with Anthropic’s IPO chatter. Both can be true.

But Mythos is not the threat this blog is about. Mythos is the ceiling — locked behind a partner program, monitored, defensive-only. The floor is what’s hitting enterprises right now, and the floor doesn’t need a frontier model. It needs a $200 WormGPT subscription, a few seconds of audio scraped from an earnings call, and an unpatched CVE from 2023. PwC put it bluntly: most enterprise exposures aren’t zero-days. They’re known vulnerabilities, stale credentials, and misconfigurations that agentic AI can exploit faster and more cheaply than ever before.

The Mythos headlines are about what’s coming. The rest of this blog is about what’s already here.

It Started With Better Malware

Early on, AI just helped write malware faster and mutate it before antivirus signatures could catch up. Then the tools got more organized.

| Tool | What it does | Skill required |
|---|---|---|
| WormGPT | Generates malware, phishing emails, BEC scripts | None |
| FraudGPT | Automates scam pages and credential theft | None |
| MalTerminal | GPT-4 malware, unique variant every execution | Low |
| PromptLock | Rewrites its own payload per target environment | Low |
| LameHug / PromptSteal | Adaptive campaigns that bypass defenses in real time | Low |

WormGPT and FraudGPT are dark web subscription services. No technical background needed. That is what has changed most. The entry bar is basically gone.

The Multichannel Playbook

Phishing used to be easy to catch. Typos, suspicious sender addresses, generic greetings. Those are gone now. IBM ran a test where an AI built a phishing campaign in five prompts and five minutes that was as good as one a human expert spent 16 hours on.

Attackers also stopped relying on a single email. They build sequences now. A personalized email first, using details pulled from LinkedIn and public filings. Then a follow-up voice call, cloned from a few seconds of audio. Then a video call if the target still needs convincing.

Arup, February 2024. A finance employee joined a video call with what she thought was her CFO and senior leadership. She authorised a $25 million transfer. Everyone on that call was AI-generated.

UNC6040, early 2025. The group cloned a CFO’s voice from a publicly available earnings call recording and called the finance team directly. $12 million gone.

| Metric | Change |
|---|---|
| AI phishing click-through rate | 54% vs 12% for traditional |
| Phishing email volume | +202% in H2 2024 |
| Voice phishing incidents | +442% in H2 2024 |
| Deepfake fraud incidents | +680% year over year |

29 Minutes and Counting

In September 2025, Anthropic disclosed a large-scale cyberattack that was run predominantly by AI agents. Thirty organisations hit across government, finance, and critical infrastructure. AI handled 80 to 90 percent of the attack tasks. Recon, vulnerability scanning, exploit generation, credential harvesting. Humans stepped in only at a few decision points.

Average attacker breakout time is now 29 minutes. The fastest recorded case in 2025 was 27 seconds.

The window teams used to have to catch something is shrinking fast.

The Software You Already Trust

Attackers figured out they do not need to break through the front door. They can walk in through something your team already installed.

In 2024, a compromised npm package got downloaded over 2 million times before anyone caught it delivering malicious payloads. Developers trusted it because it had been legitimate for years. The attacker just took it over after the original maintainer walked away.

The xz Utils case was the same concept, but a longer game. A developer spent two years making legitimate open-source contributions before slipping a backdoor into a compression library sitting inside millions of Linux systems.

| Year | Incident | Scale |
|---|---|---|
| 2020 | SolarWinds Orion update | 18,000 organisations |
| 2024 | xz Utils backdoor | Millions of Linux systems |
| 2024 | Hugging Face ML models | 100+ with hidden backdoors |
| 2024 | Abandoned npm packages | 2M+ malicious downloads |

How a Full Attack Unfolds Today

In 2023, Scattered Spider breached MGM with a 10-minute phone call. They looked up an employee on LinkedIn, called the IT help desk pretending to be that person, and got admin credentials. No malware. No zero-day. 100 ESXi servers encrypted. $100 million in losses.

They did not need AI for that. Just LinkedIn and a phone.

Here is what the same attack looks like today.

| Stage | MGM 2023 (Human-Led) | With AI Today (Agentic-Led) |
|---|---|---|
| Reconnaissance | Manual: Researchers spent hours on LinkedIn/corporate sites to find IT staff and org charts. | Autonomous: AI agents map the entire org chart, identify vendors, and scrape voice samples from YouTube or earnings calls in minutes. |
| Initial Access | One targeted vishing call: A human caller pretended to be an employee to trick the IT help desk. | Deepfake Vishing: AI-cloned voices, indistinguishable from the real person, handle multiple calls simultaneously with perfect script adherence. |
| Privilege Escalation | Manual: Attackers navigated systems manually to find and harvest admin credentials. | Automated: AI scripts run unattended, identifying identity loopholes and Zero Standing Privilege gaps at machine speed. |
| Finding the Backup | Manual Mapping: Humans spent days looking for the backup server IP and admin accounts. | Data-Aware Discovery: AI identifies backup servers, snapshot schedules, and cloud object storage (S3/Azure Blobs) on its own. |
| Neutralizing Backup | Manual Deletion: Deleting backups over several days, often triggering alerts or unusual activity flags. | Stealth Scripting: AI quietly modifies retention policies and wipes immutable copies while staying just under alert thresholds. |
| Encryption | Manual Deployment: Triggered by a human operator once they thought the backups were gone. | Guaranteed Trigger: Encryption is automatically unleashed the microsecond the AI confirms the Zero Recovery state. |
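The backup-neutralization stage above turns on one detail: each retention change or deletion is kept small enough that a per-event alert never fires. The script below is an added example, not code from the original post or from Druva. It runs over a constructed backup-audit log whose JSON layout and event names (RetentionPolicyModified, SnapshotDeleted, ImmutabilityDisabled) are assumptions rather than any real product's schema, and contrasts a naive single-change rule, which sees nothing, with windowed rules that score the cumulative drift per policy and per actor.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not a real backup product's log).
# Four retention cuts of 50% or less each, three deletions, then immutability removed.
SAMPLE_LOG = """
{"ts": "2026-03-01T01:00:00Z", "actor": "svc-backup-admin", "event": "RetentionPolicyModified", "target": "policy/prod-db", "old_days": 30, "new_days": 25}
{"ts": "2026-03-01T01:40:00Z", "actor": "svc-backup-admin", "event": "RetentionPolicyModified", "target": "policy/prod-db", "old_days": 25, "new_days": 20}
{"ts": "2026-03-01T02:20:00Z", "actor": "svc-backup-admin", "event": "RetentionPolicyModified", "target": "policy/prod-db", "old_days": 20, "new_days": 14}
{"ts": "2026-03-01T03:05:00Z", "actor": "svc-backup-admin", "event": "RetentionPolicyModified", "target": "policy/prod-db", "old_days": 14, "new_days": 7}
{"ts": "2026-03-01T03:30:00Z", "actor": "svc-backup-admin", "event": "SnapshotDeleted", "target": "snap/prod-db-0221"}
{"ts": "2026-03-01T03:31:00Z", "actor": "svc-backup-admin", "event": "SnapshotDeleted", "target": "snap/prod-db-0222"}
{"ts": "2026-03-01T03:32:00Z", "actor": "svc-backup-admin", "event": "SnapshotDeleted", "target": "snap/prod-db-0223"}
{"ts": "2026-03-01T04:00:00Z", "actor": "svc-backup-admin", "event": "ImmutabilityDisabled", "target": "vault/prod-db"}
{"ts": "2026-03-01T09:00:00Z", "actor": "alice", "event": "RetentionPolicyModified", "target": "policy/dev-scratch", "old_days": 7, "new_days": 5}
"""


def parse_events(text):
    """Parse one JSON object per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def single_step_alerts(events, max_cut=0.5):
    """The naive rule: alert only if ONE change cuts retention by more than max_cut.
    Every step in the sample stays at or below 50%, so this returns nothing."""
    return [e for e in events
            if e["event"] == "RetentionPolicyModified"
            and 1 - e["new_days"] / e["old_days"] > max_cut]


def analyze(events, window=timedelta(hours=24), max_total_cut=0.5,
            burst_window=timedelta(hours=1), burst_count=3):
    """Windowed rules that catch low-and-slow backup neutralization (ATT&CK T1490)."""
    findings = []

    # Rule 1: removing immutability is never routine; flag every occurrence.
    for e in events:
        if e["event"] == "ImmutabilityDisabled":
            findings.append({"severity": "critical", "rule": "immutability_disabled",
                             "target": e["target"], "actor": e["actor"]})

    # Rule 2: per policy, compare the retention at the START of a window with the
    # retention at the END, so a chain of small cuts is judged by its total effect.
    by_policy = defaultdict(list)
    for e in events:
        if e["event"] == "RetentionPolicyModified":
            by_policy[e["target"]].append(e)
    for target, changes in by_policy.items():
        for i, first in enumerate(changes):
            chain = [c for c in changes[i:] if c["ts"] - first["ts"] <= window]
            total_cut = 1 - chain[-1]["new_days"] / first["old_days"]
            if total_cut >= max_total_cut:
                findings.append({"severity": "high", "rule": "cumulative_retention_cut",
                                 "target": target, "actor": first["actor"],
                                 "steps": len(chain), "total_cut": round(total_cut, 2)})
                break  # one finding per policy is enough

    # Rule 3: per actor, count snapshot deletions inside a sliding burst window.
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "SnapshotDeleted":
            by_actor[e["actor"]].append(e["ts"])
    for actor, times in by_actor.items():
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= burst_window)
            if n >= burst_count:
                findings.append({"severity": "medium", "rule": "snapshot_deletion_burst",
                                 "actor": actor, "count": n})
                break

    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("naive per-change alerts:", single_step_alerts(evs))
    for f in analyze(evs):
        print(f)
```

The point of the design is the baseline: Rule 2 measures drift from the retention value at the start of the window, not from the previous change, so splitting a 30-to-7-day cut into four steps of 50% or less no longer hides it. The thresholds here are illustrative; tune them to the change rate your backup administrators actually produce.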

MITRE Mapping

MITRE ATT&CK covers the full attack lifecycle. MITRE ATLAS (v5.4.0, February 2026) tracks attacks on AI systems specifically. 16 tactics, 84 techniques, 56 sub-techniques.

| Stage | MITRE ID | Real-World Example / Actor |
|---|---|---|
| Reconnaissance | T1589 (Gather Victim Identity Info) | FAMOUS CHOLLIMA: Used agentic AI to map organizational structures. |
| Initial Access | T1566 (Phishing) | Arup ($25M) & UNC6040 ($12M): Deepfake audio/video calls. |
| Privilege Escalation | T1068 (Exploitation for Privilege Escalation) | CVE-2025-29824: Exploited by Play ransomware to gain admin rights. |
| Backup Targeting | T1490 (Inhibit System Recovery) | Pre-ransomware neutralization: Deletion of recovery points prior to encryption. |
| Encryption | T1486 (Data Encrypted for Impact) | RansomHub, Play, Akira: Modern ransomware variants. |
| Supply Chain | AML.T0010 (ML Supply Chain Compromise) | npm packages, Hugging Face, and the xz Utils backdoor. |
| AI Model Attacks | AML.T0051 (LLM Jailbreaking/Inference) | EchoLeak (CVE-2025-32711): Exploiting model logic to leak training data. |

Mythos Tomorrow, AI Exploits Today

While frontier AI models like Mythos dominate industry conversations, the more immediate enterprise risk comes from the widespread availability of low-cost, commoditized AI tools already being adopted by threat actors. These tools significantly lower the barrier to entry, enabling attackers with limited expertise to execute campaigns faster, at greater scale, and with higher operational efficiency.

For security teams, the challenge is no longer limited to sophisticated nation-state capabilities. Everyday attackers can now rapidly identify and exploit common security gaps using AI-assisted workflows. As a result, organizations must prioritize strengthening foundational security controls and resilience strategies today, rather than focusing solely on future autonomous AI threats.

The reality is clear: by the time fully autonomous agents become mainstream, attackers will already be weaponizing existing weaknesses in minutes, not days.

Druva Blog: Cloud Technology & Data Protection Articles