This month’s briefing pays special attention to agentic AI security, as it has become a critical topic in the industry.
Cybersecurity News
Anthropic’s Claude Mythos Upends Cyber Risk Calculations
On April 7, Anthropic announced Claude Mythos, a frontier AI model it describes as so capable on cybersecurity tasks that the company chose not to release it to the public. Instead, Anthropic made Mythos available to a small group of technology and infrastructure companies through an initiative called Project Glasswing, Dark Reading reported.
Project Glasswing is described as “A consortium of some of the biggest software providers in the world who will endeavor to use the model for cybersecurity defense first, putting it to work on their software before adversaries can get a hold of the tool.”
What Mythos Means for Agentic AI Security
According to Anthropic’s own research, Mythos has already identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. Many of the bugs it found had survived decades of human review.
The oldest confirmed example was a 27-year-old flaw in OpenBSD, an open-source operating system appreciated for its integrated cryptography, that human reviewers had missed for years.
In separate testing, the UK AI Security Institute found that Mythos could execute multi-stage attacks on vulnerable networks.

Source: AI Security Institute, UK
The update “shows that rapid improvement on cyber tasks may be part of a more general trend,” the researchers said. “If cyber-offensive skill is emerging as a byproduct of more general improvements in long-horizon autonomy, reasoning, and coding, we should expect further increases in cyber capability from models in the near future, potentially in quick succession.”
Even Mythos May Have Limitations
However, experts who contributed to the Dark Reading article said fears of Mythos’ capabilities might be overblown.
“If you have a network appliance that’s got out-of-date firmware, a human can exploit that if they know how to do so,” said Cybersecurity Dive’s Eric Geller. “It’s not as if AI has created new forms of attack. It’s made it easier for more kinds of people with less knowledge to launch those attacks.”
Dark Reading’s Becky Bracken also mentioned that the Institute’s technical agentic AI security evaluation “found that maybe it’s not as potent [a tool] as they’re making it out to be.” Although the model is capable, researchers said the systems it was tested against were not well-defended to begin with, perhaps not “as well defended as even a mid-size organization would be.”
The Dual-Use Problem
What makes Mythos significant for financial firms isn’t just the model’s offensive potential. It’s also the speed at which those capabilities could shift the threat landscape.
In a recent article, the World Economic Forum noted that Anthropic’s decision to limit access reflects a broader shift in AI development. Constraints on deployment are now security-driven rather than commercial.
However, “This approach alone is not enough,” according to the WEF. “These capabilities are unlikely to remain confined to a single organization. Similar systems are expected to emerge across the industry, increasing the urgency for action.”
Anthropic itself warned that, given the pace of AI development, it will not be long before comparable capabilities spread to actors who may not use them responsibly. For investment firms and asset managers, that means vulnerabilities in their systems could surface faster than ever before, and potentially faster than organizations can patch them.
Remediating the issue will likely require applying agentic AI security technology defensively to protect systems and find vulnerabilities. Firms should consult with cybersecurity experts to determine their options.
CEO Warns That a Claude AI Agent Wiped Firm’s Database in Seconds
A CEO has gone public with a cautionary account of how an AI coding agent, powered by Anthropic’s Claude Opus 4.6, deleted his company’s entire production database and all of its backups in under 10 seconds, Cybernews reported.
A Permissions Error Leads to Deletions
The company, PocketOS, sells software that car rental businesses use to manage reservations and vehicle assignments. According to founder Jeremy Crane, the AI agent was working on a routine task when it encountered a permissions error.
The agent located an API token that had been created for a simple task but actually carried full access across the platform’s infrastructure, including the ability to execute destructive operations. Without warnings or safeguards, the agent used that token to delete a storage volume along with all of its associated backups.
After the deletion, the agent acknowledged it had violated its own operating rules. “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify,” the agent stated in its own post-incident output.
Crane noted that Railway, the API platform involved, subsequently helped restore the data within an hour and placed additional safeguards on its API.
The Identity Problem at the Core
Cybersecurity professionals who commented on the incident pointed to a deeper systemic issue. Aarron Rose of Check Point said the incident reflects an industry problem in which AI capabilities are advancing faster than the access controls designed to manage them.
“An AI agent operating in your production infrastructure is not a tool, and it is not a service account,” Rose said. “It is a new kind of identity, one that thinks rather than executes, and one that requires its own discrete account, its own least privileged entitlements, its own behavioral baseline, and its own real-time audit trail.”
Darren Guccione, CEO of Keeper Security, added that behavioral safeguards such as instructions or prompts are insufficient for agentic AI security if an agent can access credentials: “If an agent can locate a token and call a delete function, it effectively has privileged access.”
Still, some commenters noted that the company might share some of the blame for the error. They said the system “relied on unsafe assumptions about permissions, access, safeguards, and backups, while overestimating the model’s ability to self-regulate.”
U.S. Government Agencies Release Zero Trust Guidance for Operational Technology
A multi-agency working group led by the Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance on applying zero trust principles to operational technology (OT) environments, Infosecurity Magazine reported. The publication, Adapting Zero Trust Principles to Operational Technology, is aimed at security practitioners and OT operators.
IT Security Doesn’t Translate Directly to OT
The publication’s central argument is that traditional IT security approaches cannot be applied directly to OT because industrial environments prioritize continuous operation and physical safety over flexibility. Legacy systems, limited visibility, and strict availability requirements create constraints that standard zero trust implementations don’t account for.
The agencies describe OT environments as an expanding target. Adversaries are exploiting weak segmentation, compromised credentials, and supply chain vulnerabilities to move from IT networks into OT systems. Malware families such as CrashOverride and BlackEnergy have demonstrated the ability to disrupt physical processes, while living-off-the-land techniques allow attackers to blend into normal operational traffic.
Practical Guidance for a Complex Environment
The guidance recommends a layered approach that includes the following steps:
- Establish comprehensive asset inventories using passive monitoring
- Enforce network segmentation and microsegmentation to limit lateral movement
- Implement identity and access controls adapted to legacy systems
- Secure remote access through jump hosts and multifactor authentication (MFA)
- Integrate supply chain risk management into procurement decisions
The agencies conclude that zero trust adoption in OT is about improving resilience through informed, context-aware decisions, rather than eliminating risk entirely.
Cybersecurity Tips
4 Ways to Prepare for the Future of Agentic AI Security
Security operations centers (SOCs) are already incorporating agentic AI security for tasks like alert triage, data correlation, and initial containment. According to a report by CSO Magazine, the harder question is how to prepare for the next phase, when AI agents begin taking on incident investigation, root cause analysis, and autonomous response.
1. Reskill Analysts to Work Alongside Agentic AI Security Measures
Human roles in the SOC are shifting from hands-on execution toward supervision, oversight, and handling the cases AI cannot resolve. According to Dov Yoran, co-founder and CEO of Command Zero, “Junior analysts who might not know how to start an investigation from scratch can become effective by learning how to extend and refine what the agent produced.”
“It’s a different skill set from traditional SOC work, and in many ways, a more accessible one.”
The critical new competency is what Ensar Seker, CISO at SOCRadar, describes as “adversarial review.” Using this concept, “adversarial reviewers” must understand how AI models reason, where they fail, and how to interrogate their conclusions.
“The goal isn’t to ‘trust AI faster,’ but to develop the instinct to ask: What would make this conclusion wrong?” Seker said.
2. Build Governance and Content Engineering Capabilities
Agentic AI in the SOC requires more than just reskilled analysts. Organizations need dedicated roles for what Yoran calls “content engineering,” the work of building and maintaining the investigation plans, questions, and knowledge bases that AI agents actually use to reason and act.
“This isn’t traditional security engineering,” Yoran noted. “It’s closer to knowledge management combined with threat intelligence.”
Separately, IDC analyst Frank Dickson highlighted the need for an orchestration platform engineer role. This role would be responsible for ensuring that the SIEM, EDR, SOAR, identity, cloud, and other security systems in a firm’s environment can communicate and operate together effectively as agentic workflows become more complex.
3. Redesign Playbooks for Agentic AI Security
Traditional SOC playbooks were written for human analysts following step-by-step procedures. Seker argues that playbooks must shift to intent-based guardrails.
In other words, they must define what outcomes are allowed, what actions are prohibited, and when human approval is required. Metrics need to change, too. Yoran cautions against optimizing for speed at the expense of investigation quality.
“An incomplete investigation that closes in two minutes isn’t better than a thorough investigation that takes 30 minutes,” he said.
Auditability becomes equally important. Any AI-driven decision that cannot be explained to a regulator or executive should not be permitted in the first place.
4. Establish Guardrails and Principles for Autonomous Action
Formal guardrails for agentic AI security are critical in any SOC where AI agents can initiate responses or influence decisions. Key areas include:
- Setting approval thresholds for autonomous actions
- Defining what agents are and are not permitted to do
- Testing agentic workflows against prompt injection attacks
- Ensuring Incident Response (IR) policies reflect the reality of AI-driven actions
Dickson noted that over-provisioned access has long been a problem with human accounts, and that it is even more dangerous with AI agents.
“With agentic AI, permissions must start at least privilege, defined precisely from day one,” he said. “Agentic AI is enormously powerful. Constraining access correctly is non-negotiable.”
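To make the guardrail principles concrete, here is an added Python example (constructed for this briefing; not code from PocketOS, Railway, Check Point, or any of the quoted experts) that gates an agent’s tool calls the way the PocketOS incident and the SOC guidance above suggest: each agent has its own scoped identity, the gate checks the environment the target resource actually lives in rather than the one the agent assumes, destructive production actions are held for human approval, and every decision lands in an audit trail. The class and action names and the staging/production scenario are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: actions that destroy state and therefore need explicit gating.
DESTRUCTIVE_ACTIONS = {"delete_volume", "delete_backup"}

@dataclass(frozen=True)
class AgentIdentity:
    """An agent's own least-privilege identity: the environments and actions it is entitled to."""
    agent_id: str
    environments: frozenset
    actions: frozenset

@dataclass(frozen=True)
class ToolCall:
    action: str
    environment: str   # where the resource actually lives, looked up by the gate, not assumed by the agent
    resource: str

@dataclass
class Guardrail:
    audit_log: list = field(default_factory=list)

    def evaluate(self, ident, call, human_approved=False):
        """Return (allowed, reason) for one tool call and record the decision in the audit log."""
        if call.action not in ident.actions:
            verdict = (False, f"{call.action} is outside {ident.agent_id}'s entitlements")
        elif call.environment not in ident.environments:
            verdict = (False, f"{ident.agent_id} is not scoped to {call.environment}")
        elif call.action in DESTRUCTIVE_ACTIONS and call.environment == "production" and not human_approved:
            verdict = (False, "destructive production action held for human approval")
        else:
            verdict = (True, "within scope")
        self.audit_log.append({"agent": ident.agent_id, "action": call.action,
                               "environment": call.environment, "resource": call.resource,
                               "allowed": verdict[0], "reason": verdict[1]})
        return verdict

def demo():
    """Replay a PocketOS-style request with an over-broad identity and with a scoped one."""
    guard = Guardrail()
    # Over-broad token like the one the agent found: every environment, every action.
    broad = AgentIdentity("agent-broad", frozenset({"staging", "production"}),
                          frozenset({"read_volume", "delete_volume", "delete_backup"}))
    # Least-privilege identity created for the staging task only.
    scoped = AgentIdentity("agent-staging", frozenset({"staging"}), frozenset({"read_volume", "delete_volume"}))
    # The agent guessed the volume was staging; the gate resolves it to production.
    wipe = ToolCall("delete_volume", "production", "vol-main-db")
    return {
        "broad": guard.evaluate(broad, wipe),      # held for human approval instead of executing
        "scoped": guard.evaluate(scoped, wipe),    # denied outright: identity not scoped to production
        "scoped_staging": guard.evaluate(scoped, ToolCall("delete_volume", "staging", "vol-test")),
        "backup": guard.evaluate(scoped, ToolCall("delete_backup", "staging", "bak-1")),  # not entitled
        "audit_entries": len(guard.audit_log),
    }
```

The same destructive call is blocked by two independent layers (identity scope and the production approval threshold), so an agent that finds a token it was not meant to have still cannot act on it unsupervised.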
