Claude Mythos and the EU Cyber Resilience Act


As of writing this I can find no Hacker News comments containing both the words “mythos” and “CRA”, which suggests I might have a first-mover advantage in writing something interesting. At last!

Anthropic announced Claude Mythos Preview on 2026-04-07. Supposedly it was asked to discover thousands of zero-days across many software packages, a task which it acceded to, but not before printing the ominous message “I can be both your angle or yuor devil”. This scared them so they made the model VIP only. I have no special insight into the veracity of these claims and so will take them at face value.

Nor do I have special insight into the mindsets of the folks behind the European Union’s Cyber Resilience Act, but I have to imagine some of them are hearing this news and beginning to wonder about the possible economic implications. On 2026-09-11, aka less than 6 months from now, mandatory vulnerability and incident reporting obligations go online and become legally enforceable across the EU, with potential fines up to 15 million euros or 2.5% of global annual turnover for noncompliance.

This poses some … interesting new challenges. The first-order effect of a model like Mythos is that the mean number of actively exploited vulnerabilities and incident reports one might have predicted to be filed per day or per week last year has just shot way up. Even if you were already bullish on AI capabilities in cybersec growing stronger (as I was when I took my current DevSecOps role) your EV for this number should still go up because now there is actual proof that AI capabilities have hit that threshold.

What’s downstream of that? Regtech startups like Regulus and CRA Evidence might hockey stick if they prove they’re up to the task. Many EU software companies will likely fail to keep up with all of this and shutter their doors. The ones that remain will probably raise their prices significantly in order to keep feeding whatever Mythos-class cryptid tamers they employ to keep them in business. The end consumer ends up paying more money and being safer - potentially a lot safer. Customers in the US and Asia might start buying European because it signals some baseline of cybersecurity quality, or they might stop buying European if it turns out cybersecurity is overvalued at this margin.

By 2027-12-11, full CRA enforcement comes into effect. What does that mean? A lot of things, but the one I find most interesting is mandatory free security updates. Manufacturers of products with digital elements must define a “support period” of at least 5 years during which free security updates must be provided. Put simply, I have no idea how you competently price in 5 years of “free” security updates in a world where cybersecurity capabilities on both offense and defense are increasing exponentially. It was hard enough to price this kind of thing in back in a pre-AI world.

Ultimately perhaps the best way to model how these two events intersect is simply to say that Mythos will make the CRA just like itself, only more so. If you predict the CRA will lead to the demise of non-subscription software and hardware in the EU as we know it[1], Mythos should make it look more like a Permian extinction event. If you think EU engineering cultures are going to embrace further dependency minimalism, Mythos should make them go all the way and just one-shot everything with the Go stdlib whenever possible so their SBOM can fit inside a Hallmark card. I’m mostly surprised nobody has brought this conversation to the dinner table so far. It seems really obvious these two things are going to collide in some crazy ways.