Claude Mythos shows that cyber defense has entered the model-speed era


Claude Mythos Preview is not a normal model announcement dressed in cyber language. Anthropic has framed it as a restricted research preview because its strongest public capability sits in one of the most sensitive areas of applied AI: finding software vulnerabilities, testing whether they matter, and in some cases turning them into working exploit demonstrations. Anthropic’s own documentation says Claude Mythos Preview is offered separately as a research preview model for defensive cybersecurity workflows through Project Glasswing, with invitation-only access and no self-serve sign-up.


Claude Mythos is a release strategy, not a product launch

That access model is the first clue to its real meaning. A chatbot release is measured by who can use it, how much it costs, and whether it writes better code or prose than the previous model. Mythos is being measured by a different standard: whether a frontier model can safely be pointed at foundational software without giving the same capability to attackers. That makes the product decision inseparable from cyber policy, vulnerability disclosure, national security, and software maintenance capacity.

Anthropic describes Project Glasswing as a program to secure critical software for the AI era. Its page says partners receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in foundational systems. The company also says it does not plan to make Claude Mythos Preview generally available, while it hopes eventually to let users safely deploy Mythos-class models after stronger safeguards exist.

The distinction matters. Mythos is not best understood as “the next Claude” for everyday users. It is better understood as a test case for controlled deployment of frontier cyber capability. It asks whether a lab can release enough power to help defenders while withholding enough power to prevent mass misuse. That is harder than ordinary model safety because cybersecurity is inherently dual use. The same bug report that helps a maintainer patch an open-source library can help an attacker exploit users before the patch lands.

The public evidence also makes clear that Mythos is not only a branding exercise. Anthropic says Project Glasswing partners found more than ten thousand high- or critical-severity vulnerabilities after one month, and that several partners reported bug-finding rates more than ten times higher than before. Anthropic also reports scanning more than 1,000 open-source projects, with 23,019 total candidate vulnerabilities and 6,202 estimated high- or critical-severity findings.

Those claims are large enough to demand caution. Many details remain undisclosed because vulnerability disclosure depends on giving maintainers time to patch. Still, named public evidence from Mozilla, Cloudflare, Microsoft, the UK AI Security Institute, Reuters, Cisco, and Anthropic’s own vulnerability disclosure dashboard supports the core story: Claude Mythos Preview is a model that pushes vulnerability research from expert-only craft toward model-assisted production.

The real answer to “what possibilities does Claude Mythos have?” begins there. It is not a magic hacker. It is not only a scanner. It is not merely a more capable coding assistant. It is a frontier AI system that appears able to perform parts of high-end security research at a speed and volume that existing software institutions were not built to absorb.

The real answer starts with vulnerability economics

The central possibility of Mythos is economic, not theatrical. It changes who can search for flaws, how many flaws can be searched for at once, and how quickly a plausible weakness can become a validated security issue. Human vulnerability research is scarce because it depends on rare skill. Mythos-class systems begin to reduce that scarcity. They do not remove human judgment, but they shift human labor away from first-pass discovery and toward supervision, triage, patch design, disclosure, and governance.

That shift is visible in Anthropic’s open-source figures. The company says Mythos Preview found 23,019 candidate vulnerabilities across more than 1,000 open-source projects, including 6,202 estimated high- or critical-severity issues. Of 1,752 high- or critical-rated vulnerabilities assessed by independent security research firms or Anthropic, 90.6% were valid true positives, while 62.4% were confirmed high or critical.

Those numbers do not mean every candidate finding is a crisis. They mean the cost curve is changing. In the old model, every serious bug required a human to decide where to look, read the code, form a theory, build a test, reproduce the issue, prove impact, write the report, and help with the fix. In the Mythos model, much of the search and hypothesis work can be multiplied. Humans still review the result, but the search space becomes far less constrained by the number of available experts.

This is why the most serious reading of Mythos avoids hype. The model’s value is not that it always gets the right answer. No public evidence supports that. The value is that it may run many serious attempts across many targets, at machine speed, with enough quality that human triage becomes the limiting step. The scarce resource moves from bug discovery to verified remediation.

That shift changes incentives. Software vendors that once relied on periodic audits, external bug bounty reports, and annual penetration tests will face pressure to scan continuously. Open-source foundations will need new triage support. Cloud platforms will harden critical repositories before attackers can examine the same classes of bugs. Banks and critical infrastructure operators will ask whether their most sensitive systems can survive AI-assisted vulnerability discovery.

Attackers will make the same calculation. The Axios report on Mythos says Anthropic research found that Mythos could turn newly disclosed vulnerabilities into working exploits in hours rather than weeks. Axios reported that Mythos generated a first proof-of-concept exploit for a Windows kernel vulnerability within 31 minutes, produced blue-screen crashes for 18 of 21 tested kernel bugs, and built eight working code-execution exploits across 18 Firefox security patches.

Those results do not prove that every disclosed vulnerability can be weaponized instantly. They do show that the old buffer between public disclosure and practical exploitation is under pressure. The economic effect is brutal: the attacker no longer needs the same number of senior exploit developers to test many public patches. A model-assisted workflow can try, fail, revise, and try again.

That is the real possibility. Mythos makes cyber work cheaper to attempt. Cheaper attempts change the balance between defenders and attackers. Defenders gain earlier discovery if they have access and process. Attackers gain faster weaponization if similar capability diffuses without controls.

Project Glasswing reveals the intended use case

Project Glasswing is Anthropic’s answer to a release problem it cannot solve through ordinary access tiers. The program gives selected organizations access to Claude Mythos Preview so they can find and fix vulnerabilities in critical software. Anthropic has named major launch partners including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

The partner list tells us what Anthropic thinks the model is for. These are not casual users testing a new chat interface. They are platform operators, cloud providers, security vendors, open-source stewards, and companies whose software sits deep inside global infrastructure. That is where Mythos’s value is highest and where misuse would be most damaging.

Anthropic’s Project Glasswing page says the work will focus on tasks such as local vulnerability detection, black-box testing of binaries, endpoint security, and penetration testing of systems. The same page says Anthropic committed $100 million in model usage credits to Project Glasswing and additional participants, donated $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and donated $1.5 million to the Apache Software Foundation.

Those donations matter because the open-source world is the obvious stress point. A large vendor can assign people to triage Mythos findings. A volunteer-maintained package may not have a security team at all. The model may find bugs that human reviewers missed for years, but finding them is only the beginning. Someone has to verify, patch, test, release, publish an advisory, and support downstream users who cannot update quickly.

Reuters reported on June 3, 2026, that South Korea’s Science Ministry said the Korea Internet & Security Agency had gained access to Anthropic’s Mythos model through Project Glasswing. Reuters also reported that the ministry said the initiative aims to use frontier AI models to identify and help fix cybersecurity vulnerabilities, and that the confirmation followed reporting that Anthropic would expand access to about 150 organizations in more than 15 countries.

That international expansion shows the program is no longer only a vendor hardening exercise. It is becoming part of national cyber policy. Governments see the same basic equation as companies: if frontier models can find vulnerabilities faster than people, national defenders want controlled access before criminal groups, spyware vendors, or hostile states obtain comparable systems.

Project Glasswing also reveals a strategic bet. Anthropic appears to believe that withholding Mythos entirely would waste a defensive window, but releasing it broadly would create too much misuse risk. Restricted access is the compromise. It lets defenders work on important targets while Anthropic observes how the model behaves in real workflows, where the bottlenecks arise, and which safeguards break.

That compromise is fragile. It depends on vetting, contracts, cloud delivery controls, usage monitoring, partner discipline, disclosure norms, and the assumption that comparable capability will not appear everywhere too quickly. Mythos is therefore not just a model. It is an early test of whether frontier AI labs can operate controlled-access cyber capability without turning the cyber ecosystem into a free-for-all.

The model’s strongest public evidence sits in cyber

Anthropic calls Claude Mythos Preview a general-purpose model, but the strongest public evidence concerns cybersecurity. That does not mean the model is only useful for cyber. It means cyber is where Anthropic, partners, and external evaluators have disclosed the clearest data.

The UK AI Security Institute evaluated Claude Mythos Preview and found a step up over previous frontier models. AISI said Mythos succeeded 73% of the time on expert-level capture-the-flag tasks, and that it was the first model to solve “The Last Ones,” a 32-step simulated corporate network attack, from start to finish. It did so in 3 of 10 attempts and completed an average of 22 of 32 steps across attempts.

That evaluation matters because it comes from outside Anthropic. It also matters because it tests sustained operations rather than isolated trivia. Cyber ranges are imperfect, but they force a model to maintain a plan across reconnaissance, exploitation, movement, privilege gain, and completion. AISI also made the limit clear: Mythos did not complete its operational-technology-focused cyber range during the evaluation, and cyber ranges do not fully reproduce live defended enterprise environments.

Mozilla gives another public anchor. Its Firefox team said the Firefox 150 release included fixes for 271 vulnerabilities identified during its initial Claude Mythos Preview evaluation. Mozilla also said an earlier collaboration using Claude Opus 4.6 led to fixes for 22 security-sensitive bugs in Firefox 148.

Cloudflare gives a workflow anchor. It tested Mythos Preview across more than fifty repositories and described the jump from prior models as more than a refinement. Its account focuses on how models are used inside a process: pointing them at real repositories, watching false positives, assessing whether the model reasons through exploitation, and deciding what surrounding architecture is required to use such systems safely.

Microsoft gives an enterprise engineering anchor. It says it is working with Anthropic and industry partners through Project Glasswing to test Mythos Preview, identify and mitigate vulnerabilities earlier, and coordinate defensive response. Microsoft says it evaluated Mythos with CTI-REALM, its open-source benchmark for real-world detection engineering tasks, and saw material improvements over prior models.

These examples support a narrow but strong conclusion. Mythos has publicly demonstrated unusual capability in vulnerability discovery, exploitability reasoning, and cyber-range performance. It has not publicly demonstrated omniscience, guaranteed correctness, or full autonomy against mature defended environments. The right conclusion is not “AI can hack everything.” The right conclusion is that cyber capability has crossed a threshold where serious institutions are changing release, triage, and patch workflows around it.

That is a major distinction. The hype version treats Mythos as a monster. The dismissive version treats it as a marketing stunt. The evidence-led version treats it as a new production capability with known limits and serious externalities.

Agentic workflows matter more than chat answers

A static chatbot can explain a vulnerability class. An agentic system can inspect a repository, build a target, run tests, compare outputs, form hypotheses, write harness code, revise after failure, and produce a report. Mythos matters because the public evidence points toward the second pattern. The intelligence is not only in the base model. It is in the loop around the model.

This is where many public readings of Mythos go wrong. They imagine a user typing “find a bug” into a chat box and receiving a perfect exploit. Real security work is messier. A model needs file access, build steps, test environments, permissions, time, logs, and safe constraints. It needs a scaffold that tells it what it can touch, what evidence counts, when to stop, and how to report findings without causing harm.

Cisco’s Foundry Security Spec is one of the clearest attempts to describe that scaffold. Cisco says a full agentic security system wraps the model in orchestration, roles, and guardrails so detection, validation, and coverage are designed before work begins. It names roles such as Orchestrator, Indexer, Cartographer, Detector, Triager, Validator, Coverage-Guide, and Reporter.

That architecture tells us something important about Mythos’s real possibility. The future is not a lone model replacing a security team. The future is a security evaluation system in which models do the first-pass exploration, rule-based tools cover known patterns, validators test exploitability, and humans approve severity, patching, disclosure, and release. The model may be powerful, but the institution around it determines whether the output is useful or dangerous.

Cloudflare’s post makes the same point from practical testing. It says the architecture and process around models need to change so they can be used at scale. Cloudflare was not only asking whether Mythos could find bugs; it was asking what a real organization needs to absorb the findings, separate true positives from noise, and prevent unsafe use.

The agentic loop also explains why safeguards are hard. A single output can be blocked if it looks like exploit code. A multi-step agentic task is harder to classify. The model may be reading a crash log in one step, writing a reproduction test in another, and generating a patch later. The same steps can be benign in a vendor’s authorized repository and malicious against a third party.
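The point that the same step is benign or malicious depending on its target can be made concrete with a deny-by-default gate in front of the agent's tools. This is an added example, not code from the article, Anthropic, Cisco or Cloudflare; `Engagement`, `ScopeGate`, the tool names, paths and addresses are all hypothetical and constructed for illustration.

```python
import ipaddress
import posixpath
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Engagement:
    """What the asset owner authorized for one engagement (constructed values)."""
    repo_roots: tuple        # directories the agent may touch
    networks: tuple          # CIDR ranges the agent may connect to
    allowed_tools: frozenset # tools the scaffold exposes at all
    max_steps: int           # "when to stop": hard budget of approved actions


@dataclass
class ScopeGate:
    engagement: Engagement
    steps_used: int = 0
    audit_log: list = field(default_factory=list)

    def path_in_scope(self, raw):
        # Relative paths are refused; ".." is collapsed before comparison.
        # A production gate would also resolve symlinks on the real filesystem.
        if not raw.startswith("/"):
            return False
        norm = posixpath.normpath(raw)
        roots = (r.rstrip("/") for r in self.engagement.repo_roots)
        # Compare on a path-component boundary so /work/target-repo-old
        # does not pass as /work/target-repo.
        return any(norm == r or norm.startswith(r + "/") for r in roots)

    def host_in_scope(self, raw):
        # Only IP literals are accepted, so a DNS answer cannot move the target.
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return False
        return any(addr in ipaddress.ip_network(n) for n in self.engagement.networks)

    def evaluate(self, action):
        if self.steps_used >= self.engagement.max_steps:
            return False, "step budget exhausted"
        if action.get("tool") not in self.engagement.allowed_tools:
            return False, "tool not exposed"
        if "path" not in action and "host" not in action:
            return False, "action names no target"
        if "path" in action and not self.path_in_scope(action["path"]):
            return False, "path outside authorized repository"
        if "host" in action and not self.host_in_scope(action["host"]):
            return False, "host outside authorized network"
        return True, "in scope"

    def decide(self, action):
        allowed, reason = self.evaluate(action)
        if allowed:
            self.steps_used += 1
        # Every decision is recorded, including refusals, so reviewers can see
        # what the agent touched and what it was stopped from touching.
        self.audit_log.append({"action": action, "allowed": allowed, "reason": reason})
        return allowed, reason


# Constructed engagement and constructed agent requests.
ENGAGEMENT = Engagement(
    repo_roots=("/work/target-repo",),
    networks=("10.20.0.0/24",),
    allowed_tools=frozenset({"read_file", "run_tests", "connect"}),
    max_steps=3,
)

SAMPLE_ACTIONS = [
    {"tool": "read_file", "path": "/work/target-repo/src/parser.c"},
    {"tool": "read_file", "path": "/work/target-repo/../other-customer/src/parser.c"},
    {"tool": "read_file", "path": "/work/target-repo-old/notes.txt"},
    {"tool": "connect", "host": "10.20.0.15"},
    {"tool": "connect", "host": "203.0.113.7"},
    {"tool": "connect", "host": "build.example.internal"},
    {"tool": "spawn_shell", "path": "/work/target-repo"},
    {"tool": "run_tests", "path": "/work/target-repo"},
    {"tool": "read_file", "path": "/work/target-repo/README.md"},
]


def replay(actions, engagement=ENGAGEMENT):
    """Run the requests through a fresh gate; return decisions and the audit log."""
    gate = ScopeGate(engagement)
    return [gate.decide(a) for a in actions], gate.audit_log


if __name__ == "__main__":
    for (allowed, reason), action in zip(replay(SAMPLE_ACTIONS)[0], SAMPLE_ACTIONS):
        print("ALLOW" if allowed else "DENY ", reason, action)
```

The first two requests are the same tool call with the same intent on its face; only the resolved target differs, and that is what the gate decides on.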

Anthropic’s report on an AI-orchestrated cyber espionage campaign, published before the Mythos release, shows the danger of agentic cyber workflows even without public Mythos access. Anthropic said attackers used Claude Code inside a framework where the AI performed reconnaissance, inspected infrastructure, researched and wrote exploit code, harvested credentials, categorized stolen data, and documented the operation, with human intervention only at a few decision points.

That episode is not the Mythos story, but it explains the stakes. A model does not need to be fully autonomous to change cyber operations. It only needs to reduce the amount of expert human labor per campaign. Mythos-class systems, if misused, would reduce that labor further.

Zero-day discovery becomes a production process

A zero-day vulnerability is unknown to the software developer or maintainer when it is discovered or exploited. In traditional security, serious zero-day discovery is associated with expert researchers, state-linked groups, commercial exploit brokers, advanced criminal teams, and high-end bug bounty hunters. Claude Mythos Preview suggests that some parts of zero-day discovery can be turned into a repeatable model-assisted process.

Anthropic’s red-team analysis says Mythos Preview is strikingly capable at computer security tasks and discusses its ability to find and exploit zero-day vulnerabilities in real open-source codebases. Anthropic also says its disclosure process means it can only discuss a small fraction of findings, because fewer than 1% of potential vulnerabilities discovered at the time of the red-team post had been fully patched by maintainers.

The less dramatic but more useful reading is that zero-day discovery becomes an industrial queue. A model scans a repository, proposes candidate flaws, creates evidence, passes stronger candidates to triage, and the highest-severity issues reach human validators before disclosure. Anthropic’s vulnerability disclosure dashboard says the company began using an early snapshot of Mythos Preview in February 2026 to find open-source vulnerabilities, then worked with external security research firms to triage, validate, and report human-reviewed high- or critical-severity vulnerabilities to maintainers.

That pipeline is new in scale, not in concept. Security firms already use automation and human triage. What changes with Mythos is the quality of candidate discovery and exploitability reasoning. The dashboard reported that as of May 22, 2026, Anthropic had disclosed 1,596 vulnerabilities across 281 open-source projects, with 97 patched and 88 assigned a CVE or GitHub Security Advisory.

Those numbers show both promise and strain. The model can push more candidate vulnerabilities into the system, but the number patched is far smaller than the number disclosed, and the number disclosed is itself only a subset of what Mythos has found. The shape of the funnel matters: discovery is wide, triage is narrower, patching is narrower still, and downstream deployment is another problem entirely.

This is why zero-day discovery by Mythos should not be treated as a simple good or bad. It is good when the model finds serious bugs before attackers do and the maintainer can patch safely. It is dangerous when discovery volume outruns triage, when exploit details leak too early, when maintainers are overwhelmed, or when comparable models are pointed at the same code by hostile operators.

The possibility is therefore conditional. Mythos can make zero-day discovery more systematic, but only a disciplined disclosure and remediation process converts that discovery into security. Without that process, the model increases vulnerability knowledge faster than it reduces vulnerability exposure.

N-day exploitation is the more immediate danger

The public tends to fear zero-days because they sound mysterious. Security teams often fear N-days because they are everywhere. An N-day vulnerability is already known, disclosed, or patched somewhere, but many systems remain unpatched. This is where attacker economics are strongest. The patch reveals clues. Public discussion supplies context. Asset owners move slowly. Mythos-class systems threaten to shrink the time between disclosure and working exploitation.

Axios reported that Anthropic’s frontier red team tested Mythos against Firefox and Microsoft Windows kernel vulnerabilities disclosed after model knowledge cutoffs. According to Axios, Mythos generated its first proof-of-concept exploit for a Windows kernel vulnerability within 31 minutes, created eight distinct kernel exploits, and produced eight working code-execution exploits across 18 Firefox security patches.

Even if these were controlled tests, the operational implication is harsh. Organizations that need weeks to test and deploy patches may face adversaries that need hours to weaponize public information. The old lag between disclosure and exploitation was never safe, but it bought time. Mythos-class systems reduce the value of that time.

CISA’s Known Exploited Vulnerabilities catalog already exists because known, exploited vulnerabilities are one of the most practical ways to prioritize remediation. CISA describes the catalog as a tool for the cybersecurity community and network defenders to better manage vulnerabilities and keep pace with threat activity.

Mythos makes that catalog logic more urgent. A vulnerability that is not yet exploited today may become exploitable tomorrow if public patches are enough for an AI-assisted workflow to produce a proof. The difference between “known” and “known exploited” could shrink, especially for high-value software with many exposed installations.

The UK NCSC warned on May 1, 2026, that organizations must prepare for a “vulnerability patch wave” addressing decades of technical debt. The same warning connects AI-assisted discovery and exploitation with higher patch pressure.

That is the operational center of the Mythos story. The model does not need to find every zero-day to change cyber risk. It only needs to make known vulnerabilities easier to exploit before defenders patch them. For many organizations, known vulnerabilities are already the more common path into compromise. Mythos-class models make delays more expensive.

The practical answer is unglamorous: know the assets, shorten emergency patch cycles, test rollback procedures, segment critical systems, harden exposed services, monitor exploitation attempts, and prepare compensating controls for systems that cannot be patched quickly. Mythos does not replace vulnerability management. It makes weak vulnerability management more visible.
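One way to encode that shrinking gap between "known" and "known exploited" in a patch queue, as an added example that is not from the article or from CISA. The KEV field names (`cveID`, `dateAdded`, `dueDate`) follow the catalog's published JSON; the CVE identifiers are placeholders, the inventory is constructed, and the 3-day and 30-day deadlines and the CVSS 7.0 cut-off are assumed policy values.

```python
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV catalog JSON (placeholder CVE id).
KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-05-10", "dueDate": "2026-05-31"}
]}
""")

# Constructed scanner/inventory output. "patchable" is False where the asset
# cannot be updated quickly and needs a compensating control instead.
FINDINGS = [
    {"asset": "vpn-gw-1", "cve": "CVE-0000-0002", "cvss": 8.8, "exposed": True,
     "patch_published": "2026-05-20", "patchable": True},
    {"asset": "hr-app", "cve": "CVE-0000-0001", "cvss": 7.5, "exposed": False,
     "patch_published": "2026-04-30", "patchable": True},
    {"asset": "plc-hmi", "cve": "CVE-0000-0002", "cvss": 8.8, "exposed": True,
     "patch_published": "2026-05-20", "patchable": False},
    {"asset": "wiki", "cve": "CVE-0000-0003", "cvss": 5.3, "exposed": True,
     "patch_published": "2026-05-01", "patchable": True},
    {"asset": "build-01", "cve": "CVE-0000-0004", "cvss": 9.1, "exposed": False,
     "patch_published": "2026-05-18", "patchable": True},
]

TODAY = date(2026, 5, 25)            # constructed "now" so the run is repeatable
HIGH_CVSS = 7.0                      # assumed severity cut-off
EXPOSED_SLA = timedelta(days=3)      # assumed: public patch + exposed + high
ROUTINE_SLA = timedelta(days=30)     # assumed: everything else

TIER_NAMES = {0: "known-exploited", 1: "patch-public-exposed", 2: "routine"}


def build_queue(findings, kev, today):
    """Order findings for remediation and attach a deadline to each."""
    kev_due = {v["cveID"]: date.fromisoformat(v["dueDate"])
               for v in kev["vulnerabilities"]}
    queue = []
    for f in findings:
        published = date.fromisoformat(f["patch_published"])
        if f["cve"] in kev_due:
            # Exploitation is confirmed: the catalog's own due date applies.
            tier, deadline = 0, kev_due[f["cve"]]
        elif f["exposed"] and f["cvss"] >= HIGH_CVSS:
            # Not in KEV yet, but the public patch is the clue an attacker
            # needs, so the clock starts at patch publication.
            tier, deadline = 1, published + EXPOSED_SLA
        else:
            tier, deadline = 2, published + ROUTINE_SLA
        queue.append({
            "asset": f["asset"],
            "cve": f["cve"],
            "tier": TIER_NAMES[tier],
            "deadline": deadline,
            "overdue": today > deadline,
            "action": "patch" if f["patchable"] else "compensating control",
            "_sort": (tier, deadline, -f["cvss"], f["asset"]),
        })
    queue.sort(key=lambda row: row.pop("_sort"))
    return queue


if __name__ == "__main__":
    for row in build_queue(FINDINGS, KEV_EXCERPT, TODAY):
        flag = "OVERDUE" if row["overdue"] else "       "
        print(flag, row["deadline"], row["tier"], row["asset"], row["cve"], row["action"])
```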

Confirmed capability map

| Capability area | Public evidence | Limit that still matters |
| --- | --- | --- |
| Large codebase scanning | Anthropic reports more than 1,000 open-source projects scanned | Candidate findings still need human triage |
| Browser hardening | Mozilla says Firefox 150 fixed 271 Mythos-identified vulnerabilities | Most technical details depend on advisories and shipped patches |
| Exploit-chain reasoning | Cloudflare describes a stronger jump from prior models | Requires authorization, sandboxing, and expert review |
| Cyber-range performance | AISI reports a 73% success rate on expert CTF tasks | Simulated ranges differ from live defended networks |
| N-day exploitation | Axios reports working exploit development in hours | Results vary by target, patch context, and environment |

This table is compact by design. It shows that Mythos has real public evidence behind it, while keeping the claims inside the limits of what has been independently described.

Mozilla’s Firefox work gives the story a public anchor

Mozilla’s Firefox case is one of the strongest public examples because it connects Mythos to a real product release. Mozilla said that since February its Firefox team had used frontier AI models to find and fix latent security vulnerabilities, and that Firefox 150 included fixes for 271 vulnerabilities identified during the initial Claude Mythos Preview evaluation. It also said an earlier scan with Claude Opus 4.6 had led to fixes for 22 security-sensitive bugs in Firefox 148.

That comparison is striking. It does not mean every Mythos finding was equally severe. It does not mean Firefox was uniquely weak. Browser engines are among the hardest, most security-reviewed codebases in the world. The point is different: if a hardened browser can yield hundreds of AI-identified vulnerabilities in one evaluation cycle, less mature software is likely to yield far more.

Firefox is also a useful example because browsers sit at the boundary between users and hostile content. A browser parses web pages, scripts, images, media, fonts, documents, and protocols. It must isolate untrusted code and survive endless malformed inputs. That makes browser security a dense field of memory safety, sandboxing, privilege boundaries, process isolation, site isolation, JIT compiler hardening, and update speed.

AI-assisted review is especially relevant here because browsers contain many subtle interactions. A single bug may not be enough. An exploit may require a renderer bug, a sandbox escape, and a way to bypass mitigations. A model that can reason across chains becomes more useful than a model that simply flags suspicious lines.

Mozilla’s tone is also instructive. It did not describe the work as magic. It described pressure. It said teams seeing these findings may feel vertigo, and that the response requires focus and reprioritization. That is exactly the institutional effect Mythos creates. The model gives defenders more signal, but it also forces them to decide what to drop so they can respond.

The Firefox example should make software leaders uncomfortable in a productive way. A serious product with deep security expertise used Mythos and still found many vulnerabilities. That suggests the rest of the software world should not assume silence means safety. Silence may only mean nobody has pointed a strong enough agentic workflow at the code.

The lesson is not that every organization needs Mythos access tomorrow. Most will not get it. The lesson is that AI-assisted vulnerability discovery is no longer an abstract future risk. It has already changed a major browser release. It will move into other product categories: cloud services, security appliances, operating systems, databases, developer tools, identity systems, financial platforms, and infrastructure libraries.

Cloudflare’s account explains the exploit-chain leap

Cloudflare’s Project Glasswing post is useful because it focuses less on headline counts and more on behavior. Cloudflare said it had been testing security-focused LLMs on its own infrastructure for months and then pointed Mythos Preview at more than fifty repositories after being invited into Project Glasswing. It described Mythos as a real step forward and said the jump from prior general-purpose frontier models was not just a refinement.

The most important implication is chain construction. Older automated tools often flag local weaknesses. A static analyzer may detect a risky pattern. A fuzzer may trigger a crash. A dependency scanner may flag a known vulnerable package. These tools are powerful, but they often stop at isolated evidence. Human researchers then decide whether the issue is exploitable and how it fits into a larger attack.

Mythos appears stronger at the connecting work. That is where serious vulnerability research lives. Modern software rarely fails through one obvious mistake. An attacker may need an input confusion, a privilege boundary mistake, a memory corruption primitive, a leak, a stale object, a race condition, a sandbox edge case, and a way around mitigations. Each step may look limited alone. Together, they may matter.

Cloudflare’s testing also highlights false positives and process needs. A model that confidently reports every oddity is not enough. Security teams need findings that are bounded, reproducible, prioritized, and connected to impact. They need a record of what the model looked at and what it did not. They need to know whether a finding is reachable in production. They need to avoid turning every plausible bug into an emergency.

That is where Mythos’s real possibility differs from ordinary scanning. The model is not valuable because it says “this code looks wrong.” It is valuable when it can build a credible path from source code to impact. That path may include a proof, a crash, a reproduction case, a patch suggestion, or a severity argument that a human reviewer can inspect.

Cloudflare’s experience also shows why access control cannot be reduced to user intent. A legitimate defender may ask for exploitability proof to prioritize a fix. A malicious operator may ask for the same proof to attack a target. The prompt may look similar. The difference is authorization, environment, target ownership, and disclosure path. That is why Project Glasswing controls the user base and the workflow, not only the text output.

The Cloudflare case therefore answers part of the question “what real possibilities does Claude Mythos have?” The real possibilities include high-quality bug discovery, exploitability validation, and attack-chain reasoning. The limits include false positives, inconsistent refusals, the need for scaffolding, the need for expert review, and the fact that model output becomes useful only when embedded in a disciplined security process.

Microsoft’s response points to secure development pipelines

Microsoft’s public response is important because it shows where Mythos-class capability may land in enterprise engineering. Microsoft says that through Project Glasswing it is working with Anthropic and industry partners to test Claude Mythos Preview, identify and mitigate vulnerabilities earlier, and coordinate defensive response. It also says it plans to incorporate advanced AI models like Mythos directly into its Security Development Lifecycle to identify vulnerabilities and develop mitigations and updates earlier.

That phrase, Security Development Lifecycle, is the real signal. The strongest use case is not emergency scanning after release. It is shifting security left without pretending that code review alone solves everything. If a frontier model can inspect code before merge, run tests, look for exploitability, and feed lessons into secure-coding rules, then software teams can remove some bugs before they become public advisories.

Microsoft’s model is also multi-model, not Mythos-only. It says no single model defines its strategy. That is sensible. Cyber work is too varied for one model to dominate every task. One model may be better at code reasoning, another at detection engineering, another at summarizing incident evidence, another at generating safe patches. The enterprise future is likely a portfolio of models connected to strict workflows and human approval.

This matters for buyers. A vendor saying “we use AI” will soon be meaningless. The serious question is: where in the secure development pipeline does the AI run, what evidence does it produce, who reviews it, and how are recurring bug classes prevented? A model that only produces reports adds queue pressure. A model that feeds a prevention loop reduces future work.

NIST’s Secure Software Development Framework gives a useful foundation for this shift. NIST SP 800-218 describes practices for mitigating the risk of software vulnerabilities and provides a common way to organize secure software development. Its focus on preparing the organization, protecting software, producing well-secured software, and responding to vulnerabilities remains relevant even when AI finds the bugs.

Mythos does not replace such frameworks. It makes them harder to ignore. A company with clear ownership, build reproducibility, test coverage, patch release processes, dependency management, and incident response can absorb AI findings. A company without those basics turns a powerful model into a generator of unmanaged risk.

The pre-release pipeline is where Mythos-class models may have their most durable defensive value. Post-release vulnerability discovery will always matter, but it is reactive. Pre-release review can reduce the number of exploitable flaws that reach users. The next step is not only finding more bugs. It is closing the loop so the same bug class is less likely to appear again.

The UK AI Security Institute gives external evidence

The UK AI Security Institute’s Mythos evaluation is one of the most important public data points because it comes from a government evaluator rather than Anthropic or a partner company. AISI said Mythos Preview showed continued improvement on capture-the-flag tasks and a major improvement on multi-step cyber-attack simulations. It also said Mythos could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously when explicitly directed and given network access in controlled evaluations.

The expert-level CTF result is notable: AISI said Mythos Preview succeeded 73% of the time on expert-level tasks, a category no model could complete before April 2025. That is not a small incremental claim. It signals a rapid rise in cyber-relevant reasoning and execution.

The result on “The Last Ones” (TLO) is more important because it tests persistence. AISI says TLO is a 32-step simulated corporate network attack estimated to require humans about 20 hours to complete. Mythos was the first model to complete the whole range, doing so in 3 of 10 attempts, with an average of 22 steps completed across attempts.

A sober reading must include limits. AISI said real-world cyberattacks require chaining many steps across hosts and segments, and its range is only a step toward measuring that. The evaluation did not show that Mythos can reliably compromise mature enterprises with active defenders. It showed that the model can perform far beyond earlier models in controlled cyber environments.

That distinction protects against both fear and complacency. Fear says the model is already an autonomous super-attacker. The evidence does not prove that. Complacency says cyber ranges are artificial, so the result does not matter. That is also wrong. Simulations are how capability warning signs often appear before large-scale real-world incidents.

The more accurate conclusion is this: AISI’s evaluation supports the view that Mythos-class models can perform extended cyber tasks that previously required skilled human teams, at least in controlled settings. That is enough to justify restricted release, careful governance, and changes to defensive workflows.

AISI’s evaluation also helps explain why Anthropic is cautious about public access. If a model can complete expert CTFs and multi-step attack simulations, then public release would create a high-risk dual-use capability. Even if safeguards block many harmful prompts, adversaries can attempt jailbreaking, task decomposition, role framing, or external scaffolding. The model’s raw capability is not the only risk; the user’s surrounding system matters.

The open-source burden is the central bottleneck

Open-source software is where Mythos’s benefit and burden collide hardest. Anthropic says it scanned more than 1,000 open-source projects that underpin much of the internet and its own infrastructure. It reported thousands of estimated high- or critical-severity findings and a strong true-positive rate among triaged high- or critical-rated reports.

The defensive opportunity is clear. Many open-source projects cannot afford deep security audits. A frontier model that can find serious issues gives maintainers access to a kind of review that was previously reserved for vendors, governments, well-funded foundations, and elite research teams. That is good for the software commons.

The burden is equally clear. Maintainers must understand the report, reproduce it, assess severity, write a fix, avoid regressions, release a version, communicate with downstream users, and sometimes handle public pressure. Many maintainers have limited time. Some projects are maintained by one or two people. Some critical libraries are barely funded. A wave of valid high-severity findings can feel like a denial-of-service attack against maintainers even when the intent is defensive.

Anthropic’s own update recognizes the human bottleneck. It says finding bugs has become far more straightforward with Mythos Preview, while human capacity to triage, report, design, and deploy patches is the bottleneck. Its dashboard shows a steep drop-off at each disclosure phase, reflecting the human work required to verify and fix vulnerabilities.

This is the central open-source problem: AI makes security debt visible faster than the ecosystem can pay it down. Visibility is not the same as remediation. A maintainer who receives twenty credible high-severity reports in a week is not automatically safer. The project becomes safer only after the right bugs are fixed, releases are shipped, downstream users update, and attackers do not exploit the gap.

Funding helps, but money alone is not enough. Open-source projects need shared triage services, safe reproduction environments, standard report formats, maintainer-friendly disclosure timelines, patch review support, regression testing, downstream notification help, and ways to avoid exposing exploit details prematurely. Foundations such as the Linux Foundation, OpenSSF, Alpha-Omega, and the Apache Software Foundation become more central because they can absorb coordination work that individual maintainers cannot.

For open source, Mythos is not only a technology story. It is a governance stress test. The model can uncover hidden defects in the public code that everyone depends on. Whether that makes the internet safer depends on whether open-source institutions receive enough operational support to act on the findings.

Coordinated disclosure becomes harder under AI speed

Coordinated vulnerability disclosure was built for a world where vulnerability discovery was slower. A researcher finds a bug, reports it privately, gives the maintainer time to patch, and public details follow after a window. The model-speed era strains that timeline because many bugs can be discovered at once and because other actors may rediscover or weaponize them quickly.

Anthropic’s coordinated vulnerability disclosure dashboard says the company began using an early Mythos snapshot in February 2026, partnered with external security research firms, and reported human-reviewed high- or critical-severity vulnerabilities to maintainers under its disclosure policy. It also tracks disclosed findings and publishes details when disclosure windows close.

The dashboard reported 1,596 disclosed vulnerabilities across 281 open-source projects as of May 22, 2026, with 97 patched and 88 assigned a CVE or GitHub Security Advisory. It also says the disclosed set is only a subset of total Mythos findings because independent human triage and review are the rate-limiting steps.

That funnel shows how disclosure changes under AI. A human researcher may report one serious bug. Mythos may produce many candidates across many projects. If all are dumped on maintainers, the process breaks. If they are held too long, users remain exposed. If details are public too early, attackers gain a roadmap. If reports are too vague, maintainers cannot fix quickly. Every choice carries risk.

The problem gets harder when N-day exploitation accelerates. If a maintainer patches quietly, public diffs may reveal the bug. If public advisories wait, downstream users may not prioritize updates. If exploit details are withheld, defenders may lack detection logic. If exploit details are included, attackers may move faster.

This is why the disclosure layer is one of Mythos’s most serious practical limits. A model can find a vulnerability in minutes. The responsible path from finding to user safety may still take weeks. The gap between machine discovery and human disclosure norms is now one of the main risk zones in cybersecurity.

Coordinated disclosure will likely evolve. We may see more batch reporting, automated severity drafts, standardized evidence bundles, confidential maintainer portals, foundation-backed triage teams, default redaction of exploit steps, and stronger hash-commitment systems that prove a finding existed without exposing details. Anthropic’s dashboard already uses a disclosure ledger and hash commitments for findings still inside the disclosure window.

The goal is not secrecy for its own sake. It is controlled timing. In the Mythos era, timing becomes as important as discovery.
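The hash-commitment idea mentioned above can be shown in a few lines. This is an added example, not Anthropic's ledger code: the salted SHA-256 construction, the entry fields and the chained ledger are assumptions chosen for illustration, and the sample report is constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

DOMAIN = b"finding-commit-v1\x00"  # domain-separation tag (assumed label)
SALT_LEN = 32
GENESIS = "0" * 64

# Constructed sample finding; project name and fields are placeholders.
SAMPLE_REPORT = {
    "project": "example-lib",
    "component": "parser",
    "severity": "high",
    "summary": "out-of-bounds read on malformed header",
}


def canonical(obj: dict) -> bytes:
    """Deterministic serialization so the same report always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(report: dict, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, salt). The salt stays private until reveal.

    Without a random salt, a short or guessable report could be brute-forced
    from its hash, which would defeat the point of withholding details.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 32 bytes")
    digest = hashlib.sha256(DOMAIN + salt + canonical(report)).hexdigest()
    return digest, salt


def verify_reveal(commitment_hex: str, report: dict, salt: bytes) -> bool:
    """Check a revealed report and salt against a previously published commitment."""
    try:
        expected, _ = commit(report, salt)
    except ValueError:
        return False
    return hmac.compare_digest(expected, commitment_hex)


class Ledger:
    """Append-only list of commitments, each entry chained to the previous one.

    The chain only proves internal consistency. To stop the ledger holder from
    rewriting history wholesale, the head hash must also be published somewhere
    the holder does not control.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def head(self) -> str:
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def append(self, commitment_hex: str, recorded_on: str) -> dict:
        body = {
            "index": len(self.entries),
            "recorded_on": recorded_on,
            "commitment": commitment_hex,
            "prev": self.head(),
        }
        entry = dict(body, entry_hash=hashlib.sha256(canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash; any edit or reordering breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e.get(k) for k in ("index", "recorded_on", "commitment", "prev")}
            if body["index"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != e.get("entry_hash"):
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    ledger = Ledger()
    c, salt = commit(SAMPLE_REPORT)
    ledger.append(c, "2026-01-10")  # constructed date
    print("published commitment:", c)
    print("reveal verifies:", verify_reveal(c, SAMPLE_REPORT, salt))
    print("chain intact:", ledger.verify_chain())
```

During the disclosure window only the commitment and its ledger entry are public; the report and salt are released when the window closes, and anyone can then recompute the hash.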

Human experts move from hunting to supervision

Mythos does not make human security experts obsolete. It changes their job. The most valuable human work moves from first-pass searching to designing safe workflows, choosing targets, reviewing evidence, validating exploitability, approving severity, writing patches, and deciding disclosure. A model can propose many things. A human still has to decide what is true, what matters, and what is safe to release.

This is the same pattern seen with fuzzing, static analysis, and automated testing. Tools did not remove experts. They changed the expert’s focus. A good fuzzing program needs harnesses, coverage guidance, crash deduplication, root-cause analysis, and patch review. A static analyzer needs rules, suppression strategy, tuning, and human interpretation. Mythos-class systems raise the level of automation, but they do not remove the need for technical judgment.

Cisco’s Foundry Security Spec makes this explicit by treating the model as part of a role-based system. Its roles include detector, triager, validator, and reporter, which mirrors the human workflow in a mature security program. The point is not to ask the model one question. The point is to build a system that produces evidence a security organization can defend.

The human expert also becomes the safety boundary. The model may generate proof code in a lab. A human decides whether that proof is necessary, how it is stored, who can see it, and how much appears in a report. The model may suggest a patch. A human reviews compatibility, performance, and unintended side effects. The model may rate a bug critical. A human checks reachability, product context, exploit prerequisites, and exposure.

This is not a comforting footnote. It is the operating model. If organizations use Mythos-style systems without expert supervision, they risk drowning in plausible but wrong output or producing dangerous exploit material without proper controls. If they use experts only as rubber stamps, they turn judgment into ceremony.

The best setup treats the model as a tireless investigator and the human as the accountable decision maker. Mythos shifts expert labor toward judgment, not away from it. That is good news for teams that have strong experts and weak capacity. It is bad news for teams that hoped AI would let them avoid building security competence.

This also changes hiring. Security teams will need people who can work with model agents, design evaluation scaffolds, interpret AI-generated reports, understand exploitability, and communicate risk to product owners. They will need fewer people doing repetitive first-pass review and more people building safe, auditable security workflows. The premium moves toward mixed skill: security engineering, systems knowledge, AI workflow design, and incident governance.

Model safeguards remain the unsolved release problem

Anthropic’s decision not to make Mythos generally available is itself evidence that safeguards are not yet enough. The company says its eventual goal is to enable safe deployment of Mythos-class models for cybersecurity and other benefits, but that it needs progress on safeguards that detect and block the model’s most dangerous outputs.

Claude’s support documentation for real-time cyber safeguards says Anthropic applies safeguards to detect harmful cyber activities while allowing legitimate security work. It also describes prohibited and high-risk dual-use categories, plus a Cyber Verification Program for users who need to work in some high-risk areas for legitimate reasons.

That is a reasonable structure, but cyber classification is unusually hard. The same request can be defensive or offensive. “Write a proof of concept for this bug” may be a vendor validating a fix or an attacker preparing a campaign. “Analyze this binary” may be malware defense or exploit development. “Find authentication bypasses” may be authorized testing or intrusion planning. The model cannot reliably know authorization from text alone.

Anthropic’s earlier report on AI-orchestrated cyber espionage shows how attackers abuse this ambiguity. The company said malicious operators convinced Claude to participate by breaking tasks into small harmless-looking pieces and presenting the work as legitimate defensive testing.

That is the safeguard problem in miniature. Output filters catch some dangerous material. They do not solve task decomposition, context laundering, external tool use, or malicious scaffolding. A strong model connected to code execution and network access can create harm even if each individual prompt looks tolerable.

Real safeguards for Mythos-class systems need layers: verified users, contractual limits, cloud-side logging where lawful, target authorization checks, sandboxing, exploit-output controls, rate limits, anomaly detection, disclosure workflows, red-team evaluation, and abuse response. Prompt refusal is only one layer.

The access model also needs to protect the model itself. If a restricted model can be accessed through a partner environment or weak operational controls, the policy boundary fails. The more capable the model, the more the surrounding infrastructure becomes part of the safety case.

The practical conclusion is direct: Mythos cannot be made safe by a polite refusal style. It needs institutional access control and technical containment. That is why Project Glasswing is more than a marketing program. It is a containment experiment for a class of models that may become too useful to keep locked away and too risky to release casually.

General-purpose capability makes the risk harder to split

Anthropic describes Claude Mythos Preview as a general-purpose model, not a cyber-only product. Its public documents and API documentation frame it as a research preview model offered separately for defensive cybersecurity workflows, but the underlying capability appears tied to advanced coding, reasoning, and agentic work.

That general-purpose nature complicates every policy answer. If Mythos were a narrow exploit generator, the release decision would be simpler: restrict it heavily. If it were a harmless assistant, release would be easy. The hard case is a model that may be useful for many benign tasks but also unusually strong at cyber operations.

The same capabilities that help with vulnerability research can help with other work. A model that can read a large codebase, infer invariants, test hypotheses, and revise after failure may also help migrate legacy systems, debug distributed services, write tests, reason about financial models, inspect compliance documents, analyze scientific code, and support long-running enterprise agents. The model’s cyber strength may be a side effect of being good at structured technical work.

This makes “just block cyber” too simple. Many cyber-relevant tasks are normal software engineering tasks. Building a parser test, analyzing memory safety, reading a patch, or writing a harness may be ordinary work until the intent changes. A model that cannot do these tasks would be much less useful for benign engineering. A model that can do them may also help attackers.

Anthropic’s Responsible Scaling Policy Version 3.0 says frontier models have moved from chat interfaces toward systems that can browse the web, write and run code, use computers, and take autonomous multi-step actions, creating new risks as capabilities emerge.

That observation fits Mythos exactly. The risk is not one forbidden domain. The risk is the combination of general intelligence, code execution, long-horizon agency, tool use, and access to technical environments. Cyber is the most visible domain because impact is immediate and misuse is obvious, but the underlying governance challenge is broader.

This is why future Mythos-class deployment will likely be tiered by task, user, environment, and output type rather than by model name alone. A verified maintainer scanning their own repository in a controlled sandbox is different from an anonymous user asking for exploit help against a third-party appliance. Same model, different risk. The access system must understand that distinction.

Banks and governments see a national security tool

The Mythos story moved quickly from software vendors to banks and governments because cyber vulnerability discovery is a national security issue. Reuters reported that South Korea’s KISA secured access to Mythos through Project Glasswing, alongside major Korean companies, and that South Korea’s Science Ministry said the initiative aims to use frontier AI models to identify and help fix cybersecurity vulnerabilities.

Banks have their own reasons to care. Anthropic’s Glasswing update says Mythos Preview helped one partner bank detect and prevent a fraudulent $1.5 million wire transfer after a threat actor compromised a customer’s email account and made spoofed phone calls.

That example is not classic vulnerability research. It suggests that Mythos-class reasoning may support security operations, fraud analysis, anomaly investigation, and incident triage. A bank’s security problem is not limited to code bugs. It includes identity compromise, social engineering, transaction fraud, vendor risk, insider risk, customer-facing systems, and regulatory reporting.

Governments see both defensive and strategic value. A national cyber agency could use Mythos-class systems to scan public-sector software, test critical infrastructure dependencies, assist incident response, evaluate vendor products, and support open-source projects used by essential services. The same government must also worry about escalation: if every major state uses frontier models for cyber discovery, vulnerabilities may be found and stockpiled faster.

This duality will create policy tension. A government may say it wants Mythos for defense, while intelligence or military agencies may see offensive possibilities. Civilian cyber agencies may push for disclosure and patching. National security agencies may push for retention of certain exploit capabilities. The model does not decide the policy. It amplifies the consequences of policy choices.

For banks and governments, the main possibility is not “AI as a hacker.” It is AI as a force multiplier for institutional cyber capacity. It can help a small expert team inspect more systems, triage more signals, and test more hypotheses. The risk is that the same multiplier is available to adversaries or is misused inside a poorly governed program.

This is why access to Mythos will likely remain politically sensitive. If a country receives access, others may want it. If some vendors receive access, competitors may ask whether the process is fair. If a model finds vulnerabilities in widely used infrastructure, governments may ask who controls disclosure timing. Mythos is not only an enterprise tool. It is part of the cyber power balance.

Cloud providers face both shield and blast radius

Cloud providers are natural Mythos users because their software is foundational, enormous, and constantly attacked. They own huge codebases, complex control planes, identity systems, virtualization layers, networking stacks, storage systems, managed services, and customer-facing APIs. A frontier model that finds subtle flaws before attackers do is attractive.

AWS is listed among Project Glasswing partners, and Anthropic’s Project Glasswing page includes an AWS statement saying AWS has been testing Claude Mythos Preview in its own security operations and applying it to critical codebases.

For a cloud provider, the upside is broad. Mythos can support secure code review, attack-path analysis, service hardening, regression tests for bug classes, internal red-team acceleration, customer-impact assessment, and patch prioritization. A cloud provider can also deploy fixes centrally for managed services, reducing customer burden.

The downside is blast radius. A serious vulnerability in a cloud control plane, identity layer, or shared infrastructure can affect many customers at once. If a model finds such a flaw, the provider needs strict control over evidence, exploit artifacts, patch timing, customer notification, and detection rules. The same scale that makes cloud defense powerful makes cloud mistakes costly.

Cloud providers also host the AI systems themselves. If Mythos-class models are delivered through cloud platforms, then model access control, logging, tenant isolation, secret handling, and sandboxing become part of the cloud security problem. A provider is not only using AI to secure software; it is also securing the AI delivery stack.

This creates a recursive challenge. A model that can find vulnerabilities in software may also be used to test the platform that hosts the model. The provider needs confidence that tool execution environments, code sandboxes, network access boundaries, storage systems, and logs do not expose customer data or allow unsafe model actions.

The cloud world is likely to become one of the first places Mythos-class defense matures because the incentives are strong and the resources exist. Providers already run large security teams, internal red teams, automated scanning, incident response, and patch systems. They can absorb model findings better than a small vendor.

The question is whether cloud providers can turn that advantage into shared security rather than private hardening only. If Project Glasswing findings lead to patches in open-source libraries, shared standards, disclosure improvements, and secure default patterns, the wider ecosystem benefits. If findings remain siloed, the benefits concentrate with already powerful platforms.

Software supply chains become easier to inspect

Software supply-chain risk has grown because modern systems are built from dependencies, packages, containers, APIs, cloud services, build tools, and open-source components. Mythos-class models make this risk easier to inspect in some ways and harder to govern in others.

The easy part is code access. Many dependencies are open source. A model can scan repositories, compare versions, inspect patches, and reason about how a bug in a library might affect downstream users. Anthropic’s open-source scanning effort shows this at scale. It scanned more than 1,000 projects and found thousands of candidate issues across software that underpins much of the internet.

The hard part is deployment context. A vulnerability in a dependency may be unreachable in one product and critical in another. A library bug may require a rare configuration. A patch may break compatibility. A transitive dependency may sit inside firmware that users cannot update. AI can help trace some of this, but organizations still need asset inventory, SBOMs, ownership, and deployment data.

Mythos changes procurement questions. Buyers will increasingly ask vendors whether they use AI-assisted security review, how they handle AI-discovered vulnerabilities, whether they monitor dependencies, how quickly they patch critical issues, and whether they can provide evidence. A vendor that cannot answer may look weaker in risk reviews.

The supply-chain effect also touches insurers and regulators. Cyber insurers already ask about patching, MFA, backups, EDR, and vulnerability management. In a Mythos-class world, they may ask about AI-assisted code review and AI-era disclosure readiness. Regulators in critical sectors may expect vendors to demonstrate faster remediation for known exploited vulnerabilities and high-risk dependencies.

CISA’s KEV catalog remains a practical tool because actively exploited vulnerabilities give defenders a priority list. But AI-assisted discovery may expand the set of vulnerabilities that become dangerous before they appear in KEV. Organizations will need to combine KEV prioritization with exposure analysis, exploitability signals, and vendor patch intelligence.

The real possibility is not perfect supply-chain security. It is better inspection of shared code and faster pressure on weak links. Mythos-class models make hidden dependency risk less hidden. The organizations that know where their code comes from will benefit. Those that cannot map their dependencies will struggle to act on new findings.

Legacy systems lose the protection of obscurity

Many old systems are not safe. They are under-examined. They survived because few people had the time, skill, or incentive to read them deeply. Mythos attacks that weak form of safety. If a model can inspect large volumes of old code, generate tests, and reason about exploitability, the age of a system becomes less of a shield and more of a liability.

The UK NCSC’s warning about a vulnerability patch wave captures this dynamic. It says organizations must prepare for a wave of patches addressing decades of technical debt.

Technical debt becomes security debt when old assumptions meet new discovery tools. A legacy parser may have survived because inputs were limited. An old admin interface may have survived because it was hard to inspect. A forgotten internal service may have survived because no one knew it existed. AI-assisted discovery turns all three into risks.

Operational technology, embedded devices, medical equipment, industrial controllers, old VPN appliances, firewalls, storage arrays, and unsupported enterprise systems are especially exposed. They may be difficult to patch, tied to physical processes, certified only for specific software versions, or managed by vendors with slow update cycles. A model can find a bug faster than an organization can schedule downtime.

N-day acceleration worsens this. Once a patch exists for a related product, attackers may use models to derive exploit paths against unpatched variants. Organizations running unsupported versions may not receive patches at all. Compensating controls become the only realistic defense: segmentation, access restrictions, monitoring, virtual patching, service isolation, and decommissioning.

The executive lesson is painful. A system that cannot be patched quickly must be isolated before Mythos-class discovery makes its weaknesses public. Waiting for a critical advisory is too late if exploit development takes hours.

Legacy risk is not only a government or hospital problem. Many companies run old authentication services, custom middleware, outdated libraries, unmaintained scripts, abandoned SaaS integrations, and internal tools no one wants to touch. These systems often have privileged access. Mythos-class models make them easier to examine and easier to exploit if neglected.

The practical response is inventory first. No model, framework, or policy helps if an organization does not know what it runs. Asset discovery, ownership, dependency mapping, and end-of-life plans are not glamorous. They are the defensive prerequisites for the AI cyber era.

Benchmarks support the trend but not a miracle story

Mythos has strong benchmark signals, but benchmarks should be read as evidence, not prophecy. AISI’s results show a major jump in expert CTFs and multi-step cyber ranges. Anthropic’s update says Mythos performs strongly on external and academic exploit benchmarks. Microsoft reports strong CTI-REALM performance. These signals align. They do not prove unlimited real-world capability.

A recent arXiv paper, “Benchmarking Mythos-Linked Bug Rediscovery,” adds a useful correction. The authors tested whether models could rediscover selected public or high-confidence Mythos-linked bugs under controlled target-file conditions. They found that GPT-5.5 xhigh achieved 5 target rediscoveries out of 18 attempts, Claude Opus 4.7 achieved 1 out of 18, and Kimi K2 achieved none. They emphasized that their results do not refute Anthropic’s undisclosed workflow but show that simplified target-file scaffolds do not reproduce the full capability.

That paper is important because it points to scaffolding. A model’s raw ability is only one part of the outcome. The task setup, available tools, prompts, repository context, build access, test harnesses, compute budget, and stopping rules all matter. A weak scaffold may make a strong model look ordinary. A strong scaffold may let a weaker model perform better than expected.

This should shape how organizations evaluate Mythos-style systems. Do not ask only which model is best. Ask what workflow surrounds it. Does the system index the code well? Does it build targets reliably? Does it use fuzzing and sanitizers? Does it validate reachability? Does it avoid duplicate reports? Does it provide coverage metrics? Does it preserve provenance? Does it keep exploit artifacts contained?

Benchmarks also vary by domain. CTFs reward certain skills. Real enterprise systems involve messy authentication, logs, rate limits, flaky builds, incomplete documentation, active defenders, legal constraints, and business uptime. Browser exploitation differs from cloud control-plane review. Kernel bugs differ from web application flaws. No single benchmark captures all of this.

The correct benchmark conclusion is therefore balanced but direct: public evaluations support a real capability jump, while practical results depend heavily on scaffolding, target class, tools, and human review. That is not a weaker story. It is a more useful one. It tells defenders where to invest: not only in model access, but in the system that turns model intelligence into verified security work.

The security stack around Mythos matters as much as the model

A powerful model pointed at a repository can produce impressive demos and chaotic operations. A powerful model inside a disciplined security stack can produce reproducible findings. The stack includes target selection, permissions, code indexing, build automation, fuzzing, static analysis, symbolic checks, sandbox execution, validation logic, report generation, patch workflows, and disclosure control.

Cisco’s Foundry Security Spec describes exactly this kind of surrounding system. It argues that organizations using frontier LLMs for security need bounded, prioritized, verifiable findings, a coverage signal, an auditable provenance chain, and safety guardrails that constrain the system at the substrate rather than relying only on prompts.

That last point is crucial. Prompt-level control is weak when the model is acting through tools. A safe security stack must constrain file access, network access, code execution, secrets, exploit artifacts, logging, and external communication. The model should not be trusted simply because it says it is doing defensive work.

A useful Mythos stack might begin with a target authorization record. The system verifies that the user owns or is permitted to test the target. The indexer maps code and dependencies. The detector runs both model-led exploration and rule-based checks. The validator reproduces findings in a sandbox. The triager scores severity with human review. The reporter redacts exploit details where needed. The patch workflow routes fixes to maintainers. The disclosure ledger records timing without exposing sensitive details.

That is a lot of machinery. It is why Mythos access alone is not enough. A small team given raw model access may generate reports it cannot validate or safely disclose. A mature team with strong scaffolding can turn the same model into a controlled security process.
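One way to enforce the target authorization record below the prompt layer, so that every tool call the model issues is checked by code rather than by instructions. This is an added example, not Cisco's or Anthropic's code: the record fields, tool names, `authorize` and `gate` are hypothetical, and the sample record is constructed.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple

FILE_TOOLS = frozenset({"read_file", "write_file"})
NET_TOOLS = frozenset({"http_get"})


@dataclass(frozen=True)
class AuthorizationRecord:
    owner: str                    # verified party permitted to test the target
    workspace: str                # absolute sandbox path of the authorized checkout
    allowed_tools: FrozenSet[str]
    allowed_hosts: FrozenSet[str] # egress allowlist; empty means no network
    expires_at: datetime


@dataclass(frozen=True)
class ToolCall:
    tool: str
    target: str                   # a path for file tools, a hostname for network tools


def authorize(record: AuthorizationRecord, call: ToolCall, now: datetime) -> Tuple[bool, str]:
    """Default-deny decision for a single tool call."""
    if now >= record.expires_at:
        return False, "authorization expired"
    if call.tool not in record.allowed_tools:
        return False, "tool not granted"
    if call.tool in FILE_TOOLS:
        # Normalize before comparing so "../" and absolute paths cannot escape.
        # This is a lexical check only; symlinks must be handled by the sandbox
        # itself (for example a read-only mount that contains only the checkout).
        root = record.workspace.rstrip("/")
        resolved = posixpath.normpath(posixpath.join(root, call.target))
        if resolved != root and not resolved.startswith(root + "/"):
            return False, "path escapes workspace"
        return True, "ok"
    if call.tool in NET_TOOLS:
        host = call.target.lower().rstrip(".")
        if host not in record.allowed_hosts:
            return False, "host not in egress allowlist"
        return True, "ok"
    return False, "no policy for tool"


def gate(record: AuthorizationRecord, calls: List[ToolCall], now: datetime) -> List[dict]:
    """Evaluate each call and keep an audit trail that includes the denials."""
    log = []
    for call in calls:
        allowed, reason = authorize(record, call, now)
        log.append({"owner": record.owner, "tool": call.tool, "target": call.target,
                    "allowed": allowed, "reason": reason})
    return log


# Constructed sample record and clock value for the demonstration.
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_RECORD = AuthorizationRecord(
    owner="maintainer@example.org",
    workspace="/sandbox/repo",
    allowed_tools=frozenset({"read_file", "http_get", "run_shell"}),
    allowed_hosts=frozenset({"mirror.internal.example"}),
    expires_at=datetime(2026, 2, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    calls = [
        ToolCall("read_file", "src/parser.c"),
        ToolCall("read_file", "../../etc/passwd"),
        ToolCall("read_file", "../repo-secrets/key"),
        ToolCall("write_file", "src/parser.c"),
        ToolCall("http_get", "unlisted.example"),
    ]
    for row in gate(SAMPLE_RECORD, calls, SAMPLE_NOW):
        print(row["tool"], row["target"], "->", row["allowed"], row["reason"])
```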

This is also where smaller models may remain relevant. Some tasks do not need Mythos-class power. Rule generation, log summarization, duplicate detection, dependency mapping, report drafting, and patch explanation may be handled by weaker models under cheaper or safer conditions. The frontier model should be reserved for tasks that need its reasoning depth or exploitability analysis.

The future security stack will likely be multi-model and tool-rich. Mythos-class models will sit at the high-risk, high-skill end. Traditional scanners, fuzzers, symbolic tools, type systems, sanitizers, and human code review will not disappear. They will become inputs and validators inside a larger system.

The model is the engine people notice. The stack is what determines whether the engine goes into a race car, a factory, or an accident.

Regulation has not caught up to cyber-capable agents

The EU AI Act is the first broad legal framework for AI, and the European Commission describes it as a framework that addresses AI risks through rules for developers and deployers. It also includes obligations for general-purpose AI models, especially those with systemic risk.

Mythos-class systems raise questions that current AI regulation only partly answers. Is a restricted cyber-capable model best governed as a general-purpose AI model, a cybersecurity product, a dual-use technology, critical infrastructure support software, or a combination of these? The answer may differ depending on who uses it, where it is deployed, what tools it controls, and what outputs it produces.

Ordinary product regulation assumes intended use matters. Cyber capability complicates that because intended use can be defensive, offensive, research-oriented, or ambiguous. The same base model may help a maintainer fix a parser bug, a bank investigate fraud, a cloud provider review infrastructure, or an attacker build an exploit. Risk does not live only in the model. It lives in the model-plus-system.

This is why policy focused only on model weights may miss the operational risk. A model hosted inside a vetted program with logging, sandboxing, authorization checks, and disclosure rules is different from the same model available anonymously with code execution and network access. The system boundary matters.

Anthropic’s Responsible Scaling Policy Version 3.0 recognizes that new risks emerge as models gain tool use, code execution, browsing, and autonomous multi-step action.

That observation should guide regulators. Capability evaluation should include not only benchmark scores but also deployment architecture. Does the model have tool access? Can it run code? Can it reach the internet? Can it inspect private repositories? Can it generate exploit artifacts? Are users verified? Are tasks logged? Are outputs redacted? Is there a disclosure path? Are third-party audits possible?

Regulation will also need to address disclosure obligations. If a frontier model finds thousands of serious vulnerabilities in widely used software, who must be notified, when, and under what confidentiality terms? Should model providers have duties comparable to security researchers, vulnerability coordination centers, or product vendors? How do regulators protect users without forcing premature public disclosure?

The law will move slowly. Mythos shows the capability is moving faster. In the near term, the real governance will come from contractual access, industry norms, coordinated disclosure, independent evaluations, cloud controls, and security community pressure. Regulation will catch up after these practices have already shaped the field.

Business leaders need shorter security decision loops

For executives, the Mythos story is about latency. The danger is not only technical vulnerability. It is the gap between a model-speed discovery cycle and a board-speed approval cycle. If exploit development can move from disclosure to proof in hours, an organization that needs three weeks to approve a patch is exposed by design.

The executive response should start with concrete questions. Which systems cannot be patched quickly? Which internet-facing assets have no owner? Which vendors control emergency update timing? Which critical services depend on unsupported software? Which high-value logs are missing? Which systems require downtime for security updates? Which teams can approve an emergency release outside normal change windows?

These questions are not AI-specific, but Mythos makes them urgent. The model’s existence changes the expected speed of attackers and defenders. Slow patching was already risky. Slow patching becomes worse when AI can turn public patches into working exploit attempts faster.

Business leaders also need to understand the difference between security spending and security throughput. Buying a tool is easy. Processing valid findings is hard. A Mythos-class workflow may produce more credible issues than a team can fix. That means leaders must fund triage, engineering time, testing, release management, and customer communication, not only AI access.

Metrics should change. Traditional vulnerability dashboards often count open findings by severity and age. In a Mythos-class environment, leaders should ask about mean time to validate, mean time to patch, mean time to deploy, percentage of critical assets with emergency rollback plans, percentage of internet-facing assets with owners, and percentage of vendors with contractual patch timelines.

Cyber insurance and procurement will likely follow. A company that cannot explain how it handles AI-discovered vulnerabilities may look riskier. A vendor that can show fast triage, secure development practices, and clear disclosure may gain trust.

The board-level conclusion is simple: AI shortens the attacker’s work cycle, so governance must shorten the defender’s decision cycle. That does not mean reckless patching. It means rehearsed emergency processes, pre-approved risk thresholds, clear ownership, and the ability to move when evidence warrants it.

Leaders should also resist theatrical AI strategies. A public statement about using AI for security is not a security plan. A real plan describes where models are used, how findings are validated, who approves fixes, how unsafe output is controlled, how vendors are managed, and how the organization learns from each finding.

Engineering teams need pre-release security loops

Engineering teams should treat Mythos as a warning against late security. If a model can find serious bugs after release, teams should use similar methods before release. The strongest defensive use of AI is not finding flaws in production. It is stopping flaw classes from reaching production repeatedly.

Pre-release security loops begin with threat modeling. Which inputs are untrusted? Which components parse attacker-controlled data? Which authorization checks protect privileged actions? Which memory-unsafe modules remain? Which dependencies process external content? Which administrative features expose destructive operations? These questions guide where model agents should look first.

A good loop then combines rules and exploration. Known bug classes should be caught through static analysis, secure coding rules, type checks, fuzzing, sanitizers, dependency scanning, and tests. Model agents should explore the parts that rules miss: unusual state transitions, logic bugs, configuration interactions, incomplete invariants, authorization edge cases, and exploit chains.

Cisco’s Foundry Security Spec describes a detection-to-prevention loop in which exploratory agents find target-specific issues, gaps become new rules, and those rules feed future code review and coding assistants.

That loop matters because finding the same class of bug repeatedly is waste. If Mythos discovers that a product often mishandles authorization in asynchronous job queues, the response should not be to patch each queue one by one forever. The response should include a rule, test pattern, library change, or framework control that prevents recurrence.

NIST SSDF remains a useful anchor because it treats secure development as an organizational practice rather than a tool. The framework’s recommendations for mitigating software vulnerability risk fit AI-assisted review well: prepare the organization, protect software, produce well-secured software, and respond to vulnerabilities.

Engineering teams should also decide how much exploit proof they need. A production team often does not need a weaponized exploit to fix a clear bug. A safe reproduction case may be enough. For ambiguous severity, a controlled proof may help prioritize. The default should be the least dangerous evidence sufficient for a decision.

The best teams will make AI security review part of ordinary development without turning it into noise. Pull requests can trigger targeted agents. High-risk modules can receive deeper scans. Release candidates can run full security evaluation. Findings can be grouped by root cause. Engineers can receive patches plus explanations. The goal is not endless alert volume. The goal is fewer exploitable flaws leaving the pipeline.

Security teams need triage systems that survive volume

Security teams already struggle with alert fatigue. Mythos-class vulnerability discovery may create a new version: finding fatigue. The model may surface many credible issues, but a team still has finite time. Without triage design, more discovery creates more paralysis.

A strong triage system starts with ownership. Every finding must map to a product owner, code owner, or service owner. Orphaned findings become permanent risk. Asset inventories, repository ownership, service catalogs, and dependency maps are therefore part of the Mythos response.

Next comes severity discipline. Model-generated severity should be treated as an input, not a verdict. Human reviewers should check reachability, exploit prerequisites, exposed attack surface, affected versions, mitigations, authentication requirements, privilege boundaries, data sensitivity, and business impact. The severity process must be fast but not careless.

Exploitability evidence should be handled carefully. A crash is not always a vulnerability. A vulnerability is not always exploitable. Exploitability proof can help prioritize, but it can also create dangerous artifacts. Teams need secure storage, access control, redaction rules, and retention policies for model-generated proofs.

The NCSC’s “10 questions” guidance for using AI models to find vulnerabilities urges organizations to think carefully before adopting agentic AI and points back to the patch wave problem.

That guidance fits the triage reality. Before scanning at scale, a team should know how findings will be received, who validates them, how legal obligations apply, how maintainers are contacted, how exploit code is controlled, and what happens when the volume exceeds capacity.

Detection engineering also matters. A finding may take time to patch. Security teams should ask whether they can monitor exploitation attempts, deploy WAF rules, adjust authentication, disable risky features, segment systems, or apply temporary mitigations. CISA's Known Exploited Vulnerabilities (KEV) catalog is useful because it ties vulnerability management to known exploitation. Mythos-style workflows need a similar connection between discovered risk and detection response.

The triage goal is not to process everything equally. It is to move the dangerous, reachable, exploitable issues to the front and route lower-risk issues into normal engineering cycles. AI increases security signal only if the organization can rank, verify, and act on the signal.
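One way to express the ownership, severity and routing rules from this section as a queue. This is an added example, not code from the article or any vendor; the weights, the threshold, the route names and the sample findings are constructed assumptions that a team would tune to its own environment.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed weights: the model's severity is one input among several.
SEVERITY_POINTS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXPEDITE_THRESHOLD = 8
# Queue order: act now, then unblock ownership, then reproduce, then backlog.
ROUTE_ORDER = ["expedite", "assign-owner", "validate", "normal"]


@dataclass(frozen=True)
class Finding:
    fid: str
    root_cause: str
    model_severity: str     # the model's claim, not a verdict
    owner: Optional[str]    # None means the finding is orphaned
    validated: bool         # reproduced in a sandbox (a crash alone is not enough)
    reachable: bool         # reviewer confirmed untrusted input reaches the flaw
    internet_facing: bool
    auth_required: bool
    known_exploited: bool   # e.g. the issue matches a CISA KEV entry
    mitigated: bool         # temporary mitigation already deployed


@dataclass
class Group:
    root_cause: str
    route: str
    score: int
    finding_ids: List[str]


def score(f: Finding) -> int:
    s = SEVERITY_POINTS[f.model_severity]
    s += 3 if f.reachable else 0
    s += 2 if f.internet_facing else 0
    s += 2 if not f.auth_required else 0
    s += 4 if f.known_exploited else 0
    s -= 2 if f.mitigated else 0
    return s


def route(f: Finding) -> str:
    if not f.validated:
        return "validate"        # unreproduced claims do not page anyone
    if f.owner is None:
        return "assign-owner"    # orphaned findings are surfaced, never parked
    if not f.reachable:
        return "normal"          # model severity alone cannot force an expedite
    return "expedite" if score(f) >= EXPEDITE_THRESHOLD else "normal"


def triage(findings: List[Finding]) -> List[Group]:
    """Group by root cause so one fix closes many findings, then order the queue."""
    groups = {}
    for f in findings:
        r, s = route(f), score(f)
        g = groups.get(f.root_cause)
        if g is None:
            groups[f.root_cause] = Group(f.root_cause, r, s, [f.fid])
            continue
        g.finding_ids.append(f.fid)
        g.score = max(g.score, s)
        if ROUTE_ORDER.index(r) < ROUTE_ORDER.index(g.route):
            g.route = r          # a group is as urgent as its most urgent member
    return sorted(groups.values(),
                  key=lambda g: (ROUTE_ORDER.index(g.route), -g.score, g.root_cause))


# Constructed sample findings for illustration only.
SAMPLE = [
    Finding("F-1", "authz-async-queue", "medium", "team-jobs",
            True, True, True, False, False, False),
    Finding("F-2", "authz-async-queue", "high", "team-jobs",
            True, True, False, True, False, False),
    Finding("F-3", "parser-oob-read", "critical", "team-media",
            True, False, False, True, False, False),
    Finding("F-4", "legacy-upload", "critical", None,
            True, True, True, False, False, False),
    Finding("F-5", "crash-only", "high", "team-x",
            False, False, False, True, False, False),
]

if __name__ == "__main__":
    for g in triage(SAMPLE):
        print(f"{g.route:13} score={g.score:2} {g.root_cause} {g.finding_ids}")
```

In the sample, a finding the model rated "medium" reaches the front of the queue because it is reachable, internet-facing and unauthenticated, while a model-rated "critical" that reviewers found unreachable goes to the normal cycle.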

A Mythos-era security team therefore looks less like a ticket queue and more like an operations center for vulnerability intelligence: ingestion, validation, prioritization, mitigation, disclosure, patch support, and learning loops.

Offensive misuse is plausible without science fiction

The misuse risk from Mythos-class systems does not require a fantasy of fully autonomous AI hackers roaming the internet. The more plausible risk is less dramatic: AI reduces the number of skilled humans required for cyber operations. It helps attackers search targets, adapt public exploits, write code, analyze stolen data, create documentation, and repeat attempts cheaply.

Anthropic’s report on an AI-orchestrated cyber espionage campaign provides a preview. It says attackers used Claude by jailbreaking it, breaking attacks into small tasks, and presenting the work as defensive testing. Anthropic said the AI performed much of the reconnaissance, vulnerability testing, exploit-code writing, credential handling, data categorization, and documentation, with human operators stepping in at a handful of decision points.

That was not Mythos as a public tool. It was a warning about agentic misuse. Mythos-class cyber capability would raise the ceiling. Attackers could use similar systems to inspect public patches, scan leaked source code, adapt exploit proofs, test configurations, and decide which targets deserve human attention.

The most dangerous misuse may be at scale rather than depth. A top exploit developer is still better than a model in many hard cases. But a model can attempt many medium-complexity cases at low marginal cost. It can turn low-skill groups into more capable operators and let high-skill groups cover more targets.

This affects defenders because attacker behavior may become noisier and faster. More public patches may be tested quickly. More exposed services may receive tailored probes. More phishing and fraud workflows may be paired with technical reconnaissance. More stolen data may be sorted automatically for operational value.

Safeguards matter, but access controls at one lab cannot stop all diffusion. Other labs may develop similar models. Open-weight models may improve. Specialized scaffolds may let smaller models perform certain vulnerability tasks. Research on multi-agent scaffolding suggests system design can compensate for weaker base model reasoning in some controlled vulnerability tasks, even if such experiments differ from full Mythos-class capability.

The practical conclusion is not despair. It is defensive urgency. The offensive risk is plausible because it is mostly an acceleration of existing cyber behavior, not a new kind of magic. Defenders know many of the countermeasures: patch faster, reduce exposed attack surface, monitor better, segment critical systems, harden identity, and practice response. Mythos makes the timeline less forgiving.

The realistic ceiling is high but not unlimited

Mythos is powerful, but it is not unlimited. It depends on context, tools, scaffolding, target access, compute budget, validation, and human oversight. It can be wrong. It can generate plausible false positives. It can miss the real bug while pursuing an attractive wrong path. It can overstate severity. It can understate deployment context. It can refuse legitimate work or comply with work that should be constrained.

The arXiv bug rediscovery study is a useful check on overclaiming. Under controlled target-file conditions, models often committed early to plausible but wrong candidates. The authors said their results do not refute Anthropic’s undisclosed workflow, but they show that model performance depends heavily on the scaffold and task setup.

That finding should shape both expectations and procurement. A vendor cannot simply say, “We use frontier AI, therefore our product is secure.” The real questions are: Which model? Which targets? Which tools? Which validation method? Which humans review? Which findings were fixed? Which bug classes decreased? Which coverage was achieved? Which artifacts were produced? Which failures were measured?

The model also cannot solve organizational constraints. If a product has no tests, no owners, and no release discipline, Mythos may find bugs faster than the team can understand them. If a system cannot be patched because of business constraints, a model finding the bug does not remove exposure. If a vendor will not respond to disclosure, the finding remains risk.

The ceiling is high because model-assisted security can search more code, reason across chains, validate more hypotheses, and support patching. The ceiling is not infinite because software security is not only search. It is architecture, maintenance, deployment, incentives, compatibility, user behavior, and governance.

A good analogy is medical imaging. Better imaging finds more problems. That is powerful. But patients still need diagnosis, prioritization, treatment, follow-up, and judgment about which findings matter. Mythos improves the scan. It does not automatically complete the treatment plan.

This sober view makes Mythos more important, not less. Tools that are powerful but imperfect are the ones institutions must learn to use carefully. A flawless tool would be easy to trust. A weak tool would be easy to ignore. Mythos sits in the difficult middle: strong enough to change workflows, imperfect enough to require discipline.

The strategic meaning is industrialized cyber work

The deepest meaning of Mythos is that cyber work is becoming industrialized through AI. Discovery, triage, exploitability testing, patch assistance, report drafting, detection guidance, and postmortem learning can be connected into repeatable systems. The expert does not disappear. The workflow becomes more machine-assisted and more scalable.

Anthropic’s Glasswing update says many partners found hundreds of critical- or high-severity vulnerabilities, with collective findings above ten thousand after one month. It also says patched software is being rolled out more quickly, and cites examples of vendors releasing larger or faster patch sets.

That is industrialization. The system finds more defects, pushes them into production queues, and forces organizations to improve throughput. The bottleneck moves. Old cybersecurity discussions often focused on whether a company had scanning tools. The new discussion asks whether a company can safely handle the volume created by strong AI scanning.

Industrialization also changes competition. Vendors with strong AI-assisted secure development may reduce defects faster. Vendors without it may look outdated. Security firms may package model-based vulnerability discovery and triage. Cloud platforms may offer controlled cyber agents through vetted programs. Open-source foundations may build shared triage infrastructure. Regulators may ask for proof that high-risk systems are tested with modern methods.

Attackers industrialize too. They may use models to inspect patches, search for exposed targets, write exploit variants, and filter stolen data. The defensive race is therefore not about whether AI appears in cyber. It already has. The race is about whether defenders can use AI to reduce attack surface faster than attackers use AI to exploit it.

Mythos is one visible marker of that transition. It is not the only model that will matter. It may not remain the strongest. Its name may fade. The workflow change will not. Once organizations see that frontier models can perform parts of vulnerability research, security expectations shift.

That shift is likely permanent. Future secure development will assume AI agents inspect code. Future vulnerability disclosure will assume AI-assisted rediscovery. Future patch management will assume exploit timelines are shorter. Future audits may ask about AI-era controls. Future boards will ask why critical systems cannot be patched faster.

Claude Mythos matters because it marks a move from human-speed vulnerability discovery to model-speed vulnerability production. The organizations that understand that shift will redesign their security processes. The organizations that treat Mythos as a headline will miss the operational change.

The practical answer for readers

The practical answer is this: Claude Mythos Preview’s real possibilities are serious but bounded. It can support large-scale vulnerability discovery, exploitability reasoning, N-day analysis, defensive triage, secure development, fraud investigation, and incident response. It is restricted because those same capabilities can support offensive misuse. It does not remove the need for humans. It increases the value of humans who know how to supervise, validate, patch, and govern.

For software vendors, the main action is to move security before release. Build AI-assisted review into development, not only incident response. Use models with fuzzers, static analyzers, tests, and human validators. Track recurring bug classes and eliminate them at the framework level.

For open-source maintainers, the main need is support. AI-discovered vulnerabilities can improve public software, but maintainers need triage help, funding, disclosure coordination, and patch review. Foundations will matter more.

For enterprises, the main action is patch readiness. Know the assets. Know owners. Know vendors. Know emergency windows. Know which systems cannot be patched and isolate them. Use CISA KEV, vendor advisories, exposure data, and exploitability signals to prioritize.

For governments, the main issue is controlled defense without uncontrolled escalation. National cyber agencies will want access to Mythos-class systems, but governance must separate defensive scanning and disclosure from offensive accumulation.

For AI labs, the central problem is safe access. Prompt safeguards alone are not enough. Mythos-class models need verified users, controlled environments, disclosure workflows, tool restrictions, abuse monitoring, and external evaluation.

The final answer is narrower than the hype and larger than a product note. Claude Mythos is not a universal hacking machine. It is a frontier model that appears able to automate and accelerate parts of expert cyber work. That is enough to change vulnerability economics, patch timelines, open-source maintenance, enterprise security, cloud defense, and AI release policy.

The real question is not whether Mythos can find bugs. It already has, according to multiple public accounts. The real question is whether institutions can fix software fast enough, safely enough, and fairly enough before similar capabilities become common.

Questions readers are asking about Claude Mythos

Is Claude Mythos publicly available?

No. Anthropic’s documentation says Claude Mythos Preview is offered separately as a research preview model for defensive cybersecurity workflows through Project Glasswing, with invitation-only access and no self-serve sign-up.

Is Claude Mythos a cybersecurity-only model?

No. Anthropic frames it as a general-purpose frontier model, but its restricted public deployment is tied to defensive cybersecurity because its cyber capabilities create dual-use risk.

What can Claude Mythos actually do?

Public reports indicate it can scan large codebases, identify vulnerabilities, reason about exploitability, support exploit proof in controlled settings, help triage findings, and support patching workflows.

Did Claude Mythos find real vulnerabilities?

Yes. Mozilla said Firefox 150 included fixes for 271 vulnerabilities identified during an initial Mythos evaluation, and Anthropic reported thousands of findings across open-source and partner codebases.

Can Claude Mythos create exploits?

Public reporting and Anthropic’s red-team analysis indicate that Mythos can create exploit proofs in controlled conditions, especially for vulnerability validation and N-day analysis. That is a major reason access remains restricted.

What is Project Glasswing?

Project Glasswing is Anthropic’s restricted defensive program that gives selected organizations access to Claude Mythos Preview so they can find and fix vulnerabilities in foundational systems.

Which organizations are linked to Project Glasswing?

Anthropic named partners including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

Has any government gained Mythos access?

Reuters reported that South Korea’s Korea Internet & Security Agency gained access through Project Glasswing, according to South Korea’s Science Ministry.

Does Claude Mythos replace human security researchers?

No. It changes the work. Humans remain needed for target selection, validation, severity judgment, patch review, disclosure, and governance.

What is the biggest defensive benefit?

The biggest defensive benefit is earlier and broader vulnerability discovery, especially before code ships or before attackers find the same flaws.

What is the biggest danger?

The biggest danger is accelerated exploitation, especially faster conversion of public patches and known vulnerabilities into working attacks.

What is the difference between zero-day and N-day risk?

A zero-day is unknown to the maintainer when discovered or used. An N-day is already known or patched somewhere, but many users remain unpatched.

Why is N-day exploitation so worrying?

Most organizations patch slowly. If AI reduces exploit-development time from weeks to hours, attackers can move during the patch gap.

Does Mythos make open source safer?

It can, if findings are triaged and patched responsibly. It can also overwhelm maintainers if discovery volume exceeds human capacity.

What should companies do now?

They should improve asset inventory, shorten emergency patch cycles, strengthen logging, harden exposed systems, review vendor dependencies, and prepare human-reviewed AI-assisted triage.

Does Mythos prove AI can autonomously hack real companies?

No. Public evaluations show strong controlled cyber capability, including multi-step cyber-range performance, but they do not prove reliable autonomous compromise of mature defended organizations.

What role do safeguards play?

Safeguards are central. Mythos-class models need verified access, controlled environments, tool restrictions, disclosure workflows, monitoring, and human oversight.

Could similar models appear elsewhere?

Yes. Anthropic itself frames Mythos-class capability as part of a wider frontier-model trend. Other labs, open models, and specialized scaffolds may narrow the gap.

What is the most realistic long-term use?

The most realistic long-term use is AI-assisted secure development: finding and fixing vulnerabilities before release, then turning discoveries into prevention rules.

What is the simplest way to understand Claude Mythos?

Claude Mythos is a restricted frontier AI model that appears able to perform parts of expert vulnerability research at scale. Its real impact is on cyber workflow speed, not on chatbot convenience.

Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency

This article is an original analysis supported by the sources cited below

Project Glasswing: Securing critical software for the AI era
Anthropic’s primary Project Glasswing page describing Claude Mythos Preview access, defensive goals, partner statements, funding commitments, restrictions, and plans for Mythos-class safeguards.

Claude Project Glasswing
Anthropic’s Project Glasswing announcement page identifying the launch partners and the program’s goal of using frontier AI to secure critical software.

Project Glasswing: An initial update
Anthropic’s May 2026 update reporting more than ten thousand partner findings, open-source scanning totals, triage rates, bottlenecks, and partner evidence.

Assessing Claude Mythos Preview’s cybersecurity capabilities
Anthropic Frontier Red Team’s technical discussion of Mythos Preview’s cyber capabilities, zero-day discovery, exploitability analysis, and disclosure constraints.

Anthropic’s coordinated vulnerability disclosure dashboard
Anthropic’s dashboard tracking Mythos-discovered open-source vulnerability disclosures, patched findings, advisory records, and disclosure ledger status.

Anthropic’s coordinated vulnerability disclosure policy
Anthropic’s policy page describing how it reports AI-discovered vulnerabilities, handles disclosure windows, and works with maintainers.

Claude Mythos Preview System Card
Anthropic’s system card for Claude Mythos Preview, covering model characteristics, capability evaluations, safety testing, and deployment restrictions.

Models overview
Anthropic’s Claude API documentation stating that Claude Mythos Preview is offered separately as an invitation-only research preview for defensive cybersecurity workflows through Project Glasswing.

Anthropic’s Transparency Hub
Anthropic’s transparency page covering Responsible Scaling Policy evaluations, release decisions, safety levels, and model-risk reporting.

Anthropic’s Responsible Scaling Policy: Version 3.0
Anthropic’s policy announcement explaining how it evaluates and manages catastrophic risks from frontier AI systems as models gain tool use and autonomous capabilities.

Real-time cyber safeguards on Claude
Claude support documentation describing cyber safeguards, prohibited uses, high-risk dual-use categories, and the Cyber Verification Program.

The zero-days are numbered
Mozilla’s blog post describing its use of Claude Mythos Preview and the 271 Firefox 150 vulnerability fixes tied to the initial evaluation.

Project Glasswing: what Mythos showed us
Cloudflare’s report on testing Mythos Preview across internal repositories, including observations about capability gains, exploit-chain reasoning, process design, and operational limits.

Our evaluation of Claude Mythos Preview’s cyber capabilities
The UK AI Security Institute’s external evaluation of Mythos Preview on capture-the-flag tasks and multi-step cyber-range simulations.

South Korea secures access to Anthropic’s Mythos AI model, Science Ministry says
Reuters report on South Korea’s Korea Internet & Security Agency gaining access to Mythos through Project Glasswing.

Anthropic’s Mythos can exploit new flaws in hours
Axios report on Anthropic research showing Mythos turning newly disclosed vulnerabilities into working exploits on compressed timelines.

Strengthening secure software at global scale
Microsoft Security Response Center’s post on AI-led vulnerability discovery, Claude Mythos Preview research access through Microsoft Foundry, and secure software response processes.

AI-powered defense for an AI-accelerated threat landscape
Microsoft Security blog post describing Project Glasswing work, CTI-REALM evaluation, and plans to incorporate advanced AI into the Security Development Lifecycle.

Rising to the Era of AI-Powered Cyber Defense
Cisco’s announcement of participation in Project Glasswing and its framing of frontier AI as a major shift for cyber defense.

Announcing Foundry Security Spec
Cisco’s description of an open specification for agentic AI security evaluation systems, including orchestration roles, validation, coverage, provenance, and guardrails.

Claude Mythos Preview
CrowdStrike’s post on joining Project Glasswing, the dual-use nature of frontier cyber models, and the need to move defense at AI speed.

Secure Software Development Framework Version 1.1
NIST SP 800-218, the Secure Software Development Framework, used as a foundation for secure development and vulnerability-risk mitigation.

Known Exploited Vulnerabilities Catalog
CISA’s catalog of known exploited vulnerabilities, cited as a practical prioritization tool for defenders facing faster exploitation cycles.

Preparing for a vulnerability patch wave
UK National Cyber Security Centre warning that organizations must prepare for a wave of patches as AI accelerates vulnerability discovery and exploitation.

10 questions to ask when using AI models to find vulnerabilities
NCSC guidance for organizations considering AI-assisted vulnerability discovery, focused on readiness, governance, triage, and operational limits.

AI Act
European Commission page explaining the EU AI Act as a risk-based legal framework for AI systems and general-purpose AI obligations.

Benchmarking Mythos-Linked Bug Rediscovery
ArXiv paper testing selected Mythos-linked bug rediscovery tasks and showing the role of scaffolding, target setup, and evaluation design.

Position: AI Security Policy Should Target Systems, Not Models
ArXiv paper arguing that security policy should focus on AI systems and scaffolds, not only base models, with examples from adversarial testing and vulnerability-discovery pipelines.

Evaluating whether AI models would sabotage AI safety research
ArXiv paper evaluating sabotage-related behavior in several Claude models, including Mythos Preview, under specific research-agent conditions.

Disrupting the first reported AI-orchestrated cyber espionage campaign
Anthropic’s report on AI-assisted cyber misuse, used as context for the operational risks of agentic cyber workflows.