Patchapalooza: Anthropic’s Mythos AI Triggers Urgent Global Security Scramble
Canadian companies are marshalling resources, setting up war rooms and assembling specialized teams to prepare for an onslaught of software fixes from tech giants trying out Anthropic’s powerful new artificial-intelligence model.
Organizations in sectors ranging from financial services to critical infrastructure are bracing for what experts are calling patchapalooza: a wave of software updates, or patches, set to be rolled out by the companies granted early access to Claude Mythos Preview.
San Francisco-based Anthropic opted not to release the AI model widely because its ability to exploit software vulnerabilities creates the potential for abuse. Instead, the tech company made a preview version available to a select group of digital infrastructure providers, giving them time to identify system weaknesses and devise patches in preparation for a new breed of AI-enabled cyberattacks.
Those companies, which include Amazon.com Inc., Microsoft Corp., Apple Inc. and Google, are expected to roll out a wave of patches over the next several months that could create staffing challenges for organizations, said Denis Villeneuve, cyberresilience and connectivity practice leader at IT services firm Kyndryl Canada.
“Burnout is something that’s top of mind,” Mr. Villeneuve said. “There’s only so much time in a day. … There is going to be a surge capacity that’s required, and people are definitely going to be working and feeling this for a bit.”
While some patches are automatically deployed, others aren’t. Organizations typically have to test software fixes to see how they will perform within their ecosystems, which can include highly customized software as well as older technology, said EY Canada’s Umang Handa.
“Patches can break things, especially in complex environments,” said Mr. Handa, national leader of cybersecurity managed services.
Software updates can cause outages, disrupt revenue-generating or safety-critical systems, and sometimes have to be rolled back, Mr. Handa said.
Participants in Project Glasswing, the Anthropic-led initiative to secure critical digital infrastructure, could start rolling out patches as early as June or July, Mr. Villeneuve said. It’s too early to say how many patches to expect, he noted, but a recent test involving Mozilla’s Firefox browser provides some indication.
Scanning the browser’s code with Claude Opus 4.6, an AI model released in February, led to the discovery and repair of 22 bugs. Claude Mythos Preview, meanwhile, identified 271 vulnerabilities.
“It has capabilities of exponentially changing the amount of vulnerabilities that need to be patched,” Mr. Villeneuve said.
Carl Virtanen, chief technology officer at University Health Network in Toronto, has been in a lot of meetings recently to discuss how the organization can deploy updates more quickly. Since AI can help bad actors find and exploit flaws in software faster and at scale, IT professionals will have less time to fix those vulnerabilities in their own systems.
“When you think of a big, complex system like health care, you have to do a lot of appropriate testing before you put those patches in,” he said. “It’s going to be all hands on deck, potentially.”
Mr. Virtanen is looking to reduce the time it takes to test patches and speed up the approval process, and to bring in people from other parts of the organization to pitch in, if necessary. “We want to make sure that we’re prepared,” he said. “We don’t want to have a situation where we feel panicked.”
The coming deluge of software fixes could be exacerbated by what some experts have described as a patching backlog.
“Everybody’s freaked out about patching and these new vulnerabilities that are coming, but they haven’t been patching vulnerabilities when it wasn’t a 10x problem,” said Adam Meyers, senior vice-president of counteradversary operations at CrowdStrike, a cybersecurity firm that is part of Project Glasswing. “The worst thing that can happen is that there’s a vulnerability with a patch, and you haven’t patched it,” he said.
Companies can be lax in that regard for a variety of reasons, but Mr. Meyers said the process can be difficult and time-consuming, and carry risk. “You might decide to defer for a little while, and let somebody else patch it first and see how it goes,” he said.
CrowdStrike knows the pain of a botched software update firsthand. In 2024, an update to its Falcon platform caused a global IT outage, knocking down millions of computers running Microsoft Windows and even grounding planes.
The heightened focus on cybersecurity is benefiting at least one constituency: consultants. “It’s basically all I’ve talked about for three weeks,” said Robert Moerman, a cybersecurity partner at KPMG Canada. “Business is booming.”
At Deloitte Canada, Daphne Lucas has been fielding calls from a wider variety of executives who are not well versed in cybersecurity and need to catch up. “They’re asking, ‘Can you explain to me what are the questions I should be asking? How can I tell if my organization is prepared?’” she said.
EY Canada’s Mr. Handa said he doesn’t have a single client who hasn’t asked him about the cybersecurity implications of Mythos and other frontier AI models.
“Many times, cyberincidents happen and there’s a lot of ambulance chasing, and there’s a lot of noise,” he said. “But it seems to be the other way around this time. Clients are actively coming to us and saying, ‘What can we do about it? Can you help us assess what we will need?’”
But Ms. Lucas, national leader in cybersecurity at Deloitte, is skeptical that increased attention to the issue will translate into more hiring and bigger budgets at companies. Instead, she expects companies to automate more tasks. “There will be significant pressure to not increase budgets because of this, but to use the tools and people that are available,” she said.
Naren Kalyanaraman, partner of cybersecurity, privacy and financial crimes at PwC Canada, said some companies are treating the preparations “almost like a cyberincident,” bringing together resources and staff from across the organization.
“Typically, these types of cyberexposures are treated as a technology issue, but what we’ve seen in the last few days and weeks is that boards are asking the right questions. CEOs and management teams are heavily involved. They’ve made this an enterprise risk problem that they need to solve for, versus a technology problem, which is great,” he said.
This article was first reported by The Globe and Mail




