TL;DR:

  • NCSC chief Richard Horne has told Sky News that AI models like Claude Mythos are “warning shots” for UK organisations, requiring them to act with “10 times urgency” on basic cyber hygiene.
  • Horne said Mythos is not finding new attack classes — it is speeding up discovery of existing, known vulnerabilities, meaning the test is whether organisations can compress patching timelines from days to minutes.
  • The framing is consistent with other UK-government voices this week — CMORG, gov.uk’s call to AI companies, the £90m SMB resilience spend — making Wednesday the clearest joint NCSC-HMG repositioning of AI cyber-threat narrative to date.

The UK’s top cybersecurity official has told Sky News that AI models such as Anthropic’s Claude Mythos are “warning shots” for the UK about powerful AI. Richard Horne, head of the National Cyber Security Centre, stressed that UK organisations need to act with “10 times urgency” on their cyber defences. Horne said he did not consider AI a current national-security threat per se — the new models “are not finding new attacks, they’re just exposing more security vulnerabilities”.

What Horne is actually saying

Horne’s key framing is the compression of response time. “We talked about applying critical patches in days, and that’s coming down to minutes,” he said, arguing that organisations should focus on how quickly they can deploy security updates. The exposure risk he describes is not new types of attack but the accelerated weaponisation of known vulnerabilities in unpatched, outdated or obsolete systems — precisely the UK infrastructure condition that MI5 has been pressing water, energy and communications firms to remediate in recent weeks.

Mythos was announced by Anthropic earlier this month and not released publicly, instead shared with select companies including the UK AI Security Institute, which independently confirmed Anthropic’s assessment of its hacking capability. Horne said the ability of frontier AI to “do the work of a huge number of people in an instant” makes this “a significant moment in time”.

Part of a coordinated UK reframe

Horne’s Sky News comments sit alongside Security Minister Dan Jarvis’s CYBERUK speech today, the Bank of England’s CMORG summoning of City firms, and the gov.uk call to action asking AI companies to co-build national cyber defence. The coordinated pattern is notable: rather than treating Mythos as a crisis to be hushed, UK authorities are using it to push for operational-resilience commitments the NCSC has been urging for years. That is the same reframe the BBC reported earlier this week with the NCSC’s “net positive” language on Mythos.

Looking forward

The harder question is whether UK organisations — particularly SMBs — can actually compress their patching cycles from days to minutes. The NCSC’s Early Warning service sign-up, the new Cyber Resilience Pledge commitments, and the £90 million SMB funding route address part of that challenge. But the underlying constraint is the UK’s long tail of legacy technology and under-resourced IT teams. Horne’s “10 times urgency” figure is easy to quote; the operational reality inside UK manufacturing, NHS trusts, local authorities and small law firms will test it. A consolidated NCSC annual threat-report update later this quarter should show whether the message is landing.