Attacks on Your Business Just Got a Price Tag

Something strange happened with the release of Anthropic's newest AI model a couple of weeks ago. They didn't release it. Mythos is apparently so capable at finding security holes that Anthropic kept it to themselves and a handful of critical software vendors, giving them a head start to patch things up before it leaked into the wild.

A few days ago we got the first independent look at what Mythos can actually do. The UK's AI Security Institute ran it against a 32-step corporate network attack simulation, something they reckon takes a skilled human around 20 hours to complete. Mythos walked the full path from reconnaissance to total takeover three times out of ten. No other model managed it at all.

The interesting number is the cost. Each attempt came in at about $12,500 in compute. Ten attempts, $125,000. And the researchers noted no signs of diminishing returns. The more budget they threw at it, the further it got.

Attacks Now Have a Price Tag

For decades, attacking a business meant you needed an attacker. Someone with time, skill, and motivation. That's why "we're too small to bother with" was a reasonable, if shaky, hope for a lot of small businesses. The attacker's attention was the scarce resource.

That's not true anymore. An attacker doesn't have to sit at a keyboard picking your network apart. They hand a model a budget and let it run. The question shifts from "is my business interesting enough to attack?" to "is my business worth more than the attacker's compute bill?"

A single ransom payment of $200,000 justifies a lot of $12,500 attempts.

Your business now has a price on it. Probably in six figures.

"Too Small to Target" Stops Working

This is where most owners get caught out. Mass scanning isn't new. Every public IP on the internet gets poked at around the clock. The difference now is that the scans are followed up. Previously, most of those hits turned up noise that wasn't worth a human's time to chase. Now a model can chase every promising signal for hours at a stretch, without anyone needing to approve the time spent.

Your 40-person firm in Sydney was probably safe when a person had to decide you were worth breaking into. Once that decision is automated and cheap, you become one of millions of affordable targets.

Defence Needs to Be Continuous

If attackers are limited by compute spend rather than attention, the same calculus applies on the defence side. A penetration test every couple of years was never really enough, and it's certainly not enough against a budget that grows every time someone decides your data is worth ransoming.

We've written before that security is a process rather than a state, and that's still the shape of it. If the Mythos results hold up, the process needs to run more or less continuously: alerts being watched in real time instead of piling up, patching on a schedule rather than whenever someone remembers, backups that have actually been restored at least once so you know they work, staff trained on the phishing that's hitting inboxes now rather than the phishing from three years ago. None of that is novel advice. Most of it has shown up in one form or another across dozens of posts on this site. But the cost of skipping any of it is going to climb fast.

Where an MSP Fits

The advantage of having a managed provider is that the cost of continuous defence gets spread across a lot of businesses instead of sitting entirely on yours. We run the monitoring across our client base, so you get the benefit of seeing what's hitting other businesses while it's still fresh. Patches go on, backups get restored, and when an alert fires, someone actually picks it up instead of letting the notification scroll past a screen nobody's looking at, which, you might remember, is exactly the gap FIIG Securities got fined $2.5 million for.

Good security still looks about the same as it did last year. Attacking the businesses that haven't bothered with it, though, is getting a lot easier and a lot cheaper. Attackers who used to need years of experience now just need a credit card and some patience, and the businesses still standing in a few years will be the ones that scaled their defence spend accordingly.

We've been looking after Sydney businesses for over 20 years. If you want to talk through where your defences sit in all of this, get in touch. No sales pitch, just a straight conversation.


Jamie Wilson, Founder
