Claude Mythos Preview: Why Advanced AI Is a Wake-Up Call for Vulnerability Management
Anthropic’s announcement of Project Glasswing, giving select organisations access to Claude Mythos Preview, signals a profound shift in the cybersecurity landscape. The initiative provides access to an unreleased frontier model capable of surpassing human experts in identifying and exploiting software vulnerabilities. Mythos has already uncovered thousands of zero-day flaws, including a 27-year-old OpenBSD bug, a 16-year-old FFmpeg flaw, and multiple Linux kernel exploit chains.
We brought together our cyber thought leaders to give real-world context to Claude Mythos Preview and share their recommendations on how organisations can better defend against advanced AI-powered threats.
‘The Key Issue Isn’t Technology, It’s Readiness’
James Holton, Practice Director
Mythos Preview is an important moment in how vulnerabilities can be found and exploited at scale. This hasn’t suddenly changed the risk landscape overnight, but it does pose serious questions for the near term.
Access to this technology is, for now, still limited until it’s either released, leaked, or copied, or until threat actors innovate. Based on current levels of AI development, I take the pessimistic view that this will be sooner rather than later. That means we’re not far away from the real risk, when similar capabilities inevitably spread to less responsible actors.
However, it’s still worth pointing out that the computational requirements to run this type of AI at scale would prevent opportunistic use. It becomes truly dangerous once costs fall or when utilised at a nation-state level.
That’s why the real issue isn’t the technology itself, but whether organisations are ready. Regardless of whether the industry has a short or long window to get ready, the fundamentals are more important than ever. Patching, configuration, and good security hygiene remain the most effective defences, regardless of when or how these new technologies become conventional.
‘Is This a New Dawn? That Depends...’
Simon Bishop, Head of Governance, Risk, and Compliance (GRC)
The key issue surrounding Claude Mythos Preview is effective triage: understanding true exposure in the context of existing layers of control and prioritising remediation accordingly. Base scores are exactly that, base. In many environments, compensating controls will already reduce some of these to medium or even low risk.
Instead of showcasing a fundamentally new class of threat, my take is that this release simply highlights the acceleration of an existing problem.
We already know software contains significant latent vulnerabilities; we already know defenders struggle to keep pace; and we already know offensive capability scales faster than remediation and always will.
Mythos doesn’t introduce those issues; it simply makes them more visible.
So, the point to really focus on isn’t that AI can find flaws – we’ve been moving in that direction for years. Instead, it’s that the industry response to fixing them is still largely constrained to human speed. Until patching, change, ownership and risk acceptance scale accordingly, headlines like this will sound dramatic without materially changing day-to-day risk for most organisations.
Is this then an opportunity for a new dawn? Possibly, but only if it drives structural change in vulnerability management and resilience, not just another wave of tooling announcements and CISOs losing sleep.
‘UK Healthcare Will Need Support’
Elliott Morgan, Cyber Lead for NHS
To echo Trustmarque Ultima colleagues, Mythos Preview presents a rapid acceleration in the identification of vulnerabilities and the development of exploits in critical systems. Looking at the most notable cyber incidents in the NHS, however, zero-day vulnerabilities have rarely been the cause of breaches or of their subsequent impact.
Whilst cited often due to its scale, WannaCry was to some extent a patching issue. The patch for this exploit was released in March 2017, with the subsequent incident occurring two months later. More recent events like the Synnovis incident are associated with insecure, outdated systems and poor identity hygiene concerning multi-factor authentication/two-factor authentication (MFA/2FA). These successful attacks were not spawned from the ingenuity of engineering exploits for zero-day vulnerabilities. Instead, they exploited known issues where the patch or update that would otherwise close the vulnerability was already available.
What this suggests in the big picture is that we’re dealing with a capacity problem. IT and security teams in the NHS are up against a colourful network of corporate IT, medical devices, operational technology (OT), and bring your own device (BYOD) policies against a backdrop of crippling legacy debt with no clear path to migration.
Though it may seem a somewhat prosaic solution in the face of such a fascinating example of cutting-edge technology, a lot can be said for implementing high levels of cyber hygiene, efficient patching programmes, and strong network segmentation design. It goes without saying that our NHS colleagues are experiencing more of a resourcing issue, not a technological one.
This isn’t all to dismiss the importance of what Mythos and Project Glasswing represent. Much the opposite. This is a landmark moment for both offensive and defensive security teams. The potential to prerelease products and coding efforts defensively is incredible. The same goes for the flipside of this coin, where the application of these technologies in offensive security testing and malicious operations could be staggering.
For now, the real-world experience for many of the NHS teams we work with is a constant game of whack-a-mole with far too many moles and not enough hammers. In its infancy, Mythos Preview appears to be adding many more moles if this intelligence isn't incorporated into development pipelines. NHS teams need additional resourcing and must look to increase efficiencies in their patching and vulnerability management processes. Regardless of how that is done – through automation, resource augmentation, or managed services – more support is required in UK Healthcare and, to varying degrees, in other areas of critical national infrastructure.
In Summary: What Mythos Preview Means for Organisations
The Mythos Preview marks a step change in cybersecurity, shifting vulnerability discovery from human-paced processes to AI-driven speed and scale. The key factors to consider include:
The vulnerability discovery paradigm has changed. Traditional detection and patching cycles, predominantly built around human-paced discovery, are no longer sufficient. AI can now uncover deep, long-standing flaws that automated tools and human analysts have missed for years.
Critical infrastructure globally is at significant risk. Vulnerabilities found by Mythos have affected systems worldwide and across sectors, including government portals, financial platforms and open-source software.
AI-driven exploitation compresses response windows. When exploits can be automated and chained at machine speed, the time defenders have for triage and investigation shrinks, increasing pressure on teams and the likelihood of fatigue.
Attackers will eventually gain similar capabilities. While Mythos remains restricted, defenders have a window, but attackers will obtain comparable tools, and Anthropic's controlled release underscores that inevitability.
Key Focus Areas for Cybersecurity Leaders
We see these as the key areas of investment for IT and security leaders:
| Focus area | What to do |
| --- | --- |
| Accelerate patching and prioritisation | Move to continuous scanning and risk-based patching to keep pace with AI-driven discovery. |
| Strengthen core controls | Assume rapid exploitation. Enforce MFA, least privilege and micro-segmentation, and deploy EDR/XDR with behavioural analytics, aligned to Zero Trust principles. |
| Address open-source risk | Improve visibility and management of widely used components, where a single vulnerability can scale across many systems quickly. |
| Build AI-aware governance | Adopt frameworks such as ISO 42001 and introduce AI-specific threat modelling and red teaming. |
| Prepare for regulatory change | Expect increased requirements around patching speed, AI-assisted scanning, and transparency in vulnerability management. |
‘How can Trustmarque Ultima support you?’
Marc Simmonds, Head of Cyber & Networking Sales
Trustmarque Ultima offers over 30 years’ experience in service delivery, relationships with the world’s leading cyber vendors, and in-house expertise in cyber risk management. In the context of the key risks posed by advanced AI technologies like Mythos, and the focus areas above, there are many ways we can help you protect your organisation and prepare for the inevitability of security events.
Governance Risk & Compliance
We help customers understand their readiness for automated AI attacks and can support you across a range of industry regulations, gap analysis exercises, and strategy advisory services. We can even offer the safe hands of a Virtual CISO (vCISO).
Whether you need short-term reviews that put a stake in the ground or want to build a strategic, mature cybersecurity programme, we are able to support and advise organisations of varying complexity, size, and regulatory demands.
Managed Vulnerability Management as a Service (VMaaS) and Patching
If you, like many others, are finding it difficult to keep up with vulnerabilities, we can help. We have already adopted AI into our methodologies to stay one step ahead of the curve when it comes to AI-accelerated threats.
Managed XDR
Powered by Sophos Taegis, we can help organisations increase their visibility of threats through 24/7 monitoring and enhanced threat intelligence, while maintaining your existing cybersecurity investments.
Penetration Testing
The NCSC and Anthropic themselves suggest that good cyber hygiene remains your strongest defence. With over 10 years as a certified member of CREST and a team of security consultants, some of whom are among the most highly qualified in the UK, we can provide the validation you need to build a strong, stable foundation to protect against new AI threats.
Technology Strategy
Whether you want to review your network architecture, shift towards SSE/SASE, or adopt a Zero Trust Architecture, we have many health checks and workshops that can support a transformational project from start to finish across multiple vendors.
Summary
Claude Mythos Preview highlights a major shift in cybersecurity, with AI dramatically accelerating how vulnerabilities are discovered and exploited. While the technology is powerful, the real challenge lies in organisational readiness. Existing weaknesses, such as slow patching, legacy systems, and limited visibility, are now being exposed at greater speed and scale.
Although current access is controlled, similar capabilities will likely reach threat actors soon. Organisations must act now by strengthening fundamentals: improving patching and prioritisation, enforcing Zero Trust principles, managing open-source risks, and adopting AI-aware governance. Those that align security practices to AI-driven threat speed will be best positioned to remain resilient.
Get in touch to see how we can help. Contact us here.