Agencies warn models speed attacker timelines

Singapore’s cyber agency says the newest artificial intelligence systems could shrink vulnerability hunting and exploit building from months to hours. (csa.gov.sg) The Cyber Security Agency of Singapore published that warning on April 15, 2026, days after Anthropic announced Claude Mythos Preview on April 7. Singapore urged companies to patch internet-facing flaws, turn on multi-factor authentication for admin systems, and tighten user access. (csa.gov.sg) (channelnewsasia.com) A vulnerability is a software weakness; an exploit is the method attackers use to turn that weakness into access or damage. Singapore’s advisory said frontier models can scan large codebases, spot subtle logic errors, reason about exploitability, and suggest fixes faster than manual review. (csa.gov.sg) Anthropic said Mythos Preview can identify and exploit zero-day flaws — previously unknown bugs — in every major operating system and every major web browser in its testing. The company said it has withheld details on more than 99% of the bugs it found because they were still unpatched. (red.anthropic.com) The United Kingdom’s AI Security Institute said on April 13 that Mythos outperformed earlier frontier models on cyber tests it has tracked since 2023. In one 32-step corporate network simulation that the institute estimates would take humans 20 hours, Mythos completed the full chain in 3 of 10 attempts. (aisi.gov.uk) Singapore’s advisory said it has no indication these capabilities are being misused yet. But it told organizations to assume faster attack cycles, secure or disconnect exposed development and test environments, and review cloud configurations and attack paths. (csa.gov.sg) That changes the old patching timetable. BankInfoSecurity reported on April 16 that Equifax chief technology officer Jamil Farshchi said some companies still take at least two months to patch vulnerabilities while attackers can move within hours, pushing teams toward risk-based prioritization instead of static severity scores alone. (bankinfosecurity.com) Anthropic has limited Mythos access through a program called Project Glasswing, saying the model should be used to secure critical software and prepare the industry for stronger defenses. Singapore’s warning lands in that same gap: the tools that can help defenders find bugs faster can also help attackers weaponize them faster. (red.anthropic.com) (channelnewsasia.com)