Mythos and the Utility Industry: Detection Without a Patch Path
Special edition — June 6, 2026
Anthropic has built a frontier model that can find and chain industrial-grade vulnerabilities, and stood up Project Glasswing — now around one hundred fifty organizations across critical infrastructure — to gate its use. The detectors and hyperscalers are inside the consortium. The equipment OEMs whose firmware is the actual attack surface for the bulk electric system — SEL, ABB, Siemens, Schneider Electric, GE Vernova — are, with a single Hitachi-shaped exception, conspicuously silent. This episode argues the load-bearing question for the grid is not who has access to Mythos; it is what happens between a Mythos finding and a patched protective relay, and the corpus says that pipeline has not been built.
In this episode
- Glasswing as it actually is. Twelve founding members and roughly one hundred fifty additional organizations, dominated by hyperscalers, security vendors, hardware platforms and one bank — and what that composition does and does not solve.
- The Hitachi exception, and the silence around it. Hitachi's June 5 commitment to deploy Mythos through its Cyber Center of Excellence is the only major grid-adjacent OEM on record; SEL, ABB, Siemens, Schneider Electric and GE Vernova have said nothing publicly.
- What Mythos actually demonstrated. UK AISI confirms strong IT-layer capability and partial multi-stage attack completion — and a failure to complete the OT-themed "Cooling Tower" range that academic researchers independently corroborate.
- The patch path the corpus actually documents. Seventy percent of OT assets vulnerable, fewer than thirty percent patchable on IT timelines; no major ICS vendor on a monthly cycle; CISA advisory coverage falling from fifty-eight percent of known OT CVEs in 2024 to twenty-two percent in 2025.
- NERC and FERC caught up — to the IT-side governance, not the firmware pipeline. Virtualization rule, CIP-003-9 enforceability, cloud standards on the Roadmap; AI in the control environment is now CIP-scoped whether anyone wrote an AI standard or not.
- The operator's blind spot and the EO's gesture toward it. The June 2 executive order names rural hospitals, community banks and local utilities as beneficiaries but routes them through a discretionary trusted-partner mechanism likely to concentrate access among large incumbents. Equity, if it lands, lands in the grant pathway.
- The contrarian beats the episode keeps. Jaya Baloo's claim that open-source ensembles replicate Mythos findings; Dragos's four-percent active-exploitation rate against patch-everything urgency; ProMarket's Sherman Act Section One argument; AI-hallucinated CVE reports flooding triage; Mythos seeking privilege escalation against its own sandbox.
Sources & References
Anthropic primary documentation
- Anthropic Mythos Preview Red Team Report
- Anthropic Mythos System Card (PDF)
- Anthropic Project Glasswing program page
- Anthropic Responsible Scaling Policy v3
Independent capability evaluation and critique
- UK AI Safety Institute — Evaluation of Claude Mythos Preview's cyber capabilities
- arXiv preprint 2603.11214v2 — Frontier model cyber benchmark
- Berkeley RDI — Frontier AI Impact on Cybersecurity
- International AI Safety Report 2026
- VulnCheck — Independent CVE analysis of Anthropic/Glasswing attribution
Project Glasswing — coverage and analysis
- ASIS Security Management — Project Glasswing (April 2026)
- Cybersecurity Dive — Glasswing critical-infrastructure expansion
- Security Week — Mythos detects 23,000 potential vulnerabilities across 1,000 OSS projects
- Hitachi press release — Joining Project Glasswing (June 5, 2026)
- HPCwire — Anthropic unveils Project Glasswing (April 9, 2026)
- Forrester — Project Glasswing: the 10 consequences nobody's writing about yet
- ProMarket / Stigler Center — Antitrust risks of Project Glasswing
- Cloud Security Alliance — Mythos Ready (April 2026, PDF)
- KuppingerCole — What the Mythos system card means for cybersecurity and IAM
Industry implementation — production-AI security testing
- Palo Alto Networks — Defenders' guide to frontier AI impact (May 2026)
- Broadcom / Symantec — Frontier AI security models code testing results
- The Hacker News — How AI hallucinations are creating real CVE-handling problems (May 2026)
- SPIE — Assurance and Security for AI-Enabled Systems conference
OT threat landscape and adversary activity
- Dragos — 2026 OT Cybersecurity Year in Review (press release)
- Industrial Cyber — Three new OT threat groups tracked by Dragos
- CISA / NSA / FBI joint advisory — PRC Volt Typhoon US critical-infrastructure compromise (Feb 7, 2024, PDF)
- Ampyx Cyber — Volt Typhoon and the quiet pre-positioning of the US power grid
- Industrial Cyber — IISS notes Volt Typhoon's disruptive intent beyond espionage
ICS advisory landscape and OT patching reality
- Forescout — ICS cybersecurity in 2026: vulnerabilities and the path forward
- ICS Advisory Project — community CISA advisory metadata
- Cyber Leveling — ICS Patch Tuesday May 2026 (Siemens advisory wave)
- Schneider Electric Security Notifications portal
- ABB — Relay firmware update release documentation
- Industrial Defender — How to overcome OT vulnerability and patch management challenges
- RunSafe Security — OT patch management alternatives
NERC CIP, FERC and federal policy
- Industrial Cyber — FERC approves CIP virtualization standards (March 2026)
- Tenable — Preparing for CIP-003-9 compliance deadlines 2026
- NERC CIP Roadmap (January 12, 2026, PDF)
- Ampyx Cyber — NERC's CIP Roadmap and the future of grid cybersecurity
- WilmerHale — New executive order on early government access to frontier AI (June 2, 2026)
- Wiley Law — New AI executive order on frontier models and cybersecurity vulnerabilities
- Morgan Lewis — Executive order promotes public-private cooperation on AI innovation and security
- GrantedAI — White House AI EO, OMB grant redirection, and the rural-hospitals strategy
- Meserole congressional testimony — House Homeland Security (June 4, 2026, PDF)
- Idaho National Laboratory — Adoption of AI in the Utility T&D Sector (Feb 2026, PDF)
Counterpoints and policy critique
- Jaya Baloo (COO, Aisle) — open-source ensemble replication of Mythos findings
- Safer AI — Anthropic's RSP update makes a step backwards
- Institute for AI Policy and Strategy — Responsible scaling research
- CyberScoop — AI autonomous cyber capability benchmarks broken: GPT-5, Claude Mythos