The potential threats of Anthropic Mythos to the NHS

The introduction of Anthropic's Mythos model marks a definitive shift in the landscape of artificial intelligence and its intersection with critical national infrastructure. Within the context of the National Health Service (NHS), this model represents both a transformative potential for cybersecurity defense and an unprecedented threat to the stability of clinical and administrative systems.

As a frontier model capable of autonomous vulnerability discovery and exploitation, Mythos challenges the foundational assumptions of traditional cybersecurity governance and necessitates a rapid re-evaluation of the NHS digital estate.

The Emergence of Mythos and the Qualitative Leap in Autonomy

The development of Anthropic Mythos Preview has been characterised as a "watershed moment" in the progression of large language models (LLMs) from passive advisors to active, agentic participants in cybersecurity operations.

Internal evaluations and independent testing by the United Kingdom's AI Security Institute (AISI) confirm that Mythos is substantially more capable at cyber offense than any model previously assessed. While earlier models could identify simple bugs or assist in drafting phishing emails, Mythos demonstrates the ability to autonomously chain together multiple vulnerabilities, sometimes up to 32 sequential steps, to achieve full network takeover. For a complex organisation like the NHS, which relies on a diverse and often fragmented technological infrastructure, this level of automation reduces the friction historically required for sophisticated cyberattacks.

The industry reaction to these capabilities has been polarized. Some analysts view the withholding of the model from the public as a responsible exercise in AI safety, while others characterise it as a calculated marketing manoeuvre aimed at securing high-value enterprise and government partnerships. Regardless of the corporate intent, the technical reality remains that the barrier to high-end cyber exploitation has fundamentally shifted from human expertise to computational access.

Technical Specifications and Benchmark Performance Analysis

More critically, in the domain of cybersecurity, Mythos achieved an 83.1% success rate on the CyberGym benchmark, representing a significant jump from the 66.6% recorded by previous models.

Comparative Performance Metrics of Frontier Models

The following table outlines the comparative performance of Anthropic's flagship models across key benchmarks relevant to cybersecurity and technical reasoning.

The jump in the "Exploit Success Rate" from near-zero to over 70% indicates that the model has crossed a threshold of reliability that makes it a viable tool for operational use. In practical terms, this means that an attacker using a Mythos-class model can identify and weaponise a vulnerability in hours, whereas a human-led team might take weeks. The model’s ability to reverse-engineer closed-source binaries further expands the threat surface to include proprietary medical software and hardware common in the NHS environment.

The Vulnerability of the NHS Legacy Estate

The primary risk Mythos poses to the NHS stems from the massive "technical debt" inherent in a system that serves millions of people across thousands of locations. The NHS infrastructure is a heterogeneous mix of modern cloud-native applications and legacy systems that have been in operation for decades. Mythos has proven particularly adept at uncovering flaws in precisely these types of legacy foundations.

Legacy Exploitation and the Persistence of Zero-Days

For the NHS, the discovery of the 17-year-old FreeBSD NFS flaw is particularly alarming. Network File System (NFS) protocols are widely used for data sharing between servers in healthcare environments. The ability of Mythos to generate a 20-gadget Return Oriented Programming (ROP) chain to exploit this flaw without human intervention suggests that legacy medical databases, often perceived as "secure" due to their age and lack of previous exploits, are now highly vulnerable.

The Asymmetry of Patching and Exploitation

A core challenge for NHS digital governance is the widening gap between the speed of AI-driven exploitation and the organisational capacity for remediation. Estimates indicate that while AI can discover and weaponise a flaw in minutes for a cost of under $50, the median organisational patch window remains stagnant at approximately 70 days. In some sectors, security debt compounds at a rate of 252 days per fix.

This "patching gap" creates a permanent window of opportunity for autonomous agents. If an attacker uses a model like Mythos to scan the entire NHS digital perimeter, they can identify thousands of entry points faster than a central authority can issue a security alert. The economic disparity is equally stark: scanning a massive codebase like OpenBSD costs under $20,000 using Mythos, a fraction of the cost of a traditional human-led audit.

Clinical Risks and the Impact on Patient Safety

Automation Bias and Clinical Deskilling

The deployment of high-performing AI assistants can lead to a phenomenon known as "clinical skill attrition". Real-world evidence from 2021 to 2026 suggests that when clinicians rely on AI tools repeatedly over several months, their unassisted diagnostic accuracy can fall significantly. This creates a self-reinforcing loop of automation bias: as AI performs tasks reliably, clinicians exercise their own reasoning less frequently; as their skills atrophy, they become less capable of identifying when the AI is wrong, leading to increased reliance and further skill degradation.

For the NHS, this deskilling is particularly risky in high-pressure environments like Emergency Departments or Intensive Care Units. If a clinician relies on a Mythos-class assistant to interpret complex multi-omic data or longitudinal medical records, an error or "hallucination" by the AI could go unchallenged, resulting in incorrect treatment or dosage.

Algorithmic Bias and Health Inequality

The NHS has a statutory duty to provide equitable care, yet the "black box" nature of some frontier models makes it difficult to verify their decision-making processes. If the NHS adopts Mythos-derived agents for administrative tasks like medical coding or verifying Medicare-style coverage requirements, there is a risk that certain patient populations could be unfairly disadvantaged by biased algorithms.

Data Privacy and Governance in the Age of Mythos

The massive volume of sensitive patient data held by the NHS makes it a prime target for the autonomous exfiltration capabilities of Mythos. The 70TB breach at Barts Health NHS Trust, attributed to the ALPHV ransomware group, serves as a grim reminder of the scale of potential data loss.

UK GDPR and the Challenge of Shadow AI

Under UK GDPR, the NHS is responsible for the protection of personal identifiable information (PII). The emergence of "Shadow AI", where staff use unauthorised AI tools to summarise clinical notes or draft patient communications, creates significant data governance gaps.

When patient information is pasted into third-party AI systems, it may be used for model training or stored in unsecured environments, violating Article 28 of the GDPR.

The NHS spends approximately £1 million across 46 trusts just to prepare for general GDPR enforcement, yet the speed of Mythos-class attacks could render these preparations obsolete. Attackers can now use AI to customise phishing emails and bypass multi-factor authentication (MFA) at a scale that was previously impossible.

Geopolitical Tensions and Supply Chain Integrity

The relationship between the NHS and Anthropic is complicated by broader geopolitical factors, particularly the "supply chain risk" designation issued by the United States government.

The Pentagon Conflict and US Blacklisting

In early 2026, the US Department of Defense and the Trump administration designated Anthropic as a "supply chain risk," leading to a mandate for federal agencies to phase out Anthropic contracts. This designation stems from a conflict over the model's refusal to allow its use for mass surveillance or autonomous lethal weapons, leading to a legal battle in the Washington, DC federal courts.

This creates a strategic dilemma for the NHS:

1. Procurement Risks: If the primary developer of a frontier model is blacklisted by its home government, the long-term stability and support of the product are called into question.

   
   

2. Sovereign Data Concerns: The US government's desire for visibility into where every advanced GPU operates, mandated by the Chip Security Act, could conflict with the UK's desire for sovereign data control over its healthcare records.

   
   

Despite these tensions, the UK government has maintained a partnership with Anthropic, signing an MOU to explore how AI can transform public services. This divergence in policy between the US and UK creates a complex procurement landscape for NHS administrators who must balance the need for cutting-edge technology with the requirement for a secure and stable supply chain.

Defensive Opportunities and Project Glasswing

While the offensive capabilities of Mythos are formidable, Anthropic has positioned the model as a powerful tool for defense. Through "Project Glasswing," Anthropic has shared the model with over 50 organisations, including CrowdStrike, Microsoft, and Google, to find and patch vulnerabilities in critical software before they can be exploited by adversaries.

The Shift to Agentic Defence

The National Cyber Security Centre (NCSC) has highlighted the "game-changing" nature of Mythos for defensive operations. For the NHS, this represents an opportunity to move from a reactive "patch-and-pray" model to an "agentic defence" posture.

• Automated Hardening: Using Mythos to scan legacy NHS codebases can identify the "27-year-old bugs" before they are found by state-sponsored actors.

  
  

• Real-Time Microsegmentation: AI-driven tools can help the NHS implement real-time microsegmentation, isolating compromised systems before an attacker can move laterally through the network.

  
  

• Enhanced Monitoring: Agentic SOCs (Security Operations Centres) can use models like Mythos to process the overwhelming volume of alerts generated by modern infrastructure, identifying the few truly critical threats amid the noise.

  
  

Anthropic has committed $100 Million in usage credits and $4 million in donations to open-source security to support these defensive efforts. If the NHS can secure access to these resources, it could significantly accelerate its modernisation efforts.

Regulatory Response and the Legislative Landscape

The UK government is responding to the "Mythos threat" with a series of legislative and regulatory initiatives designed to protect critical infrastructure.

The Cyber Security and Resilience Bill

This bill, currently progressing through Parliament, aims to strengthen protections for critical services like the NHS and the energy system. It introduces statutory enforcement powers with penalties that could dwarf current GDPR fines, making executive-level responsibility for cyber resilience a legal requirement.

MHRA Guidance on AI as a Medical Device (AIaMD)

The Medicines and Healthcare products Regulatory Agency (MHRA) has established a robust roadmap for the regulation of AIaMD. This includes:

• Good Machine Learning Practice (GMLP): Guiding principles for the development and deployment of medical AI, developed in partnership with the FDA and Health Canada.

  
  

• AI-Airlock: A regulatory sandbox that allows manufacturers to test novel AI features in a controlled environment with NHS partners.

  
  

• Transparency Principles: Requirements for AI systems to be "explainable" and for their training methodologies to be transparent to regulators and clinicians.

  
  

These frameworks are essential for ensuring that the integration of frontier models like Mythos does not bypass the stringent safety standards required for medical technology.

Economic Implications of the "Mythos Shift"

The arrival of Mythos has already caused significant turbulence in the financial markets, particularly in the cybersecurity sector. On March 27, 2026, cybersecurity stocks saw a sharp decline following reports of Mythos's capabilities, as investors feared that traditional security technologies could be replaced by advanced AI labs.

For the NHS, the economic considerations are twofold:

1. The Cost of Inaction: Maintaining legacy systems costs UK banks approximately £3.3 billion annually—roughly a quarter of their IT budgets. The NHS likely faces a similar burden. In an era where AI can exploit these systems for pennies, the "hidden fragility" of legacy delivery models becomes an unsustainable risk.

   
   

2. The Cost of Modernisation: While AI-powered modernisation tools can help "re-architect" legacy systems, the medium-term costs of system integration and workforce training are substantial.

   
   

The NHS estimates that proper application of AI technology could save the service hundreds of millions of pounds every year, funds that could be redirected toward frontline patient care. However, achieving these savings requires a massive upfront investment in both technology and human capital.

Strategic Recommendations and Future Outlook

The threat of Anthropic Mythos to the NHS is not a static one; it is a dynamic, evolving risk that will accelerate as AI capabilities continue to double every few months. To navigate this landscape, the NHS must adopt a multi-layered strategic response.

1. Immediate Hardening of Legacy Perimeter

The NHS must prioritize the decommissioning or isolation of legacy systems running on vulnerable versions of FreeBSD and OpenBSD. Given the ability of Mythos to autonomously exploit these foundations, any system that cannot be patched within a 72-hour window must be considered a critical vulnerability.

2. Implementation of AI Governance Frameworks

Trusts must move beyond "Shadow AI" and establish formal governance structures for the use of LLMs in clinical and administrative work. This includes:

• Mandatory Bias Audits: Regular testing of clinical AI agents against diverse patient datasets.

  
  

• Deskilling Mitigation: Integrating "AI-unassisted" diagnostic checks into clinical training to maintain foundational human skills.

  
  

• Data Processing Agreements: Ensuring all third-party AI providers, including Anthropic, provide HIPAA-ready or UK-equivalent data protection guarantees.

3. Participation in Defensive AI Coalitions

The NHS should seek active involvement in initiatives like Project Glasswing. By partnering with leading cybersecurity firms and AI labs, the NHS can leverage "frontier AI for defenders" to gain a durable advantage over adversaries. This includes adopting agentic SOC frameworks that can respond to AI-driven threats at machine speed.

4. Regulatory Agility and Legislative Compliance

Compliance with the upcoming Cyber Security and Resilience Bill and the MHRA’s AIaMD roadmap must be viewed as a strategic priority, not a clerical burden. Boards and executive teams must take direct responsibility for cyber resilience, ensuring that their organisations can detect, assess, and report incidents within the required windows.

However, by embracing the defensive capabilities of frontier AI and implementing robust governance and regulatory frameworks, the NHS can transform this threat into an opportunity for comprehensive modernisation. The window for this transformation is narrow; as these capabilities proliferate, the organisations that thrive will be those that view cybersecurity not as a technical function, but as a foundation for the safe and sustainable delivery of healthcare in the AI era.

Nelson Advisors > European MedTech and HealthTech Investment Banking

Nelson Advisors specialise in Mergers and Acquisitions, Partnerships and Investments for Digital Health, HealthTech, Health IT, Consumer HealthTech, Healthcare Cybersecurity, Healthcare AI companies. www.nelsonadvisors.co.uk

Nelson Advisors regularly publish Thought Leadership articles covering market insights, trends, analysis & predictions @ https://www.healthcare.digital 

Nelson Advisors publish Europe’s leading HealthTech and MedTech M&A Newsletter every week, subscribe today! https://lnkd.in/e5hTp_xb 

Nelson Advisors pride ourselves on our DNA as ‘Founders advising Founders.’ We partner with entrepreneurs, boards and investors to maximise shareholder value and investment returns. www.nelsonadvisors.co.uk

#NelsonAdvisors #HealthTech #DigitalHealth #HealthIT #Cybersecurity #HealthcareAI #ConsumerHealthTech #Mergers #Acquisitions #Partnerships #Growth #Strategy #NHS #UK #Europe #USA #VentureCapital #PrivateEquity #Founders #SeriesA #SeriesB #Founders #SellSide #TechAssets #Fundraising #BuildBuyPartner #GoToMarket #PharmaTech #BioTech #Genomics #MedTech

Nelson Advisors LLP

Hale House, 76-78 Portland Place, Marylebone, London, W1B 1NT

lloyd@nelsonadvisors.co.uk

paul@nelsonadvisors.co.uk

Meet Nelson Advisors @ 2026 Events

Digital Health Rewired > March 2026 > Birmingham, UK 

NHS ConfedExpo  > June 2026 > Manchester, UK 

HLTH Europe > June 2026, Amsterdam, Netherlands

HIMSS AI in Healthcare > July 2026, New York, USA

Bits & Pretzels > September 2026, Munich, Germany  

World Health Summit 2026 > October 2026, Berlin, Germany

HealthInvestor Healthcare Summit > October 2026, London, UK 

HLTH USA 2026 > October 2026, USA

Barclays Health Elevate > October 2026, London, UK 

Web Summit 2026 > November 2026, Lisbon, Portugal  

MEDICA 2026 > November 2026, Düsseldorf, Germany

Venture Capital World Summit > December 2026 Toronto, Canada