When AI Becomes the Weapon
Anthropic's red team just published what their latest model can do to critical infrastructure. Dutch hospitals already know what happens when the control layer is missing. Here is the connection — and what changes it.
181 working exploits. Zero human steps. One prompt.
Anthropic's red team published something unusual in April 2026: an honest assessment of what their latest model, Claude Mythos Preview, can do to real software systems. The finding was stark.
Given an isolated container, Claude Code, and a simple prompt — "find a vulnerability in this program" — Mythos Preview reads the source, forms hypotheses, writes test harnesses, debugs failures, and delivers working exploits. Fully autonomously. No security expertise required from the operator.
The previous state of the art, Opus 4.6, produced 2 working Firefox exploits across hundreds of attempts. Mythos Preview produced 181 from the same set. That is not an improvement. That is a category boundary crossed.
Anthropic's own red team called this one of the most dangerous AI capabilities they have seen. They are not releasing it broadly. They are instead deploying it defensively via Project Glasswing — to critical infrastructure partners who need to find their own bugs before attackers do.
The implication for everyone else is direct: the cost of producing a working exploit against your infrastructure just dropped from weeks of specialist work to an overnight prompt. The expertise barrier that once protected legacy systems — including clinical IT like Chipsoft's HiX — is gone.
The only answer is not better patching alone. It is a control layer that assumes the exploit will land and asks what happens next.
Mythos Preview reads source code, forms hypotheses, tests them, debugs failures, and delivers working exploits — without a human in the loop. This is not a tool. It is an autonomous researcher.
JIT heap spray + sandbox escape + two chained privilege escalations — written as a single autonomous exploit chain against a major browser. Previously a task requiring weeks of expert work.
Autonomous local privilege escalation on Linux using race conditions. No expert guidance. No manual debugging. A clean exploit delivered from a single prompt.
Remote code execution on FreeBSD's NFS implementation via a 20-gadget return-oriented programming chain. The kind of exploit that used to require months of specialist research.
Engineers without any security training asked for an RCE in the evening. A working exploit was ready the next morning. The expertise barrier for sophisticated attacks has collapsed.
The previous SOTA (Opus 4.6) produced 2 working Firefox exploits across hundreds of attempts. Mythos Preview produced 181 from the same set. That is not iteration. That is a phase transition.
Chipsoft HiX. €220,000. Clinical operations halted for weeks.
In December 2019, Maastricht University Medical Center became one of the most documented ransomware victims in European healthcare. The attack did not need AI. Today, it would take one prompt.
The Clop ransomware group gained initial access through a spear-phishing email at Maastricht UMC+ in October 2019. No AI was needed — a single click was enough to get inside a flat, trusted network.
Clop spent weeks moving laterally across the hospital network before detonating. Chipsoft's HiX EHR system — used by hundreds of Dutch hospitals — was among the systems hit. Patient records, clinical workflows, research systems: all frozen.
Surgeries were rescheduled. Students lost research data. Backup procedures replaced digital workflows. The hospital could not access patient records for critical care decisions during the outage period.
Maastricht UMC+ paid the ransom in Bitcoin. The Dutch government and cybersecurity community discussed the precedent. The lesson was not about the payment — it was about what was missing before the attack.
Chipsoft's HiX is the dominant electronic health record platform in the Netherlands. The majority of Dutch hospitals — academic medical centres, general hospitals, and specialist clinics — run their clinical operations on it.
That concentration means a successful attack on HiX infrastructure is not an IT incident. It is a clinical incident. Patient records become inaccessible. Medication administration depends on paper fallback. Surgical planning stops.
In 2019, an attacker with weeks of time and basic lateral movement capability achieved this. In 2026, Mythos Preview can find the initial exploit autonomously overnight. The entry cost just collapsed.
The question is not whether AI-powered ransomware will target Dutch healthcare infrastructure. It is whether that infrastructure will have a control layer in place when it does.
Four control gaps that turned a phishing email into a €220k ransom
Once inside, ransomware moves freely because there is no policy layer deciding what each process is permitted to reach. HiX data, backup stores, and domain controllers sat in the same trusted zone.
Clop spent weeks in the network before detonating. An AI-governed infrastructure layer watching process behaviour, lateral connections, and access patterns would have raised the alert during reconnaissance.
The hospital had no fail-closed mode. When the ransomware detonated, everything came down together. A properly isolated, fail-closed architecture degrades gracefully — critical functions survive even when the periphery is lost.
Attackers who compromise logs can cover their tracks. Without an immutable, out-of-band audit trail, the hospital could not reconstruct the full attack path quickly enough to isolate and recover with confidence.
Control before execution. Every time. No exceptions.
SAITS is a control-first AI and cloud platform. The same architecture that governs AI agent execution also makes ransomware lateral movement structurally impossible in a properly deployed environment.
Every process, AI agent, and service runs inside an explicit permission envelope. Actions outside that envelope do not degrade gracefully — they stop. Ransomware that cannot move laterally cannot spread.
The SAITS control plane monitors execution behaviour continuously — process trees, lateral connections, data access patterns, and AI agent tool calls. Deviation from baseline triggers isolation, not just alerting.
Every action — human, automated, or AI-generated — is written to a tamper-evident, out-of-band audit log. Attackers who compromise the application layer cannot erase what the control plane already recorded.
Services are containerised with enforced network segmentation. If one surface is compromised, the blast radius is bounded by the control layer — not by hoping the attacker stops. Critical clinical data sits in a separate trust domain.
No AI agent on the SAITS platform can call a tool, write to storage, or invoke an external service without passing through the governed execution layer. Mythos-style autonomous execution is impossible without control-layer authorisation.
Mythos Preview turns N-day vulnerabilities into minutes of work. The SAITS platform enforces patch cycles as a first-class infrastructure concern — not a maintenance task. Unpatched surfaces become immediate policy violations.
The exploit landing is not the disaster.
The disaster is what happens after.
Mythos Preview can find the initial exploit. That is now a given. The question every CTO, CISO, and hospital board needs to answer is: what does your infrastructure do once the exploit lands?
In a flat, trusted network, the answer is: it spreads. It reaches your HiX servers. It encrypts your clinical data. It halts your operations. And then someone calls the Bitcoin wallet address.
In a SAITS-governed infrastructure, the answer is: the execution is bounded. The lateral movement attempt hits a policy boundary. The anomaly is detected and isolated. The blast radius is contained. The audit trail is intact.
Not because the exploit did not land. But because the control layer was already there, waiting for exactly that moment.
Six things that change your posture today
Assume your perimeter is already breached. Design every network segment as if the attacker is already there.
Add a fail-closed execution layer to every AI workflow. If the control plane cannot verify the action, the action does not happen.
Shorten your patch cycle to days, not quarters. Mythos Preview converts N-days into minutes of attacker work.
Separate your clinical or operational data into a distinct trust domain with explicit crossing rules.
Instrument behaviour, not just uptime. Ransomware reconnaissance is weeks of normal-looking traffic before detonation.
Test your recovery. Maastricht UMC+ had backups — some were encrypted too. Validated, isolated, immutable backups are non-negotiable.
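The fail-closed execution layer from the list above, combined with the tamper-evident audit log described earlier, as an added Python example (not SAITS code). The `Gate` and `AuditLog` classes, the `in_policy` function, and the agent, tool and target names are hypothetical, and the policy is a constructed sample.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed policy: (agent, tool, target) triples that are permitted.
POLICY = {("scheduler", "http_get", "ehr-api")}

def digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class AuditLog:
    """Append-only hash chain; each record commits to the one before it."""
    def __init__(self):
        self.records, self.head = [], GENESIS

    def append(self, event):
        self.head = digest(self.head, event)
        self.records.append({"event": event, "hash": self.head})
        return self.head  # ship this value out of band after every write

    def verify(self, trusted_head):  # trusted_head: the copy kept out of band
        prev = GENESIS
        for rec in self.records:
            prev = digest(prev, rec["event"])
            if rec["hash"] != prev:
                return False
        return prev == trusted_head

class Gate:
    """Every tool call goes through execute(); anything unverifiable is denied."""
    def __init__(self, decide, log):
        self.decide, self.log = decide, log  # decide(agent, tool, target) -> bool

    def execute(self, agent, tool, target, action):
        try:
            allowed = self.decide(agent, tool, target) is True
            reason = "policy allow" if allowed else "not in policy"
        except Exception as exc:  # policy engine unreachable: fail closed
            allowed, reason = False, "policy unavailable: " + type(exc).__name__
        # Record the decision before acting; if logging raises, nothing runs.
        self.log.append({"agent": agent, "tool": tool, "target": target,
                         "allowed": allowed, "reason": reason})
        if not allowed:
            raise PermissionError(f"{agent} {tool} {target}: {reason}")
        return action()

def in_policy(agent, tool, target):
    return (agent, tool, target) in POLICY
```

The hash chain only detects tampering if the head value is stored somewhere the compromised host cannot rewrite; an attacker who can edit both the records and the head can recompute a consistent chain.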
Primary source for the 181 exploit count, zero-day examples, and the non-expert accessibility finding.
Analysis of the 2019 Clop ransomware attack on Maastricht University Medical Center including the €220,000 ransom payment.
Chipsoft's HiX system is the primary EHR used by the majority of Dutch hospitals. Compromise of this infrastructure class has direct clinical impact.
Dutch National Cyber Security Centre guidance on ransomware threats specifically targeting healthcare infrastructure.
Reference taxonomy for AI-specific attack vectors including excessive agency, insecure tool use, and supply chain risk.
Your infrastructure needs a control layer.
Not a better firewall.
SAITS builds fail-closed, governed execution environments for organisations that cannot afford to find out what happens after the exploit lands.