ByESTI PESHIN

When I turn on my kitchen tap, I do not think about cholera; I assume the water is clean. This assumption is the product of an invisible system - reservoirs, filtration, chlorination, pressure monitoring, and a regulator that can shut the whole thing down if a sample fails. Safety is engineered upstream so that you get clean water without even thinking about it.r

We have never had anything like that in cybersecurity. The Internet, our mobile networks, and the software and applications we develop and use - were all built on the opposite assumption. Security is something each organization is expected to bolt on afterward, at its own expense, with its own people, hoping its competitors and adversaries are no more diligent than it is.

In this analogy, the water has always come out of the tap unfiltered, and we have been told to boil our own water.

A development at the AI company Anthropic over the past two months suggests, for the first time, that the tap-water model might be within reach for cybersecurity. It also suggests why getting there is genuinely dangerous. Executives need to understand both halves of this sentence.

Anthropic, an AI safety and research company, has dedicated teams to rigorously stress-test their models for potential risks and to design protective safeguards, but these defenses often remain fragile.
Anthropic, an AI safety and research company, has dedicated teams to rigorously stress-test their models for potential risks and to design protective safeguards, but these defenses often remain fragile. (credit: SHUTTERSTOCK)

What Anthropic did

In April, Anthropic disclosed that it had built a frontier model, Claude Mythos Preview, capable of autonomously finding previously unknown software vulnerabilities (zero-days) and writing working exploits for them. This is not an incremental improvement on the vulnerability scanners your security team already uses. The model has reportedly found flaws in every major operating system and web browser, including bugs that were undiscovered for decades.

Anthropic chose not to release Mythos to the public. Its reasoning was blunt. A tool that can find and exploit weaknesses in the world’s major software at scale is as useful to an attacker as to a defender, and the world’s critical software is not yet hardened enough to survive that capability being handed to everyone.

Instead, the company launched Project Glasswing - a controlled program giving Mythos Preview to a vetted set of partners so they could find and fix vulnerabilities before the capability proliferates. The initial cohort of roughly 50 included AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and the Linux Foundation. On June 2, Anthropic expanded it to around 150 more organizations across more than 15countries, deliberately adding sectors that had been absent - power, water, healthcare, communications - alongside the maintainers of open-source code that millions of other systems silently depend on. The selection criterion is important: a successful attack on each partner’s code could affect more than 100 million people.

In the first weeks alone, partners used Mythos Preview to identify more than 10,000 high- or critical-severity vulnerabilities in the world’s most systemically important software.

Mythos and Fable: the same brain on two different leashes

Here is the part most relevant to the tap-water question.

Mythos is one of two models in a new top capability tier Anthropic calls Mythos-class, sitting above its public Opus models. The second member is Claude Fable. Fable and Mythos share the same underlying model. What separates them is governance. Fable ships with extensive additional safeguards designed to block its most dangerous outputs, which is why it can theoretically be released publicly. Mythos - the unleashed version - is held back precisely because those safeguards cannot yet be made both strong enough and precise enough to allow safe general release.

That asymmetry is the entire story. We now possess the engineering capability to filter the water. What we do not yet have is a filter we trust enough to put on every tap.

This is not abstract. On June 9, Anthropic released the first public models in this top tier: Claude Fable 5 for everyone and Claude Mythos 5 for Glasswing partners only. The two share one underlying model. What sets Fable apart is a set of safeguards that wall off its most dangerous cyber and biotechnology capabilities.

Within three days, the filter sprang a leak. We will return to what happened, because it is the most instructive event in this entire story.

Why this points toward ‘potable’ infrastructure

The optimism is real. For the first time, the bottleneck in security has moved. Anthropic’s own framing is striking. Progress used to be limited by how quickly we could find vulnerabilities. Now it is limited by how quickly we can verify, disclose, and patch the enormous number of flaws the model surfaces.

That’s a profound shift. It means the dream of an inherently secure infrastructure is no longer science fiction. Glasswing partners are already using the model to find flaws, write the patches, and prevent flaws from appearing in the first place. Mozilla alone reported resolving hundreds of vulnerabilities this way. If that capability can be safely generalized, the Internet, 5G cores, operating systems, and the open-source supply chain could, over years, become something closer to treated water: cleaned upstream, before it reaches your organization’s tap.

The filter sprang a leak

Three days after Fable 5 went public, Anthropic disclosed that the safeguards separating it from its dangerous twin had been compromised. Its own reading is that someone found a way to jailbreak the model, coaxing out the very capabilities Fable was built to suppress. In tap-water terms, the contaminant had slipped past the treatment plant.

What happened next is the part executives should study. On June 12, the US government issued an export-control directive, citing national security authorities, ordering Anthropic to suspend access to Fable 5 and Mythos 5 for all foreign nationals, including the company’s own foreign-national employees. To comply, Anthropic disabled both models globally, for everyone, including paying enterprise customers. Sessions now fail or fall back to older models. 

For any organization that had begun building on Fable, the lesson is stark. A capability you depend on can vanish overnight, not because the vendor failed or discontinued the capability, but because the relationship between a frontier lab and a national government broke in a way you had no visibility into. The water was shut off at the main.

Bottled water was also found to be such that contains more particles compared to tap water or filtered water
Bottled water was also found to be such that contains more particles compared to tap water or filtered water (credit: SHUTTERSTOCK)

The risk executives must not look away from

The tap-water analogy also contains a warning. Treated water depends on a closed, regulated system. The danger arrives the moment anyone can build their own treatment plant, or their own poison plant, in a garage.

Anthropic has been explicit about the clock. It expects that within six to 12 months, other AI developers will have Mythos-class models, and some may release them without any of the safeguards that distinguish Fable from Mythos. In that world, the same capability now being used by 200 vetted organizations to defend critical infrastructure becomes available to ransomware groups and hostile states to attack it, cheaply, quickly, and in forms our current defenses have never seen.

This is the strategic reality executives should be absorbing now:

  1. The defender’s window is open but closing. Glasswing is essentially a race to patch the world’s critical software before the offensive version of this capability proliferates. Organizations that are not already modernizing legacy code, eliminating known-vulnerable dependencies, and accelerating their patch cycles are losing an advantage.
  2. The bottleneck is now organizational. If the constraint is how fast you can verify and deploy patches, then your patch-management maturity and your ability to act on a disclosure in days rather than quarters are now frontline security controls. A flood of newly discovered vulnerabilities is worthless to a defender who cannot move.
  3. Concentration and governance are themselves risks. The capability to secure, or breach, the world’s infrastructure sits with a handful of AI labs operating their own filtration plants by their own rules, subject to government interventions that can arrive without warning or explanation. The latest events prove this is not hypothetical. A single directive removed a major model from every customer worldwide in an evening. The question of who runs the water utility, and under which rules, now has a partial and unsettling answer. A lab and a government, negotiating in private, with the rest of us downstream.

So, can we hope for cybersecurity as dependable as tap water? For the first time, yes, the engineering exists. However, the latest events were a reminder that clean water never came from better pipes alone. It came from public-health institutions, standards, enforcement, and the hard-won trust that the supply will be there tomorrow. The technical breakthrough is here. The institutions and the governance are not yet here.

For executives, the task is threefold: assume that the water is about to get cleaner, but far more easily poisoned; build the internal speed and discipline to benefit from the first before being caught by the second; and never let a capability you cannot replace become a single point of failure, because the entity that can switch it off may not be your vendor, and may not ask first.