TL;DR:

  • Richard Horne, head of the National Cyber Security Centre, will tell the CyberUK conference that advanced AI tools such as Anthropic’s Claude Mythos can be a “net positive” for UK cyber defence if secured against misuse.
  • Security minister Dan Jarvis is calling on AI companies to work with government on a “generational endeavour” to use AI to protect critical networks.
  • Horne will urge organisations not to fear new AI-enabled attacks but to “do the basics right” on patching, legacy system retirement and adoption of the newly-published European AI safety guidelines.

The CyberUK speeches are the British government’s first attempt to reframe Anthropic’s Mythos disclosure — which dominated international headlines last week after the model’s hacking capability was described as “as good as, if not better than, the best humans” — from pure threat narrative to dual-use opportunity. It is a calculated message: the UK does not make frontier models and cannot directly control their release, so its posture has to be about leveraging access, not constraining supply.

The constrained-ally playbook

Horne’s speech lands alongside Anthropic’s invitation to the NCSC to use Mythos for defensive red-teaming — an access arrangement the UK does not have with OpenAI’s comparable GPT 5.4 Cyber model. That asymmetric access is the substantive policy point beneath the rhetorical one. UK defenders can use Mythos to find and patch vulnerabilities in critical national infrastructure ahead of malicious actors acquiring similar capability by other means. That only works if Anthropic keeps the access arrangement in place and if UK operators of critical networks act fast enough on the findings.

What Horne expects critical-infrastructure operators to do

The “basics” frame is intentional. MI5’s recent warnings to energy, water and communications firms focused on patching known vulnerabilities rather than novel AI-driven threats, and Horne’s CyberUK message reinforces that priority. His reference to European safety guidelines — Anthropic and other labs have publicly committed to the Brussels-origin voluntary framework — suggests the NCSC is building its supervisory expectations off the same document, offering a degree of UK-EU alignment even outside formal regulatory convergence.

Looking forward

The practical question for UK business cyber teams is whether NCSC access to Mythos-generation capability translates into faster vulnerability disclosures. Today’s briefings imply yes — but the speed of translation into sector-specific guidance has historically been the weak point. Watch for a first Mythos-informed NCSC threat advisory in the next quarter, and for insurer responses to align with it. The Financial Times separately reported this week that Beazley and QBE are already adjusting cyber policy wording for AI-specific exposures, and that insurer-regulator alignment will shape UK deployment economics faster than any formal AI Act-style regulation.