ChinaTalk Podcast Summary
Episode: "Claude Mythos and National Power"
Date: April 12, 2026
Host: Jordan Schneider
Guests: Ben Buchanan (AI policy advisor, ex-White House) and Michael Sulmeyer (former Assistant Secretary of Defense for Cyber Policy)
Overview
This episode explores the debut of Claude Mythos, an AI system from Anthropic with unparalleled capabilities in discovering software vulnerabilities and developing cyber exploits. The conversation centers on what this means for U.S. national power, the offense-defense dynamic in cyber operations, the analogy to historic technological leaps (e.g., the atomic bomb), challenges in defense and patching, and the broader implications for AI, cybersecurity, and future national security.
Key Discussion Points & Insights
1. What is Claude Mythos and Why is It Revolutionary?
- Automated Vulnerability Discovery: Claude Mythos uses a general-purpose capability, not a cyber-specific model, to discover and exploit software vulnerabilities—even those that have eluded decades of expert scrutiny.
- Buchanan: "The evidence is very clear that Claude Mythos is by far the best automated system in the world ever to do this, and is better than even some of the best expert humans in the world..." [00:56]
- Historical Bugs Found: The model exposed vulnerabilities in longstanding codebases (including critical open-source libraries) overlooked for 20+ years.
- Sulmeyer: "[Finding a 27-year-old bug], that's pretty wild. ...Silence on the other end because..." [02:27]
- Buchanan: "The core credo of the open source software movement ... is with enough eyeballs, all bugs are shallow. ...We need to have machines look too." [03:33]
2. Nuclear Bomb Analogy—Exclusive Power and National Competition
- Mythos as a Strategic Advantage: The hosts compare gaining access to Mythos to the U.S. monopoly on the atomic bomb in 1945-1949, pondering what it would mean for a nation-state to have such a tool exclusively.
- Buchanan: "My first thought was this is almost like U-boats like 1942... If you're the one person in the world who can use the offensive version of this..." [04:37]
- Offense vs. Defense: The acceleration of the “cyber kill chain” and shift in the offense-defense race. Both stress that with Mythos or its ilk, offense could enjoy a major, if temporary, asymmetric advantage.
- Sulmeyer: "It's a race from when the offense or the exploiters know about a problem and how fast they can get at it compared to how fast the defenders can actually identify, fix it..." [05:24]
3. Transformation of Cyber Operations and Vulnerability Management
- AI Across the Exploitation Process: Each step of the offensive cyber operation process, from reconnaissance to attack, can be augmented by AI.
- Buchanan: "At each step of that offensive operation process... AI could help. ...With something like Mythos, that conclusion is just far more robust." [06:41]
- Simulated Operations Speed: AI enables execution of complex cyber exploitations significantly faster than human operators (e.g., 10 hours’ work in minutes).
4. The Russia-Ukraine Cyberwar Analogy
- Pre-Mythos Standstill: In Russia-Ukraine, cyber capabilities did not prove decisive, possibly due to rough technical parity and lack of breakthrough tools.
- Schneider: "When you're ranking the things of what is determining battlefield progress... it's pretty low on the list." [08:10]
- Game-Changer Potential: Mythos would tip the balance, especially in intelligence and covert access, opening new forms of slow, persistent cyber shaping.
- Buchanan: “…Advantage of cyber ... is the sort of slow, insidious shaping of the environment and collection of information... Mythos would really help on that side." [10:00]
5. Project Glasswing: Controlled Rollout and the Vulnerabilities Equities Process
- Coordinated Defense: Anthropic’s Project Glasswing is designed to provide Mythos to critical software vendors first, patching widely before broader release.
- Buchanan: “…Twelve name members and then a broader group of companies... all coming together and saying, look, this is a systemic threat...” [13:31]
- Private-Sector Vulnerability Process: Mirroring the government’s “Vulnerabilities Equities Process” in the private sector, Anthropic’s approach tries to responsibly manage disclosure and patching.
- Sulmeyer: "One of the first efforts by a private sector company... to figure out its own almost multinational vulnerability equities process..." [14:46]
- Patching Urgency: The vulnerability-patching cycle must drastically accelerate in the post-Mythos era.
- Buchanan: "The whole process, from discovery of the bug to... deployment of the patch, that's going to have to go so much faster in a post-Mythos era." [17:26]
6. Critical Infrastructure & Patch Challenges
- Legacy and Unsupported Software: Many crucial systems run on legacy code whose maintainers are gone or which cannot be patched easily. Mythos will find vulnerabilities in such unmaintained software as well.
- Sulmeyer: "How you're going to manage the scale of vulnerabilities that's going to come through here... Whoa." [18:21]
- Critical Infrastructure Risks: Some sectors (e.g., electrical grids) cannot easily afford downtime for patching.
- Buchanan: "[Critical infrastructure] is not meant to take ... down every week... if one of the effects of this new world is that AI systems find vulnerabilities... with a much higher cadence, that's going to be its own complexity." [18:56]
7. Offense-Defense Dynamics: Hope, Pessimism, and Urgency
- Offense Prevails Short-Term: Dropping Mythos into the wild would overwhelmingly favor attackers until defenders catch up.
- Buchanan: "If Mythos were just dropped in the world... would clearly benefit the offense." [20:28]
- Long-Term Possible Optimism: If defenders can use the tech, systematically patch, and move toward 'formal methods,' a more secure landscape is possible—but not probable, given legacy software and institutional inertia.
- Buchanan: "You can tell yourself a good news story... But you can imagine society using this tech to its fullest extent..." [20:28]
- Sulmeyer: "Glasswing... is the best way at scale to give defenders a fighting chance..." [21:31]
8. Automation, Past Cyberattacks, and AI’s Step Change
- Automated Precedents: Even before AI, the most damaging cyberattacks (e.g., NotPetya, Stuxnet, WannaCry) were automated—AI takes this to new levels.
- Buchanan: "There is an intuition... that automation in cyber operations, even before the machine learning era, can yield the power that manual operations can't." [23:46]
- Defensive Fundamentals Still Matter: The basics (e.g., air-gapping, network segmentation) still hold up, if rarely implemented with discipline.
- Sulmeyer: "Foundational cybersecurity measures... is not something that goes away just because of Mythos." [25:54]
9. Societal and Non-State Threats
- Ransomware & Proliferation Risks: Mythos or similar models in criminal or state hands could lead to orders-of-magnitude increases in cybercrime, ransomware, and sabotage.
- Buchanan: "A capability like this in the wrong hands would allow a lot of that... billions of dollars with damage..." [31:26]
- Non-State Actors: Criminals, terrorists, and rogue states could cause far more disruption, especially as AI tools lower the technical threshold for attacks.
- Sulmeyer: "The terrorists have all the incentive in the world to screw things up..." [32:46]
10. The Future: Next Steps in AI-Cyber Evolution
- Exponential Advances Still to Come: There is significant headroom—future models may find classes of vulnerabilities not even legible to humans today.
- Buchanan: "I have to assume there are vulnerabilities out there that Mythos does not find, cannot find, and that a better system would find..." [34:32]
- Defensive Milestones: Will collective patching (e.g., via Project Glasswing) really raise the cost for attackers at scale—or will legacy and slow institutional responses doom the effort?
- Buchanan: "...If we sit here in six months, have they patched 10,000... high-severity vulnerabilities... that's a very open question..." [36:44]
11. Norms, Global Stakes, and Next Domains
- Cyber as Testbed for AI Risk: Cyber shows what’s ahead: similar AI leaps will transform other tech domains (e.g., biosecurity), where norms are weaker and risks higher.
- Buchanan: "At some point we will have a Mythos moment for bio... Let's take AI risk seriously in cyber, yes, but also in things like bio..." [40:27]
- Norms Too Late?: The window to establish international norms may have closed, paralleling past warnings from cyber experts.
- Sulmeyer: "You miss the boat on starting a normative effort... You start too late, everybody's so invested in trying to use the technology..." [41:37]
12. AI and Information Operations
- Deepfakes & Influence: Beyond classic hacking, AI systems are already adept at persuasive influence—convincing via text, audio, video—integrating cyber and information ops.
- Buchanan: "...It's pretty clear that AI systems have only gotten better ... an AI system can be useful for a wide range of aspects of national competition." [46:08]
- Potential for Automated Propaganda: Automated, compelling messages (and future deepfakes) greatly lower the bar for sophisticated influence and espionage.
13. Strategic Recommendations
- Preserve Democratic AI Pre-eminence: The U.S. (and allies) ought to invest, restrict, and lead in AI development for both defense and offense, to prevent adversaries from gaining the upper hand.
- Buchanan: "Near and dear to my heart is building an American lead and a Democratic lead in AI... it would be so much worse for the world if China had this." [49:21]
- Adopt AI with Operational Autonomy: The U.S. national security establishment must get comfortable with machine autonomy in cyber defense and accept associated risks to maintain speed and resilience.
- Sulmeyer: "There's going to be risk that has to be taken to lean on AI to keep us safe." [51:15]
Notable Quotes and Memorable Moments
- On finding ancient vulnerabilities:
- Sulmeyer: "I ended up talking, I think, to one of the original developers of some of that software and it was just silence, silence on the other end..." [02:27]
- On fantasy versus reality in patching:
- Buchanan: "Apple's figured out that if you give people new emojis, they'll update their iOS and they'll get some good security updates, security vegetables with it. There's a whole swath of software ... that is not subject to that kind of patch cycle..." [19:45]
- On offense/defense urgency:
- Sulmeyer: "You can't give up. ...Glasswing... is the best way at scale to give defenders a fighting chance." [21:31]
- On cyber policy inertia:
- Sulmeyer: "...[Banks] needed to be attacked first to be convinced [to improve security]. And I hope we can get over that hump." [27:48]
- Poetic endnote:
- Narrator/Poet (poem about code and vulnerabilities): "Born in 99 in a library down the information highway road no one knew his name or his address he lived inside a function call... the outlaw tipped his hat to Mythos smiled and said amigo, well done but don't you cry for this Bundy though for his cousin cousins ride tonight..." [53:38-56:39]
Timestamps for Key Segments
- [00:56] - Buchanan on Mythos outpacing human experts
- [02:27] - Sulmeyer recounts the emotional impact of discovering old bugs
- [04:37] - Nuclear bomb analogy for cyberpower
- [08:10] - Russia-Ukraine cyberwar analogy
- [13:31] - Discussion of Project Glasswing consortium and patching
- [20:28] - Offense vs. defense with Mythos
- [23:46] - Buchanan describes how automation defined the worst cyberattacks
- [32:46] - Risks of proliferation to non-state actors and criminal groups
- [36:44] - Will Project Glasswing meaningfully raise the bar for attackers?
- [40:27] - Use cyber as the warning for future AI risks in bio and other fields
- [49:21] - Strategic imperative for U.S./ally AI leadership
- [51:15] - Sulmeyer: operational challenge of trusting AI with real autonomy in defense
- [53:38] - Poetic coda on the mythos of code
Tone and Style
Throughout, the tone is active, thoughtful, and often urgent—a mix of academic rigor, national security realism, and a frank assessment of technical limitations and policy gaps. The speakers combine technical specifics with broad analogies, often drawing links from cyber’s past to AI’s future. They also occasionally inject humor and memorable imagery (e.g., the “emojis as security vegetables” and the narrative poem at the end), keeping the discussion engaging as well as informative.
Conclusion
This episode paints a vivid, nuanced picture of the state of AI in cybersecurity as of 2026, marked by optimism about the tools' promise for defenders but deep uncertainty about institutional ability to keep pace and the ever-looming threat of malicious use. The analogy to the atomic bomb is not mere hyperbole: for the cyber domain, Claude Mythos is a watershed, and the window to patch the world before the offensive “exponential” wave crests is now. The lessons drawn extend well beyond cyber, serving as a warning for the proliferation of AI risk in every high-stakes technological domain.
