Cybersecurity looks like proof of work now

April 15, 2026

What happened

It has been reported that Anthropic developed a new LLM called Mythos that is “strikingly capable at computer security tasks,” and that the company allegedly did not release it publicly, instead limiting access to a handful of critical software makers. It has also been reported that the AI Security Institute (AISI) ran third‑party tests and concluded that Mythos outperformed previous frontier models in simulated corporate network attacks, completing a 32‑step “Last Ones” scenario in 3 of 10 runs. Shocking? A little. Terrifying? For defenders, very.

The token calculus

Here’s the kicker: it has been reported that AISI budgeted 100 million tokens per attempt — roughly $12,500 per Mythos run, or about $125,000 for ten runs — and allegedly saw no clear diminishing returns within that range. In plain English: finding exploits looks like throwing compute (and cash) at a well‑defined search problem. You’re not solving philosophy; you’re poking a live system until it coughs up a hole. That changes the game. Want to harden a system? Spend more than whoever wants to break it.

Why it matters

Call it proof of work for security. Success becomes a function of who can burn more tokens, not who’s cleverer. That’s a bitter pill. It favors deep pockets and raises painful questions about fairness and resilience — especially for small companies and open‑source projects that are high‑value targets but low on budget. It has been reported that some in the community, including Karpathy, have argued for rethinking dependencies and even “yoinking” functionality with LLMs; suddenly Linus’s Law — “given enough eyeballs…” — feels like it needs a price tag attached.

What comes next

If these reports hold up, defenders will have to add an explicit token‑based hardening phase to software lifecycle playbooks: run the agents, burn the cycles, patch the holes. Expect more budget battles, revamped bug bounty markets, and a renewed emphasis on open source hygiene — because the more eyes (and tokens) on widely used code, the better the chances of staying ahead. Sound bleak? Maybe. But it’s also a solvable arms race, and we’ve seen worse go to work.

Sources: dbreunig.com, Hacker News