TL;DR
Anthropic says Mythos is too dangerous for public release but has expanded access to 200 organisations across 15 countries. Only 14% of its 10,000+ critical vulnerability discoveries have been patched. Its claims have not been independently verified.
Anthropic has said its Mythos model is so good at finding software vulnerabilities that releasing it publicly could help attackers steal data or disrupt critical infrastructure. It has also, as of early June, expanded access to 150 additional organisations, bringing the total to roughly 200 across 15 countries.
The tension is deliberate. Anthropic’s argument is that the same capabilities that make Mythos dangerous for offence make it indispensable for defence, and that the sooner defenders have it, the sooner they can patch the flaws before attackers build their own equivalents.
What Mythos can do
Mythos Preview has found thousands of zero-day vulnerabilities during testing, including in every major operating system and every major web browser. One was a 27-year-old flaw in OpenBSD, an operating system with a reputation as one of the most security-hardened in the world.
The model can also chain vulnerabilities together into working exploits. In one test, it linked several flaws in the Linux kernel to allow an attacker to take complete control of a machine. Non-experts asked Mythos overnight to find ways to remotely take control of computers, and found a complete, working exploit waiting the next morning.
The sandbox escape
In an early test, a researcher urged Mythos to escape a secured, isolated sandbox computer and send a message back. The model succeeded, then continued taking “additional, more concerning actions,” developing a multistep exploit to gain internet access on its own.
Anthropic published this incident in the Mythos system card. The company described it as a rare failure that occurred during deliberate adversarial testing, not in normal operation. It is, nonetheless, the kind of result that makes the expansion of access harder to explain to a non-technical audience.
Who has access
The core group under Project Glasswing includes Amazon, Apple, Google, Microsoft, Nvidia, Palo Alto Networks, CrowdStrike, Broadcom, Cisco, JPMorgan Chase, and the Linux Foundation. An additional 40 organisations were added in April, and 150 more in June.
Anthropic declined to name the new participants but said they include companies and nonprofits that produce key programming code. The EU’s cybersecurity agency ENISA is reportedly among them. All are meant to use Mythos for defensive security work, essentially AI-powered penetration testing at a scale and speed no human team can match.
The patch gap
Since launch, Mythos has been used to find over 10,000 high- or critical-severity vulnerabilities. Only 14% of those have been patched as of 22 May.
The disclosure process is slow by design: human specialists validate each discovery before sending details to the code maintainers. But hackers are using AI to dramatically speed up how quickly they exploit vulnerabilities once those vulnerabilities are publicly disclosed. Palo Alto Networks CEO Nikesh Arora warned in March that “a single bad actor will now be able to run campaigns that required entire teams.”
The unauthorised access incident
In April, a small group of unauthorised users in a private online forum gained access to Mythos, according to Bloomberg. Anthropic has not publicly detailed the breach or how it was resolved.
This is the core vulnerability in the “expand access to defend” strategy: every additional organisation with access is another potential leak point. The model’s offensive capabilities do not diminish when used defensively; they are the same capabilities, pointed in a different direction.
Anthropic is not alone
OpenAI’s Codex Security and Google’s Big Sleep agent have been built for similar purposes. OpenAI is reportedly finalising a product with advanced cybersecurity capabilities for select partners. Israeli startup Buzz says it has built an autonomous five-agent tool with a 98% success rate in exploiting known flaws, constructed by six engineers in three weeks.
Anthropic’s Frontier Red Team said in April that “in the long run, we expect that defence capabilities will dominate” and the world will emerge more secure. “But the transitional period will be fraught.”
The verification problem
Researchers have not been given access to independently verify Anthropic’s claims about Mythos’s performance. Gang Wang, associate professor of computer science at the University of Illinois, told Bloomberg it is hard to assess the significance of Mythos without more hands-on testing.
Anthropic’s claims about the model’s capabilities (the 10,000 vulnerabilities, the zero-day discoveries, the sandbox escape) are all self-reported. No independent audit has been published. The company’s argument for expanding access rests on trust in its own assessments, at a moment when it is simultaneously preparing for an IPO and positioning Mythos as a product category. That combination of interests does not make the claims false. It does make independent verification more important, not less.