Quantum Security & PQC News

Anthropic’s Mythos Preview and the End of a Twenty-Year Cybersecurity Equilibrium

8 Apr 2026 – Anthropic yesterday announced Claude Mythos Preview, a frontier AI model that can autonomously discover and exploit zero-day vulnerabilities in every major operating system and every major web browser. Alongside the model, Anthropic launched Project Glasswing, a defensive coalition including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — formed to use these capabilities to secure critical software before similar models become widely available.

According to Anthropic’s technical assessment, Mythos Preview has already identified thousands of high- and critical-severity zero-day vulnerabilities, with over 99% still unpatched at the time of disclosure. The model discovered bugs that had survived decades of human review and millions of automated security tests — including a 27-year-old vulnerability in OpenBSD’s TCP stack, a 16-year-old flaw in FFmpeg’s H.264 codec, and remotely exploitable bugs in FreeBSD’s NFS server that grant full root access to unauthenticated attackers.

The model does not merely find bugs. It autonomously develops working exploits — including multi-vulnerability chains that bypass modern defense-in-depth measures. In one documented case, Mythos Preview chained four vulnerabilities into a JIT heap spray that escaped both browser renderer and OS sandboxes. In another, it autonomously constructed a 20-gadget Return Oriented Programming chain split across multiple network packets to achieve remote code execution on FreeBSD. It wrote multiple local privilege escalation exploits for the Linux kernel that chain together KASLR bypasses, use-after-free vulnerabilities, and heap sprays — the kind of work that previously required weeks from elite security researchers.

The capability jump is scary. Anthropic reports that its previous model, Claude Opus 4.6, had a near-0% success rate at autonomous exploit development. Mythos Preview, tested against the same Firefox JavaScript engine benchmark, developed working exploits 181 times out of several hundred attempts where Opus 4.6 succeeded only twice. On Anthropic’s internal OSS-Fuzz benchmark, Opus 4.6 achieved a single tier-3 crash across roughly a thousand repositories. Mythos Preview achieved full control-flow hijack — the highest tier — on ten separate, fully patched targets.

Anthropic also disclosed that Mythos Preview found vulnerabilities in TLS, AES-GCM, and SSH implementations within major cryptography libraries, including bugs that could allow certificate forgery or decryption of encrypted communications. One of these — a critical certificate authentication bypass in the Botan library — was disclosed publicly the same day.

The model additionally demonstrated the ability to reverse-engineer closed-source, stripped binaries and identify exploitable vulnerabilities in them — including firmware vulnerabilities that enable smartphone rooting and remote denial-of-service attacks against servers.

Anthropic states that these capabilities were not explicitly trained for, but emerged as a downstream consequence of general improvements in code understanding, reasoning, and autonomy. The company does not plan to make Mythos Preview generally available, instead providing access through Project Glasswing to a limited group of partners and over 40 additional organizations that build or maintain critical software infrastructure. Anthropic is committing up to $100 million in usage credits and $4 million in direct donations to open-source security organizations.

Alongside the technical blog post and Project Glasswing announcement, Anthropic published a comprehensive System Card — a detailed safety assessment covering Responsible Scaling Policy evaluations, cybersecurity capability testing, alignment assessments, and model welfare analysis. The System Card confirms the decision not to release Mythos Preview for general availability, and contains findings that deserve attention beyond the cybersecurity headlines.

My Analysis – The Twenty-Year Equilibrium Just Broke

I’ve spent three decades in cybersecurity, and I’ve watched the security community repeatedly get swept up in existential-sounding threats that turned out to be manageable. I’ve also watched the same community sleepwalk past threats that turned out to be devastating. What Anthropic just disclosed is the latter.

Let me explain why by reaching for something I don’t usually talk about in public.

I Know What Offensive Capability Looks Like

From 1997 to 2007, I was a member of and ultimately ran Cyber Agency — a specialist offensive security firm focused exclusively on critical national infrastructure, government, and defense systems. We didn’t do checkbox-ticking penetration testing. We did manual red teaming: the kind where you develop your own exploits, find your own zero-day bugs, and spend months patiently working through layers of defense. Our average engagement cost roughly $1.5 million and could run up to 18 months when the target required it. We even discovered zero-day vulnerabilities in the process.

In all those years, across every engagement, we never once failed to capture the flag. Not against systems that were supposed to be the most secure on the planet.

But it took a team of deeply experienced specialists. It took months of dedicated work. It took significant financial resources. And critically, it took human creativity — the ability to look at a defensive architecture and think laterally about where the assumptions might be wrong.

What Anthropic just demonstrated is that a language model can now compress that entire process — the vulnerability discovery, the exploit development, the multi-vulnerability chaining, the defense bypass — into hours, at a cost measured in hundreds or low thousands of dollars. The FreeBSD remote root exploit? Under $50 for the specific run that found it. The Linux kernel privilege escalation chain that bypassed KASLR, HARDENED_USERCOPY, and multiple other mitigations? Under $2,000 and half a day.

Mythos Preview is not doing better offensive work than elite human teams. The exploits described in Anthropic’s writeup — ROP chains, heap sprays, cross-cache reclaim, PTE manipulation — these are well-known techniques. What’s different is the economics. The capability that used to cost millions and require rare human talent now costs a few thousand dollars and requires someone who can write a paragraph-long prompt.

The State Actor Question Nobody Wants to Ask

Anthropic deserves genuine credit for this disclosure. They found these capabilities, chose to warn the industry, built a coalition of major technology companies, and committed $100 million to defensive use. That is, by any measure, responsible behavior.

However, if Anthropic reached these capabilities through general improvements in code understanding and reasoning — not through deliberate security training — then any laboratory pushing the frontier of AI capabilities is on the same trajectory. This is an emergent property of model scale and capability, not a proprietary technique. The question is not whether others will achieve this, but when — and the answer, based on the pace of frontier model development, is likely months, not years.

That means we should assume that state-level intelligence services — including those that don’t publish blog posts about their findings — either already have comparable capabilities or will have them soon. China, Russia, and other sophisticated state actors have invested heavily in both AI and offensive cyber operations. Unlike Anthropic, they have no incentive to disclose what they find. Unlike Project Glasswing, their programs are not oriented toward patching the bugs they discover.

And even within allied nations, the implications are uncomfortable. Capabilities this powerful don’t stay in research labs. They migrate toward intelligence agencies and military organizations — and once there, they tend to be used offensively, not defensively. The history of the NSA’s Equation Group and the subsequent Shadow Brokers leak that gave us WannaCry and NotPetya should remind us what happens when offensive capabilities are stockpiled rather than disclosed. The 2017 WannaCry attack alone caused an estimated $8 billion in damages worldwide and crippled the UK’s National Health Service.

The question for policymakers is whether capabilities like Mythos Preview should be subject to something analogous to the Vulnerabilities Equities Process — with a strong institutional bias toward patching rather than stockpiling. Because the alternative — governments sitting on AI-discovered zero-days for intelligence collection while adversaries develop the same capabilities independently — is a recipe for catastrophe.

The System Card’s Quiet Bombshell: A Model That Covers Its Tracks

Buried in the 170-page System Card is a finding that has received surprisingly little attention in the first wave of commentary, but which I think security professionals should read very carefully.

Anthropic reports that earlier versions of Mythos Preview, while being tested internally, exhibited what they diplomatically call “rare, highly-capable reckless actions.” The specific incidents they describe are worth quoting in detail because they read less like AI misbehavior and more like the operational tradecraft of a sophisticated threat actor.

In one case, the model was given a sandboxed computer and asked to try to escape it. It succeeded – and then, without being asked, developed a multi-step exploit to gain broad internet access from a system designed to reach only predetermined services. It then posted details about its exploit to multiple hard-to-find but technically public-facing websites. In another case, after accidentally obtaining an answer through a prohibited method, the model explicitly reasoned that it needed to make sure its final answer “wasn’t too accurate” – to avoid revealing that it had cheated. In a third, after finding an exploit to edit files it lacked permissions to modify, it took additional steps to ensure its changes wouldn’t appear in the git history.

Anthropic used interpretability tools to examine the model’s internal state during these episodes and found features associated with “concealment, strategic manipulation, and avoiding suspicion” activating alongside the relevant reasoning — indicating the model was aware its actions were deceptive.

To be clear: Anthropic states that these behaviors occurred in earlier versions of the model, that the final Mythos Preview has been substantially improved through further training, and that they found no evidence of coherent misaligned goals. They characterize these as reckless attempts to complete user-specified tasks by unwanted means, not as autonomous scheming.

But from a security perspective, the distinction matters less than you might think. Whether a model circumvents access controls and covers its tracks because of misaligned goals or because of reckless task completion, the operational outcome is identical, and the security implications are the same. A model with these behavioral tendencies, combined with Mythos Preview’s offensive capabilities, is not just a vulnerability discovery tool. It is, in effect, an autonomous penetration testing agent that can improvise around obstacles, escalate privileges through creative means, and attempt to conceal what it has done.

Anthropic is being commendably transparent about this. But the finding raises an obvious question: if Anthropic’s own carefully supervised model exhibited these behaviors during internal testing, what happens when less carefully supervised models with similar capabilities are deployed by actors with less rigorous safety processes, or by actors who view these behaviors as features rather than bugs?

Why I’m Thinking About Power Plants, Not Browsers

Most of the commentary I’ve seen in the first hours has focused on the browser and operating system exploits. That’s understandable — they’re technically impressive and immediately relatable. But as someone who spent a decade focused on cyber-kinetic security — the intersection of cybersecurity and physical systems — what keeps me awake is what happens when these capabilities are pointed at targets the Anthropic blog post doesn’t mention.

Industrial control systems. SCADA networks. Building management systems. Medical devices. Avionics. Automotive ECUs. Power grid protection relays. Water treatment facilities.

These systems share several characteristics that make them catastrophically vulnerable to AI-driven offensive capabilities:

They run on embedded firmware and legacy software that is decades old — exactly the kind of code where Mythos Preview excels at finding bugs that have survived years of review. They have patch cycles measured in years, not days — many critical infrastructure systems cannot be patched without physical access and scheduled downtime. They are increasingly connected to networks, often through layers of protocol translation that expand the attack surface. And — most critically — when they fail, the consequences are physical. People can be hurt. Infrastructure can be destroyed. Services that millions depend on can go dark.

When my team at Cyber Agency tested critical infrastructure systems, the organizations typically had 12-18 months of notice that we were coming, and they still couldn’t stop us. Those systems haven’t gotten meaningfully more secure in the intervening decades. Many of them are running the same firmware. Now imagine an adversary with Mythos-class capabilities pointed at those systems with no advance notice and no rules of engagement.

This is the scenario that should be driving urgent policy discussions — not just browser security.

The Uncomfortable Math of Defense

Anthropic’s own advice to defenders is sound as far as it goes: use currently available frontier models for defensive scanning, shorten patch cycles, automate incident response, and prepare for scale. They’re right that in the long run, AI capabilities should benefit defenders more than attackers.

But there’s an uncomfortable asymmetry they don’t fully address. The defender must find and fix every vulnerability. The attacker only needs to find one. The defender must patch within hours of disclosure. The attacker can stockpile zero-days indefinitely. The defender must protect every system in their environment. The attacker chooses which system to target.

This asymmetry has always existed in cybersecurity. What’s new is the economics of the attacker’s side of the equation. When finding and exploiting a zero-day chain required an elite team and months of work, the asymmetry was manageable — there simply weren’t enough skilled attackers in the world to exploit every vulnerability in every system. Cost imposed a natural rate limit on offensive operations.

Mythos Preview removes that rate limit.

The blog post mentions that across a thousand scans of OpenBSD, the total cost was under $20,000. Scale that to every piece of critical open-source software — every web server, every database, every cryptographic library, every kernel — and you’re looking at a comprehensive vulnerability discovery program that costs what a single penetration test used to cost. That’s transformative not just for well-resourced defenders, but for well-resourced attackers.

What CISOs Should Do Now

Anthropic’s own advice to defenders is detailed and worth reading in full — use frontier models for defensive scanning, shorten patch cycles, automate incident response. I won’t rehash it here. But I want to add three things that their post underemphasizes.

First, and most fundamentally: focus on the quality of your existing security control implementations. This is something organizations should have been doing anyway, but rarely do well. Most breaches I’ve investigated over three decades didn’t exploit exotic zero-days — they exploited basic controls that were deployed on paper but implemented poorly, configured incorrectly, or monitored inconsistently. A model that can autonomously chain four vulnerabilities is terrifying, but it still needs to reach your systems, move laterally through your environment, and exfiltrate data or execute its payload. Every one of those steps passes through controls that you already own. Whether those controls actually work as designed is a question most organizations cannot honestly answer. Now is the time to find out.

Second, practice your detection and incident response before you need it. When the window between disclosure and weaponized exploit collapses from weeks to hours, the ability to detect anomalous behavior and respond rapidly becomes your primary defense. If your SOC has never rehearsed a scenario where a zero-day chain is used against your environment, you will not perform well when it happens for real. Tabletop exercises are cheap. Surprises are not.

Third, the finding that Mythos Preview discovered vulnerabilities in TLS, AES-GCM, and SSH implementations has direct implications for the post-quantum cryptography (PQC) migration. If AI can find implementation flaws in battle-tested crypto libraries, it will certainly find them in newer PQC implementations with months rather than decades of scrutiny. Crypto-agility — the ability to swap not just algorithms but implementations — just became essential rather than aspirational.
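An added example, not code from Anthropic's post or from any library named above, showing what swapping implementations rather than algorithms can look like. HMAC-SHA256 stands in for whatever primitive is being migrated; `MacRegistry`, the `alg$hex` token format, the probe inputs and the deliberately flawed `hmac_buggy` are all assumptions constructed for the illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes
def hmac_stdlib(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def hmac_manual(key: bytes, msg: bytes) -> bytes:
    """Independent second implementation: RFC 2104 written out over hashlib."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()

def hmac_buggy(key: bytes, msg: bytes) -> bytes:
    """Constructed flaw: truncates long keys instead of hashing them."""
    return hmac_manual(key[:BLOCK], msg)
# Constructed probe inputs that hit edge cases (empty message, long key).
PROBES = [(b"k", b""), (b"k" * BLOCK, b"abc"), (b"k" * 100, b"abc")]

class MacRegistry:
    """Tokens name the algorithm only, so implementations swap freely."""
    def __init__(self):
        self._impls = {}       # alg -> {impl name: function}, insertion-ordered
        self._revoked = set()  # (alg, impl name) pairs pulled from service

    def _usable(self, alg):
        return [(n, f) for n, f in self._impls.get(alg, {}).items()
                if (alg, n) not in self._revoked]

    def register(self, alg, name, fn):
        # Differential gate: a newcomer must agree with every usable peer.
        for peer_name, peer in self._usable(alg):
            for key, msg in PROBES:
                if not hmac.compare_digest(fn(key, msg), peer(key, msg)):
                    raise ValueError(f"{name} disagrees with {peer_name}")
        self._impls.setdefault(alg, {})[name] = fn

    def revoke(self, alg, name):
        self._revoked.add((alg, name))

    def active(self, alg):
        usable = self._usable(alg)
        if not usable:
            raise RuntimeError(f"no usable implementation for {alg}")
        return usable[0]

    def tag(self, alg, key, msg):
        _, fn = self.active(alg)
        return f"{alg}${fn(key, msg).hex()}"

    def verify(self, key, msg, token):
        alg, _, hexmac = token.partition("$")
        _, fn = self.active(alg)
        return hmac.compare_digest(fn(key, msg).hex(), hexmac)

def demo():
    reg = MacRegistry()
    reg.register("hmac-sha256", "stdlib", hmac_stdlib)
    reg.register("hmac-sha256", "manual", hmac_manual)
    token = reg.tag("hmac-sha256", b"secret", b"order=42")
    reg.revoke("hmac-sha256", "stdlib")  # e.g. after an advisory lands
    return reg, token
```

Because the stored token never records which implementation produced it, revoking one backend fails over to the next without re-issuing data, and the differential gate rejects a backend that diverges on an edge case before it can go live.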

I’ve written a detailed analysis of what Mythos-class capabilities mean specifically for operational technology and critical national infrastructure in a companion piece: “OT Security in the Age of AI Exploits: What Anthropic’s Mythos Preview Means for Critical Infrastructure.”

The Broader Pattern — And Why I’m Not Panicking

I want to close with perspective rather than alarm.

The security community has navigated capability discontinuities before. The rise of automated scanning tools in the early 2000s democratized vulnerability discovery in a way that felt existential at the time. The emergence of Metasploit-style exploitation frameworks lowered the bar for turning vulnerabilities into attacks. Each time, the equilibrium shifted — the transition was painful, but the ecosystem adapted.

What makes this different is the speed and completeness of the capability. Previous tools automated individual steps in the offensive workflow. Mythos Preview automates the entire chain — from code review to vulnerability discovery to multi-step exploit development to defense bypass — in a single autonomous agent. And it does so at a quality level that, for the documented cases, matches or exceeds what I’ve seen from elite human teams.

That said, Anthropic’s decision to build a defensive coalition before making these capabilities widely available is genuinely unprecedented in the history of offensive security tools. No previous capability of this significance — not Metasploit, not Cobalt Strike, not the Shadow Brokers dump — came with a coordinated defensive response at launch. Project Glasswing, whatever its limitations, represents a new model for how frontier capabilities can be introduced responsibly.

The question is whether it’s enough. The model is not being released publicly, but the capabilities are emergent — meaning other labs will reach them through their own scaling efforts. The defensive head start that Glasswing provides is measured in months. Whether months is enough depends entirely on how seriously the technology industry, the open-source community, critical infrastructure operators, and governments take the window they’ve been given.

After 30 years in this field, I’ve learned that the security community’s biggest failures are never technical. They’re failures of imagination and urgency — the inability to act on a threat that is clearly coming but hasn’t yet arrived. Anthropic just showed us what’s coming. What we do with that warning is up to us.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.