The UK government doesn’t do panic. Measured language, careful committees, a healthy distrust of melodrama. So when Technology Secretary Liz Kendall publishes an open letter telling Britain’s business leaders that AI is fundamentally changing the cyber threat landscape—and they need to start acting like it—you should probably pay attention.
The letter, published April 15th, was sparked by one thing: Anthropic’s new frontier model, Mythos. The UK’s AI Security Institute (AISI) got early access and ran it through their evaluation gauntlet. Their verdict, relayed by Kendall, was stark—Mythos is “substantially more capable at cyber offence than any model we have previously assessed.”
That’s not marketing copy. That’s a government assessment.
What Mythos Actually Does
Project Glasswing—the accompanying capability Anthropic announced alongside Mythos—is designed to find software vulnerabilities and generate working exploit code. Not theoretical. Not proof-of-concept. Working. The kind of thing that previously required a small team of highly skilled, highly expensive criminals. Now apparently reproducible by a model anyone can access.
Kendall’s letter put it plainly: “AI models are becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago.”
The AISI’s own data shows frontier model capabilities doubling every four months. That used to be eight months. The acceleration is real, and it’s getting faster.
Why This Isn’t Just a Government Problem
The instinct might be to file this under “critical infrastructure” and move on. Kendall addressed that directly: “Criminals will not just target government systems and critical infrastructure. They will target ordinary companies, of every size, in every sector. Attackers go where defences are weakest.”
That’s the uncomfortable bit. The companies most at risk aren’t the banks and utilities everyone’s focused on. It’s the mid-size business with outdated systems, no dedicated security team, and an IT department that’s already stretched thin. The attack surface is enormous and largely undefended.
The government is pointing businesses toward Cyber Essentials certification, the NCSC’s Cyber Action Toolkit, and the new Cyber Governance Code of Practice. All reasonable advice. Whether it’ll land with the people who need it most is another question.
The Honest Reality
There’s a gap between “here’s what companies should do” and “here’s what companies will do.” Cyber security has always suffered from the latter—until something goes wrong. The UK government is hoping to shortcut that lesson by sounding the alarm before the wave hits, rather than after.
Whether businesses are actually listening is unclear. But the government has at least done its part: the Cyber Security and Resilience Bill is coming, the National Cyber Action Plan is in development, and the AISI is operational and actively testing frontier models. The infrastructure is there.
The question now is whether the private sector treats this as a genuine existential risk or just another item on a compliance checklist.