New Zealand at the 'Wild Frontier' of AI Superhacking, Says Cyber Watchdog

NZ's cyber watchdog says frontier AI models like Mythos are creating a 'wild frontier' of superhacking. Palo Alto issued 24 alerts in a day instead of its usual 5 per month. NZ isn't part of the inner circle — and the patching crisis is global.

New Zealand’s National Cyber Security Centre says the country is at the “wild frontier” of AI superhacking, warning organisations to prepare for a “significant increase in vulnerabilities and incidents” from frontier models like Anthropic’s Claude Mythos. Palo Alto Networks — a Glasswing partner — issued roughly two dozen security alerts in a single day after Mythos testing, when it normally issues about five per month. NZ is not part of Project Glasswing, but the NCSC is talking to partners who are.

🔍 THE BOTTOM LINE

AI can now find security vulnerabilities faster than humans can patch them. NZ, with its small cybersecurity workforce and no seat at the Glasswing table, is disproportionately exposed to the fallout.


What the NCSC Said

The NCSC, which sits within the Government Communications Security Bureau (GCSB), told RNZ that as frontier AI models improve, “they will change the cyber threat landscape for organisations because of the ability for malicious actors to find and exploit vulnerabilities at unprecedented speed and scale.”

The centre recently briefed 300 local cybersecurity specialists on frontier AI models and their implications. Its core message: the old pace of vulnerability disclosure is over. Mythos found 10,000+ high and critical vulnerabilities in its first month. Only 97 have been patched.

The NCSC’s advice to NZ organisations boils down to four things:

  • Patch frequently — don’t wait for monthly cycles
  • Reduce the attack surface and apply defence in depth
  • Review vulnerability management policies across your supply chain
  • Monitor for potential compromise — constantly

“These are all standard practices,” the NCSC acknowledged, “but organisations need to do them more quickly and more consistently.”

That’s the uncomfortable truth: the NCSC’s advice isn’t new. It’s the same advice cybersecurity professionals have been giving for years. The difference is that the speed at which vulnerabilities can now be found and exploited makes “more quickly and more consistently” the difference between being breached and not.


Palo Alto: 24 Alerts in One Day

The scale of what Mythos is uncovering is staggering. Palo Alto Networks, one of the 50+ partners in Project Glasswing, reported issuing approximately two dozen security alerts in a single day as a result of Mythos testing. Its normal rate: about five per month.

That’s not a gradual increase. That’s a firehose.

Cloudflare found 2,000 bugs, 400 of them high or critical. Mozilla fixed 271 vulnerabilities in Firefox 150 that earlier models had completely missed. The UK’s NCSC — NZ’s counterpart — warned organisations to prepare for a “vulnerability patch wave” driven by decades of technical debt suddenly being exposed.


NZ Isn’t in the Room

Here’s the NZ-specific problem: the NCSC is not part of Project Glasswing. It’s talking to partners who are, but it’s getting the information second-hand.

“We are talking regularly with a range of partners and vendors, including some who are involved with Glasswing, so that we can understand the landscape and provide meaningful advice,” the NCSC told RNZ.

The Glasswing partners include AWS, Apple, Cisco, Cloudflare, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and the Linux Foundation. Notably absent: any NZ government agency, any NZ company, any NZ critical infrastructure operator.

China asked for Mythos access and was denied. The Pentagon is racing to weaponise frontier models, according to Politico — ironic, given it had been freezing Anthropic out over AI weapons concerns. Meanwhile, US banks are “rushing to plug cyber holes” flagged by Mythos, Reuters reported.

NZ is watching from the bleachers.


The Patching Crisis Hits Different Here

The global patching crisis — 10,000+ found, 97 patched — has a specific NZ dimension. As we reported in April, NZ’s own GCSB assessment found critical infrastructure barely at “foundational” cybersecurity level. The country has fewer security engineers per capita than the US or EU, and relies heavily on upstream open-source fixes.

When open-source maintainers are asking Anthropic to slow down disclosures because they can’t keep up, NZ organisations — further down the patching queue — are even further behind.

The NCSC acknowledged this timing gap. “We anticipate organisations need to prepare for a significant increase in vulnerabilities and incidents,” it said. “We’ve already started delivering advice to help organisations prepare.”

But advice isn’t patches. And the NCSC’s own resources are limited — it’s a small team covering a country of five million people with a disproportionately large attack surface of small-to-medium organisations that lack dedicated security staff.


Marketing Hype or Genuine Threat?

Critics have questioned whether Mythos’s capabilities are being oversold. RNZ itself asked whether the alarm bells were fair warning or marketing hype back in April.

There’s a degree of truth to the scepticism. Anthropic stands to benefit from Mythos being perceived as powerful and dangerous — it justifies premium pricing, government contracts, and regulatory moats. When the company says Mythos’s hacking abilities “emerged” rather than being designed in, that’s both technically interesting and commercially convenient.

But the raw numbers are hard to spin away. A 90.6% true positive rate confirmed by six independent security firms. Mozilla finding 10× more vulnerabilities than with previous models. A $1.5M fraudulent wire transfer intercepted at a partner bank. Whether or not Anthropic is amplifying the narrative for commercial gain, the vulnerabilities Mythos is finding are real.

The NCSC seems to have landed on a pragmatic position: the hype and the threat aren’t mutually exclusive. The vulnerabilities are real. The question is whether the response infrastructure — patching, triage, disclosure — can keep up.


What About the Long Term?

Anthropic and the NCSC both argue that in the medium to long term, frontier AI will benefit defenders more than attackers. Better code from the start. More secure development lifecycles. Faster patching, eventually, by the same AI that finds the bugs.

The NCSC said frontier AI “offers the promise of more secure software code from the outset and a better software development lifecycle.”

That’s probably true — eventually. But “eventually” is a word that doesn’t help the organisation getting exploited today through a vulnerability that Mythos found in April and nobody’s patched yet. The transition period — between AI finding bugs and AI helping fix them at scale — is where the damage happens. And NZ, without Glasswing access and with limited cybersecurity capacity, is more exposed during that transition than most.


❓ Frequently Asked Questions

Q: What does this mean for NZ businesses and organisations?
A: The NCSC is clear: patch more frequently, reduce your attack surface, review your supply chain’s vulnerability management, and monitor constantly. The standard advice hasn’t changed — the urgency has. Organisations that treat cybersecurity as a quarterly checklist exercise are now exposed in ways they weren’t six months ago.

Q: Is NZ part of Project Glasswing?
A: No. The NCSC says it’s talking to partners who are, but NZ has no direct access to Mythos or the Glasswing vulnerability data. This means NZ is learning about vulnerabilities through the same public channels as everyone else — not through the early-warning pipeline that Glasswing partners get.

Q: Should I be worried about Mythos being used against NZ targets?
A: Mythos itself is restricted to Glasswing partners. The concern isn’t Mythos specifically — it’s that similar capabilities are becoming available to other actors. If Anthropic’s model can find 10,000 vulnerabilities, models with comparable capability won’t stay restricted forever.

Q: What’s the NCSC actually doing?
A: It briefed 300 cybersecurity specialists on frontier AI, is engaging with Glasswing-adjacent partners, and has published guidance on preparing for the vulnerability patch wave. It’s also working with critical infrastructure providers. What it doesn’t have is direct access to Mythos or the real-time vulnerability data that Glasswing partners receive.


🔍 THE BOTTOM LINE

NZ’s cyber watchdog is right: we’re at the wild frontier. The question is whether we’re riding the horse or standing in front of it. Without Glasswing access, with limited cybersecurity capacity, and with the patching queue growing faster than the patching workforce, NZ is watching the superhacking revolution from the cheap seats. The NCSC’s advice — patch more, faster, consistently — is sound. It’s also an admission that the fundamentals haven’t changed, only the speed at which they need to be executed. In a country where critical infrastructure was assessed as barely at “foundational” cybersecurity level just months ago, speed is exactly what we don’t have.


Sources

  • RNZ
  • Anthropic
  • Palo Alto Networks
  • Reuters
  • Politico
  • UK NCSC