Anthropic recently announced a powerful new model named Mythos, trained to identify critical security flaws in software. The model proved capable enough that Anthropic opted against a general release, concluding that AI has reached a point where it can match all but the most skilled human security experts at finding and exploiting software weaknesses.
In response, Anthropic launched Project Glasswing, a restricted-access initiative giving a select group of technology companies early access to Mythos so they can test and strengthen their defences ahead of the broader market.
Palo Alto Networks was a launch partner for Project Glasswing. Since then, the company has extended its testing to include Anthropic’s Claude Opus 4.7 and OpenAI’s GPT-5.5-Cyber as part of OpenAI’s Trusted Access for Cyber programme.
The scale of what these models can find is telling. Testing that previously took a full year can now be completed in days. In its most recent Patch Wednesday security advisories, the majority of findings resulted from frontier AI models scanning its own code for the first time, producing 75 identified security flaws across 26 vulnerabilities, compared to a typical monthly volume of fewer than five.
“A key question in the weeks following Mythos’ announcement was whether the industry was overstating the model’s capabilities. We were not. If anything, these models are more capable than first understood. We have moved from a world where AI assists attackers to one where AI can drive attacks autonomously, and the pace of change means traditional security approaches need to evolve quickly. We estimate a three-to-five-month window for organisations to get ahead of attackers before AI-driven exploits become more widespread,” says Justin Lee, regional vice-president: sub-Saharan Africa at Palo Alto Networks.
A South African perspective
This shift has clear implications for South Africa. The country ranked among the top 20 worldwide for cybercrime complaints in 2025, as global cybercrime losses surged to a record $20,8-billion, a 26% increase on the prior year. At the same time, AI adoption in South Africa reached 23,1% in the first quarter of 2026, up from 21.1% in the second half of 2025, making it the leading AI economy on the continent.
That rapid adoption expands the attack surface considerably if security governance does not keep pace.
“South African businesses have shown real resilience in the face of a difficult threat landscape, but AI-driven attack capability changes the economics for attackers. What once required skill, time and resources can now be done faster, more cheaply and at greater scale. We need to match that shift with equally modern defences,” adds Lee.
He sets out four immediate priorities for organisations:
- Find and Fix Weaknesses Before Attackers Do – Use AI to scan code and software for vulnerabilities before attackers can find and exploit them. Apply that same scrutiny to any external software the organisation relies on and move quickly to remediate what is found.
- Reduce Exposure – Limit what attackers can reach, and secure what cannot be hidden. Organisations should know their attack surface, understand where the greatest risks lie, and close the gaps.
- Ensure Defences Are Ready – Finding a weakness is rarely the end of an attack. Organisations need layered, real-time protections across every device, network and user. Zero trust principles, where no user or system is trusted by default, should underpin every connection.
- Respond at the Speed of the Threat – AI-driven attacks can unfold in minutes. Security teams need tools that detect and respond at the same speed, drawing on data from across the organisation and automating response where possible. A joined-up platform approach, rather than a patchwork of separate tools, is essential.
“The shift to AI-driven attacks is not a future scenario. It is already underway. Organisations that move quickly to understand their exposure and put the right protections in place will be best positioned for what comes next,” concludes Lee.