Cybersecurity is usually debated in a world of jargon, much of it not understandable to the general public. We generally only notice when something goes wrong. But the latest artificial intelligence (AI) advances threaten to bring the threat faced from criminals and “bad actors” to a whole new level. This has significant implications for companies, regulators, the State and the wider population and is an issue which is set to break out from the world of cyber security into a national and international debate.

What are we talking about?

American AI company Anthropic has developed an AI model, Claude Mythos Preview, which, in the words of the company itself, shows how “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities”.

Humans can hunt down coding errors in programmes, in other words, but AI can do it a whole lot quicker. The programme has found “thousands of high-severity vulnerabilities, including some in every major operating system and web browser” used across the world. And if Anthropic can develop this type of technology, others can – sooner or later – develop or get access to it as well, including so-called “bad actors”, states or criminal organisations intent on disruption and theft, or, in extreme cases, attacks on vital national infrastructure.

Why is this different?

In essence, this is about the speed at which system vulnerabilities can be uncovered and exploited. According to Puneet Kukreja, head of cyber at EY Ireland: “Risk has not changed, speed has.”

Companies are aware of some of their software vulnerabilities – or the risks of ones emerging – and have processes to issue fixes, or patches, and plans to deal with disruption.
But Claude Mythos Preview shows that AI models can find these vulnerabilities and exploit them at a hugely accelerated speed, often linking a number of vulnerabilities in a system to get access.

It is a question of “human speed versus AI speed”, according to Dani Michaux, EMA cyber leader at KPMG. The whole speed, scale and regularity of attacks is shifting, she said, bringing a “new type of risk” and the kind of systemic issues which surfaced during the Y2K debate – when there were concerns that a date change to the year 2000 could upend systems – but on a vastly different level.

Y2K was related to the core threat of a predictable coding flaw, says Michaux. Mythos and other new models will, in contrast, be unpredictable and can cross all systems and types of code. They therefore challenge the traditional human-driven software patch cycles – “fixes” used to address vulnerabilities – with the added threat of models being “weaponised” by bad actors. A kind of Y2K on steroids.

As well as acting to exploit areas where companies may have “patched” and hoped for the best, the Anthropic programme can also uncover new vulnerabilities.

According to the Irish Information Security Forum (IISF), a group of cybersecurity professionals, the model “represents a material jump in AI capabilities, specifically in its ability to autonomously identify and exploit zero-day vulnerabilities – security flaws unknown to software developers.” In one key system it found a vulnerability which no one had spotted for 27 years. According to Kukreja: “When vulnerabilities can be identified and exploited at machine speed, the window between exposure and impact collapses.”
The risk is not just of company problems but of wider issues such as emerged from the hacking of the HSE system in 2021, which led to the organisation contacting 90,000 people whose data may have been accessed, or the attack on software developed by US company Collins Aerospace in 2025, which disrupted check-in at a number of European airports. There was also a major attack which caused production to cease at Jaguar Land Rover in the UK last year for around a month. The worry is that AI can make this type of wider disruption more common – and disruption, rather than profit, is often the name of the game for state-backed actors looking to cause upheaval for political reasons. Criminals typically seek to raise money, for example via ransomware which ties up systems and puts pressure on companies to pay a “ransom” to free them. But cyber security worries are now increasingly focused on state-backed actors intent on disruption.

What is Project Glasswing?

Anthropic has not released its latest programme generally, instead releasing it to “vetted partners” including Amazon, Microsoft, Google, Cisco, chip manufacturer Nvidia, cyber security firm CrowdStrike, JP Morgan Chase, the Linux Foundation – which supports non-profit open source software – and 40 others. This is to allow them to find weaknesses in their systems and patch them before attackers find them. “Every partner must share findings with their broader industry,” Anthropic says. It argues that the AI capability to attack software systems and find coding vulnerabilities was going to exist whether it developed it or not and its actions allow the “defenders” to get there first.

Anthropic may have a point. But its work shows the huge power of AI in this area. It is only a matter of time, according to Michaux at KPMG, before other companies develop similar systems and “bad actors” get access to them.

This will multiply the increasingly sophisticated AI-based scams.
In one case reported last year, a finance director of a multinational company almost fell victim to a deepfake video designed to look like it was from his chief financial officer and telling him to transfer $670,000 (€577,000). When the scammers upped the demand further, red lights flashed at his banker, HSBC, and the transfer was stopped.

While Anthropic is restricting the release of its programme, it is a profit-driven corporation and the debate about co-ordinated international oversight of AI development is growing quickly – as shown by this week’s comments by Pope Leo. Last week US president Donald Trump cancelled a proposed executive order which would have meant big AI companies submitted so-called “frontier models” on a voluntary basis for checks in relation to national security and other cyber threats.

For now, the private sector calls the shots and the public sector is trying to catch up. The European Central Bank (ECB), for example, called an urgent meeting with banks this week to urge them to act more quickly to see off this threat and to ask US banks to which Anthropic had given access for information on what is involved. “Guardrails” from regulation may limit the use of technology by the private sector, says Michaux, but criminals or State-driven actors will clearly not be subject to these.

Again, the need to react much more quickly was underlined. Frank Elderson, vice-chair of the ECB supervisory board that oversees banks, told the Financial Times that, in terms of how the sector responds to cyber threats: “In musical terms, I would say andante may have been good enough, but we need to go to presto.”

For cyber security professionals, the world has changed. “It shows that as AI grows more capable of complex reasoning and software engineering, the risk of it acting outside its intended scope increases,” according to the IISF.
“For end users and professional organisations, this emphasises a shift in the industry: cybersecurity is no longer just about defending against humans, but about racing to secure systems against autonomous AI agents.”

What does it mean for Irish companies?

Big companies are already subject to a range of national and European Union (EU) regulation – for example the financial sector operates under the EU Digital Operational Resilience Act (DORA) which tries to ensure it can withstand, respond to and recover from cyber attacks. This has required banks to do regular work on how they would respond to attacks and maintain vital services.

However, the threat level has now increased and both Michaux and Kukreja talk of the need for “resilience” in companies – requiring a new level of preparation and response to cyber threats, an ongoing assessment of links with suppliers and business partners, including software suppliers, and where this can create vulnerabilities, and serious consideration of how a business can maintain vital operations if an attack does happen. “The annual business continuity review will no longer cut it,” according to Kukreja.

In turn, companies will rely on the ability of third parties who supply their systems to “patch” them at a much greater speed. With AI driving attacks, companies will need to use the technology to respond, says Michaux of KPMG. “AI has moved the lens”, she says, and companies need to consider their ability to respond at the required speed.

Resilience needs to be engineered and regularly checked, says Kukreja of EY, and companies need to consider what their minimal viable operational state is if an attack is successful. Both also talk about the need for wider consideration across industry groups and at a national level.
A key fear is that AI tools could take down vital parts of the national infrastructure, possibly by attacking multiple areas at once.

As the technology spreads, consumers will also have to be on their guard against increasingly sophisticated attacks. AI is allowing “hyper personalisation”, says Michaux, with previously clunky spam text messages now turning into much more plausible attempts based on your personal circumstances, as AI allows different pieces of information to be put together. Safety requirements on the public – and employees – by the systems and services they use are also going to increase. More serious disruption will be an ongoing threat. Anthropic’s programme is just one of the early shots in the coming cyber security wars.
Forget the scam phone texts – cyber attacks are about to move to a whole new level
If you haven’t heard of Claude Mythos Preview and Project Glasswing you soon will













