The AI That Hacks: Mythos Found Invisible Flaws Hidden for 27 Years

Claude Mythos is discovering thousands of zero-days across every OS and browser. What this means for cybersecurity, developers, and enterprises.


181 to 2. That’s the score Claude Mythos posted against its predecessor Claude Opus 4.6 on a straightforward test: turning known Firefox vulnerabilities into working exploits. A 90x improvement in a single model generation. And that’s just the opening line of Anthropic’s technical report.

Behind that number lies a finding that will reshape cybersecurity for years to come: an AI has just proven it can find and exploit flaws that 27 years of human code review had missed. Flaws in OpenBSD — the operating system whose entire raison d’être is security. Flaws in FreeBSD, FFmpeg, every major browser, the Linux kernel.

And Anthropic decided not to release the model publicly. Instead, they locked it behind Project Glasswing — a coalition of 50 organizations using Mythos to scan the world’s critical infrastructure. With $100 million in credits and a single goal: give defenders a head start before similar models fall into attackers’ hands.

But will that be enough?


How an AI Finds Bugs Nobody Saw for Decades

To understand why Mythos is a turning point, you first need to understand why traditional vulnerability detection methods are hitting a ceiling.

The classic tools — static application security testing (SAST), fuzzing, manual audits — work by pattern matching. A fuzzer throws millions of random inputs at a program and watches for crashes. An auditor reads through the code line by line, looking for known mistakes. These methods are good at catching simple bugs: obvious buffer overflows, unfiltered SQL injections, textbook type errors.

But they systematically miss an entire category of vulnerabilities: those that require semantic reasoning. That means understanding not what an isolated line of code does, but how multiple components interact under specific conditions.

Take the most striking example from the Anthropic report. A bug in OpenBSD’s TCP stack, sitting there for 27 years. Two well-crafted network packets were enough to crash any server. OpenBSD’s own security fuzzer had executed that code path millions of times without ever triggering the flaw. Why? Because the bug lived in the interaction between TCP SACK options under adversarial conditions — something a random fuzzer has virtually zero chance of generating, but that a language model capable of reasoning about code semantics can identify.

Cost of the discovery campaign: roughly $20,000. The specific run that found the flaw: under $50.
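To make the coverage argument concrete, here is an added Python example; it is not code from the Anthropic report, from OpenBSD, or from any real fuzzer. The 4-byte message format, the ToyConnection handler and its planted defect are all constructed for illustration. The defect only fires when a second message exceeds a window advertised by the first, so it lives in the interaction between two messages and the state carried between them. The example then compares how often uniformly random two-message inputs reach that condition with how often a generator that knows the format and the connection state does. Format- and state-aware generation stands in here for the semantic reasoning the article describes; it is a far weaker instrument than the model, but it exposes the same gap a random fuzzer has.

```python
"""
Why random input fuzzing almost never reaches a bug that depends on the
interaction between two protocol messages, while a generator that knows the
message format and connection state reaches it routinely.

Everything here is constructed for the example: the message layout, the
handler and its planted defect are hypothetical and unrelated to any real
protocol implementation.
"""
import random
import struct

# Constructed layout: type (1 byte), flags (1 byte), length (2 bytes, big-endian).
MSG_SETUP = 0x01
MSG_ACK = 0x02
FLAG_WINDOW_ADVERTISED = 0x01
MSG_SIZE = 4


class InteractionBug(Exception):
    """Raised where the toy handler would, in real code, corrupt memory."""


class ToyConnection:
    """Stateful handler with a planted (constructed) defect.

    The defect fires only when a SETUP that advertises a window is followed
    by an ACK whose length exceeds that window: a two-message invariant.
    """

    def __init__(self):
        self.window = None  # set by SETUP, consumed by the next ACK

    def handle(self, msg: bytes) -> None:
        if len(msg) != MSG_SIZE:
            return  # malformed: dropped, as a robust parser would
        mtype, flags, length = struct.unpack(">BBH", msg)
        if mtype == MSG_SETUP and flags & FLAG_WINDOW_ADVERTISED:
            self.window = length
        elif mtype == MSG_ACK and self.window is not None:
            if length > self.window:
                # The planted bug: length is trusted against the stale window.
                raise InteractionBug(f"ack length {length} exceeds window {self.window}")
            self.window = None  # window consumed; further ACKs are harmless
        # every other message is ignored


def run_sequence(msgs) -> bool:
    """Feed a message sequence to a fresh connection; True if the bug fired."""
    conn = ToyConnection()
    try:
        for m in msgs:
            conn.handle(m)
    except InteractionBug:
        return True
    return False


def random_fuzz(trials: int, seed: int = 0) -> int:
    """Classic dumb fuzzing: two uniformly random 4-byte messages per trial."""
    rng = random.Random(seed)
    return sum(run_sequence([rng.randbytes(MSG_SIZE), rng.randbytes(MSG_SIZE)])
               for _ in range(trials))


def stateful_fuzz(trials: int, seed: int = 0) -> int:
    """Format- and state-aware generation: well-formed SETUP then ACK, random fields."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        flags = FLAG_WINDOW_ADVERTISED | (rng.randrange(0, 256) & 0xFE)  # bit 0 always set
        setup = struct.pack(">BBH", MSG_SETUP, flags, rng.randrange(0, 65536))
        ack = struct.pack(">BBH", MSG_ACK, rng.randrange(0, 256), rng.randrange(0, 65536))
        hits += run_sequence([setup, ack])
    return hits


def random_hit_probability() -> float:
    """Exact chance that one random two-message trial reaches the bug.

    P(type SETUP) * P(flag bit set) * P(type ACK) * P(ack_len > window),
    with both lengths independent and uniform on 0..65535.
    """
    n = 65536
    p_len_exceeds = (n * (n - 1) / 2) / (n * n)  # ordered pairs with len2 > len1
    return (1 / 256) * (1 / 2) * (1 / 256) * p_len_exceeds


if __name__ == "__main__":
    trials = 20_000
    print(f"per-trial hit probability, random fuzzing: {random_hit_probability():.2e}")
    print(f"random fuzzing hits in {trials} trials:    {random_fuzz(trials)}")
    print(f"stateful fuzzing hits in {trials} trials:  {stateful_fuzz(trials)}")
```

The per-trial probability for the random strategy is about 3.8e-6, so a campaign of tens of thousands of trials usually ends with zero hits even though the vulnerable path was executed; the state-aware generator hits roughly every other trial. The practical lesson for a test owner is to measure coverage of protocol states and message pairs, not just of lines, and to drive generation from a model of the state machine.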

Seven Flaws, Seven Blind Spots

The technical report and VentureBeat’s analysis detail seven categories of vulnerabilities that Mythos found — and that existing tools had missed:

Vulnerability                    | Age      | Software           | Why traditional tools missed it
TCP SACK overflow                | 27 years | OpenBSD            | Semantic reasoning about TCP interactions
H.264 out-of-bounds write        | 16 years | FFmpeg             | Fuzzer executed the path 5M times without triggering
Unauthenticated NFS RCE          | 17 years | FreeBSD            | 20-gadget ROP chain spread across multiple packets
Local privilege escalation       |          | Linux kernel       | Chaining 2-4 low-severity flaws via race conditions
Browser zero-days                |          | All major browsers | 4-vulnerability chain + JIT heap spray
Memory bugs in a memory-safe VMM |          | Not disclosed      | Logic flaw, not a memory error
Crypto library exploits          |          | Not disclosed      | Logic bugs invisible to static analysis

This table illustrates a crucial point: Mythos doesn’t do the same thing as existing tools, only faster. It does something fundamentally different. It reasons about code like a senior security expert — but with the ability to read millions of lines without fatigue and test hypotheses in parallel.


The Quantitative Leap: Numbers That Change the Equation

According to Anthropic’s technical report, Mythos’s cyber capabilities are not an incremental improvement. They represent a change in kind.

On SWE-Bench Pro (an expert-level software problem-solving benchmark): Mythos hits 77.8% versus 53.4% for Claude Opus 4.6. On CyberGym (vulnerability reproduction): 83.1% versus 66.6%. On Anthropic’s Cybench CTF benchmark (capture-the-flag cybersecurity challenges): Mythos reached 100%, completely saturating the benchmark. The red team had to abandon synthetic tests and move to real-world zero-day discovery as the only evaluation that still meant anything.

One of the most telling details: Anthropic engineers with no cybersecurity training asked Mythos to find remote code execution (RCE) vulnerabilities before going to bed. The next morning, they had a working exploit on their screen.

In another case, Mythos wrote a browser exploit that chained four separate vulnerabilities, including a complex JIT heap spray that escaped both the renderer sandbox and the operating system sandbox. On FreeBSD, it built an RCE exploit against the NFS server that granted root access to an unauthenticated user — distributing a 20-gadget ROP chain across multiple network packets.

This is no longer academic research. It is a nation-state-grade offensive tool, built as a side effect of a general-purpose language model.


Project Glasswing: The Defenders’ Race Has Begun

Faced with these capabilities, the question Anthropic asked itself was not “when to release it” but “how to give defenders a lead before this becomes widely accessible.”

The answer is called Project Glasswing. Launched on April 7, 2026, it is a cyber-defense coalition bringing together the biggest names in tech and security:

  • Cloud and infrastructure: AWS, Microsoft, Google, Apple, NVIDIA
  • Cybersecurity: CrowdStrike, Palo Alto Networks, Cisco
  • Finance: JPMorgan Chase, Broadcom
  • Open source: Linux Foundation

More than 40 additional organizations that build or maintain critical software have also received access. Anthropic has committed to providing $100 million in usage credits and $4 million in grants to open-source security organizations.

The mandate is precise: use Mythos to scan their own systems and critical open-source code before models with similar capabilities become available to attackers. A public report of results is expected within 90 days — early July 2026.

“I’ve been 27 years in this industry,” said Anthony Grieco, SVP and Chief Security and Trust Officer at Cisco, during RSAC 2026. “I’ve never been more optimistic about what we can do for security because of velocity. It’s also a little terrifying because we’re moving so fast. And it’s terrifying because our adversaries also have that capability.”


Why This Defensive Head Start May Not Be Enough

Anthropic’s bet rests on an assumption: by giving Mythos to defenders now, they buy a window to patch critical flaws before equivalent models appear in the wild.

But that assumption has several weaknesses.

The Timing Problem

Open-source models are advancing at a staggering pace. In the week of April 7 alone, 8 models shipped in 7 days, including GLM-5.1 from Zhipu AI (745 billion parameters, MIT license), which rivals the best proprietary models on coding benchmarks. If Mythos’s capabilities come primarily from improved coding reasoning — rather than security-specific training — then the next wave of open-source models could develop similar offensive capabilities on their own.

Anthropic acknowledges this implicitly in internal drafts (uncovered during the late-March data leak): Mythos “foreshadows a wave of models that can exploit vulnerabilities in ways that far outstrip defenders’ efforts.”

The Attacker-Defender Asymmetry Problem

In cybersecurity, the asymmetry always favors the attacker. A defender must protect their entire attack surface. An attacker only needs one flaw. Even if Glasswing patches the vulnerabilities Mythos found over the next 90 days, new models will find others — potentially faster than security teams can fix them.

The Coverage Problem

The 50 organizations in Glasswing cover a significant portion of critical infrastructure. But they don’t cover everything. Small businesses, startups, local government agencies, open-source projects maintained by a single person — the entire fabric that makes up most of the world’s actual attack surface — don’t have access to Mythos. And that is often exactly where attackers strike.


What This Concretely Means for Developers

If you write code for a living, here is what Mythos’s capabilities mean for your day-to-day work:

1. “Audited” code is no longer synonymous with “secure.” OpenBSD is one of the most audited projects on the planet. Twenty-seven years of code reviews by security experts were not enough to catch a flaw that Mythos identified for under $50. No human review process can match a model that reasons about an entire codebase simultaneously.

2. Fuzzers are no longer enough. The FFmpeg case says it all: 5 million fuzzing passes over the vulnerable code path, zero detections. Fuzzing remains useful for simple bugs, but complex logic flaws now require semantic reasoning — exactly what LLMs do well.

3. Cybersecurity is becoming an “AI-augmented” skill. Cisco’s Anthony Grieco speaks of simultaneous optimism and terror. The cybersecurity profession is not disappearing — it is transforming. Analysts who master AI-powered detection tools will have a massive edge. Those who continue relying solely on pre-AI tooling will fall behind.

4. Open source needs a new security model. If an AI can find flaws in FreeBSD, OpenBSD, and the Linux kernel in a matter of hours, open-source projects maintained by small teams are even more vulnerable. The question is no longer “does our code have bugs” but “how long before an AI finds them.”


The Political Context Makes Everything More Complicated

It is impossible to discuss Mythos without mentioning the explosive geopolitical context Anthropic is navigating.

In March 2026, the Pentagon officially designated Anthropic as a “supply chain risk” — a label normally reserved for foreign companies or adversaries. The reason: Anthropic had refused to allow Claude to be used in autonomous weapons systems. On April 8 — the day after Glasswing launched — a Washington appeals court rejected Anthropic’s challenge to have the designation suspended.

So we have an AI lab that is simultaneously:

  • Banned by the US military for saying no to autonomous weapons
  • The creator of the most powerful offensive model ever built
  • The organizer of a cyber-defense coalition alongside Apple, Google, Microsoft, and AWS

The paradox is striking. Anthropic wants to be the responsible AI company, but its own technology is the most concrete illustration of the very risks it warns about. Whether you see that as hypocrisy or clear-eyed pragmatism depends on your perspective. But one thing is certain: it sets a precedent. Mythos is the first model that a major lab has publicly described as “too capable to release.”


Frequently Asked Questions

Can attackers already use AI to find zero-days?

Not at Mythos’s level — not yet. Current open-source models (GLM-5, Llama 4, Qwen 3.6+) are powerful at coding but have not demonstrated the same ability to chain vulnerabilities into working exploits. However, Mythos’s capabilities come from general reasoning, not specialized security training. That means the next generation of open-source models could get there naturally.

How long before we see concrete results from Project Glasswing?

Anthropic has committed to publishing a report within 90 days of launch — early July 2026. Partners have been actively scanning their systems for several weeks already.

Should my company be worried?

Yes, but don’t panic. The core message from Glasswing is: update your dependencies, invest in AI-assisted security tools, and assume that any code that hasn’t been audited by a state-of-the-art LLM probably contains critical flaws. It is a new standard, not an apocalypse.


Key takeaways:

  • Mythos has found thousands of zero-days across every major OS and browser — including 27-year-old flaws that no tool and no human expert had ever detected
  • Cybersecurity is entering the AI era: traditional methods (fuzzing, SAST, manual audits) are hitting their ceiling against bugs that require semantic reasoning
  • Project Glasswing gives defenders a head start — but that lead is temporary, because open-source model capabilities are advancing rapidly
  • The first public report is expected in July 2026. Until then, the best advice: assume your code has flaws that only an AI can find