Image generated by Deeptech Times using ChatGPT
Anthropic’s disclosure of Claude Mythos, an AI system that reportedly uncovered thousands of new vulnerabilities in major operating systems and browsers, signals a shift towards more dynamic cybersecurity risks. Rapid AI-driven identification and potential exploitation of vulnerabilities is a growing concern for businesses.
This is particularly significant for Singapore, a highly digital economy and financial hub. Critical sectors like finance, healthcare and logistics are exposed to evolving cyber threats.
We spoke with Joey Lim, country manager at Exclusive Networks Singapore, on what capabilities organisations should prioritise in the near term.
What does the new Claude Mythos mean for businesses and the public sector?
Anthropic built a general-purpose frontier model, not one designed specifically for security. Yet during internal testing, it proved so capable at finding and exploiting software vulnerabilities that Anthropic chose not to release it publicly. That decision alone tells you a great deal about the capability jump we are looking at.
According to Anthropic’s own disclosure, Claude Mythos autonomously found thousands of critical vulnerabilities across every major operating system and browser, generated working exploits without human guidance, and enabled autonomous attack orchestration at a speed and scale that outpaces any prior capability.
AI scientists have warned that this class of capability could be used to penetrate critical infrastructure: banking systems, government networks, hospitals and energy supplies, many of which still run on legacy software never designed for today’s threat environment.
For businesses and the public sector across Southeast Asia, this is an important moment to take stock. The region has made remarkable progress in digitalisation, and cybersecurity frameworks are advancing alongside that. But as CrowdStrike’s 2026 global threat report found, attacks by adversaries using AI grew 89 per cent year-over-year, and Mythos could represent a further acceleration of that trend.
Even Singapore, an advanced cybersecurity market, is not insulated from this. Critical infrastructure, government systems and healthcare networks have historically been targeted by well-resourced threat actors. What Claude Mythos signals is that the sophistication bar for launching those kinds of attacks is lowering. That changes the risk calculus for every organisation, regardless of size or sector.
Why are many current security and compliance frameworks struggling to keep pace with multiplying autonomous AI attack techniques?
Most security and compliance frameworks were designed for a fundamentally different threat environment. They assume human-paced attacks, human-paced discovery and human-paced exploitation. That assumption no longer holds. A framework mandating annual penetration testing or 30-day patch cycles was built for a world where the window between a vulnerability being discovered and weaponised was measured in weeks or months. That window has now collapsed to hours.
The deeper problem is structural. Compliance frameworks are inherently backward-looking. They codify what the industry agreed was best practice at a given point in time. By the time a standard is ratified, consulted on, published and adopted, the threat landscape it was written for has already moved on. Organisations following the letter of their compliance obligations may still be deeply exposed.
Autonomous AI attacks ultimately expose the gap between compliance and actual resilience. Passing an audit creates a sense of protection that may not reflect genuine readiness. When the threat environment was relatively stable, this gap between what compliance requires and what security actually demands was manageable. In a world where AI can autonomously chain together multiple unknown vulnerabilities overnight, it is not. The frameworks will catch up eventually, but the question for risk leaders today is whether they are willing to wait for that.
What should boards, risk leaders and CISOs be prioritising now as the threat environment becomes less predictable?
The first thing any board or risk leader should do is to stop treating this as merely a technology problem. Claude Mythos has already prompted the US Federal Reserve to brief bank executives on security implications. That tells you this conversation has moved well beyond the IT department.
For boards, the priority is understanding actual exposure. The right question to be asking your CISO is not “are we compliant” but “what is our attack surface today, and how quickly can we detect and respond to something we have not seen before”. Those are very different questions and the answers are often uncomfortable.
For CISOs, the immediate priority is compressing response timelines. Patch cycles need to be shortened. Access controls need to be tighter. Logging and visibility need to be comprehensive because in an environment where attacks move at machine speed, the ability to detect and contain quickly is the difference between a serious incident and a catastrophic one.
CISOs also need to run realistic response exercises that include legal, communications and board representatives, in addition to the security team. A technical response plan that falls apart the moment a board member asks for an update is not a response plan.
How could organisations without large in-house security teams strengthen their preparedness as the gap between attacker capability and defender readiness widens?
Trying to build a comprehensive in-house capability is not realistic for most organisations. The talent shortage is structural and not resolving quickly.
Last year, Bitdefender’s cybersecurity assessment report found that 53 per cent of cybersecurity professionals in Singapore were already planning to leave their roles within the following year, well above the global average of 40 per cent. Building a security team in that environment is exceptionally difficult, and smaller organisations should not measure themselves against a standard they cannot realistically meet.
What they can do is focus on the fundamentals. Comprehensive logging and monitoring. Strong identity controls and MFA without exceptions. A clear, tested incident response plan that includes non-technical stakeholders.
And critically, knowing in advance who you will call when something goes wrong. Figuring that out during an incident is too late. For instance, our BridgingMinds tackles this head-on by crafting bespoke, vendor-specific training modules that are continuously mapped to the current AI threat landscape, ensuring relevance from day one.
The mindset shift that matters most is treating security as an ongoing operational discipline. The threat environment is not going to stabilise. Organisations that cannot internally match attackers’ capabilities need to be honest about that gap and make deliberate choices on how to close it, whether through external expertise, government-backed resources or sector-specific information sharing. Singapore’s Cyber Security Agency provides a strong foundation through its advisories and programmes that many smaller organisations are not fully utilising. That needs to change.
