20 Apr 2026 — Tyler Wright

Hardening with Claude Opus before you need Mythos

Project Glasswing is the wrong conversation for most Australian businesses. Here is the one that actually moves your risk.

Anthropic's announcement of Claude Mythos Preview and Project Glasswing has done what frontier-model announcements tend to do to Australian security conversations. Boards are asking whether they need access. Vendors are positioning around it. And a number of organisations that do not operate critical infrastructure, do not ship software, and do not have an in-house vulnerability research function are nonetheless asking whether they are now exposed because they do not have a Mythos-class model on their side.

For most Australian businesses, the question is misdirected. Mythos Preview is, at time of writing, available to a tightly curated cohort — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, and roughly forty additional organisations that maintain critical software infrastructure — specifically because its cybersecurity capability profile makes broad release premature. The Glasswing programme exists to harden the software everyone else depends on. It is not a service offering for the average enterprise.

What the average enterprise can do is use the publicly available Claude Opus family — currently Opus 4.7 — against the attack surface it actually owns. The claim in Anthropic's own defender recommendations is that current-generation frontier models are already materially useful for vulnerability finding, triage, patch proposal writing, and response automation. The UK AI Safety Institute's evaluation of Mythos Preview's cyber capabilities reinforces the same point: the delta between Mythos and Opus is significant at the research frontier — novel bug discovery in mature codebases, multi-vulnerability exploit chains — but considerably smaller for the defensive workflows most organisations actually need.

This post is an attempt to unpack what those workflows look like by business type, because the right use of Opus in a twenty-person law firm is not the right use of Opus in a superannuation fund's internal platform team, and neither is the right use of Opus in an ISV.

If you are a small professional-services firm

You consume SaaS — a Microsoft 365 or Google Workspace tenant, a handful of line-of-business applications federated to it, a few endpoints, a website someone else builds. The question is not whether Opus can find a zero-day in Exchange Online; it cannot, and if it could, you could not patch it. The question is whether your tenant survives the next commodity adversary-in-the-middle phishing campaign.

Opus is useful here as a configuration reviewer. Export your conditional access policies, authentication methods, admin role assignments, licensing state, and recent privileged-action audit logs, and have Opus review them against the ASD Essential Eight and CISA's Secure Cloud Business Applications guidance. The same works for your DNS surface — SPF, DKIM, DMARC, MX records, subdomains, and certificate transparency logs are all plain text, and Opus will identify the dangling record pointing at a decommissioned marketing vendor before an attacker does. The hardening that would actually reduce risk for this type of business is tenant hygiene, identity hardening, and third-party review. None of it requires Mythos.
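As an added illustration of the DNS-surface review described above (example code written for this edit, not the post's own or any vendor's tooling), the script below reads an exported zone file and flags the weaknesses a reviewer looks for first: a permissive SPF qualifier, a monitoring-only DMARC policy, and a CNAME at a third-party platform whose target no longer resolves. The zone, the resolution table standing in for live lookups, and the platform suffix list are all constructed for the example.

```python
"""Offline review of an exported DNS zone for e-mail authentication weaknesses
and CNAME records pointing at third-party platforms whose target no longer
resolves. Added example for this post, not code from the original article or
from any vendor; the zone, the resolution table and the platform suffix list
are constructed or assumed for illustration.
"""

# Constructed zone export in a simplified "name type value" layout.
ZONE_EXPORT = """\
example.com.            TXT    "v=spf1 include:spf.protection.outlook.com +all"
_dmarc.example.com.     TXT    "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
example.com.            MX     0 example-com.mail.protection.outlook.com.
promo.example.com.      CNAME  old-campaign.pages.dev.
shop.example.com.       CNAME  shops.myshopify.com.
www.example.com.        A      203.0.113.10
"""

# Assumed list of hosting and marketing platforms where an unclaimed hostname
# can be registered by anyone; maintain your own.
THIRD_PARTY_SUFFIXES = (".pages.dev.", ".myshopify.com.", ".github.io.", ".herokudns.com.")

# Constructed stand-in for live lookups so the example runs offline:
# True = target resolves, False = NXDOMAIN.
RESOLVES = {
    "example-com.mail.protection.outlook.com.": True,
    "old-campaign.pages.dev.": False,
    "shops.myshopify.com.": True,
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_zone(text):
    """Return (name, type, value) tuples; value keeps everything after the type."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name.lower(), rtype.upper(), value.strip().strip('"')))
    return records


def check_spf(records, apex):
    findings = []
    spf = [v for n, t, v in records if n == apex and t == "TXT" and v.startswith("v=spf1")]
    if not spf:
        return [f"{apex}: no SPF record"]
    if len(spf) > 1:
        findings.append(f"{apex}: multiple SPF records; receivers treat this as permerror")
    mechs = spf[0].split()[1:]
    # The trailing "all" qualifier decides the fate of every unlisted sender.
    if "+all" in mechs or "all" in mechs:
        findings.append(f"{apex}: SPF ends in +all, so any host may send as this domain")
    elif "?all" in mechs:
        findings.append(f"{apex}: SPF ends in ?all (neutral), which protects nothing")
    elif "~all" in mechs:
        findings.append(f"{apex}: SPF softfails (~all); move to -all once DMARC enforces")
    lookups = sum(1 for m in mechs
                  if m.lstrip("+-~?").split(":")[0].split("=")[0] in SPF_LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{apex}: SPF needs {lookups} DNS lookups (limit 10)")
    return findings


def check_dmarc(records, apex):
    txt = [v for n, t, v in records
           if n == f"_dmarc.{apex}" and t == "TXT" and v.startswith("v=DMARC1")]
    if not txt:
        return [f"{apex}: no DMARC record"]
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append(f"{apex}: DMARC p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append(f"{apex}: DMARC has no rua address, so nobody receives reports")
    return findings


def check_dangling_cnames(records, resolves):
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME" or not target.endswith(THIRD_PARTY_SUFFIXES):
            continue
        state = resolves.get(target)
        if state is False:
            findings.append(f"{name}: CNAME to {target} no longer resolves (takeover candidate)")
        elif state is None:
            findings.append(f"{name}: CNAME to third-party {target} not verified")
    return findings


def review_zone(text, apex, resolves=RESOLVES):
    records = parse_zone(text)
    return (check_spf(records, apex) + check_dmarc(records, apex)
            + check_dangling_cnames(records, resolves))


if __name__ == "__main__":
    for finding in review_zone(ZONE_EXPORT, "example.com."):
        print(finding)
```

In a real run the RESOLVES table is replaced by live lookups against each CNAME target. Keeping the checks deterministic means the model is handed a short list of confirmed findings to explain and prioritise, rather than the whole zone to interpret.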

If you are a mid-market organisation with internal development

You run internal platforms, probably a customer-facing web application, a CI/CD pipeline, and a cloud estate that has grown organically. The blocker in your environment is not that nobody can find vulnerabilities — it is that your existing tooling produces four hundred findings a week and nobody has time to triage them.

Three workflows return outsized value. The first is SAST and SCA triage — SAST (Static Application Security Testing) scans your source code for vulnerability patterns, SCA (Software Composition Analysis) flags third-party libraries with known CVEs, and both share the same failure mode of generating more findings than any team can investigate. Feed the raw output of your existing tooling (Semgrep, CodeQL, Snyk, Dependabot) into Opus with the relevant source context, and have it produce a prioritised list with exploitability reasoning, suggested fixes, and a judgement on false positives. The second is pull-request security review — a lightweight CI step that runs Opus over the diff against your threat model and your team's list of forbidden idioms. The third is infrastructure-as-code review — Terraform, Kubernetes manifests, GitHub Actions workflows, and cloud IAM policies are prose that Opus reads fluently, and reviewing every change against the CIS Benchmarks is now achievable in a way it was not eighteen months ago. For organisations subject to CPS 234 or SOCI Act obligations, the artefacts this produces are also a defensible paper trail.
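The pull-request review step is easier to reason about with a concrete pre-filter in front of the model. The script below, added here as an example and not taken from the post or any project, parses a unified diff, keeps only the added lines together with their new-file line numbers, and matches them against a forbidden-idiom list. The idiom list and the sample diff are constructed; the patterns are a starting point, not any team's real list.

```python
"""Deterministic pre-filter for a pull-request security review step: walk a
unified diff, keep only the lines the change adds, and match them against a
team's forbidden-idiom list, so a model or a human reviewer starts from a
short list of flagged locations with correct new-file line numbers.

Added example for this post, not code from the original article. The idiom
list and the sample diff are constructed for illustration.
"""
import re

# Constructed forbidden-idiom list: (pattern, reason). A real list comes from
# your own threat model and review history.
FORBIDDEN_IDIOMS = [
    (re.compile(r"\bshell\s*=\s*True\b"), "subprocess with shell=True; pass an argv list"),
    (re.compile(r"\bpickle\.loads?\("), "pickle deserialises untrusted input into objects"),
    (re.compile(r"\byaml\.load\((?![^)]*Loader=(?:yaml\.)?SafeLoader)"), "yaml.load without SafeLoader"),
    (re.compile(r"\bverify\s*=\s*False\b"), "TLS certificate verification disabled"),
    (re.compile(r"\b(?:md5|sha1)\("), "weak hash; use sha256, or a KDF for passwords"),
]

# Captures the new-file start line from "@@ -a,b +c,d @@".
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed diff in git's unified format.
SAMPLE_DIFF = """\
diff --git a/app/export.py b/app/export.py
--- a/app/export.py
+++ b/app/export.py
@@ -10,5 +10,10 @@ import subprocess
 def run_report(name):
-    return subprocess.run(["report", name], check=True)
+    # quick fix for names with spaces
+    return subprocess.run("report " + name, shell=True, check=True)
+
+
+def load_state(blob):
+    return pickle.loads(blob)
 
 def unchanged():
     pass
"""


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every '+' line in the diff."""
    path, new_line, expect_path = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("--- "):
            expect_path = True          # old-file header; new-file header follows
        elif expect_path and raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            expect_path = False
        elif (m := HUNK_HEADER.match(raw)):
            new_line = int(m.group(1))  # reset the counter at each hunk
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                    # removed line or "\ No newline" marker
        else:
            new_line += 1               # context line exists in both versions


def review_diff(diff_text, idioms=FORBIDDEN_IDIOMS):
    """Return one finding dict per (added line, matching idiom)."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for pattern, reason in idioms:
            if pattern.search(text):
                findings.append({"path": path, "line": line_no,
                                 "code": text.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_diff(SAMPLE_DIFF):
        print(f"{f['path']}:{f['line']}: {f['reason']}\n    {f['code']}")
```

The output is what you would attach to the model prompt alongside the diff and the threat model: a few file-and-line anchors with the reason each idiom is forbidden. Only added lines are examined, so a pre-existing problem in unchanged context does not block the change that happens to sit next to it.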

The honest question for this cohort is not whether Mythos would do these tasks better. It is whether you have finished doing them at all with the model you already have access to.

If you are an Independent Software Vendor

This is the cohort where the Mythos question is real. If you ship software that other organisations depend on — especially software that handles authentication, processes untrusted input, or runs in privileged contexts — the capability differential matters, because Mythos finds bug classes in your code that a well-funded attacker will eventually find too.

Two postures are defensible. Apply for Project Glasswing if your footprint warrants it; Anthropic has been explicit that the initial partner list is not the end state. Otherwise, do with Opus what Glasswing participants are doing with Mythos — run it continuously over your codebase with scaffolding designed for vulnerability discovery. Opus 4.7 identifies a substantial share of the vulnerability classes that matter in production software: memory safety, injection, access-control bypasses, authentication and session logic flaws, insecure deserialisation, and dependency supply-chain risk. Pair it with a patching cycle measured in days rather than months and an auto-update mechanism, and the operational risk to your customers from a Mythos-class discovery drops considerably. Accelerating patch deployment and publishing a disclosure policy that assumes faster-than-human discovery rates compounds with any model you use.

If you are a critical infrastructure operator

You are in the cohort the SOCI Act was written for, and you probably either have a relationship with a Glasswing participant already (through your hyperscaler, your EDR vendor, or your OT stack supplier) or are close to one. Mythos-class capability will reach your estate indirectly, as vulnerabilities in the upstream software you depend on get patched faster than they otherwise would have been. That is precisely the design of the programme.

What Opus does for you in the meantime is the unglamorous work that critical-infrastructure estates accumulate: legacy system review, vendor risk assessment, log analytics across OT and IT boundaries, incident response playbook drafting, table-top exercise scenario generation, and configuration drift detection across large heterogeneous estates. The Cyber and Infrastructure Security Centre's guidance under the SOCI Act does not require frontier vulnerability research; it requires demonstrable risk management. Opus produces auditable artefacts for the latter at a cost that makes doing the work at proper cadence feasible.
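Configuration drift detection is the item in that list that reduces to a small, deterministic algorithm, so here is one as an added example (not the post's code or any vendor's): a recursive comparison of each device's exported configuration against a golden baseline, with drift under security-sensitive paths separated from housekeeping changes. The baseline, the device snapshots and the sensitive-path list are constructed for the example.

```python
"""Configuration drift detection across a fleet: compare each device's exported
configuration (already parsed to a nested dict) against a golden baseline,
report every differing path, and escalate the ones under security-sensitive
prefixes. Added example for this post, not code from the original article or
any product; baseline, snapshots and the sensitive-path list are constructed.
"""

# Constructed golden baseline for one class of edge devices.
BASELINE = {
    "ssh": {"enabled": True, "port": 22, "password_auth": False, "allowed_users": ["ops"]},
    "snmp": {"version": "v3", "community": None},
    "ntp": {"servers": ["ntp1.internal", "ntp2.internal"]},
    "logging": {"remote": "siem.internal", "level": "info"},
    "banner": "Authorised access only",
}

# Constructed snapshots as they might be exported from two devices.
SNAPSHOTS = {
    "edge-01": {
        "ssh": {"enabled": True, "port": 22, "password_auth": False, "allowed_users": ["ops"]},
        "snmp": {"version": "v3", "community": None},
        "ntp": {"servers": ["ntp1.internal", "ntp2.internal"]},
        "logging": {"remote": "siem.internal", "level": "debug"},
        "banner": "Authorised access only",
    },
    "edge-02": {
        "ssh": {"enabled": True, "port": 22, "password_auth": True, "allowed_users": ["ops", "vendor"]},
        "snmp": {"version": "v2c", "community": "public"},
        "ntp": {"servers": ["ntp1.internal", "ntp2.internal"]},
        "logging": {"level": "info"},
        "banner": "Authorised access only",
        "telnet": {"enabled": True},
    },
}

# Assumed dotted-path prefixes whose drift is a security event rather than
# housekeeping; tune to the estate.
SENSITIVE_PREFIXES = ("ssh", "snmp", "logging.remote", "telnet")


def diff_config(baseline, current, path=""):
    """Return (dotted_path, kind, baseline_value, current_value) for each difference."""
    drift = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current)):
            sub = f"{path}.{key}" if path else key
            if key not in current:
                drift.append((sub, "removed", baseline[key], None))
            elif key not in baseline:
                drift.append((sub, "added", None, current[key]))
            else:
                drift.extend(diff_config(baseline[key], current[key], sub))
    elif baseline != current:
        # Lists and scalars are compared whole; a reordered list counts as drift.
        drift.append((path, "changed", baseline, current))
    return drift


def classify(drift):
    """Split drift into security-relevant items and everything else."""
    sensitive = [d for d in drift if d[0].startswith(SENSITIVE_PREFIXES)]
    other = [d for d in drift if d not in sensitive]
    return sensitive, other


def fleet_report(baseline, snapshots):
    """Per device: the sensitive drift items in full and a count of the rest."""
    report = {}
    for device, cfg in snapshots.items():
        sensitive, other = classify(diff_config(baseline, cfg))
        report[device] = {"sensitive": sensitive, "housekeeping": len(other)}
    return report


if __name__ == "__main__":
    for device, entry in fleet_report(BASELINE, SNAPSHOTS).items():
        print(f"{device}: {len(entry['sensitive'])} sensitive, {entry['housekeeping']} housekeeping")
        for path, kind, before, after in entry["sensitive"]:
            print(f"  {path} {kind}: {before!r} -> {after!r}")
```

The split matters more than the diff itself. A log level flipped to debug on edge-01 is a ticket; password authentication re-enabled, SNMP downgraded to a v2c public community, the remote log destination removed and telnet appearing on edge-02 is an incident, and it is the second list that should be handed to the model with the device's change history for an explanation.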

Where Opus genuinely will not substitute for Mythos

It is worth being specific about the ceiling, because overselling current-generation capability is a category of advice that ages badly.

Opus will not reliably find the 17-year-old NFS root vulnerability in a mature C codebase that eluded a generation of auditors. It will not autonomously chain four browser vulnerabilities into a working JIT heap spray. It does not produce exploit code at the sophistication level the Mythos evaluations report. For organisations whose threat model genuinely includes that class of discovery — nation-state-grade adversaries targeting custom low-level software — current-generation frontier models are not a substitute.

The set of Australian organisations for which that is the operative threat model is small. Much smaller than the set of organisations that are currently asking whether they need Mythos access.

The prioritisation that holds up

For every business described above, the sequence is the same.

First, identify what of your attack surface is actually yours to harden — tenant configuration, identity plane, application code you own, infrastructure you manage. That is the surface Opus can work on today.

Second, build the workflows that put Opus in front of that surface continuously rather than episodically. A one-off audit is useful; a tool integrated into pull requests, configuration deployments, and log review is transformative.

Third, shorten the patching cycle for the software you consume. The value Mythos delivers through Glasswing is that the software vendors you depend on will, over the next year, be releasing fixes faster than they historically have. Your ability to consume those fixes is the rate-limiting factor on whether that capability reaches you.

Fourth — and only then — consider whether your threat model genuinely requires Mythos-class capability. For most of the Australian market, the answer is that it does not, and the right investment is not lobbying for access to an unavailable model but finishing the hardening work that the model you already have access to is capable of.

What if it turns out to be another Y2K?

It is worth sitting with the uncomfortable version of this question. What if the thousands of zero-days Anthropic claims to have found are not, in aggregate, the systemic threat the announcement makes them out to be? What if most of the vulnerabilities are low-severity, hard to exploit in context, or already guarded by compensating controls? What if Mythos turns out to be a capability demonstration wrapped in a marketing strategy — another Y2K, a problem extensively catastrophised and quietly absorbed, where the industry mobilised and the predicted failures never arrived?

That outcome is not the most likely one, on the balance of the independent evaluations and the partner list, but it is not an outcome that can be ruled out, and an honest advisor should not pretend it can be.

The argument for doing the Opus-assisted hardening work anyway survives that possibility intact, and this is the point that deserves some weight. The workflows described above — tenant configuration review, SAST and SCA triage, pull-request security review, infrastructure-as-code review, legacy system audits — are not reactions to Mythos. They are the security work that is already overdue in most Australian estates, work that has historically been deferred because it is labour-intensive and produces incremental rather than headline-grabbing gains. Opus lowers the cost of doing it. Whether or not Mythos turns out to be as transformative as the announcement suggests, the organisation that used the moment to finish a piece of genuine hardening is better off than the one that waited to see how the story resolved. The downside case for this exercise is a materially better security posture. That is an acceptable downside.

Putting this into your own environment

If you are looking at the Mythos announcement and trying to work out what it actually means for your organisation's cyber posture — as distinct from your AI strategy — the honest answer usually starts with an assessment of what Opus-assisted hardening could already do across your identity, code, and configuration surface. Our advisory team works with Australian organisations on exactly that scoping. If that is useful, the DFIR and advisory services page is the place to start a conversation.
