The most interesting thing Anthropic did this month wasn’t announcing a new AI model. It was refusing to sell it.
Claude Mythos, revealed on 7 April under the working name “Mythos Preview”, can (according to Anthropic’s own red team) read decades-old software, find the security flaws nobody ever spotted, and write the code to break in. Not theoretical vulnerabilities. Working exploits, produced at scale. Thousands of flaws. Across every major operating system and browser. One bug was twenty-seven years old.
Anthropic decided that was too dangerous to put in a customer’s hands. Instead, twelve companies are running it privately under Project Glasswing: AWS, Apple, Microsoft, Google, JPMorganChase and a handful of others, all pointing it at their own codebases to patch what it finds before anyone else gets there. The Bank of England’s governor has been briefed. The IMF has held meetings. You have probably seen the headlines.
If you run an SME, you are going to be asked what you are doing about it.
This is not about you. That is exactly the problem.
No criminal gang is going to rent AI compute to hunt bugs in your specific accounting software. Mythos-class tools will be used first against the stuff that pays: the operating systems and cloud platforms that sit under every business on earth.
Those platforms are also your software. Equivalent capabilities will end up in the hands of ransomware crews. When they do, the bugs they find in Windows, in a common router, in a popular open-source library, become bugs in your systems. You don’t need to be a target. You just need to be running what the target runs.
The historical parallel that matters here is not the CrowdStrike outage. It is what happened after EternalBlue leaked in 2017. A single NSA-grade exploit, set loose on the open internet, gave the world WannaCry and NotPetya, attacks that took down hospitals, shipping giants and logistics firms for weeks. The businesses that stayed up were the ones that had already applied an update available for two months. The ones that went down were the ones that hadn’t.
Mythos doesn’t change the shape of that game. It makes new EternalBlues cheaper to find.
The conversations that will land on your desk first
The first call won’t come from a hacker. It will come from procurement.
Any large customer or public-sector buyer that noticed the Mythos headlines now has a CISO who wants to tighten supply-chain questions. “Do you have Cyber Essentials?” is about to become a hard gate, not a polite checkbox. Expect a new clause on next year’s contract renewal about “AI-enabled vulnerability assessment.” Vague, but legally binding.
The second call will be your insurer. Cyber cover has been hardening for three years. Insurers now have a new, very marketable reason to exclude whatever they already wanted to exclude. If your policy contains the phrase “state-of-the-art” anywhere, read it properly before you assume a claim is covered.
Neither of these is a technical problem. Both are contracts, paperwork and prep.
Five things, in priority order
Forget the long guides. Do these five, in order, and you have done more than most businesses your size.
- Turn on multi-factor authentication everywhere. Email, banking, the CRM, your accountant’s portal, the admin page of your website. Not optional. Not later. Account takeover is still how most of these stories start, and MFA ends most of them.
- Restore a backup. Not “check the backup ran.” Actually restore one, to a spare machine, and watch whether the files open. You will learn something uncomfortable. Better now than during an incident.
- Get, or renew, Cyber Essentials. It is the cheapest certification in the world that buyers actually ask about. Treat it as a sales asset, not a compliance chore.
- Ask your IT supplier one question, in writing. How fast do critical Microsoft, Apple and Google updates land on our systems, and who signs off on exceptions? If they cannot answer in an email, that is the answer.
- Time yourself. Pick an afternoon. Unplug the office from the internet. See what still works. The gaps you find are your investment plan.
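Step two above says to actually restore a backup and check that the files open. A stricter version of that check, added here as an illustration and not part of the article, records a SHA-256 manifest of the live files and compares a restored copy against it, so a truncated or silently corrupted file is caught even when it still "opens". The directory layout, file contents and the broken restore are constructed for the demo; `build_manifest`, `verify_restore` and `demo` are names chosen here.

```python
"""Verify a restored backup against a manifest taken from the live files."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = sha256_of(path)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest.

    Returns problems grouped by kind: files that never came back, files whose
    contents differ from the live copy, and files that were not in the original.
    A zero-byte file still "opens", so only a hash comparison catches it.
    """
    problems: dict[str, list[str]] = {"missing": [], "corrupt": [], "unexpected": []}
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems["missing"].append(rel)
        elif restored[rel] != digest:
            problems["corrupt"].append(rel)
    for rel in restored:
        if rel not in manifest:
            problems["unexpected"].append(rel)
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a small live tree and a restore that is quietly broken."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        for root in (live, restored):
            (root / "accounts").mkdir(parents=True)

        # Live data (constructed sample content).
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (live / "accounts" / "invoices.txt").write_text("INV-001 paid\n")
        (live / "notes.txt").write_text("call accountant\n")
        manifest = build_manifest(live)

        # The "successful" restore: one file intact, one written as zero bytes
        # (the backup job reported success), one never restored at all.
        (restored / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (restored / "accounts" / "invoices.txt").write_text("")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run the manifest step against the live system on a schedule and keep the manifest somewhere the backup job cannot overwrite; the restore test then has something independent to compare against, which is the difference between "the backup ran" and "the backup works".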
The three questions your CFO will actually ask
Not “will AI hack us.” Three real ones.
How long can we trade without our systems? If the answer is “a few days,” that is your single largest capital priority this year.
Would we pass a customer’s 2026 security questionnaire as written today? If you don’t know, you will find out, painfully, when you lose a bid.
What is the directors’ exposure if the worst happens? ICO enforcement has been sharpening year on year, and “we didn’t know” stopped being a defence some time ago.
The part nobody wants to say out loud
Strip the drama out and Mythos is not a new kind of threat. It is an old one with the economics changing. The internet has always run on unpatched software. What’s different now is how quickly new holes will be found. Less obviously, how quickly they will get fixed inside the platforms you depend on.
The twelve firms inside Project Glasswing are doing that fixing on your behalf. The Windows update you apply next Tuesday is the one you are paying for, indirectly, with the research credits Anthropic is handing out. That is a genuine upside, and it accrues automatically to businesses that keep their house in order.
It does not accrue to businesses that don’t.
So the board question is not “what do we do about Claude Mythos.” It is the harder one: does this business, on paper, look like it keeps its house in order? If the answer is yes, you are in a better position than you were a week ago. If the answer is no, you are in a worse one.