Singularity.Kiwi

AI progress, with honesty.
Two locked digital vaults facing each other across a dark network operations center, dramatic blue and amber lighting, photojournalistic style
Breaking News 13 May 2026

OpenAI's Daybreak vs Anthropic's Mythos: The AI Cybersecurity Arms Race Just Went Hot

OpenAI launched Daybreak with three GPT-5.5 model variants for cybersecurity, directly challenging Anthropic's Mythos. Same day: Google caught the first AI-developed zero-day in the wild.

OpenAIDaybreakAnthropicMythosAI cybersecurity

The AI cybersecurity arms race has a starting gun, and someone just fired it twice.

On Monday, Google’s Threat Intelligence Group disclosed the first confirmed zero-day exploit developed with AI assistance — a criminal group’s Python script designed to bypass 2FA on a popular open-source admin tool. Google caught it before deployment. The tell? Hallucinated CVSS scores, educational docstrings, and the structured textbook formatting that screams “large language model output.”

Hours later, OpenAI launched Daybreak — a cybersecurity platform built around three GPT-5.5 model variants, backed by Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler. The message was clear: if AI can find vulnerabilities, AI should defend them too.

Two Platforms, Two Philosophies

The contrast with Anthropic’s Mythos is now the defining shape of this race.

Daybreak is operational and workflow-integrated. It starts with threat modelling against a repository, identifies and tests vulnerabilities in an isolated environment, then proposes and validates fixes. The three model tiers — standard GPT-5.5, Trusted Access for Cyber (for verified defenders), and GPT-5.5-Cyber (for authorised red teaming) — create a graduated access system. OpenAI wants Daybreak embedded in enterprise security workflows, compressing hours of analysis into minutes with audit-ready evidence.

Mythos is discovery-first. Anthropic has surfaced thousands of zero-day vulnerabilities across major operating systems and browsers, but kept it inside a controlled rollout to roughly a dozen partner organisations under a $100M defensive programme. Anthropic treats Mythos as a dual-use system whose offensive reasoning is powerful enough to require strict governance. We covered Mythos extensively last month when GPT-5.5 matched its cybersecurity scores in UK AISI testing.

The philosophical difference matters. OpenAI is selling a tool for defenders. Anthropic is guarding a weapon. Both approaches have merit — and both have risks.

The Zero-Day That Proved the Point

Google’s disclosure wasn’t theoretical. The exploit targeted a semantic logic flaw — not a buffer overflow or input sanitisation error, but a high-level design mistake where a developer hardcoded a trust assumption into 2FA logic. Traditional vulnerability scanners and fuzzers miss this category entirely. LLMs don’t. Frontier models can read developer intent and correlate authentication enforcement logic with hardcoded exceptions that contradict it.

This is exactly the kind of vulnerability that Daybreak and Mythos are designed to find. The fact that a criminal group got there first — using AI to find a flaw that no traditional tool could — is the proof point that moved AI cybersecurity from “interesting research” to “operational necessity.”

The GTIG report also documented Chinese and North Korean state actors using AI for vulnerability research, Russian-nexus actors deploying AI-generated decoy code against Ukrainian targets, and an Android malware called PROMPTSPY that uses Google’s own Gemini API to autonomously navigate devices, capture biometric data, and block its own uninstallation.

The offensive AI era isn’t coming. It’s here.

What This Means for NZ

New Zealand’s Cyber Security Centre reported last year that 350+ serious cyber incidents affected NZ organisations. AI-powered offensive tools will increase both the volume and sophistication of attacks on NZ businesses, which are overwhelmingly small-to-medium enterprises without dedicated security teams.

The defensive tools are coming — Daybreak, Mythos, and others will filter down. But the gap between offensive and defensive AI capabilities is measured in months, not years. NZ organisations that haven’t invested in AI-aware security practices are now officially behind the curve.

🔍 THE BOTTOM LINE

The first AI-built zero-day was caught before it was used. The next one might not be. OpenAI and Anthropic are racing to build the defensive AI that catches them — but the criminals are already using AI to find them. The cybersecurity arms race that everyone predicted is no longer theoretical. It has incident numbers and CVSS scores.

❓ Frequently Asked Questions

Q: What does this mean for NZ? NZ businesses — mostly SMEs without security teams — face increasing AI-powered attacks. The NCSC’s 350+ annual incidents will grow. AI-aware security tooling will arrive, but probably on enterprise timelines. The gap is real and present.

Q: What’s the difference between Daybreak and Mythos? Daybreak is an operational security platform that integrates into enterprise workflows with three tiers of GPT-5.5 access. Mythos is a vulnerability discovery system with tightly controlled access, focused on finding zero-days through advanced reasoning. Daybreak is a hammer; Mythos is a scalpel.

Q: Should I be worried about AI hacking my systems? The first confirmed AI-developed zero-day targeted an open-source admin tool’s 2FA. If you’re running internet-facing services without modern security practices, yes — the threat landscape just changed. Patch management and 2FA implementation matter more than ever.

Sources

Sources: The Next Web, OpenAI, Google GTIG, The Verge

Related Articles