This week, two things happened that should be read together.
Anthropic launched Claude Managed Agents, autonomous AI systems capable of executing complex workflows without human oversight. Then Powell and Bessent called an emergency meeting with America's biggest bank CEOs to discuss the cybersecurity threat posed by Anthropic's Mythos model, a system so capable of identifying and exploiting software vulnerabilities that Anthropic restricted its release to a handful of vetted organizations under Project Glasswing.
Most of the coverage focused on what Mythos might do to financial infrastructure. That's a real concern. But there's a more immediate implication that every company with a mobile app needs to understand right now.
Mythos changes the economics of mobile API attack. Permanently.
The Deobfuscation Problem
For years, mobile app security has rested on a fragile assumption: that the effort required to reverse engineer an app, strip its obfuscation, and understand its API call patterns was high enough to deter most attackers. Not nation-states, perhaps. But the vast majority of API abuse, credential stuffing, and automated fraud.
That assumption is now broken.
AI models with the capabilities Mythos represents can deobfuscate mobile applications cheaply, quickly, and at scale. Code that once took a skilled reverse engineer days to analyze can be understood in minutes. The secrets embedded in your app (API keys, tokens, hardcoded credentials, signing logic) can be extracted and replicated. The cost of building something that emulates API calls as if they were coming from a legitimate mobile app has collapsed.
This is not a theoretical future risk. It is a present inflection point. And it means that any mobile API security strategy still relying on secrets in the app, or on the assumption that obfuscation raises the barrier high enough, needs to be reconsidered today.
Behavioral Defense Doesn't Save You Either
The natural response to this argument is usually: "we have behavioral analytics and anomaly detection on the backend. We'll catch the fake traffic."
Not anymore.
The same AI capability that deobfuscates your app can also study your legitimate traffic patterns and generate synthetic requests that are statistically indistinguishable from real user behavior. Request timing, session cadence, geographic distribution, device fingerprints. AI can model all of it and produce traffic that passes every behavioral test you have deployed. The defender's last line of detection is being outmaneuvered by the same technology that broke the first line.
This is the core of what Approov’s Pearce Erensel was presenting at the Cloudflare booth at RSAC last month. The threat model has shifted. The offense is running plays the defense has never seen before, and the playbook most companies are running was written for a different era.
The Answer: Zero Secrets, Runtime Attestation
If secrets in the app can be extracted, the answer is not better obfuscation. It is removing the secrets entirely. Zero secrets architecture means there is nothing in the app worth stealing, because the app never holds long-lived credentials. Authentication is earned at runtime, not baked in at build time.
But zero secrets alone is not sufficient. You still need to answer the question: is the software making this API call the genuine, unmodified application, running on a device that hasn't been rooted or jailbroken?
That is what runtime attestation answers. Approov holds a US patent (US 11,163,858 B2) for exactly this capability. Before any API call is honored, the calling software must obtain a short-lived cryptographic attestation token that proves its integrity. There are no long-lived credentials to steal. Replay attacks are defeated by the challenge-response architecture. And because the attestation operates at the runtime level, not the network or identity level, it cannot be spoofed by a synthetic client no matter how convincingly it mimics legitimate traffic patterns.
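As an added illustration, and not Approov's code or the design of the patent cited above, here is a simplified Python model of the flow this paragraph describes: a hypothetical attestation service issues a challenge nonce and signs a short-lived token only when the runtime integrity check passes, while the API backend rejects forged, expired and replayed tokens. The class names, the constructed shared key and the integrity_ok flag are assumptions of this model.

```python
import base64, hashlib, hmac, json, secrets

TOKEN_LIFETIME = 60  # seconds; tokens are short-lived by design


class AttestationService:
    """Hypothetical attestation service: the only holder of the signing key."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.pending = set()  # challenges issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def attest(self, nonce: str, integrity_ok: bool, now: int):
        # integrity_ok stands in for the runtime measurement (app unmodified,
        # device not rooted); a real service measures it rather than trusting the client.
        if nonce not in self.pending or not integrity_ok:
            return None
        self.pending.discard(nonce)  # each challenge can be answered once
        claims = {"nonce": nonce, "exp": now + TOKEN_LIFETIME}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()


class ApiBackend:
    """Hypothetical API backend: honors a call only with a valid, unexpired, unseen token."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.seen = set()  # nonces already accepted, for replay rejection

    def verify(self, token: str, now: int) -> str:
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return "bad_signature"
            claims = json.loads(base64.urlsafe_b64decode(body))
            exp, nonce = claims["exp"], claims["nonce"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if now >= exp:
            return "expired"
        if nonce in self.seen:
            return "replayed"
        self.seen.add(nonce)
        return "ok"
```

The app in this model only ever holds a token that expires within a minute and works once, so extracting it from a deobfuscated client yields nothing durable, and a synthetic client without the signing key cannot mint one at all.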
This works today, across iOS, Android (both GMS and non-GMS), and HarmonyOS NEXT. It is not a future roadmap item. It is deployed in production at enterprises across financial services, media, automotive and healthcare.
The Inflection is Now
The Powell and Bessent meeting was a signal. Regulators are taking seriously the possibility that AI-powered attack capability has crossed a threshold that changes the risk calculus for critical infrastructure.
For companies with mobile apps and APIs, that threshold has already been crossed. Obfuscation is no longer a meaningful barrier. Behavioral detection is no longer a reliable backstop. The defense that worked in 2022 is not the defense you need in 2026.
Zero secrets architecture and runtime attestation are not incremental improvements to the existing approach. They are the replacement for it.
That replacement is available today.
Ted Miracco
CEO of Approov
Ted’s high-technology experience spans 30 years in cybersecurity, electronic design automation (EDA), RF/microwave circuit design, semiconductors, and defense electronics.
