
The Emperor's Vanishing Clothes - Cybersecurity in the Age of Frontier AI

By Maninder Singh, Founder & CEO, ScruteX
An opinion piece by Maninder Singh, Founder & CEO, ScruteX
We all know the story. An emperor, two clever conmen, a suit of clothes "so fine that only the wise could see them." The emperor parades through the streets naked. The courtiers fawn. A child shouts the obvious.
Let me tell a different version.
Imagine the clothes are real. Beautifully tailored, expensive, the genuine article. The emperor wears them every day with complete confidence. Then one morning, without warning, they vanish. Mid-procession, in front of the entire kingdom, he is suddenly, visibly, undeniably exposed.
What does he do?
If he is sensible, he adjusts. He stops pretending. He lives in the new reality where his fabric defences are gone.
Now suppose he knew it was coming. He knew the clothes would one day disappear, and he could not stop it. My guess is that he would stop spending time with tailors and start spending it in the gym. He would build a body that could stand on its own, with or without the clothes.
That, in short, is where cybersecurity now finds itself.
The clothes are still on. For now.

The genie is already out

In April 2026, Anthropic announced Project Glasswing and gave around fifty hand-picked partners preview access to Claude Mythos, an unreleased frontier model. The partners included AWS, Apple, Microsoft, Google, CrowdStrike, JPMorgan Chase, and the Linux Foundation.
Within a month, Anthropic reported the initiative had surfaced more than 10,000 high- and critical-severity vulnerabilities. They spanned operating systems, browsers, cloud platforms, enterprise software, and open-source projects. Some were decades-old bugs that generations of expert reviewers had walked past.
Anthropic chose not to release Mythos publicly. That is the responsible call. But the genie does not care about responsible calls. The capability now exists. Other labs are building toward it. State actors and well-resourced criminals will not hold back on ethical grounds. Whether Mythos itself ever lands in a public API, or whether something Mythos-class arrives from a competitor first, the outcome is the same.
Here is what makes this moment categorically different from every previous shift in offensive tooling. Metasploit, automated scanners, ransomware-as-a-service: those gave attackers leverage. They compressed time. Mythos-class systems give attackers something else: patience and creativity at machine scale. A model that can sit in front of a codebase for a week and try a million plausible attack paths is a different category of opponent than anything we have planned for.
That reality became even clearer when Anthropic expanded Project Glasswing beyond its initial cohort. The company is now extending access to approximately 150 additional organisations across more than fifteen countries, including operators of critical infrastructure in healthcare, energy, communications, water, hardware, and other sectors where a single software vulnerability can have national-scale consequences. Every participant must meet strict security requirements before gaining access, but the broader signal is unmistakable: capabilities once confined to a small circle of elite technology companies are beginning to spread through the wider security ecosystem. Anthropic has argued that trusted defenders need a head start because comparable systems may become widely available within the next six to twelve months. Whether they emerge from competing frontier labs, open-weight releases, or actors with fewer safety constraints, the direction of travel appears clear.
The walls we built (perimeter firewalls, signature-based detection, the patch-quarterly-and-pray model) were designed for human attackers working in human time. They will not hold.

But won't defenders get the same tools?

This is the strongest objection, and it deserves a straight answer. Yes. They will.
In principle, the asymmetry could even favour defenders for the first time in a generation. The ground a defender has to hold is finite and, in theory, fully mappable. The attacker's space of possible attempts is not. The same machine-scale analysis that finds one way in can be turned around to find every gap first.
In practice, three things make me doubt the symmetry will play out evenly.
First, proliferation speed. A single Mythos-class jailbreak, or an open-weights model anyone can download and run, puts the offensive capability into anyone's hands overnight. The defensive equivalent needs budget approval, integration, training, and a procurement cycle that is still measured in quarters.
Second, the talent gap. The labs and the front-rank product companies will adopt fast. The long tail of mid-sized banks, hospitals, utilities, and local government will not.
Third, the arithmetic does not change. Defenders still have to succeed every time. Attackers still only have to succeed once. AI does not rewrite that. It just speeds it up.
The optimist's case is real, but it is a case for the few, not the many. For the median enterprise, the threat curve is steeper than the defensive curve, and it will stay that way for several years.

Time to build the body

Security frameworks are not a finish line. They are a defensible starting point, and the post-frontier-AI era is not going to grade us on compliance with a 2019 maturity model. With that in mind, a short list of what should already be on every CISO's whiteboard.
Lose the dead weight: shrink the attack surface. You cannot defend what you do not know exists, and the average enterprise has no idea how much of itself is exposed to the internet. Forgotten subdomains. Development environments left in storage buckets. SaaS accounts spun up by the marketing department two reorganisations ago. A Mythos-class system does not need to be clever to exploit those. It just needs to find them, and it is exceptionally good at finding them. Continuous external attack-surface discovery is the new asset inventory.
Build core strength: treat identity as the perimeter. Most breaches still start with a credential. Targeted phishing is no longer hypothetical: an AI can write a perfect, contextually relevant email to your CFO, in your CEO's writing style, on the day of your quarterly close. Password-plus-SMS is the security equivalent of leaving the front door unlocked because the neighbourhood feels safe. Phishing-resistant authentication (FIDO2 keys, conditional access, just-in-time privilege elevation) is the wall that actually matters now.
Segment ruthlessly. Flat networks are a gift to any attacker, AI-assisted or otherwise. Micro-segmentation where you can manage it, hard zone boundaries where you cannot. The goal is no longer to keep attackers out. The goal is to ensure that when they get in, they cannot move. Internal segmentation is the difference between a contained incident and a company-ending event.
Hunt yourself before they do. The annual penetration test was always a thin defence. Against a Mythos-class adversary that can probe your environment for a week at machine cost, an annual test is a snapshot from a world that no longer exists by the time it is read. The category that replaces it is CART (Continuous Automated Red Teaming): agentic systems that chain reconnaissance, exploitation, lateral movement, and privilege escalation against your live infrastructure the way a real adversary would. Continuously, not once a year for the compliance file. CART finds the gaps your architecture diagram says are not there, because agents reason and scheduled scanners and pen-test scripts do not. Either you run an agent that thinks like the attacker, or you accept that the attacker is running one against you.
Rehearse the bad day. Cyber resilience is what is left when prevention fails, and prevention will fail more often. That means backups that are immutable and actually tested. Incident response retainers signed before the incident, not during. A communications playbook that is not being drafted at 2am during a ransomware negotiation. If your last tabletop exercise was a PDF circulated for sign-off, that is not a programme. That is a folder.
Five things. Not nine. Not twenty. None of them are new. What is new is the urgency, and the loss of the comforting illusion that our walls are higher than they really are.

The emperor in the gym

I am genuinely, perhaps oddly, optimistic about this moment. We have been warned. The capability exists, the proliferation is predictable, and the defensive playbook is largely known. Most of what I have written above has been in the textbooks for a decade. What changes now is that we no longer have the option of skipping leg day.
The emperor whose clothes are about to vanish has a choice. He can keep parading in his finery, hoping nobody notices the fabric thinning. Or he can quietly, deliberately, start lifting some weights.
The clothes are coming off. Time to get in shape.

ScruteX runs continuous external attack-surface discovery and automated red teaming against your live environment, the way a real adversary would.
