AISLE, a cybersecurity AI company, recently tested Anthropic's Claude Mythos against a batch of smaller, cheaper open-weight models. All eight cheaper models found the same FreeBSD exploit Mythos found, including a 3.6-billion-parameter model priced at $0.11 per million tokens. Mythos Preview runs at $25 input and $125 output per million tokens — more than 1,000 times the price for, in this case, identical results.
That data point sits at the centre of a critique Mark Beare, Head of Consumer at Malwarebytes, has been making about the coverage of Anthropic's Mythos announcement. The model's offensive security capabilities are real: it can autonomously discover zero-day vulnerabilities, chain exploits, and surface bugs that survived decades of human review. The headlines have been accurate on the capability. They have been almost entirely silent on the economics.
Beare's argument is that cost acts as a natural throttle on AI-powered offensive security in a way that benchmark scores do not capture. Vulnerability hunting is not a surgical operation. It requires scanning codebases with hundreds of thousands of files, probing applications, browsers, operating systems, and infrastructure simultaneously — casting a wide net. At frontier model pricing, that wide net becomes extraordinarily expensive very quickly. The economics create a constraint that neither attacker nor defender can simply ignore.
This matters for how enterprises calibrate their security posture. The current industry conversation treats the Mythos capability announcement as a near-term threat requiring immediate defensive uplift at scale. Beare argues that threat actors face the same cost pressures as every other organisation deploying frontier models. Even the largest companies are making deliberate trade-offs between model capability and model cost every day. The casual deployment of frontier AI against the entire internet, harvesting zero-days at scale, does not match the economic reality of running these systems.
The AISLE finding on cheaper models reinforces the cost argument from the defensive side. If a 3.6B-parameter model can detect the same exploit as Mythos when wrapped in the right scaffolding, defenders can deploy broad, affordable coverage. The moat in AI cybersecurity, on that reading, is system design and domain expertise, not access to the most expensive model on the market.
Beare's broader point is that the Mythos announcement performed a genuine service by raising industry awareness of AI's offensive security potential. What the follow-on discussion should now address is the trajectory: as inference costs fall, the economic throttle loosens. Planning for that future state, rather than reacting to the current one, is where the more durable security strategy sits. Cost is one of the most meaningful constraints on how AI reshapes the threat landscape today; it will not be indefinitely.
