ANTHROPIC MYTHOS · APRIL 2026 · THREAT LANDSCAPE
Mythos changed the rules.
Now it matters how you harden your platform.
An AI model finds in hours what attackers previously needed months for, and competitor models will follow within 6 to 18 months. The answer is not yet another scanner but the platform itself: continuously hardened, auditably automated, durably standardized. The Secure Platform Automation Suite (SPAS) by lennlay delivers this state as a platform capability, including Linux, Windows, JBoss EAP, IIS, Tomcat, Container, and Kubernetes; additional platform families available on request.
Linux · Windows · JBoss EAP · IIS · Tomcat · Container · Kubernetes
01 · THREAT LANDSCAPE
Not "another AI tool." A shift in the attack vector.
On April 9, 2026, Anthropic released the autonomous security research tool Project Glasswing, based on the Claude Mythos model. The documented results change the premise under which platform security has been understood until now.
181×
Firefox exploits in a single autonomous run, including 14 previously unknown Zero-Days. The predecessor found 2 exploits in a comparable run.
anthropic.com/glasswing
90×
Improvement over the predecessor model. Autonomous exploit development through to a working proof-of-concept without human follow-up.
anthropic.com/glasswing
6-18 months
According to Gartner's forecast, competitor models will reach Mythos capability levels within this window.
Gartner · Competitive Forecast
14 days
Deadline under the KRITIS-Dachgesetz for the structured initial report of a significant security incident. Full report within 72 hours.
KRITIS-Dachgesetz · NIS2UmsuCG
Upheaval in the handling of security vulnerabilities and the vulnerability landscape as a whole. A paradigm shift.
BSI · Claudia Plattner
Emergency meeting between the Bank of England, FCA, and the National Cyber Security Centre.
UK Finance · April 2026
Bessent and Powell briefing the heads of all systemically important US banks.
US Treasury · April 2026
AI risk moves from position 10 to position 2 among the world's largest business risks.
Allianz Risk Barometer 2026
What this situation means operationally for your platform is covered in the
02 · PARADIGM SHIFT
From the patch cycle to continuous platform hardening.
When AI models deliver new CVEs in hours instead of months, the annual pentest is generally no longer sufficient as the sole form of evidence. Hardening becomes a runtime function of the platform. Here is the shift in concrete terms.
Old World · before Mythos
Reactive, periodic, manual
× Quarterly or annual pentest as compliance evidence
× Hardening as a one-off project; implemented once, then drift
× CVE response via ticket system; MTTR in weeks to months
× Tools as primary external communication (scanners, SIEM)
× Audit evidence through document collection and spreadsheets
× Platform knowledge locked in the heads of a few specialists
New World · From Mythos onward
Continuous, automated, auditable
✓ Continuous Baseline Enforcement & Drift Detection
✓ Hardening as code; versionable, reproducible, rollback-capable
✓ CVE response pipeline-driven; MTTR in hours
✓ Platform perspective; modules as external communication
✓ Audit evidence generated automatically from the platform
✓ Platform knowledge in Collections and Baselines, not in heads
03 · SPAS REFERENCE ARCHITECTURE
Seven core capabilities on two levels.
SPAS is not a tool, not a scanner, not a SaaS. It is a reference architecture with a principles framework that transitions platform hardening from a project discipline into a pipeline-driven operational state. The value comes from reproducibility, evidence, and governance.
OPERATIONAL CORE · 01-04
The operational core continuously applies policies to the platform:
Policy → Golden Image → Deployment → Verification.
01 Security Standards, Baselines, and Policies
Baselines derived from CIS, STIG, BSI, and customer-specific requirements, stored as versioned, machine-readable artifacts. Customer hardening policies are incorporated and built in.
02 Golden Images and Platform Baselines
Verified, reproducible system images as the defined starting state for all deployments. Every artifact is signed, versioned, and has a traceable derivation from upstream to production.
03 Automation, Deployment, and Platform Integration
Pipeline-driven delivery into existing infrastructure. For legacy VMs: Ansible Collections and CI/CD pipelines. For containers and Kubernetes: ArgoCD, Flux, or comparable GitOps tools.
04 Compliance Checks and Reporting
Continuous scans with automatically generated audit evidence. Deviation from the target state creates a ticket and enters the structured report. Audit evidence is generated during operations, not two weeks before the audit.
GOVERNANCE · 05-07
Governance (05-07) makes the impact path auditable and controllable. It is only reliable when the core (01-04) runs continuously.
05 Documentation, Traceability, and Auditability
Every change creates an audit entry. Every exception from the target state is recorded with justification and expiry date. The audit report is generated from platform data, not from an Excel collection.
06 Lifecycle and Update Management
Support end dates, versions, CVE status, and migration paths are attributes on the asset, not knowledge in people's heads. The end-of-support date appears in the dashboard; the migration pipeline is visible.
07 Drift Detection and Enforcement
Drift is detected and reported. Automatic Enforcement by risk profile: directly applicable for container clusters; controlled restart within the change window for mission-critical middleware.
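The interplay of capabilities 01, 04, 05 and 07 described above (a machine-readable baseline, a compliance check that produces report data, exceptions that carry a justification and an expiry date, and an enforcement decision that depends on the risk profile) can be shown in a few dozen lines. The script below is an added illustration written for this page; it is not SPAS code, not part of the lennlay Collections, and every control id, configuration key, hostname and waiver is constructed sample data. It makes one design choice explicit that the text implies: an expired exception no longer shields a deviation, so the finding reverts to drift and picks up the enforcement action for the host's risk profile, but is labelled separately so the audit trail shows why.

```python
"""Added example (not SPAS or lennlay code): baseline-vs-actual drift check
with expiring waivers and enforcement by risk profile. All data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Capability 01: the baseline is versioned data, one table per platform family.
# Control ids, keys and expected values are hypothetical.
BASELINES: Dict[str, Dict[str, Dict[str, str]]] = {
    "linux": {
        "SSH-01": {"key": "sshd.PermitRootLogin", "expected": "no"},
        "SSH-02": {"key": "sshd.PasswordAuthentication", "expected": "no"},
    },
    "jboss": {
        "JBOSS-01": {"key": "jboss.management.http_auth", "expected": "ldap"},
        "JBOSS-02": {"key": "jboss.tls_min_version", "expected": "TLSv1.2"},
    },
}

# Capability 07: the enforcement action follows the host's risk profile.
ENFORCEMENT_BY_PROFILE = {
    "container": "enforce_now",                    # reconcile immediately
    "mission_critical": "schedule_change_window",  # controlled restart later
}


@dataclass(frozen=True)
class Waiver:
    """Capability 05: an exception is valid only with a justification and an expiry."""
    host: str
    control: str
    justification: str
    expires: date


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    expected: str
    actual: Optional[str]
    status: str   # compliant | drift | waived | waiver_expired
    action: str   # none | enforce_now | schedule_change_window


def evaluate_host(host: str, profile: str, platforms: List[str],
                  actual: Dict[str, str], waivers: List[Waiver],
                  today: date) -> List[Finding]:
    """Compare one host's observed settings against every applicable baseline."""
    findings: List[Finding] = []
    for platform in platforms:
        for cid, ctl in BASELINES[platform].items():
            observed = actual.get(ctl["key"])  # None when the setting is absent
            if observed == ctl["expected"]:
                findings.append(Finding(host, cid, ctl["expected"], observed, "compliant", "none"))
                continue
            waiver = next((w for w in waivers if w.host == host and w.control == cid), None)
            if waiver is not None and waiver.expires >= today:
                status, action = "waived", "none"
            else:
                # An expired waiver no longer protects the deviation: it is drift
                # again, flagged separately so the audit trail records why.
                status = "drift" if waiver is None else "waiver_expired"
                action = ENFORCEMENT_BY_PROFILE[profile]
            findings.append(Finding(host, cid, ctl["expected"], observed, status, action))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Capability 04: counts per status, the raw material for the compliance report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def run_sample(today: date = date(2026, 4, 20)) -> List[Finding]:
    """Constructed inventory: one container node and one mission-critical JBoss host."""
    waivers = [
        Waiver("jboss-prod-01", "JBOSS-01", "LDAP cut-over scheduled for Q2", date(2026, 6, 30)),
        Waiver("jboss-prod-01", "JBOSS-02", "legacy client still on TLS 1.1", date(2026, 3, 31)),
    ]
    hosts = [
        ("k8s-node-01", "container", ["linux"],
         {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"}),
        ("jboss-prod-01", "mission_critical", ["linux", "jboss"],
         {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
          "jboss.management.http_auth": "local", "jboss.tls_min_version": "TLSv1.1"}),
    ]
    findings: List[Finding] = []
    for host, profile, platforms, actual in hosts:
        findings.extend(evaluate_host(host, profile, platforms, actual, waivers, today))
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host:14} {f.control:9} {f.status:15} -> {f.action}")
    print(summarize(run_sample()))
```

Run as a script it prints one line per control and host; the container node's root-login deviation gets `enforce_now`, the JBoss host's TLS deviation with the lapsed waiver gets `schedule_change_window`, and the LDAP waiver that is still in date produces no action. In a real pipeline the `actual` dictionaries would come from a fact-gathering step (for example an Ansible run), and each `Finding` would be written to the audit store rather than printed.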
04 · JBOSS IN FOCUS
The first deployment: Secure JBoss EAP Platform Automation.
JBoss EAP carries mission-critical business applications in many DACH enterprises and simultaneously faces lifecycle, compliance, and support pressure. That is precisely where platform automation delivers the highest leverage: audit-capable Baselines, reusable Collections, continuous hardening.
lennlay-Policy · Baselines out-of-the-box
Ansible · lennlay.jboss Collection
< 4h · MTTR target for critical CVEs
NIS2 · audit-capable from the platform
05 · PRODUCT ARCHITECTURE
Platform families & modules in the SPAS portfolio.
The suite covers platform families typical in regulated environments. Modules are independently deployable and built on shared core capabilities.
Middleware · Recommended
Secure JBoss EAP Platform Automation
Audit-capable Baselines, Ansible Collections, lifecycle management for mission-critical middleware.
Middleware
Secure Tomcat Platform Automation
Hardened Tomcat Baselines for web frontends and application servers in legacy architectures.
Operating System
Secure Linux Platform Automation
CIS/STIG-compliant RHEL, SLES, and Debian Baselines with continuous Enforcement.
Operating System
Secure Windows Platform Automation
Windows Server hardening with DSC/Ansible integration and audit-capable compliance reporting.
Web Platforms
Secure IIS Platform Automation
IIS hardening for classic .NET stacks, lifecycle management included.
Container
Secure Container Platform Automation
Image Baselines, runtime Enforcement, SBOM integration for Docker and Podman-based environments.
Orchestration
Secure Kubernetes Platform Automation
Cluster Baselines, policy-as-code, Drift Detection, equally applicable to on-prem and cloud K8s.
Pipeline · Upcoming
OpenShift · NGINX · Apache · Java Runtime
Further platform modules are in preparation and follow the same principles framework.
06 · ENTRY PATH
From platform check to production module.
Free platform check, two-day onboarding workshop, then modular entry. Timelines vary with legacy depth, platform breadth, and approval processes; the outlined weeks are a reliable orientation framework.
✓ Step 0 · Platform Check
15-30 min. online. Assess platform landscape, compliance pressure, and SPAS fit. Free, no pitch.
0 · Pre-Stage, 2 Days · Onboarding Workshop
2 lennlay experts. Assessment of platform landscape, working practices, automation maturity. Output: a reliable entry proposal.
01 · Week 1 · Scoping and Baseline Selection
Refine platform inventory, fix compliance targets, define shared target state.
02 · Week 2 · Module Adaptation
Baselines tailored to the customer environment, Collections versioned (where Ansible is in use), test stage set up.
03 · Week 3-4 · Rollout and Audit Report
Production rollout against defined cluster set. Drift Detection active. Automated compliance report.
07 · FREQUENTLY ASKED QUESTIONS
What platform owners are asking now.
01 Is this not just "another security tool" with a different name?
02 We already have Ansible automation. What changes?
03 How does this relate to NIS2UmsuCG and the KRITIS-Dachgesetz (Critical Infrastructure Act)?
04 Why the focus on JBoss EAP first?
05 Do we need cloud infrastructure for this?
06 What does a realistic first step look like?
07 What changes if we do nothing now?
NEXT STEP
Architecture Brief: Platform Hardening in the Mythos Era.
The preparation window until Mythos-class models appear on the attacker side is 6 to 18 months. Those who request it now begin the internal assessment with a worked reference framework rather than a blank page.
13-page PDF written for CISOs, platform leads, and IT governance. No signup for newsletters or marketing flows; only the brief.
01 Mythos changed the rules: threat model and regulatory context · p. 3-4
02 Seven core capabilities: foundation flow and governance · p. 5-8
03 Compliance mapping: NIS2UmsuCG, KRITIS-Dachgesetz, BSI IT-Grundschutz · p. 9-10
04 JBoss EAP: all seven core capabilities in deployment · p. 11-12
05 Entry path: platform check through production module · p. 13
Response typically within one business day. No follow-up call without prior agreement. The brief is sent without a marketing sequence. Business email addresses only, processed in compliance with GDPR.
Prefer to talk directly?
In the platform check we clarify in 15 to 30 minutes which platforms are under pressure, where compliance action is required, and whether SPAS is a fit. No sales meeting, no 40-slide agenda.