- Mythos found a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw that fuzzer tools missed after 5 million attempts.
- Anthropic launched Project Glasswing, a 12-partner coalition offering $100M in credits to give defenders a head start against AI-powered threats.
- Security leaders warn that current patching cycles are too slow, as threat actors reverse-engineer fixes within 72 hours of release.
On April 10, 2026, Anthropic announced the limited release of Claude Mythos Preview, an AI model capable of autonomously discovering security vulnerabilities across operating systems, browsers, and other software products. The model found a 27-year-old bug in OpenBSD’s TCP stack where two crafted packets could crash any server running it. The campaign cost approximately $20,000, with specific runs costing under $50. No human guided the discovery after the initial prompt, marking a significant shift in how vulnerabilities can be identified and exploited.
According to Wired, the model excels at identifying and developing groups of vulnerabilities that can be exploited in sequence, comparing the approach to “Rube Goldberg–machine-style hacking.” It can find very long chains of vulnerabilities exploitable together, including zero-click attacks that require no user interaction, and provides proof of exploitation alongside vulnerability discovery.
Anthropic Mythos: AI Redefining Vulnerability Discovery
VentureBeat reported that the model dramatically outperformed previous tools across multiple benchmarks. On Firefox 147 exploit writing, Mythos achieved 181 successes compared to just 2 for Claude Opus 4.6, representing a 90x improvement. The model saturated Anthropic’s Cybench CTF at 100%, forcing the company to shift toward real-world zero-day discovery. Security researcher Nicholas Carlini noted that he had “found more bugs in the couple of weeks since Mythos than in the rest of my life combined.”
The Mythos model exposed critical gaps in existing detection methods. In one striking example, fuzzers exercised the vulnerable code path in FFmpeg’s H.264 codec 5 million times without triggering the flaw, which Mythos caught by reasoning about code semantics. The campaign cost approximately $10,000 and identified a bug that had survived 16 years of human security review. Operating fully autonomously, the model found a 27-year-old bug in OpenBSD, a 17-year-old remote code execution flaw in FreeBSD NFS, Linux kernel privilege escalation, and critical vulnerabilities in cryptography libraries.
The discovery that Mythos can find vulnerabilities that automated tools miss raises fundamental questions about security testing methodologies. As reported by Wired, security engineer Niels Provos noted that Mythos is “really good at coming up with multistage vulnerabilities” and provides proof of exploitation, but “doesn’t intrinsically change the problem space.”
However, Davi Ottenheimer, a security consultant, called the framing “every spaghetti Western ever where big-tent preachers say the end is nigh,” arguing it represents a shift but “not magical and mystical.” The debate highlights differing views on whether AI vulnerability discovery represents an existential threat to existing defense strategies or simply an evolution in security tooling.
Mythos Cybersecurity: A New Detection Playbook for Security Teams
The findings have prompted calls for security teams to fundamentally rethink their detection strategies. Jeetu Patel, Cisco’s President and Chief Product Officer, called the development “a very, very big deal” at the HumanX AI conference, emphasizing the need for “machine-scale defenses” against machine-scale attacks. Cisco SVP Anthony Grieco stated that even in the best circumstances, patching once a year “is not fast enough,” given that threat actors reverse-engineer patches within 72 hours while over 99% of vulnerabilities identified by Mythos remain unpatched.
The findings have broader implications beyond individual security teams. Bloomberg reported that US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened finance sector leaders at Treasury headquarters to discuss potential impacts of models like Mythos Preview. Jen Easterly, former CISA Director, suggested AI could help move toward “building technology that is more secure from the start,” noting that “for decades, we have built an enormous global industry to defend, detect, and respond to vulnerabilities that should never have existed in the first place.”
Anthropic has launched Project Glasswing, a 12-partner defensive coalition including CrowdStrike, Cisco, Palo Alto Networks, Microsoft, AWS, Apple, and the Linux Foundation, offering $100 million in usage credits and $4 million in open-source grants. The goal is to give defenders a “head start” before attackers gain widespread access to similar capabilities.
Public findings reports are expected in early July 2026, though security experts note that July will likely bring not a disclosure event but a “patch tsunami” as the scope of previously unknown vulnerabilities becomes clear. Security teams are advised to inventory their exposure, expand bounty scopes to include kernel and virtual machine monitor targets, and prepare for significantly accelerated patching cycles.

