The Cyber-Equity Gap

Security is not distributed equally. Neither is the fallout.

On April 7, 2026, Anthropic announced Claude Mythos, an AI model capable of autonomously finding and exploiting software vulnerabilities at a scale and speed not previously seen. Mythos discovered thousands of previously unknown vulnerabilities across major operating systems and web browsers, including bugs that had survived decades of human-led security review.

Anthropic chose not to release Mythos publicly. Instead, they limited access to a small consortium of major technology companies through an initiative called Project Glasswing, giving those companies early access to use the model defensively against their own systems before the underlying capability became broadly available.

That decision makes sense. Releasing a tool that powerful into the wild without giving defenders time to prepare would have been irresponsible. Anthropic made the right call within the framing of the situation they created.

But Glasswing also did something else. It made the Cyber-Equity Gap visible.

The Two Versions of Cybersecurity

There is a version of cybersecurity that most large organizations can access: dedicated security teams, enterprise-grade tools, threat intelligence feeds, incident response plans, regular audits, and the budget to sustain all of it.

And then there is the version that most small businesses, nonprofits, schools, hospitals, and individuals are working with: a password manager if they're lucky, maybe multi-factor authentication, and a vague awareness that they should probably be doing more.

That gap, between who has access to real cybersecurity protection and who doesn't, is the Cyber-Equity Gap. And it is widening.

Glasswing is that gap made literal. Some organizations got months of head start to use a transformative AI capability on their own systems. Schools, small hospitals, accounting firms, and nonprofits were not on the list.

It would be easy to frame this as a problem for small businesses to solve on their own. It is not that simple.

Cybersecurity is not just about protecting individual organizations. It is about protecting the networks those organizations are part of. An accounting firm with weak security is a potential entry point into every client's financial data. A rural hospital with outdated systems is a vulnerability in the regional healthcare network. A school district with no incident response plan is a target that affects thousands of families.

The weakest link in any connected system determines the security of the whole system. And right now, there are a lot of weak links.

🚀 MARTY SAYS

"In space, you don't get to say 'that's not my part of the ship'. Everything is connected. A breach anywhere is a risk everywhere."

What Happens When the Others Don't Wait

Glasswing’s defensive head start only works if every AI lab exercises the same restraint. They won't. Competitors are rapidly iterating on cyber-capable models, including OpenAI’s GPT-5.4-Cyber and Google’s Big Sleep project. Smaller, open-weights models, meaning AI models whose trained weights are publicly downloadable, have already shown they can replicate these exploitation capabilities on a smaller scale.

The pattern matters more than any individual model. Mythos remains restricted. But other labs are building comparable capabilities, and not every lab will make the same choice Anthropic did. The next Mythos-class model might come from a company that releases it openly. It might come from an open-source effort. Whenever that happens, the gap between organizations that had time to prepare and organizations that didn't gets wider, fast.

How the Gap Is Growing

Three forces are making this worse simultaneously.

AI is lowering the cost of attacks. Bad actors can now automate sophisticated phishing and malware development at scale. While the barrier to launching a credible attack has plummeted, the technical barrier to defending against one remains high.

AI tools are creating new entry points. As we covered in earlier issues, AI tools, many of them designed for consumers and small businesses, collect and process sensitive data with varying degrees of security. Organizations without the resources to evaluate those tools carefully are adopting them anyway, often without understanding the exposure.

Security talent is concentrated at the top. The most skilled cybersecurity professionals work for organizations that can pay for them. That is not surprising, but it means the organizations that most need security expertise are least likely to have access to it.

THE ASYMMETRY PROBLEM

An attacker only needs to find one way in. A defender has to protect every possible entry point, all the time, with no margin for error. That asymmetry already tilts the playing field toward attackers. Now factor in that most small organizations have no dedicated security staff, limited budgets, and tools that weren't designed with security as a priority. For small organizations, that imbalance isn't a disadvantage but a wall.

Safe Harbor: Three Things You Can Do This Week

  • If you work at a large organization: Ask whether your security team does any outreach, mentorship, or resource sharing with smaller organizations in your supply chain or community. The weakest link problem is your problem too.
  • If you work at a small organization: Look at CISA's free cybersecurity resources at cisa.gov. The US Cybersecurity and Infrastructure Security Agency publishes free, practical guidance specifically designed for organizations without dedicated security teams.
  • For everyone: Enable multi-factor authentication on every account that offers it. It is the single highest-impact security action available to any individual or organization, regardless of budget. There is no excuse not to have it in 2026.

Next week: We shift into Month 3 and we're starting with the companies behind the tools you use every day. Before you can evaluate the AI, you need to know who built it and why.