
What the Mythos AI Model Means for Vibe-Coded Apps

Anthropic's Mythos model shows that AI can now find software vulnerabilities on its own. For vibe-coded apps, that raises the bar. Here is what to do about it.


Curated by Matt Perry, CTO

17 April 2026

Anthropic's new Mythos AI model has been described by finance ministers, central bankers and the UK's AI Security Institute as a step-change in what AI can do. It can find real security weaknesses in live software, on its own, faster than most human researchers.

That is a big deal for any business running software online. It is a bigger deal if your app was built quickly with AI vibe coding tools like Lovable, Bolt, Cursor or v0.

This post is not about fear. It is about getting ahead of a shift that is already happening. Here is what Mythos signals for your business, and why an independent security audit is now one of the smartest investments you can make.

What is the Mythos AI model?

Mythos is a new AI model from Anthropic, the company behind Claude. It was designed with unusually strong skills in cyber-security research. In preview testing, Mythos was able to find exploitable weaknesses in real operating systems, financial platforms and web browsers.

According to BBC reporting in April 2026, governments and major banks have been given early access to Mythos so they can test their own systems before the model is released more widely. The Bank of England, the Canadian finance ministry and the US Treasury have all said it needs to be taken seriously.

The UK's AI Security Institute, which was given preview access, put it simply in its independent report: Mythos can exploit systems with weak security posture, and more models with these capabilities will be developed.

That is the phrase every business owner should read twice.

What is a vibe-coded app?

A vibe-coded app is software built mostly or entirely by describing what you want in plain English to an AI tool. Popular platforms include Lovable, Bolt, Cursor and v0. The AI writes the code. You guide it.

Vibe coding is brilliant for speed. You can go from idea to working prototype in an afternoon. The tools are optimised for building features quickly, not for hardening security. Keys end up in client code. Authentication often lives in the browser. Input validation is patchy. Error messages leak details.

In short, vibe-coded apps very often have exactly the kind of weak security posture that automated tools like Mythos are designed to find.

Why this matters more than last year

Until recently, most attacks on small apps were crude and manual. A human sat at a keyboard, poked at your login form, guessed a URL or tried an injection. That took time, and most small apps were just not worth the effort.

AI models that can automatically find vulnerabilities change the maths. The cost of scanning a new app drops close to zero. The scale of what one attacker can test rises enormously. Every app on the internet, no matter how small, becomes a possible target.

This is an industry-wide shift, not a single-company problem. Mythos is simply the first widely discussed example. Other models with similar capabilities are expected.

What the Bank of England and others have said

Andrew Bailey, governor of the Bank of England, told the BBC: "We are having to look very carefully now what this latest AI development could mean for the risk of cyber crime."

Canadian finance minister François-Philippe Champagne framed the issue as "the unknown, unknown" and called for process and safeguards to protect the resilience of financial systems.

The regulators are not saying AI models are dangerous on their own. They are saying the bar for "secure enough" has just been raised, and every business operating software needs to think about its own posture.

Where vibe-coded apps typically fall short

When we audit apps built with vibe coding tools at Original Objective, we see the same small set of issues again and again. These are the same weaknesses that automated vulnerability finders look for.

Common issue                              Why it is a problem
API keys in client-side code              Anyone with a browser can read them
No server-side input validation           Attackers can send malformed data straight to the API
Open CORS headers                         Any website can call your endpoints from a user's browser
Default or hardcoded credentials          Easy to guess or find in generated code
Missing rate limiting                     Brute force and abuse go unblocked
No Row Level Security on Supabase         Any logged-in user can read any row
Detailed error messages in production     Stack traces hand attackers a roadmap

None of these are hard to fix. The problem is that vibe coding tools simply do not fix them for you.
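As an added illustration (this is not code from the post or from Original Objective), here is a framework-agnostic Node.js version of four of the fixes from the table: a CORS origin allowlist instead of a wildcard, server-side validation of a signup body, a per-client rate limiter, and error output that stays generic in production. The origin `https://app.example.com`, the request shape `{ ip, origin, body }` and the `createUser` callback are assumptions made for the example.

```javascript
// Added example, not code from the original post or from Original Objective.
// Four server-side guards that close issues from the table above, written
// against plain Node.js so they work with any framework. The request shape
// { ip, origin, body } and the createUser callback are assumptions.

// 1. CORS: send Access-Control-Allow-Origin only for listed origins.
//    A wildcard '*' (what many generated apps ship) lets any site call the API
//    from a visitor's browser.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value

function corsHeadersFor(origin) {
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  }
  return {}; // unlisted origin: no CORS header, so the browser refuses the response
}

// 2. Server-side validation: the browser form may have checked this, but a
//    client posting straight to the API never went through the form.
function validateSignup(body) {
  if (typeof body !== 'object' || body === null) return ['body must be a JSON object'];
  const errors = [];
  const { email, password } = body;
  if (typeof email !== 'string' || email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push('email is invalid');
  }
  if (typeof password !== 'string' || password.length < 12 || password.length > 128) {
    errors.push('password must be 12 to 128 characters');
  }
  return errors;
}

// 3. Rate limiting: fixed-window counter per client key (IP address or user id).
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.windows = new Map();
  }
  allow(key, now = Date.now()) {
    const w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(key, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= this.limit;
  }
}

// 4. Error output: full detail goes to the server log, never to the client
//    in production.
function sanitizeError(err, isProduction) {
  if (isProduction) return { status: 500, body: { error: 'Internal server error' } };
  return { status: 500, body: { error: err.message, stack: err.stack } };
}

const signupLimiter = new RateLimiter(5, 60_000); // 5 signups per minute per IP

// The guards combined for one endpoint. createUser is the app's own persistence
// function (assumed; it must hash the password before storing it).
function handleSignup(req, createUser, isProduction = true) {
  const headers = corsHeadersFor(req.origin);
  if (!signupLimiter.allow(req.ip)) {
    return { status: 429, headers, body: { error: 'Too many requests' } };
  }
  const errors = validateSignup(req.body);
  if (errors.length > 0) return { status: 400, headers, body: { errors } };
  try {
    const user = createUser(req.body);
    return { status: 201, headers, body: { id: user.id } };
  } catch (err) {
    console.error('signup failed', err); // detail stays server-side
    return { ...sanitizeError(err, isProduction), headers };
  }
}
```

The point of the combined handler is ordering: the rate limit runs before any work is done, validation runs before the database is touched, and the catch block is the only place an exception can reach the client, which is where the production/development switch lives.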

What you can do right now

You do not need to rebuild anything. A few practical steps will put you well ahead of the curve.

  1. Inventory your apps. List every app or internal tool that was built quickly with AI, and note what data it handles.
  2. Check for secrets in the browser. Open your deployed app, press F12, and search the network tab for anything that looks like an API key. If you find one, it needs to move server-side.
  3. Review authentication. Make sure auth checks run on the server, passwords are hashed, and sessions expire.
  4. Enable database row-level security, especially if you are using Supabase or a similar platform.
  5. Turn off debug output. Production users should never see a stack trace.
  6. Set up dependency scanning. Dependabot and Snyk both have free tiers.
  7. Get a second pair of eyes. An independent audit finds things you cannot see in your own work.
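An added check for step 2 (not code from the post or from Original Objective): it scans the text of a deployed JavaScript bundle, the same thing you see in the browser's network tab, for key-shaped strings. The Stripe and AWS shapes are well-known key prefixes. For Supabase, whose JWT-format keys carry a `role` claim, the scanner decodes every JWT it finds and flags only tokens whose role is `service_role`, because the `anon` key is designed to ship to browsers while the service_role key bypasses Row Level Security. The sample bundle and every key inside it are constructed for the example.

```javascript
// Added example, not code from the original post. Scans bundle text for
// key-shaped strings. Patterns are illustrative; real key formats vary, so
// treat a clean result as a first pass, not a guarantee.

// Well-known secret-key prefixes (Stripe secret keys, AWS access key ids).
const SECRET_PATTERNS = [
  { type: 'Stripe secret key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  { type: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Anything shaped like a JWT: base64url header.payload.signature.
const JWT_RE = /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g;

// Decode a JWT payload without verifying it; we only need to read claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Keep only the ends of a secret in findings so the report is safe to share.
function mask(value) {
  return `${value.slice(0, 6)}...${value.slice(-4)}`;
}

function findLeakedSecrets(bundleText) {
  const findings = [];
  for (const { type, re } of SECRET_PATTERNS) {
    for (const m of bundleText.matchAll(re)) {
      findings.push({ type, value: mask(m[0]), offset: m.index });
    }
  }
  // Supabase keys are JWTs: the anon key (role "anon") is meant to be public;
  // the service_role key bypasses Row Level Security and must never reach a browser.
  for (const m of bundleText.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(m[0]);
    if (payload && payload.role === 'service_role') {
      findings.push({ type: 'Supabase service_role key', value: mask(m[0]), offset: m.index });
    }
  }
  return findings;
}

// Constructed sample bundle: the keys below are fabricated for this example.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const FAKE_SIG = 'x'.repeat(43);
const ANON_JWT = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ role: 'anon', iss: 'supabase' })}.${FAKE_SIG}`;
const SERVICE_JWT = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ role: 'service_role', iss: 'supabase' })}.${FAKE_SIG}`;
const SAMPLE_BUNDLE = [
  `const supabase = createClient("https://example.supabase.co", "${ANON_JWT}");`,
  `const admin = createClient("https://example.supabase.co", "${SERVICE_JWT}");`,
  `fetch("https://api.stripe.com/v1/charges", { headers: { Authorization: "Bearer sk_live_EXAMPLEKEY00000000000000" } });`,
].join('\n');

// Run against the constructed bundle: expect the Stripe key and the
// service_role token to be reported, and the anon token to be ignored.
console.log(findLeakedSecrets(SAMPLE_BUNDLE));
```

To use it on a real app, save the bundle files the network tab shows and pass their contents to `findLeakedSecrets`; anything it reports needs to move to a server-side environment variable and be rotated, since a key that has ever been served to a browser should be treated as disclosed.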

Why an independent audit matters now

At Original Objective we audit vibe-coded apps for UK businesses every week. A full audit of a typical small application takes two to three days. It costs £1,495. The fix work, if needed, usually takes another two to five days, or potentially a two-week sprint.

To put that in context, the UK government's Cyber Security Breaches Survey estimates the average cost of a data breach for a small business at £8,170 to £13,400, before reputational damage or lost customers. The economics are straightforward.

Our audits check the specific issues that automated tools are trained to find. We cover authentication, secrets management, server-side validation, CORS, rate limiting, database security, file handling, error output, transport security and dependency hygiene. You get a prioritised report, and we can do the fix work with you if you want help.

When you might NOT need a full audit

Not every project needs a professional audit straight away. You might safely hold off if:

  • Your app is purely internal, runs on a private network, and handles no personal data
  • You are still at prototype stage and not inviting real users
  • Your app has no login, no user data and no connection to production systems

If any one of those is no longer true, an audit moves from optional to sensible.

Get an independent audit

The Mythos moment is a useful prompt. It is not a reason to panic, but it is a reason to stop putting off the security review you have probably been meaning to book. AI models that automatically find vulnerabilities are the new normal. The apps that will be fine are the ones that were checked.

If you have built something with Lovable, Bolt, Cursor or any other vibe coding tool, and you want a clear, honest view of where you stand, book a free intro call with the Original Objective team. We will tell you what we see, what to fix first, and what you can safely ignore.


Fixed price, fixed scope. No day-rate surprises.

We productised the work so the price is the price. Pick the tier that matches where you are. No discovery calls needed before you can get a number.

Production Readiness Audit

A senior engineer reviews your repo, deployed app and infrastructure against 12 production-readiness categories. Written report with a prioritised remediation roadmap, delivered in 10 business days.

£1,495 · fixed price
  • Full review of your repo and deployed app
  • Security, secrets and auth audit
  • Observability and error-handling gaps
  • LLM cost controls and rate limits
  • Severity-ranked findings
  • 60-minute walkthrough call
Production Hardening Sprint (Most Popular)

Two weeks of focused engineering to fix the critical and high-severity issues from the audit. Same checklist, same deliverables, same timeline every time.

£4,995 · 2 weeks · fixed price
  • Everything in the Audit
  • Auth and authorisation hardened
  • Observability stack installed
  • Secrets moved to a vault
  • CI/CD pipeline and critical-path tests
  • LLM cost controls enforced
  • Top security risks closed
  • Handover docs

Lite Sprint also available at £2,995 for 1 week, when only 2-3 urgent fixes are needed.

Production Managed Service

Ongoing fractional production engineering. We keep the thing alive so you can stay focused on building features.

from £1,495/month · 3-month minimum
  • 24/7 monitoring and alerting
  • On-call response within SLA
  • Monthly production review
  • Security patching
  • Quarterly re-audit
  • Two tiers: Watch at £1,495/month, Hold at £2,950/month

Frequently Asked Questions

What is the Mythos AI model and why is everyone talking about it?

Mythos is a new AI model from Anthropic, the company behind Claude, with unusually strong cyber-security skills. In preview testing it was able to find exploitable weaknesses in real operating systems, financial platforms and web browsers. Finance ministers, the Bank of England and the UK's AI Security Institute flagged it in April 2026 as a step-change in what AI can do. Mythos is the first widely discussed model of its kind, and more are expected.

Does Mythos put my vibe-coded app at risk?

Mythos itself is being tested by governments and banks before wider release, so you are not facing it directly today. The real concern is that similar AI tools will soon be used by attackers. These tools are particularly effective at finding the common weaknesses in apps built with Lovable, Bolt, Cursor and other vibe coding platforms. An audit now is far cheaper than dealing with a breach later.

How much does a vibe-coded app security audit cost in the UK?

A thorough audit from Original Objective costs between £2,000 and £5,000 for a typical small application. Fix work, if needed, is usually another two to five days on top. That compares to an average UK data breach cost of £8,170 to £13,400 according to the government's Cyber Security Breaches Survey, before reputational damage or lost customers.

Should I stop using vibe coding tools after reading about Mythos?

No. Vibe coding tools like Lovable, Bolt and Cursor remain brilliant for building quickly. The issue is not the tools themselves, it is that they optimise for features rather than security. You can keep using them confidently as long as you run a security review before real users touch the application. Build fast, then harden before launch.

How quickly can an audit and fix be done before launch?

For a typical vibe-coded app, the audit takes one to two days. Most fixes are straightforward and can be completed in another two to five days. You can usually go from initial call to a production-ready application in under two weeks. For urgent launches we can prioritise the highest-risk issues first and phase the rest after go-live.
