In April 2026, Anthropic published Claude Mythos Preview and quietly disclosed something that should reshape how every commercial firm thinks about cyber risk: in testing, Mythos identified thousands of previously unknown zero-day vulnerabilities across every major operating system and every major web browser. In over 83% of cases the model produced a working exploit on the first attempt. It found a 27-year-old vulnerability in OpenBSD — an operating system whose entire reputation rests on hardening.
Anthropic is rolling Mythos out under a controlled programme called Project Glasswing: around 40 institutions get early access, with a 90-day public report to follow. Over 99% of the discovered vulnerabilities haven’t been patched yet, which is why Anthropic isn’t naming them.
That’s the headline. Here’s what it means for your cyber insurance.
The threat model just changed
Until Mythos, finding zero-days was bounded by human talent and time. Skilled researchers, well-resourced state actors and a handful of criminal groups had the capacity, and the rate at which they could find and weaponise new bugs is what kept the long tail of the loss distribution finite.
A frontier model that can find and weaponise zero-days at scale removes that bound. The asymmetry (attackers need one vulnerability, defenders need to cover all of them) becomes structural. The patch window, the time between a fix being available and the vulnerability being exploited in the wild, compresses to days or hours.
Project Glasswing puts the defensive use of Mythos in the hands of 40 organisations. The offensive equivalent is going to be in the hands of every well-funded threat actor within a renewal cycle.
What this means for cyber insurance
Three things are already moving in the underwriting market:
1. Severity assumptions are being re-rated
The actuarial models behind cyber premiums assume a certain frequency of “catastrophic” loss events. Mythos-class capability raises the ceiling on what a single breach can cost — because exploitation becomes cheaper, faster, and broader. Carriers re-rating in 2026 are quietly raising loss-cost assumptions across the book.
For buyers, the math is straightforward: limits that were defensible a year ago need a fresh look.
2. “Failure to patch” exclusions are tightening
Most cyber forms already exclude loss arising from failure to apply known patches. As exploit weaponisation accelerates, that exclusion language is being expanded: narrower patching SLAs required as a condition of coverage, broader carve-outs for known-vulnerable software, and in some markets, SLAs and exclusions keyed to CVSS severity thresholds rather than a single flat window.
If your patch cadence is "we get to it within the quarter," your cover may not respond when it matters. Note that a true zero-day has, by definition, no patch to apply, so a failure-to-patch exclusion cannot bite until the vendor ships a fix; what is shrinking is the time you then have to install it before an exploit is in circulation.
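The practical check here is whether you can state, on any given day, which open findings are already outside the SLA your policy ties cover to. The script below is an added illustration, not part of the original article and not any carrier's wording: it evaluates a constructed set of findings against a hypothetical SLA table keyed on CVSS v3 severity bands (the day counts are assumptions for the example; substitute the ones in your form). It separates findings that have no vendor fix yet, which no failure-to-patch exclusion can reach, from findings that are open past the deadline or were patched after it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical SLA table: days allowed from patch availability to installation,
# keyed on CVSS v3 severity band. These numbers are assumptions for the
# example; the real ones come from your policy wording.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    patch_available: Optional[date]  # None = no vendor fix yet (true zero-day)
    patched: Optional[date]          # None = still unpatched


def evaluate(findings, as_of, sla=SLA_DAYS):
    """Classify each finding against the patching SLA as of a given date.

    Returns {vuln_id: (status, days)} where status is one of:
      'no_patch'     nothing to apply yet; a failure-to-patch exclusion
                     cannot bite, though exploitation risk is unchanged
      'in_sla'       patched inside the window, or the window is still open
      'out_of_sla'   still unpatched past the deadline (days = days overdue)
      'patched_late' fixed, but after the deadline (days = how late); a loss
                     dated inside that gap would still fall in the exclusion
    """
    result = {}
    for f in findings:
        if f.patch_available is None:
            result[f.vuln_id] = ("no_patch", 0)
            continue
        deadline = f.patch_available + timedelta(days=sla[cvss_band(f.cvss)])
        if f.patched is not None:
            late = (f.patched - deadline).days
            result[f.vuln_id] = ("patched_late", late) if late > 0 else ("in_sla", 0)
        else:
            overdue = (as_of - deadline).days
            result[f.vuln_id] = ("out_of_sla", overdue) if overdue > 0 else ("in_sla", 0)
    return result


# Constructed sample inventory; asset names and VULN-* ids are placeholders,
# not real hosts or CVEs.
AS_OF = date(2026, 5, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-1", 9.8, date(2026, 4, 10), None),
    Finding("web-02", "VULN-2", 9.8, date(2026, 4, 10), date(2026, 4, 15)),
    Finding("db-01", "VULN-3", 7.5, date(2026, 4, 1), date(2026, 4, 20)),
    Finding("app-01", "VULN-4", 5.3, date(2026, 4, 20), None),
    Finding("fw-01", "VULN-5", 9.1, None, None),
]


def run_sample():
    """Evaluate the constructed inventory as of AS_OF."""
    return evaluate(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for vid, (status, days) in run_sample().items():
        print(f"{vid}: {status}" + (f" ({days} days)" if days else ""))
```

The 'patched_late' bucket is the one most inventories miss: the system is clean today, but if a breach is later dated to the period between the SLA deadline and the actual fix, the exclusion applies to that loss. Run the evaluation with the as-of date set to the date of a suspected intrusion, not just to today.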
3. AI-discovery affirmative endorsements are emerging
A handful of carriers are now writing affirmative endorsements that explicitly cover loss arising from AI-discovered vulnerabilities — both your own use of AI-assisted security tooling and your exposure to AI-armed attackers. Premium for these endorsements is modest today. It won’t be modest for long.
What to do in the next 30 days
- Pull your current cyber form and read the patching language. Specifically: what’s the patching SLA tied to coverage? Does failure to patch within X days void cover for the affected system?
- Confirm the AI exclusion status. Is there an affirmative AI endorsement on your policy, a silent exclusion, or no language at all? Each has different implications.
- Re-test your limit adequacy. Limits sized to 2024 threat models almost certainly under-protect against 2026 severity.
- Talk to your broker about the markets pricing this thoughtfully. Some carriers are treating Mythos-era cyber risk as a step change. Others haven’t moved. The premium difference between them will widen.
Mythos isn’t a generic AI release. It’s a capability disclosure that changes how cyber loss is modelled, how policies are worded, and how high the limits need to go. The buyers who adjust early get cleaner cover at better pricing. The ones who wait will pay both more and later.