Japan Orders Cybersecurity Overhaul Amidst Skepticism Over Anthropic’s 'Mythos' AI
Japanese Prime Minister Sanae Takaichi has ordered a national cybersecurity review in response to the emergence of Anthropic’s "Mythos" AI model, even as industry experts dismiss the tool's capabilities as largely marketing-driven.

Japanese Prime Minister Sanae Takaichi has ordered a cabinet-level review of the nation’s cybersecurity strategy, citing concerns that advanced AI models like Anthropic’s "Mythos" could be weaponized to accelerate attacks on critical infrastructure The Register. The directive, issued during a Tuesday cabinet meeting, tasks cybersecurity minister Hisashi Matsumoto with assessing the government's ability to detect and remediate vulnerabilities, while establishing a framework to ensure private sector infrastructure operators can do the same The Register.
The government's urgency stems from fears that frontier AI models—which Anthropic debuted in early April—could enable attackers to find and exploit security flaws at an exponential scale The Register. While the Japanese government views this as a critical inflection point, the actual capabilities of Mythos remain a subject of intense debate among security researchers. Some experts argue that while the model can identify bugs quickly, it does not necessarily uncover vulnerabilities that would remain hidden from human researchers or existing open-source tools The Register.
The skepticism surrounding Mythos was recently amplified by Daniel Stenberg, the creator of cURL, who described the hype surrounding the model as "primarily marketing" rather than a genuine security breakthrough The Register. Stenberg, who gained access to a Mythos scan of the cURL codebase through the Linux Foundation’s Project Glasswing, reported that the model identified only a single confirmed vulnerability. Of the five "confirmed security vulnerabilities" initially reported by Mythos, three were dismissed as false positives related to existing API documentation, and one was categorized as a simple bug The Register.
The lone confirmed vulnerability identified by Mythos is a low-severity issue, which the cURL team plans to address in the upcoming version 8.21.0 release in late June The Register. Stenberg noted that while Mythos provided well-written explanations for several non-security bugs, it failed to demonstrate any performance advantage over other AI-driven tools like AISLE, Zeropath, or OpenAI Codex Security. These existing tools have already facilitated between 200 and 300 bug fixes in the cURL project over the past 8 to 10 months, including over a dozen confirmed CVEs The Register.
Despite the underwhelming performance in real-world testing, the global regulatory response to AI-driven security threats continues to grow. Beyond Japan’s cabinet-level review, other international regulators—including India’s securities authority—have begun ordering similar security audits for the organizations they oversee The Register. These initiatives reflect a broader, ongoing trend where governments are attempting to reconcile the rapid evolution of AI-assisted vulnerability research with the need to protect critical infrastructure from potential automated exploitation The Register.