In early May, Anthropic released Mythos, an AI model capable of autonomously finding vulnerabilities and executing full network intrusions. The cybersecurity world's first reaction was that the industry was about to be disrupted.
Two weeks later, the numbers tell a different story.
Key Figures
As of May 21, three major cybersecurity ETFs have shown the following performance in May:
- HACK (Amplify Cybersecurity): +17.27%, its largest monthly gain since inception in November 2014
- BUG (Global X Cybersecurity): +26.14%, its largest monthly gain since inception in October 2019
- CIBR (First Trust NASDAQ): Participating in the rally
Individual stocks have seen even more dramatic moves:
- Fortinet (FTNT): +54.19%
- CrowdStrike (CRWD): +45.85%
- Akamai (AKAM): +39.40%
- Palo Alto Networks (PANW): +37.55%
- Zscaler (ZS): +33.49%
- SailPoint (SAIL): +31.17%
Twelve stocks in BUG's portfolio have gained over 20% this month.
Why the Script Flipped
Before Mythos launched, the market narrative was: vulnerability discovery is the moat of cybersecurity companies, and AI industrializing that process would fill the moat. That sounded reasonable, but it missed the second half—defenders also got the same weapon.
Anthropic gave early access to Mythos to four U.S. companies: Apple, Amazon, JPMorgan Chase, and Palo Alto Networks. The last integrated Mythos into its product's vulnerability scanning process, uncovering 75 vulnerabilities in a month—seven times the usual rate.
CrowdStrike is doing similar work. The consensus in the cybersecurity community is that if you can use Mythos, attackers will eventually have their own version. Mistral is already in talks with European banks for alternatives, and OpenAI has given GPT-5.5-Cyber to major banks like BBVA. Digesting the tool early means securing a 3- to 5-month time advantage.
Corporate response has been more direct: increased budgets.
Budget Increases Underestimated
The UK AI Security Institute's test results stated: "Mythos can autonomously complete full takeover of an enterprise internal network with a 30% success rate; human experts take 20 hours to do the same."
For CIOs, this number isn't about whether to outsource security to AI, but rather: "Tomorrow the enemy will use this, I must add people and money now."
In May earnings calls for all publicly traded security companies, CEOs' remarks were strikingly similar: customer budgets are expanding, renewal cycles are lengthening, and package upgrade rates are rising.
As a Benzinga analysis put it: "AI gets better at finding vulnerabilities. Vulnerability discovery was the moat." The moat has indeed collapsed. But customers didn't save money; they increased spending—the unexpected second half of the story.
The Story Isn't Over
In the short term, it's a win-win: AI companies sell tools, security companies sell defenses.
In the medium term, two variables remain unresolved. First, Mythos is currently only available to four companies. Once it expands to 50 or 500, the cost curve for attackers will drop first. Whether cybersecurity stocks can continue to rise then is uncertain. Second, the current high valuations are built on customer fear. If one or two Mythos-level large-scale intrusions occur in the next six months, valuations could either double or collapse—Wall Street will vote with its money.
For now, the market's answer is: Mythos is not the death knell for cybersecurity, but its stimulant.
Sources: Claude Mythos Was Supposed To Kill Cyber Stocks: Now Record High - Akamai Technologies, Global X Cybersecurity ETF (Benzinga); Anthropic's Mythos set off a cybersecurity 'hysteria.' Experts say the threat was already here (CNBC); CocoLoop; UK AI Security Institute Mythos Capability Assessment