Last month, Anthropic announced its latest AI model, Claude Mythos Preview, which appears custom-built to terrify cybersecurity professionals.
The new model is exceptionally adept at computer security, capable of finding and exploiting both new and widely known software vulnerabilities. It can even reverse-engineer exploits when the original source code is hidden.
The concern though is that sooner or later, malicious actors will get their hands on Mythos Preview or a competitor of similar abilities and exploit these vulnerabilities at scale. So, what are the implications for cyber security, cyber insurance, and cyber catastrophe (cat) bonds?
So far, we have observed a benign insurance response, partly, we think, because there haven’t been any severe events yet, but it would be naïve to assume that these capabilities do not elevate the cyber threat level.
Most attackers don’t break in, they log in
We think the headline capabilities of Mythos are impressive, but they primarily address code exploitation. In the reality of cybercrime, most attackers do not break in, they simply log in. According to the European Union Agency for Cybersecurity, phishing remains the primary exploit in roughly 60% of cases. Mythos does little to worsen the threat of social engineering, misconfigured default credentials, or simple human error.
Even within the realm of code exploitation, society already operates in a dangerous environment. In the first half of 2025 alone (long before the Mythos launch), over 1,700 vulnerability discoveries were rated as critical according to the US National Institute of Standards and Technology’s National Vulnerability Database, with the average time between discovery and exploitation currently only about five days. This is not to diminish the significance of Mythos finding new vulnerabilities but, to be clear, society lives with plenty of critical vulnerabilities already.
Furthermore, finding a vulnerability in a lab is very different from executing an attack in the wild. During testing, Mythos operated with network access and without defensive tooling to navigate. A high technical severity score does not guarantee that a vulnerability is practical to exploit in a live, defended corporate network.
Achilles and the tortoise
Anthropic is aware of the risks and has restricted the release of the model. Their defensive strategy recalls the ancient Greek paradox of Achilles and the tortoise, where giving a slower runner a head start means the swifter pursuer can theoretically never catch up. Through an initiative called Project Glasswing, Anthropic is attempting to give software defenders that same critical lead.
The company is sharing Mythos exclusively with developers of systemically important code, including Google and Linux, backed by US$100 million in usage credits. The goal is to patch security issues before bad actors gain access to similar capabilities. Assuming identified vulnerabilities get fixed, finding the next flaw would cost progressively more in tokens, making future attacks increasingly expensive to execute.
What’s the impact on insurance?
Will Glasswing give the good guys the lead that they need? The question is probably overly simplistic. The initiative will definitely help, but we already swim in a sea of documented vulnerabilities. At the very least, attritional losses are likely to increase. This means underwriters will place even greater emphasis on corporate cyber hygiene, pricing risk based on a company's patching cadence and backups.
However, it is less clear that Mythos worsens the average loss per event. This could explain the calm reaction of the cyber cat bond market. The bulk of these deals are per-occurrence, and attachment levels are orders of magnitude bigger than the insured losses seen to date.
The industry will still need to grapple with two fundamental questions though. First, if an AI agent simultaneously attacks multiple institutions, insurers must determine if that constitutes a single event. Whether the 11 September 2001 attacks on the World Trade Center constituted one or two events was heavily litigated, and defining the cyber linkage of events is potentially more difficult. Second, as corporates integrate AI into their processes, the market must consider whether AI outages warrant sub-limits as is already the case for cloud service outages.
Best defence
We think one reason cyber risk has been attractively priced is a lack of very severe event history in a rapidly evolving landscape. The emergence of Mythos Preview represents a step change in threat discovery, exploitation, and remediation speeds, effectively resetting the maturity clock of these nascent risk models. The end result is likely to be a stronger global infrastructure, but there will be a risk of undesirable attacks along the way.
When models like Mythos Preview eventually become widely available, good software practices and staff trained against social engineering will remain the best defence.
For now, we believe the per-occurrence structure and high attachment points of existing cat bonds are likely to provide meaningful insulation from the turbulence ahead.
Author: This is an excerpt from an in-depth analysis by our AHL colleagues of the likely Mythos Preview impact on the cyber cat bond market.