What Anthropic's Mythos Disclosure Means for Evanston Law Firms and Their Clients

Anthropic is withholding a model that can autonomously find and exploit zero-day vulnerabilities. For an Evanston firm holding M&A files, IP portfolios, and family-wealth records, the disclosure is a forcing function for the cybersecurity conversation that has been postponed for years.

Michael Pavlovskyi · 14 min read

Key Takeaways

  • Anthropic confirmed the existence of an internal model called Mythos (also Capybara) on March 26, 2026, after a misconfigured public data store leaked draft material. The company says Mythos is a "step change" beyond Claude Opus 4.6 in cybersecurity capability.
  • Anthropic is withholding general release. Access is limited to a defensive-coordination program called Project Glasswing, with reported partners including Amazon Web Services, Apple, Cisco, Google, JPMorganChase, Microsoft, and NVIDIA.
  • For an Evanston law firm holding M&A deal rooms, patent prosecution files, family-wealth records, and criminal-defense work product, the practical takeaway is not "panic." It is: every assumption built around adversaries who lack AI vulnerability-discovery tools needs an expiration date.
  • The work in front of partners is concrete: refresh the threat model, write a one-page client-facing risk note before the question is asked, and run a structured diligence pass on every outside vendor that touches client data.

Evanston, Ill., April 24, 2026. The first call a managing partner at an Evanston firm got the morning after the Fortune story broke was not from a paranoid client. It was from a senior associate, asking a simple question: "If this thing exists, are we already behind?"

The article in question was published on March 26, 2026, when Fortune reported that Anthropic, the AI lab behind Claude, had been quietly testing a more powerful model whose existence was exposed through a misconfigured public-facing data cache. Inside the cache were draft blog posts referring to a model with the internal codenames "Mythos" and "Capybara." Anthropic confirmed the leak, called it human error in the configuration of a content management system, and acknowledged that the model represented "a step change" in capability over its current flagship, Claude Opus 4.6. The most striking line from the leaked draft, paraphrased across the trade press, was that the new model was "currently far ahead of any other AI model in cyber capabilities."

Three weeks later, on April 7, Anthropic published its own structured disclosure on a microsite at red.anthropic.com. The disclosure detailed a 244-page system card and confirmed that the model can identify and exploit previously unknown software vulnerabilities autonomously, across what Anthropic described as every major operating system and every major web browser. To prevent immediate misuse, the company restricted access to a defensive-coordination program it calls Project Glasswing. Press reporting from Reuters, TechCrunch, Axios and Scientific American identified the partners as a short list of large platform companies, financial institutions, and security-infrastructure providers.

None of the named Project Glasswing partners are Evanston law firms. None will ever be. And that is the point of this article.

The Fortune story on March 26, 2026 forced Anthropic into a structured disclosure. Photo: Getty, via Fortune.
  • 99%: share of Mythos-discovered vulnerabilities that remain unpatched, per Anthropic's own disclosure
  • 73%: success rate on expert-level hacking tasks, per the U.K. AI Security Institute, as reported by Scientific American
  • 181 vs 2: Mythos vs Opus 4.6 success on a Firefox 147 exploit task, per Anthropic's red-team microsite

What follows is a working brief for an Evanston law firm partner who needs to think clearly about what Mythos's existence implies, without wandering into either complacency or theater. Three angles: the threat-model update, the client conversation, and the outside-vendor diligence pass.

What Anthropic Actually Disclosed

Anthropic's microsite, published April 7 and updated April 9, walks through the cybersecurity claims with unusual specificity. The model identified a 27-year-old vulnerability in OpenBSD, a 16-year-old flaw in the FFmpeg multimedia library, and what Anthropic described as a guest-to-host memory corruption issue inside a memory-safe virtual machine monitor. Across roughly 1,000 open-source repositories run through Google's OSS-Fuzz, Mythos achieved what the company called "full control flow hijack" on ten separate, fully patched targets. On a Firefox 147 exploit construction task, the model succeeded 181 times in the company's testing, compared with two successful runs out of several hundred attempts on Claude Opus 4.6, the model that is publicly available today.

Professional security contractors validated the bug reports with what Anthropic said was 89 percent exact severity agreement and 98 percent within one severity level. The company estimated the cost of the OpenBSD research at under $20,000 in compute for a thousand runs that produced "several dozen" findings. An n-day exploit construction job that previously would have taken a senior offensive security engineer weeks ran in under half a day at a cost the company put under $1,000.

The company is explicit about why Mythos is not generally available. From the microsite: "Over 99% of the vulnerabilities we've found have not yet been patched, so it would be irresponsible for us to disclose details about them." General-availability access has been deferred. Coordinated, audited access has been routed through Project Glasswing.

Mythos Preview vs Opus 4.6 on a Firefox 147 exploit task, from Anthropic's structured disclosure. Source: red.anthropic.com, April 7, 2026.

Independent voices have urged proportion. Scientific American quoted Peter Swire of Georgia Tech, who served in the Clinton and Obama administrations, calling the announcement "very dramatic" and "a PR success." Ciaran Martin, the founding chief executive of the U.K. National Cyber Security Centre and now at the University of Oxford, told the same publication: "It's a big deal, but it's unlikely to prove to be the end of the world. I would not be at the more apocalyptic end of the scale." Both quotes are useful for any partner being asked at a client dinner whether the practice has been compromised.

"It's a big deal, but it's unlikely to prove to be the end of the world. I would not be at the more apocalyptic end of the scale."

Ciaran Martin, former CEO of the U.K. National Cyber Security Centre, quoted in Scientific American, April 2026

The reason Mythos matters for an Evanston law firm is not that the firm is a target of a frontier model in a sealed lab. It is that the model's existence proves a capability now exists. Capabilities, once they exist, diffuse. The next twelve to twenty-four months will probably see open-weight or jailbroken approximations of the same techniques in the hands of less responsible actors. The right time to harden the firm's posture is the period before that arrives, not after.

Why This Matters for an Evanston Law Firm

An Evanston practice is closer to the front line than its size suggests. What sits on a typical Evanston firm's network is exactly the kind of inventory a sophisticated attacker would set out to find. M&A deal rooms running through to closing, with data spanning buyers, sellers, target financials, and deal-pricing memos. Patent prosecution files for Northwestern spinouts and Chicago-area medical device companies, including invention disclosures that have not yet published. Estate plans for North Shore families with multi-generational wealth, including the trust structures, the beneficiary lists, and the offshore positions. Criminal-defense work product where the privileged communications are themselves the asset.

Each of those categories has the property that the value of access does not decay quickly. A leaked deal room is bad on closing day and remains bad five years later when the underlying parties are still in the market. A leaked patent disclosure is forever. A leaked estate plan is a coercion tool for life. A leaked criminal defense file is, in some cases, a person's life.

For most of the last decade, the practical defense for a small or mid-sized firm has been a combination of relative obscurity, off-the-shelf endpoint protection, multi-factor authentication, an outside IT managed service provider, and a cyber insurance policy. That stack assumed an attacker who would be discouraged by any non-trivial friction. The arrival of automated vulnerability-discovery and exploit-construction capability removes the friction. A model running for $1,000 of compute and half a day can probe a software stack that a human attacker would walk away from after fifteen minutes.

The point is not that an Evanston firm will be targeted by Mythos itself. Anthropic has effectively quarantined that specific model. The point is that, by Anthropic's own disclosure, the science of doing this work autonomously is now real. Within twenty-four months, some version of it will be available to actors who do not run Project Glasswing-style governance. That is the planning horizon every partner now has to write into their cyber program.

Scientific American's coverage placed Mythos in the broader context of frontier AI risk. Source: Scientific American.

Three concrete pieces of work follow from this. First, the threat model needs an honest refresh. Second, partners need a written, defensible point of view they can offer clients without sounding alarmist. Third, the firm's outside vendors and any AI tools the firm itself runs need to face questions that, until very recently, were considered out of scope.

Use Case 1: Refreshing the Firm's Threat Model

A threat model written before automated exploit construction is, in 2026, an out-of-date document.

The first concrete piece of work is the most boring. A managing partner sits with the firm's IT lead, the office administrator, and ideally a security professional from outside the firm, and re-reads the existing security documentation as if it were written by someone else. Specifically: the data-classification matrix, the access-control policy, the incident-response runbook, and the vendor inventory.

The question to hold in mind during the read is direct. If the adversary on the other side of every assumption were an AI agent capable of running thousands of probing variations per hour, with a $1,000-a-day compute budget and no fatigue, what assumption in this document fails first?

A short list of likely failures, drawn from patterns common at small and mid-sized professional services firms.

Email is the perimeter, and it is brittle. The standard playbook of multi-factor authentication on Microsoft 365 or Google Workspace remains necessary, but it is no longer sufficient. AI-generated phishing that passes context, style, and prior-thread continuity is already in the wild. A firm that has not enforced phishing-resistant MFA, meaning hardware security keys or platform-bound passkeys rather than SMS or app-based one-time codes, has a perimeter that an automated agent can probe efficiently. The U.S. Cybersecurity and Infrastructure Security Agency has been recommending phishing-resistant MFA since 2022. The Mythos disclosure makes the recommendation operational.

The "low-value" application is now the entry point. Most firms have one or two SaaS applications that everyone shrugs at. The conference-room booking system. The legal-research tool with a separate login. The marketing CRM that someone in 2019 set up and forgot. A human attacker would not bother. An automated agent will probe each of these for known and unknown vulnerabilities, find one with a software stack that has not been updated in three years, and use it to pivot.

Local privilege matters again. If the firm allows partners and staff to run with local administrator privileges on their laptops because removing them is operationally annoying, that decision needs to be revisited. Many of the Mythos-class exploit chains documented in the Anthropic disclosure rely on chaining a remote-code-execution flaw to a local privilege escalation. If local admin is already granted, half the chain is already done.

Backups need to be tested, not just configured. A backup that has not been restored in twelve months is not a backup. Ransomware that successfully encrypts a firm's primary file share can be made survivable by a tested, off-network backup. It cannot be made survivable by a backup the firm has assumed exists.

The cyber insurance application has new questions. Carriers underwriting professional services in 2026 are already updating their applications to include questions about AI-related risk, AI-tool use by staff, and the firm's AI policy. A firm that cannot answer those questions in writing is going to find renewal harder and pricier. Producing the answers is, by itself, a forcing function for the threat-model conversation.
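One way to turn the backup item above into a repeatable restore test, as an added example that is not part of the original article: record a SHA-256 manifest of the file share when the backup is taken, restore into a scratch directory, and compare. The directory names and sample files are constructed, and `shutil.copytree` stands in for whatever restore command the firm's backup product actually provides.

```python
"""Restore-test check: compare a restored tree against a hash manifest of the source."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large case files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken from the live share."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(
        rel for rel in set(manifest) & set(restored) if manifest[rel] != restored[rel]
    )
    return {
        "files_expected": len(manifest),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        # Extra files are reported but do not fail the test; lost or altered ones do.
        "ok": not missing and not corrupted,
    }


def demo_restore_check() -> dict:
    """Run the check on a constructed file share: one clean restore, one damaged."""
    sample = {  # constructed sample data, not real client files
        "matters/2026-001/engagement-letter.txt": b"Engagement letter (sample)\n",
        "matters/2026-001/deal-notes.txt": b"Deal notes (sample)\n",
        "billing/ledger.csv": b"matter,hours\n2026-001,12.5\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "fileshare"), Path(tmp, "restore-test")
        for rel, data in sample.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(source)   # taken at backup time
        shutil.copytree(source, restored)   # stands in for the backup tool's restore
        clean = verify_restore(manifest, restored)

        # Simulate a bad restore: one file comes back empty, one not at all.
        (restored / "billing/ledger.csv").write_bytes(b"")
        (restored / "matters/2026-001/deal-notes.txt").unlink()
        damaged = verify_restore(manifest, restored)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, report in demo_restore_check().items():
        print(name, report)
```

Keeping the manifest somewhere the backup system cannot overwrite means a silently truncated or altered backup shows up as `corrupted` rather than passing unnoticed.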

SAMPLE CLAUDE PROMPT

"Attached are our current data-classification matrix, our access-control policy, our incident-response runbook, and our vendor inventory. Acting as a senior security consultant, walk through each document and flag every assumption that depends on the attacker being a human or a low-skill automated tool. For each flag, propose the specific control change that would make the assumption hold against an attacker with autonomous vulnerability-discovery capability. Be specific. Reference NIST SP 800-53 controls where applicable."

The output of that exercise is not a finished policy. It is a list of fifteen to twenty concrete decisions, ranked by what costs the least to fix and protects the most-sensitive client data. A partner can take that list to the firm's IT managed service provider with a budget, a deadline, and a clear request. That is the deliverable for the first thirty days after reading this article.

Use Case 2: Talking to Clients Without Sounding Alarmist

The client question is coming. The right answer is short, written in advance, and signed by a name partner.

An Evanston firm represents three categories of client whose risk tolerance and reaction patterns are entirely different. The same one-page note will not work for all three. But the underlying message can be consistent.

The Fortune-500 general counsel, the head of a $400-million single-family office, and the client facing federal indictment are all, at some point in the next month, going to ask some version of the same question. They are going to ask whether their work product is safe. They will not phrase it that way. They will ask why their bills include a "cybersecurity surcharge," or what the firm's AI policy is, or whether the firm uses ChatGPT for drafting. The question behind the question is the same.

The right move is to put a written answer in front of the question. A one-page note, signed by the managing partner, sent to clients above a defined relationship threshold, that does five things and stops.

It acknowledges the public disclosure of Mythos and the broader trend it represents, in two or three sentences and without dramatizing.

It describes, in plain English, what the firm has actually done to harden its posture in the last ninety days. Not "we take security very seriously." Specific actions: phishing-resistant MFA enforced; vendor inventory completed; backups tested; AI tool use governed by a written policy.

It explains the firm's policy on AI tools used in the practice. If the firm is using Claude through an enterprise plan, or Microsoft Copilot through a business agreement that does not train on customer data, say so. If the firm prohibits the use of free consumer AI tools for client matters, say that.

It offers a phone call with the managing partner or the firm's IT lead to any client who wants more detail.

It commits to a written annual update.

The note is not marketing. It is risk management. Clients who would never have asked for it will read it once, file it, and remember it the next time they hear about an AI security story on the radio. Clients who would have asked for it have the answer before the question, which changes the dynamic of the conversation entirely.

Northwestern's Evanston campus and the surrounding professional services market. Photo: Wikimedia Commons, public domain.

The version of this note for a Fortune-500 client should be calibrated to the existing assumption that the company has its own enterprise security organization that has already absorbed the Mythos news. The right tone is peer-to-peer: here is what we, as outside counsel, have done to ensure we are not the weakest link in your supply chain.

The version for a high-net-worth family office should be calibrated to the family principal's likely fear, which is identity-driven impersonation, deepfake-enabled social engineering of staff, and quiet exfiltration of trust documents. Specifics matter. Naming the controls in plain terms ("we now require a hardware key to access your file from any device") lands better than abstractions.

The version for a criminal-defense client is the most delicate and the most important. Privileged work product is, by definition, the thing the adversary in that engagement most wants. The right message is short, specific, and human: the firm has hardened access to the file, has limited who can read what, and has documented the chain of custody for any digital evidence. That last point matters in court. A defense file whose digital chain of custody can be challenged is a defense file whose contents can be excluded.

"The Anthropic announcement was very dramatic and was a PR success."

Peter Swire, Georgia Tech, former Clinton and Obama administration cybersecurity advisor, quoted in Scientific American, April 2026

Two cautions on the client note. First, do not send it via an unencrypted attachment to a public email account. The medium is part of the message. Second, do not have the firm's marketing function draft it. The voice has to be a partner's, not a brand voice. A client can tell the difference in two sentences.

Use Case 3: Asking the Right Questions of Vendors

Most law firm breaches in the last five years originated at a vendor. The Mythos news does not change the pattern. It accelerates it.

The third concrete piece of work is the one most firms postpone, because it requires the firm to admit that it does not have full control of its own data. The data lives at the e-discovery vendor, at the document management hosting provider, at the time-and-billing SaaS, at the legal-research provider, at the IT managed service provider, and increasingly at AI tool vendors. Each of those relationships needs to be revisited in light of the Mythos disclosure with a structured set of questions, in writing.

The diligence pass is not adversarial. It is a contract-renewal-quality conversation that gives the vendor a chance to demonstrate maturity. Vendors that respond well are kept and extended. Vendors that respond evasively are flagged for replacement at the next contract cycle.

For the e-discovery vendor. Where, physically, does our client data sit? Is encryption at rest enforced with customer-managed keys, or with the vendor's keys? When was the last third-party penetration test, and may we see the report under NDA? Have you adopted phishing-resistant MFA for all employees with production access? Do you use any third-party AI tools for document review or processing, and if so, are those tools contractually prohibited from training on our data? What is your incident-response service level if you experience a breach that touches our matters? Will you notify us within 24 hours, 72 hours, or only as required by statute?

For the IT managed service provider. Do you have any sub-tier vendors with administrative access to our environment? If so, who, and under what contract terms? When did you last rotate the privileged credentials your engineers use to access our systems? What is the average patch-deployment time for critical vulnerabilities across our environment? What is the vendor's own AI policy, particularly for support engineers using AI assistants while they work on our systems?

For any AI tool the firm itself uses. This is the new question category, and it is the one most firms have not yet asked in writing. If the firm uses Claude, Microsoft Copilot, ChatGPT Enterprise, or a specialty legal AI tool, the questions are similar. Is the contract signed at the enterprise tier, with a no-training clause covering customer data? Where is the data processed and stored? What logging and audit trail does the tool produce? What is the vendor's process for handling a data subject access request or a litigation hold? If the tool is a thin wrapper over a frontier model from Anthropic, OpenAI, or Google, what additional vetting did the vendor perform on the underlying model provider?

SAMPLE CLAUDE PROMPT

"Attached is our current vendor inventory and the master service agreements for our top ten vendors by data sensitivity. For each vendor, draft a one-page diligence questionnaire tailored to their service category. Include the standard SOC 2 questions, but add specific questions about phishing-resistant MFA, AI tool use by their staff, and incident-response service levels. Format the output as one document per vendor, ready to send under cover of a partner email."

The output of that exercise is a stack of one-page questionnaires. The act of sending them, with a deadline of 30 days for response, is itself the work. Vendors that respond on time and substantively are the ones the firm should be building deeper relationships with. Vendors that miss the deadline or produce boilerplate non-answers are flagged for the partnership's quarterly vendor review.

One additional note on this diligence pass. If a vendor declines to answer any of these questions on the grounds that "the contract does not require it," that itself is a finding. A long-term outside vendor handling client work product who is unwilling to demonstrate basic security hygiene is a vendor whose contract should not be renewed. The firm's professional responsibility obligations do not pause at the boundary of an outside vendor's network.

How to Get Started in the First Two Weeks

The work above is a quarter or two of effort if done well. The first two weeks should produce three things: a refreshed threat model conversation, a draft client note, and a vendor diligence list. The pattern below is what an Evanston managing partner can run without specialized cybersecurity staff.

Week 1: The Threat-Model Conversation

Block 90 minutes on a Friday afternoon. Bring the IT lead, the office administrator, and one outside security professional, even if it is a one-hour paid consultation. Re-read the firm's existing security documentation in light of the Mythos disclosure and produce a list of the top ten control changes ranked by cost and impact.

By the end of Week 1, the firm has a written list of the changes worth making, not yet the changes themselves.

Week 2: Draft the Client Note and the Vendor Questionnaire

Draft the one-page client note. Have it reviewed by two name partners and the firm's outside ethics counsel. Send it the following Monday to clients above the firm's defined relationship threshold. In parallel, draft the vendor diligence questionnaire and send it to the top five vendors by data sensitivity, with a 30-day deadline for response.

By the end of Week 2, the firm has put written, defensible communication in front of clients and vendors. Both audiences will notice.

Week 3 Onward: Implement, Measure, and Document

Pick the top three control changes from Week 1 and assign each one an owner with a four-week deadline. Track completion in a one-page status document the managing partner reviews weekly. When vendor responses come back, log them in a structured way so the partnership can review them at the next quarterly meeting.

By the end of the first quarter, the firm has documented evidence of having taken the disclosure seriously, in a form that satisfies cyber insurance underwriters, sophisticated clients, and the firm's own conscience.

What This Does Not Replace

Two honest cautions before closing.

First, none of the work above replaces a real cybersecurity professional. A managing partner can run the threat-model conversation, write the client note, and send the vendor questionnaires. None of those activities makes the partner a chief information security officer. For a firm holding the kind of data described above, a fractional CISO arrangement, even at $30,000 to $60,000 per year, is increasingly the right answer. The partner's job is to make the strategic decision and own the client conversation. The CISO's job is to operate the program.

Second, the goal is not zero risk. There is no zero-risk posture in cybersecurity, with or without Mythos. The goal is to reduce the firm's attack surface to the point where an adversary with automated tooling chooses an easier target, and to ensure that if the firm is breached, the response is documented, professional, and survivable. Cyber insurance, a tested incident-response retainer, and pre-existing relationships with a breach counsel firm and a forensics provider are the difference between a difficult quarter and an existential one.

An Evanston firm that does this work in the next ninety days will not be invulnerable. It will be in the top quartile of its peer set, and it will be able to demonstrate that fact in writing to any client, regulator, or insurance carrier that asks.

A Final Note on Timing

The Mythos disclosure is the kind of news that becomes background within a quarter. By July, most clients will have stopped asking about it. The temptation, for any partner with a full docket, is to read the Fortune story, file it under "things to think about," and move on.

That is the wrong move for two reasons. The first is that the capability Mythos represents is not going away. Frontier AI labs continue to ship. The next disclosure of this kind, from Anthropic or one of its peers, is on a six-to-twelve-month clock. Each successive disclosure will erode the assumption that adversaries are bounded by human skill and human time.

The second reason is that the work itself is not difficult. It is a quarter of disciplined attention, a fractional CISO retainer, and a willingness to have honest conversations with clients and vendors. The firms that do it now will treat it as ordinary maintenance. The firms that defer it will treat it as a crisis the first time a client asks the question and they do not have an answer ready.

For partners who want a structured second set of eyes on the threat-model conversation, the client note, or the vendor diligence pass, a free 30-minute AI audit is available, in person in Evanston or on video. No obligation. The output is a one-page plan that an Evanston firm can hand to its IT lead and act on inside a quarter.

The model exists. The disclosure has been made. The work is in front of the partnership.

Frequently Asked Questions

Is Anthropic's Mythos model available to law firms or to the public?

No. Anthropic confirmed in its April 7, 2026 disclosure that Mythos is being withheld from general release because the model can autonomously identify and exploit previously unknown vulnerabilities. Access has been restricted to a coordinated defensive program called Project Glasswing, whose reported partners include Amazon Web Services, Apple, Cisco, Google, JPMorganChase, Microsoft, and NVIDIA. No law firms are on any reported partner list.

What does "phishing-resistant MFA" actually mean for a small Evanston firm?

It means the second factor cannot be intercepted by a fake login page or social-engineered out of a user. In practice, that is a hardware security key (YubiKey, Google Titan, or equivalent) or a platform-bound passkey. SMS one-time codes and most authenticator-app codes are not phishing-resistant under the U.S. Cybersecurity and Infrastructure Security Agency's definition. For a 20-person firm, deploying hardware keys to every staff member is a one-time cost in the low thousands of dollars, plus a few hours of training.
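Why a hardware key or passkey cannot be "intercepted by a fake login page", shown as the server-side checks on a WebAuthn sign-in (an added example, not part of the original article). The domain names are constructed, and an HMAC over a shared key stands in for the authenticator's real public-key signature so the block runs on the Python standard library alone.

```python
"""Relying-party checks that make a WebAuthn assertion useless off its own origin."""
import base64
import hashlib
import hmac
import json
import os
import struct

# Constructed values for illustration only.
RP_ID = "login.example-firm.test"
EXPECTED_ORIGIN = "https://login.example-firm.test"
LOOKALIKE_HOST = "login.examp1e-firm.test"
# Stand-in for the registered credential: a real security key signs with a
# private key (for example ECDSA P-256) and the server stores only the public key.
DEVICE_KEY = os.urandom(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_assertion(challenge: bytes, origin: str, rp_id: str, key: bytes = DEVICE_KEY):
    """What browser and authenticator produce. The browser, not the page or the
    user, writes the origin it is actually connected to into clientDataJSON."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def verify_assertion(challenge: bytes, client_data: bytes,
                     auth_data: bytes, signature: bytes) -> str:
    """Server-side checks a relying party applies before accepting the login."""
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if fields.get("challenge") != b64url(challenge):
        return "rejected: challenge mismatch"
    if fields.get("origin") != EXPECTED_ORIGIN:
        return "rejected: origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "rejected: user not present"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    return "accepted"


def demo_origin_binding() -> dict:
    challenge = os.urandom(32)  # fresh random challenge per login attempt
    results = {}

    # Sign-in on the firm's real login page.
    genuine = sign_assertion(challenge, EXPECTED_ORIGIN, RP_ID)
    results["real site"] = verify_assertion(challenge, *genuine)

    # Sign-in attempted on a look-alike page. The browser records that page's
    # origin and scopes the request to its domain, so the response is not valid
    # for the real site. (A real authenticator would not even find a credential
    # for the look-alike domain; the server check is the second line of defence.)
    lookalike = sign_assertion(challenge, "https://" + LOOKALIKE_HOST, LOOKALIKE_HOST)
    results["look-alike page"] = verify_assertion(challenge, *lookalike)

    # A valid assertion presented again for a later login attempt.
    results["replayed assertion"] = verify_assertion(os.urandom(32), *genuine)

    # A key that was never registered for this account.
    other = sign_assertion(challenge, EXPECTED_ORIGIN, RP_ID, key=os.urandom(32))
    results["unregistered key"] = verify_assertion(challenge, *other)
    return results


if __name__ == "__main__":
    for case, outcome in demo_origin_binding().items():
        print(f"{case:20s} {outcome}")
```

An SMS or authenticator-app code has no origin or challenge bound into it: the same six digits verify wherever the user typed them, which is the gap the hardware-key checks above close.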

Does using Claude or ChatGPT inside the firm create new privilege risk?

It depends entirely on which tier of the tool is being used. Free consumer accounts of any AI tool should not be used for client matters. Enterprise-tier agreements (Claude for Work, ChatGPT Enterprise, Microsoft Copilot for business) typically include a contractual no-training clause covering customer data. The firm should have a written AI policy that names the approved tools, prohibits the unapproved ones, and documents what the firm asks of each vendor. The Illinois Rules of Professional Conduct, particularly Rule 1.6 on confidentiality, apply unchanged.

How should the firm budget for cybersecurity in light of this disclosure?

For a 10- to 30-attorney firm, a defensible annual cybersecurity budget in 2026 is in the range of one to two percent of revenue. That figure typically covers a fractional chief information security officer arrangement, an upgraded managed-service provider contract, hardware security keys, a tested backup solution, an incident-response retainer with breach counsel and a forensics firm, and cyber insurance. Firms below that threshold are not necessarily insecure, but they are usually one renewal cycle away from a difficult conversation with their carrier.

What is the right time to send the client note Anthropic's disclosure makes necessary?

The right window is the next 30 to 60 days. The Mythos news is still in the trade press, sophisticated clients are forming opinions, and a proactive note from a managing partner registers as preparedness rather than reaction. Waiting until the third quarter, when the news has cooled, makes the same note feel like catching up. The note itself does not need to be long. One page, signed by a name partner, sent through the firm's normal client-communication channel, is enough.

Where can a partner read Anthropic's own disclosure on Mythos?

The structured technical disclosure is at red.anthropic.com under the Mythos Preview entry, dated April 7, 2026 with a post-publication update on April 9. The original Fortune story breaking the leak is dated March 26, 2026. Scientific American's coverage, which collected expert commentary from Peter Swire of Georgia Tech and Ciaran Martin formerly of the U.K. National Cyber Security Centre, places the news in broader context. All three are worth reading in the order Fortune, Anthropic, Scientific American.

About the author

Michael Pavlovskyi

Founder, Bace Agency

AI consulting for Lake Forest private equity.
