While the purportedly ultra-powerful AI model is poised to overhaul the way vulnerabilities are discovered and managed, the sweeping implications claimed for all of cybersecurity are overstated.
After recently spending a week speaking with top cybersecurity CEOs about AI, it’s safe to say I am as convinced as anyone about AI’s transformative implications for security.
But will it be the AI platform providers, such as Anthropic and OpenAI, taking the lead role in making that transformation happen?
That I am much less sure about.
[Related: The 20 Hottest AI Cybersecurity Companies: The 2026 CRN AI 100]
And yet, that is exactly what many investors seem to be taking away from a series of announcements by the AI platforms in recent months.
This is especially the case after Anthropic’s announcement this week about the purportedly ultra-powerful capabilities in its Claude Mythos frontier model.
Mythos is unquestionably a huge deal for cybersecurity—if only because of the way it will likely upend existing vulnerability management practices, as Forrester analysts detailed this week.
But after digesting Anthropic’s announcement post for a few days, I am still far from convinced by some of the broader claims about the potential of the technology.
Just one claim, actually. It’s the part where Anthropic touts Claude Mythos as offering capabilities that “we believe could reshape cybersecurity.”
That comes right in the second sentence of the post, and if I had to guess, that is what has most shaken investor confidence in cybersecurity vendors this week. Stocks in major security vendors fell sharply on Thursday and are plunging further as of this writing Friday morning.
Why do I think investors may have fixated on that claim? Because the rest of the post just plausibly details how Claude Mythos could overhaul the way vulnerabilities are discovered and managed.
In itself, that does not seem enough to make an informed investor lose faith in companies operating at the breadth and scale of a Zscaler, CrowdStrike or Palo Alto Networks. (While those cybersecurity giants have an offering in vulnerability and exposure management, it is far down the list of their business.)
In other words, to say that Claude Mythos could “reshape cybersecurity” seems like an overstatement. Arguably, a big one.
The implications for vulnerability management, and for the speed and scale of cyberattacks, are no doubt massive, as mentioned. But the vast majority of what cybersecurity vendors do today is not directly related to Claude Mythos’ capabilities—securing endpoints, networks, identities and clouds, not to mention enabling security operations.
And here’s another thing. If this was truly an existential threat to cybersecurity vendors, why on earth would they have agreed to take part in this exact announcement?
I’m referring of course to “Project Glasswing,” the new initiative announced simultaneously in the same post, which has Anthropic providing access to the Claude Mythos Preview version to numerous tech titans (including CrowdStrike and Palo Alto Networks).
As far as I can tell, our situation today is not fundamentally changed from prior announcements such as Anthropic’s Claude Code Security. If you recall, that disclosure in February similarly led to a panicky reaction from investors, which sank cybersecurity stock prices.
Further, if there is a basis to extrapolate from the capabilities in Claude Mythos to other segments of cybersecurity, I’m not seeing it right now. There are still just too many crucial things an AI model trained on public data will just never have (proprietary customer data and threat intelligence, going back years, for instance).
As I said, though, it seems clear that investors have interpreted the Anthropic announcement very differently. They seem to view it as “yet another sign that AI is bad for existing cybersecurity vendors.”
But I’ll say it again: I just don’t think that reaction makes any sense.
I also realize that predictions have a way of becoming self-fulfilling if enough people believe in them.
How the cybersecurity industry responds next could determine who truly gets to “reshape cybersecurity” and who will be sitting on the sidelines.
