Anthropic built an AI model so capable at hacking that it won’t release it to the public.

Claude Mythos: an unreleased frontier model: has already found thousands of high-severity vulnerabilities in every major operating system and web browser. It can chain small flaws across millions of lines of code into massive exploits, outperforming all but the most skilled human security researchers.

So Anthropic formed Project Glasswing: a coalition of Amazon Web Services, Microsoft, Apple, Google, Cisco, NVIDIA, and a handful of others who get exclusive access to use Mythos for defensive testing. The idea is to find the holes before the bad actors do.

Australian banks and infrastructure providers aren’t in the coalition. And Australian small businesses? They don’t factor into the conversation at all.

Why this matters for your business

The threat isn’t that someone will use Mythos against your café or plumbing business. The threat is what comes after.

AI hacking tools don’t stay exclusive for long. The capabilities that make Mythos dangerous: finding vulnerabilities at scale, chaining them together, writing exploit code automatically: will be in the hands of criminal groups within months or years, not decades. Alastair MacGibbon, former national cyber security adviser, called the speed of this cycle “staggering.”

When that happens, the big end of town will have tested their defences using AI. Your business won’t have.

Small businesses are already the preferred target for cybercriminals. They hold valuable data (customer records, payment details, supplier contracts), they often run outdated software, and they rarely have dedicated security staff. AI-powered attacks make the economics even more lopsided: it costs almost nothing to scan thousands of small business websites for vulnerabilities simultaneously.

What you can actually do right now

You can’t access Mythos. You can’t afford a security team. But there are practical, affordable steps that close the most common gaps.

Use software that gets security updates. Running WordPress, Xero, or any cloud tool that updates automatically is meaningfully safer than software you maintain yourself. Keep everything current.

Turn on multi-factor authentication everywhere. Email, accounting software, your website admin, social media. This single step blocks the majority of account takeover attacks. It takes ten minutes per account.

Know where your data lives. If you store customer data, know which tools hold it and whether those tools are covered by Australian privacy law. Our guide to AI tools with Australian data residency is a useful starting point.

Back up your data offline. Ransomware attacks encrypt your files and demand payment to restore them. A recent offline backup: external drive, not just cloud: means you can recover without paying.

Check your cyber insurance. Many small business insurance policies now include basic cyber coverage. If yours doesn’t, it’s worth asking your broker. Premiums are lower than most people expect.

The bigger picture

Project Glasswing is a useful development: major tech companies pooling resources to find vulnerabilities before criminals do is better than the alternative. But it’s a reminder that the AI security conversation is happening at a level that excludes most Australian businesses.

The Australian Signals Directorate publishes the Essential Eight: a practical framework designed for exactly this kind of threat. It’s free, it’s written for Australian organisations, and most small businesses haven’t looked at it.

That’s the gap worth closing.

📬 The SmallBizAI Brief

One practical AI tip for Australian small business. Every Tuesday. Free.

Join business owners getting smarter about AI every week.

Subscribe free →