
Post-Mythos Cybersecurity Arms Race: OpenAI's Sol, Terra, and Luna Signal a Shift to Defensive AI

OpenAI just dropped Sol, Terra, and Luna — three defensive AI models built while Anthropic was busy shipping Mythos to a vetted few. The cybersecurity arms race has flipped from offense to defense, and that flip matters more than the models.

Tags: Mythos, Anthropic, OpenAI, cybersecurity, AI safety

The “Mythos shock” is settling into something more familiar and more useful: a slow, expensive, specialised arms race. A week after Anthropic’s Mythos went out to a US-vetted handful of “trusted partners” (see our earlier piece, “The US Government Picked Who Gets Anthropic”), OpenAI has countered with three narrow defensive models — Sol, Terra, and Luna — aimed at the day-to-day grind of patching, monitoring, and incident response. The fight has moved off the cover of the brochure and into the security operations centre. For New Zealand’s small but persistent AI sector, that is the more important story.

🔍 THE BOTTOM LINE

The cybersecurity landscape has matured past Mythos’s “revolutionary” hype and into a phase defined by specialised, defence-oriented models. OpenAI’s Sol, Terra, and Luna confirm that even the offensive-leaning US labs are now selling shields, not swords — because shields are easier to monetise and harder to regulate. Open-source models (DeepSeek, Gemma 4, Qwen 3.6) are closing the gap on detection but still can’t generate novel exploits. The takeaway for NZ firms: stop chasing headline breakthroughs; the real game is boring, niche, and winnable.

What Mythos Did — And Why It’s Already Overhyped

The Mythos story broke hard. Cephalosec’s write-up put a number on it: brute-force testing running 1,000+ iterations per file, with costs in the $20K-per-bug range and entity-level budgets pushing $100M (think Glasswing). That implied a near-perfect offensive capability.

That framing doesn’t survive scrutiny. The same analysis notes that GPT-5.4 and Opus 4.6 are “not so far behind” in raw detection, meaning the gap is shrinking not because Mythos is uniquely brilliant, but because the frontier is converging fast. The takeaway from our earlier piece, “Small AI Models Match Mythos on Cybersecurity — The Moat Is the System, Not the Model,” still holds: the moat was never the model, it was the system around it. Once a few labs publish their workflows, everyone else replicates them within a quarter.

In other words: Mythos is impressive, but it’s not a moat. It’s a press release.

The Open-Source Catch-Up Is Real

The most under-reported number in this whole story is the open-source detection rate. DeepSeek performs decently inside cloud environments; Gemma 4 and Qwen 3.6 reportedly find around half of the vulnerabilities Mythos flags in head-to-head runs. That’s not a rounding error — that’s a credible second-tier product that anyone with a decent GPU rack can self-host.

The honest caveat: open models are good at detection, bad at exploit generation. They can tell you a bug exists; they cannot reliably produce a working proof-of-concept. That asymmetry matters. Detection is a defensive posture. Exploit generation is an offensive one — and it’s the part every AI lab is now treating as a controlled good. Which is precisely why OpenAI’s new models are defensive.

OpenAI’s Sol, Terra, and Luna: The Pivot to Paid Shields

The Sol/Terra/Luna release is the most interesting thing OpenAI has shipped this quarter, and it barely made the homepage of any major outlet. The three models are narrow, defensive, and — crucially — sold as part of enterprise deployment packages rather than as raw API endpoints. Coverage at The Verge frames them as part of OpenAI’s broader “Daybreak” security suite; analysts are already mapping them to slots the industry has been calling “GPT-5.5-Cyber” and “Codex Security.”

This is OpenAI doing what every frontier lab eventually does once the regulator shows up: pivot to the workload that’s exportable. Defensive models are easier to sell to governments, easier to license overseas, and easier to gate behind enterprise contracts. Offensive tooling gets you export-control scrutiny and hostile press. Defensive tooling gets you procurement meetings.

Expect the same playbook from Anthropic within six months.

The Mozilla Signal: Detection Has Already Won

The proof point nobody’s talking about is Mozilla’s published numbers: 271 confirmed vulnerabilities found in Firefox with a false-positive rate low enough that engineers stopped arguing with the model and started merging its patches. Mozilla’s write-up is the closest thing the industry has to a public benchmark for AI-augmented security work, and it is unflattering to the vendors charging $100M for the “real” version.

A Hacker News discussion on the Mozilla numbers crystallised the consensus: high-accuracy AI auditing is no longer the bottleneck. The bottleneck is who gets to use it. Cloudflare’s own characterisation of their AI testers as “better than human testers” confirms the same point from the defender’s side. The capability exists. The access doesn’t.

That’s the whole post-Mythos story in one paragraph: the technology has commoditised faster than the politics.

Artificial Scarcity, Disguised as Responsibility

The export-control moves around Mythos and the premium-deployment framing around Sol/Terra/Luna are the same play with different branding. US restrictions blocked Mythos/Fable capabilities from non-US citizens roughly two weeks ago. Anthropic — a company that publicly lobbied for global AI regulation — became the recipient of some of the most potent, least regulated technology on Earth, then turned around and asked for permission to share it with a hand-picked list of allies. The contradiction is now structural, not anecdotal.

OpenAI’s Sol/Terra/Luna packaging is the smoother version of the same trick: powerful defensive tools wrapped in enterprise contracts and “responsible deployment” language, sold to the same buyers who would have bought Mythos if they could get it. The headline says “responsibly deployed.” The price list says “access-tiered.”

Neither lab is lying. Both are doing exactly what the regulatory environment rewards.

❓ FAQ

Q1: Is Mythos technology truly revolutionary? No. It is a massive computational effort applied to known attack vectors, with workflows that competing labs are already replicating. The gap to GPT-5.4 and Opus 4.6 is measured in quarters, not years.

Q2: Can open-source models fully replace commercial offerings like Sol, Terra, and Luna? For detection: soon, yes — Gemma 4 and Qwen 3.6 already find roughly half of what Mythos flags, and the gap is closing. For exploit generation and enterprise integration: no, not yet, and likely not this year.

Q3: What does “artificial scarcity” mean in this context? Powerful defensive AI is being sold as a premium, contract-gated service by large US labs, making top-tier security auditing accessible only to organisations that can pay enterprise rates or pass government vetting. The scarcity is policy-created, not capability-created.

Q4: Should NZ companies focus on offense or defense right now? Defence, and specifically niche defence. Build around local assets where global AI models lack context: compliance-heavy regulated industries, industrial control systems with physical-domain knowledge requirements, and SMB segments the frontier labs have no incentive to serve.

Q5: Will the export-control regime around Mythos spread to defensive models too? Probably, eventually. The current distinction between “offensive” and “defensive” AI is policy theatre — the same training runs underpin both. Expect a second wave of restrictions within 12–18 months once the defensive tools prove capable enough to be strategically interesting.

The New Zealand Angle: Niche Beats Headline

For our local tech ecosystem, the lesson is uncomfortable and useful in equal measure. We are not going to win the frontier-model arms race. We do not have a $100M offensive-research budget and we are not getting one. The Mythos gate and the Sol/Terra/Luna paywall both point the same direction: the most capable AI is now a controlled good, and the next most capable AI is a paid good.

What we can do — and what the global labs will not bother to do — is build deep into the long tail. Industrial control system security for NZ’s dairy, forestry, and port infrastructure. Compliance tooling tuned to the Privacy Act 2020 and the new AI guidance. Local-language and te reo Māori incident-response workflows. Vulnerability triage for the SMB market the hyperscalers ignore. None of that is headline-grabbing. All of it is defensible, billable, and adjacent to where the offensive models can’t easily reach.

The post-Mythos world is a worse one for companies that planned to rent capability from San Francisco. It is a better one for companies willing to own a small, ugly, locally-relevant problem and grind on it for a decade.

🔍 THE BOTTOM LINE

The cybersecurity arms race has shifted from “who finds the bug fastest” to “who deploys the most reliable, specialised shield.” OpenAI’s Sol/Terra/Luna confirm the defensive pivot; Mythos’s export controls confirm the gatekeeping. For New Zealand, the winning move is not chasing headline breakthroughs — it is owning the deep, local, unglamorous integrations that global AI labs will never prioritise. Boring is a moat.


📰 Sources

Cephalosec, Hacker News, Mozilla, The Verge