
What Mythos Reveals About Why Cybercrime Is Winning

  • Writer: Christiane Wuillamie
  • May 27
  • 7 min read



Finding Every Vulnerability Doesn’t Help If the Burglars Never Go to Jail.

The new era of AI-powered vulnerability detection has exposed a harder truth: the real security crisis is not technical. It is legal, political, and a question of will.

In April 2026, Anthropic released Claude Mythos Preview to a select group of security partners as part of Project Glasswing. The announcement was quietly extraordinary. A single AI model had autonomously discovered thousands of previously unknown vulnerabilities across every major operating system and every major web browser, including flaws that had survived decades of human security review. Among the findings: a 17-year-old critical flaw in FreeBSD that could give an unauthenticated attacker full root access to any reachable machine running the NFS service. The model then developed working exploits for what it found, without human guidance, at a scale and speed no human team could approach.


Here at PYXIS Culture Technologies, we work at the intersection of culture and technology, and when we encountered the Mythos findings, we reacted with equal parts amazement and concern. We are not troubled by the technology. We are troubled by what the technology reveals about the world it operates in.

Mythos is not the problem. Mythos is the mirror.

The Whack-a-Mole Economy

More than 99% of the vulnerabilities Mythos has already discovered remain unpatched. Let that number sit for a moment. The AI has done its job. The gap is not detection. The gap is remediation capacity and, more fundamentally, the asymmetry of the game being played.


This is the cybersecurity version of whack-a-mole, played on a machine with a thousand holes and a mallet built for ten. The median time from vulnerability discovery to weaponized exploit has already collapsed from 771 days in 2018 to under four hours in 2024, and analysts project that by the end of 2026 the window will be under one hour. Mythos, for all its brilliance, accelerates the rate at which the field of targets grows: every flaw it surfaces is a hole that must be patched before that window closes.

Defenders must plug every hole. Attackers need only find one. That asymmetry has never been more brutal than it is today.

At the same time, global cybercrime damages have surpassed $10.5 trillion annually, a figure that now ranks cybercrime as the third-largest economy on earth, trailing only the United States and China. Organizations are spending $240 billion a year on cybersecurity in 2026, a 12.5% increase over 2025. Ransomware payments have risen 500%, with average payments now reaching $2 million per incident. The legitimate cybersecurity industry is growing. Cybercrime is growing faster.

We are not winning the cybercrime war. We are funding an increasingly sophisticated and profitable criminal industry.

The Legal Cage We Built for Ourselves

Here is where the conversation becomes genuinely uncomfortable and where corporate boards and leaders have abdicated their responsibility to lawyers and IT departments.

Under the Computer Fraud and Abuse Act (CFAA), the primary US federal statute governing cyber conduct, accessing or damaging someone else's computer without authorization is a crime, and the statute makes no exception for a victim acting against its attacker. That effectively prohibits private companies from active countermeasures: no hacking back, no pursuit into the attacker's infrastructure, no disruption of it. Nothing in the law stops a company from hardening, monitoring, or deceiving intruders inside systems it owns; the moment it reaches into systems it does not own, it becomes the criminal. The law designed to protect systems applies with equal force to the victim.

For decades, the safe harbor for companies has been: detect, report, patch, and hope law enforcement handles the rest. But law enforcement cannot handle the rest, because the rest lives in Moscow, Beijing, Pyongyang, and Tehran, and the United States has no extradition treaty with Russia, China, North Korea, or Iran.

Even when cybercriminals are identified and indicted, they remain effectively untouchable.

Operatives connected to Russian intelligence walk free because they are the sons of Duma members. Convicted cryptocurrency launderers are traded back in prisoner swaps. The most sophisticated ransomware gangs are protected by the implicit or explicit endorsement of the states that host them.

Cybercriminal gangs operate in plain sight, sheltered by states that have calculated that the theft and disruption are worth the diplomatic friction.

The Budapest Convention on Cybercrime theoretically requires signatories to prosecute offenders who refuse extradition, but Russia and China are not signatories, and even among those that are, the enforcement gap is vast. We have a global legal architecture built for a pre-digital age of physical borders, sovereign territory, and visible crimes. Cybercrime fits none of those categories, and our legal frameworks have not caught up.

A recent US cyber strategy shift, funded through the One Big Beautiful Bill Act, allocated $1 billion for offensive cyber operations while simultaneously cutting $1.2 billion from civilian defensive budgets. More offense, less defense. But those offensive tools remain in government hands, not available to the private sector, and CISA, the primary body defending civilian networks, has seen its workforce reduced by roughly one third. The strategy is contradictory. The burden falls asymmetrically on the private sector.


Defense Alone Is a Losing Strategy

The C-suite needs to internalize this: no amount of defensive investment will solve a problem that is fundamentally a law enforcement and international diplomacy failure.

Boards are right to invest in detection, zero-trust architecture, incident response, and AI-assisted vulnerability discovery of the kind Mythos demonstrates. Those investments are necessary. But they are not sufficient.

Imagine running a business in a city where the police could not arrest anyone committing a crime who lives outside the city limits, and the criminals know it. You would add locks. You would hire security. You would install cameras. And every morning, you would find that the criminals had adapted and were back. That is the environment in which every enterprise CISO currently operates.

If the current trajectory holds, global cybercrime damages will approach $20 trillion by the end of this decade.

The numbers make the point bluntly. Cybercrime costs are growing exponentially while cybersecurity spending grows linearly. No industry, no government, and no technology can build its way out of that gap from the defensive side alone.

A Call for a More Forceful Conversation

The technology, as Mythos demonstrates, is increasingly capable.

What is lagging is the will, at every level of governance, to treat cybercrime with the same seriousness we would apply to any other form of organized, international theft at this scale.

First, private sector legal standing needs to be revisited. The absolute prohibition on any form of active response by private parties deserves serious legislative reconsideration. This does not mean endorsing reckless retaliation. It means creating carefully defined frameworks in which companies with the capability and evidence can participate in the coordinated disruption of criminal infrastructure, as Microsoft's Digital Crimes Unit has done through court-authorized seizures of botnet command-and-control domains.

The hack-back debate is no longer theoretical. It is urgent.

Second, international cyber law needs teeth. The Budapest Convention is inadequate. A successor framework that creates binding prosecution obligations with real enforcement mechanisms and that isolates nations that actively harbor criminal organizations is overdue.

Diplomatic and economic pressure on safe-haven states is not a technology problem. It is a political will problem.

Third, attribution and sanctions need to be faster and more costly. The current timeline from attack to attribution to sanction to any tangible consequence is measured in years. In that time, criminal organizations evolve, rebrand, and strike again. The speed of the threat must be matched by the speed of the legal response.

We have the most powerful vulnerability detection tools in history. What we lack is the legal architecture to pursue the people exploiting those vulnerabilities. That is a choice, not an inevitability.

Fourth, boards need to stop treating this as an IT department problem. Cybersecurity is now a geopolitical and economic risk category at the level of trade policy and regulatory compliance. Directors who cannot speak to the legal and diplomatic dimensions of cyber risk, not only the technical dimensions, are not adequately governing their organizations.

It's Choice Time

The Mythos announcement was a milestone.

It demonstrated that AI can now surface vulnerabilities at a scale and depth that fundamentally changes the security landscape. The PYXIS view is that this milestone makes the underlying policy failure more urgent, not less. We now have tools capable of identifying the open doors. We still lack the legal authority to pursue the criminals walking through them.

The choice is not between good security and bad security. The choice is between continuing to lose trillions of dollars annually to an organized criminal ecosystem operating with near-total impunity, or demanding the legal and diplomatic reforms that would allow the private sector and governments to actually go on offense. Technology has done its part. It is time for the law to do its.

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience.

By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between people, process, and technology.

The PYXIS approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create performance and risk challenges and provide effective solutions you can immediately implement.

  • We link organizational culture to business and financial metrics, demonstrating clear ROI from strengthening alignment and performance.

Connecting the dots

If the ideas above resonate with what your organization is facing, it may be worth exploring what a structured diagnosis of your cybersecurity culture would reveal.

About the Author

Christiane Wuillamie OBE is an advisor to senior leaders on cybersecurity culture and IT transformation.

She has decades of experience advising boards and executive teams across Fortune 500 and FTSE 250 organizations. Christiane is a successful entrepreneur and business executive who founded a pioneering IT services company and grew it 100% year on year into a multimillion-pound enterprise, achieving a successful trade sale in 2001. Christiane’s passion is blending technology, agile tools, and cross-functional business processes with culture change to drive business transformation projects that deliver greater business agility, speed to market, and a significant competitive advantage.
