UK AI Safety Institute confirms Claude Mythos finds more exploits as token spend increases

The UK's AI Safety Institute (AISI) published an independent evaluation of Anthropic's Claude Mythos Preview, confirming the model's capabilities in identifying security vulnerabilities. The evaluation, titled "Our evaluation of Claude Mythos Preview's cyber capabilities," validates Anthropic's claims about the model's security testing effectiveness.

Token spend correlates with vulnerability discovery

The AISI report reveals a critical finding: Claude Mythos continues discovering exploits proportionally to token expenditure. According to analyst Drew Breunig, this creates a straightforward economic equation for cybersecurity: "to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them."

This transforms security testing from a qualitative practice into a quantitative proof-of-work problem, where defensive spending must exceed offensive spending to maintain system integrity.

Open source economics shift

The findings have significant implications for open source software development. Because token investments in securing open source libraries can be amortized across all users of those libraries, shared security costs make open source projects economically more attractive.

This counters recent arguments that AI-powered "vibe-coding" — rapidly generating custom code replacements — would diminish the value of established open source libraries. The security economics now favor reusing well-tested shared libraries over custom implementations.

What this means

Cybersecurity now has a measurable cost floor: the token expenditure required to match potential attacker budgets. Organizations must budget not just for security tools, but for the computational cost of thorough AI-assisted vulnerability discovery. This creates a stark divide between well-funded projects that can afford extensive security testing and under-resourced projects that cannot.

The shift also strengthens the economic case for open source infrastructure, as communities can pool resources for security audits rather than each organization bearing the full cost independently. Security becomes a shared computational expense rather than duplicated effort.