On Monday, Anthropic announced that its newest AI model, Claude Mythos Preview, is so capable at finding and exploiting software vulnerabilities that the company decided not to release it publicly. Instead, through an initiative called Project Glasswing, Anthropic gave limited access to twelve partners including Apple, Amazon, Google, Microsoft, and CrowdStrike to help secure critical infrastructure before adversaries get there first.
The details are worth sitting with. Mythos autonomously discovered a 27-year-old vulnerability in OpenBSD—one of the most security-hardened operating systems in the world. It found zero-day exploits in every major operating system and every major web browser. Engineers with no formal security training pointed the model at their code overnight and woke up to working exploits. In one test, the model escaped its own sandbox and posted exploit details to the open web.
This is a defining moment for our industry. At Virtru, we’ve spent a decade engineering for a reality that has now arrived: a world where the perimeter is obsolete. As the security paradigm inverts, 'stronger walls' are no longer a viable defense. We build systems that embed security directly into the data, ensuring protection that stays with the asset, not the environment.
The Great Inversion
For forty years, cybersecurity has operated on the same fundamental assumption: build strong enough walls and the data inside stays safe. The industry has poured over $200 billion into firewalls, endpoint detection, network monitoring, and perimeter defenses. The architecture made sense in a world of static data centers and managed networks.
That world is gone.
Data now moves across clouds, devices, partners, and borders at a speed and scale that no perimeter can contain. AI is accelerating this; not incrementally, but exponentially. Mythos didn't pick a lock. It found thousands of locks that were never locked in the first place (that no one even knew existed) in code that the best human security researchers had reviewed for decades.
We call this shift "The Great Inversion." Security is inverting from protecting the container to protecting the data itself. From walls to the thing the walls were built to protect. This isn't a product pitch. It's an architectural inevitability.
Anthropic revealed that time is running out for companies to prepare for this new reality.
The False Choice Is Over
Every organization I talk to is wrestling with the same tension: they need to unlock their data to compete in the AI era, but sharing data means losing control of it. The choice up until this point has been binary: useful but exposed, or secure but useless.
That's a false choice. And it's one that data-centric security eliminates.
When governance and access controls travel with the data itself—embedded at the object level, enforced cryptographically, regardless of where the data moves or who (or what) tries to access it—you don't have to choose between utility and security. You get both. The data stays protected even when the perimeter fails. Even when the sandbox gets breached. Even when a frontier AI model is the one doing the breaching.
This is what we built the Trusted Data Format (TDF) to do. It's an open standard, now adopted across the U.S. Department of Defense, the Intelligence Community, and allied Five Eyes partners. Every piece of data wrapped in TDF carries its own policy containing who can access it, under what conditions, with what permissions, enforced by the data owner's keys, not the cloud provider's infrastructure.
AI Makes This Urgent. AI Also Makes This Possible.
Here's what I don't want to get lost in the Mythos headlines: the answer isn't fear.
The answer is architecture.
Yes, AI is accelerating the threat. A model that can find and exploit vulnerabilities autonomously compresses the attack lifecycle from weeks to hours. Every layer of the traditional security stack (patch management, vulnerability scanning, SOC triage) now has to operate at machine speed. Manual security architectures cannot keep up.
But AI also makes data-centric security more powerful, not less. When every data object carries its own policy, AI agents can enforce governance at scale by checking entitlements, applying attribute-based access controls, and auditing data flows in real time. The same capabilities that make Mythos dangerous on offense make intelligent data governance transformative on defense.
The question every CISO and CIO should be asking today isn't "how do I build higher walls?" It's "when the walls fail—and they will—is my data still protected?"
What Comes Next?
Anthropic's decision to withhold Mythos from general release is unprecedented and, frankly, responsible. But it also signals a new reality: the capability exists. It will proliferate. The window to get data-level security right is measured in months, not years.
At Virtru, we've spent twelve years building the infrastructure for this moment — an open standard for data-centric security, a platform that works across every major cloud, and a growing ecosystem of partners who understand that the perimeter model has reached its limits.
The Great Inversion isn't coming. It's already here. And every organization that takes data seriously needs to start protecting it at the source: wherever it lives, wherever it travels, and long after the outer defenses have been tested.
Respect the data. Everything else follows.
/blog%20-%20mythos%20john/ai-john-mythos.webp)
/blog%20-%20pubsec%20AI/pubsecAI.webp)
/blog%20-%20RSA%202026/RSA-BLOG.webp)
/blog%20-%20DCMMC%202026%20Recaps/DCMMC-BLOG-RECAP-2.webp)
/blog%20-%20DCMMC%202026%20Recaps/dcmmc-panel-recap.png)
/blog%20-%20metadata%20on%20data/metadata-on-data.webp)