Anthropic’s Mythos Is the Model Release That Turns Vulnerability Discovery Into an Operations Problem

The headline version of Anthropic’s Project Glasswing is simple: Claude Mythos Preview found a lot of bugs. The useful version is more uncomfortable: vulnerability discovery is becoming cheap enough that the scarce part of security is no longer finding the flaw. It is deciding what to do with the flood.

Anthropic says Claude Mythos Preview, an unreleased frontier model, has found thousands of high-severity vulnerabilities across every major operating system and browser. The company is not making the model generally available. Instead, it is putting Mythos into a restricted defensive-security program with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and more than 40 additional critical-software organizations. Anthropic is also committing up to $100 million in usage credits and $4 million in open-source security donations.

That is not a normal model launch. It is closer to a controlled release of a new industrial tool where the failure mode is not bad prose, but working exploit chains.

The scanner is no longer the bottleneck

The technical details are the part security teams should read twice. On the CyberGym vulnerability-reproduction benchmark, Mythos Preview scored 83.1%, compared with Claude Opus 4.6 at 66.6%. In an OSS-Fuzz-style scaffold across roughly 7,000 entry points, Mythos produced 595 tier-1 and tier-2 crashes, several tier-3 and tier-4 crashes, and 10 full control-flow hijacks on fully patched targets. Sonnet 4.6 and Opus 4.6 each reached only one tier-3 crash.

The exploit-development jump is even sharper. Anthropic’s red-team post says Opus 4.6 turned Firefox JavaScript engine vulnerabilities into working shell exploits only twice in several hundred attempts. Mythos, rerun on the same kind of task, produced working exploits 181 times and reached register control 29 more times. Anthropic says it did not explicitly train Mythos to become an exploit engine; the capability emerged from general improvements in code, reasoning, and autonomy. That is the part that should make release managers sit up straight.

The examples are not toy problems. Anthropic cites a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg bug in code hit by automated tests millions of times, and Linux kernel chains enabling local privilege escalation. The red-team write-up also describes more sophisticated work: JIT heap sprays, sandbox escapes, race conditions, KASLR bypasses, and a FreeBSD NFS exploit built around a multi-packet ROP chain. This is not “the model found a missing bounds check in a tutorial repo.”

But the single most important fact is operational, not technical: Anthropic says more than 99% of the vulnerabilities it found remain unpatched and are still being held under coordinated vulnerability disclosure rather than published. In other words, the model has already produced more findings than the patch pipeline has absorbed. That is what “AI for security” looks like when it leaves the demo booth and enters the backlog.

Defensive advantage now depends on plumbing

The old sales pitch for security automation was that tools would help defenders find what attackers might otherwise find first. That is still true, but incomplete. If Mythos-class systems become broadly available, both sides get better discovery. The defender’s advantage comes from everything after discovery: ownership data, reachability analysis, production exposure, exploitability scoring, patch routing, safe rollout, regression testing, and disclosure coordination.

Most organizations are weaker there than they admit. They already drown in scanner output, dependency alerts, stale SBOM entries, false positives, severity debates, and bugs assigned to teams that no longer own the service. A frontier model that produces better evidence does not magically create remediation throughput. It may make the failure more obvious by removing the comfortable excuse that “we just did not know.”

For engineering leaders, the practical response is boring and urgent. Build the remediation machine before buying the discovery cannon. Keep an accurate service catalog. Map packages and binaries to owners. Track whether vulnerable code is reachable in production. Define severity using exploitability and business context, not just CVSS theater. Make patch verification part of CI. Budget time for security work instead of pretending every vulnerability can be absorbed as sprint glitter.

There is also a product-design lesson here for AI security vendors. The winning interface will not be a giant chat window that says “find bugs.” It will be an evidence pipeline: reproducible crashes, minimized test cases, exploitability notes, affected versions, suggested patches, confidence levels, and automated handoff to the right maintainers. The model can discover. The system has to help the organization decide.
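The remediation plumbing described in the previous two paragraphs, as an added example that is not from the original article and is not Anthropic’s or any vendor’s code: a small Python triage step that joins each finding with a service catalog, deployed versions, reachability data, and exposure, scores it on exploitability and context rather than raw severity, attaches the evidence a maintainer needs, and routes it to an owner with an SLA (or to an explicit unowned queue when the catalog has no owner). The catalog, reachability data, exploit weights, priority thresholds, and findings are all constructed for the example; versions are assumed to be purely numeric dotted strings and the affected range is assumed to be inclusive.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed service catalog: owner, exposure and deployed package versions per service.
# owner=None models the common failure where nobody currently owns the service.
CATALOG = {
    "payments-api":    {"owner": "team-payments", "internet_facing": True,
                        "deployed": {"libimg": "2.3.1", "jsonparse": "1.0.4"}},
    "batch-reports":   {"owner": "team-data", "internet_facing": False,
                        "deployed": {"libimg": "2.2.0"}},
    "legacy-importer": {"owner": None, "internet_facing": False,
                        "deployed": {"libimg": "2.1.0"}},
}
# Assumed reachability data: symbols present in each service's production call graph.
REACHABLE = {
    "payments-api":    {"img_decode_png", "json_parse_string"},
    "batch-reports":   {"img_resize"},
    "legacy-importer": {"img_decode_png"},
}
# Weight of the exploit evidence attached to a finding (assumed numeric values).
EXPLOIT_WEIGHT = {"none": 0, "register_control": 2, "working_exploit": 4}
UNOWNED_QUEUE = "security-unowned-backlog"

@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    affected: str          # inclusive dotted-version range "lo-hi", e.g. "2.0.0-2.3.1"
    symbol: str            # vulnerable function
    crash_tier: int        # 1 (lowest impact) .. 4 (highest); tiering is assumed
    exploit: str           # key of EXPLOIT_WEIGHT
    confidence: float      # 0..1 as reported by the discovery tool
    repro: Optional[str]   # path to a minimized test case, if one exists

def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def is_affected(deployed: str, affected_range: str) -> bool:
    lo, hi = affected_range.split("-")
    return parse_version(lo) <= parse_version(deployed) <= parse_version(hi)

def reachable(f: Finding, service: str) -> bool:
    return f.symbol in REACHABLE.get(service, set())

def score(f: Finding, service: str) -> Optional[float]:
    """None when the service does not run an affected version: nothing to route."""
    svc = CATALOG[service]
    deployed = svc["deployed"].get(f.package)
    if deployed is None or not is_affected(deployed, f.affected):
        return None
    s = f.crash_tier + EXPLOIT_WEIGHT[f.exploit]
    s += 3 if reachable(f, service) else 0      # vulnerable code is actually reached
    s += 2 if svc["internet_facing"] else 0     # exposed to untrusted input
    return round(s * f.confidence, 2)           # discount by the tool's own confidence

def priority(s: float) -> tuple:
    """Score -> (priority, SLA days); thresholds are assumed policy."""
    return ("P1", 7) if s >= 8.5 else ("P2", 30) if s >= 5.0 else ("P3", 90)

def triage(findings: list) -> list:
    """One ticket per (finding, affected service), highest score first."""
    tickets = []
    for f in findings:
        for service, svc in CATALOG.items():
            s = score(f, service)
            if s is None:
                continue
            prio, sla = priority(s)
            tickets.append({
                "finding": f.id, "service": service, "score": s,
                "priority": prio, "sla_days": sla,
                "owner": svc["owner"] or UNOWNED_QUEUE,   # never silently drop an unowned bug
                "needs_owner": svc["owner"] is None,
                "evidence": {"deployed": svc["deployed"][f.package],
                             "affected": f.affected, "reachable": reachable(f, service),
                             "exploit": f.exploit, "confidence": f.confidence,
                             "repro": f.repro},
            })
    return sorted(tickets, key=lambda t: t["score"], reverse=True)

# Constructed findings in the shape a discovery tool might emit.
SAMPLE_FINDINGS = [
    Finding("F-001", "libimg", "2.0.0-2.3.1", "img_decode_png", 3,
            "working_exploit", 0.9, "crashes/F-001.min"),
    Finding("F-002", "jsonparse", "1.0.0-1.0.2", "json_parse_string", 2,
            "none", 0.6, None),                 # deployed 1.0.4 is outside the range
    Finding("F-003", "libimg", "2.0.0-2.3.1", "img_scale_internal", 1,
            "none", 0.5, "crashes/F-003.min"),  # affected but unreachable anywhere
]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS):
        print(t["priority"], t["finding"], t["service"], "->", t["owner"],
              "score", t["score"], "sla", t["sla_days"], "days",
              "(needs owner)" if t["needs_owner"] else "")
```

The scoring arithmetic is the easy part; the expensive inputs are the lookups it depends on (a current catalog, deployed versions, a call graph). Run on the constructed data, the same libimg bug lands as a P1 on the internet-facing service where the vulnerable symbol is reachable, as a P2 on the batch job where it is not, and as a P1 routed to the unowned queue for the service nobody owns, so the ownership gap surfaces as a ticket instead of disappearing. The jsonparse finding produces no ticket at all because the deployed version is outside the affected range, which is exactly the check that keeps a discovery flood from becoming a paging flood.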

The velvet rope is probably temporary

Anthropic’s access decision is defensible. Releasing Mythos publicly today would be reckless if the company’s claims are accurate. Giving vetted defenders a head start is the least-bad option for a dual-use capability where attackers eventually get similar tools anyway. Project Glasswing is basically a controlled burn: use the dangerous capability under supervision before the wildfire arrives.

But the distribution problem does not disappear. Large cloud providers, browser vendors, banks, and security companies get early access. Smaller hospitals, school districts, municipalities, utilities, and maintainers of boring-but-critical open-source packages may only experience the downstream effect: more CVEs, more urgent patches, more pressure, and not enough people. The industry should not congratulate itself for protecting critical infrastructure if the benefit concentrates among organizations already best equipped to respond.

The open-source grants matter for that reason. Anthropic is giving $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation and $1.5 million to the Apache Software Foundation. Good. Also not enough. If AI makes vulnerability discovery cheaper, the ethical obligation is to fund the less glamorous half of the loop: maintainer time, release engineering, backports, fuzzing harnesses, disclosure coordination, and long-tail dependency cleanup.

Practitioners should treat Mythos as a preview of the security calendar they are about to live in. More findings. Faster exploit generation. Less patience for unactioned risk. The correct response is not panic, and it is definitely not another dashboard. It is to make vulnerability remediation a first-class engineering workflow with owners, SLAs, testing, and executive attention.

Mythos does not end software insecurity. It ends the comforting scarcity of expert vulnerability hunters. The next bottleneck is whether organizations can fix bugs at the speed models can now find them. That is less glamorous than a benchmark chart. It is also where the real security outcome will be decided.

Sources: Anthropic, Anthropic Red Team, Just Security, ArmorCode