Anthropic’s Claude Mythos Preview, announced April 7, 2026, detects and exploits zero-day vulnerabilities across every major operating system and web browser. The model uncovers subtle flaws, including a 27-year-old bug in OpenBSD—a system prized for its security pedigree. Over a month of testing, Anthropic’s team found over 99% of these vulnerabilities remain unpatched, holding back details under responsible disclosure protocols. This isn’t incremental progress; it signals AI’s arrival as a dominant force in cybersecurity offense and defense.
The company launched Project Glasswing alongside the announcement, deploying Mythos Preview to harden critical software. A team of 25 researchers, including Nicholas Carlini and experts from Google DeepMind and elsewhere, ran rigorous evaluations. They directed the model to hunt bugs in real open-source codebases, reverse-engineer closed-source exploits, and convert known N-day vulnerabilities (disclosed but unpatched) into working attacks. Results: consistent success on high-value targets.
Zero-Day Hunting in the Wild
Mythos Preview excels at zero-days—unknown flaws with no patches or defenses. It scours code for logical errors, memory corruptions, and race conditions that humans miss. In tests, it targeted Linux kernels, Windows components, macOS drivers, Chrome, Firefox, Safari, and Edge. Many bugs dated back 10-20 years, evading decades of audits. The OpenBSD find stands out: a 1999 vulnerability patched only after AI flagged it.
Anthropic discloses just 1% of findings to avoid aiding attackers. Examples include buffer overflows in widely used libraries and privilege escalations in browser sandboxes. The model doesn’t just spot issues; it crafts proof-of-concept exploits, chaining vulns for remote code execution. This matches real-world threats from nation-states, but at machine speed.
Reverse-engineering closed-source binaries proved equally potent. Given a black-box executable, Mythos Preview deduced exploit logic, rebuilt payloads, and adapted them to N-day CVEs. For instance, it turned a 30-day-old WebKit flaw into a full sandbox escape for iOS.
Why This Changes Everything
If verified—and Anthropic’s track record on safety lends credibility—this upends cybersecurity economics. Zero-days fetch $1-10 million on black markets; exploits for iOS or Chrome command top dollar from spyware vendors like NSO Group. Historically, discovery relied on manual fuzzing, symbolic execution, or luck. Tools like AFL or Angr automate parts, but hit plateaus on complex code.
AI shatters those limits. Mythos Preview processes entire codebases contextually, reasoning like a senior pentester. Attackers gain an edge: script kiddies could prompt similar models for custom exploits. Defenders counter by accelerating triage—AI flags vulns faster than human teams, as Google and Microsoft already experiment with.
Yet risks loom. Open-weight models like Llama could replicate this soon, proliferating tools to criminals. Anthropic notes future models will amplify threats; their coordinated disclosure delays patches on 99% of bugs, buying time but sparking debates on secrecy versus speed.
Implications hit finance and crypto hard. Exchanges, wallets, and DeFi protocols run on vulnerable OSS like OpenSSL or Rust crates. A zero-day in a browser wallet could drain billions. States hoarding vulns (e.g., NSA’s EternalBlue) face obsolescence if AI exhausts stockpiles.
Anthropic urges immediate action: integrate AI into fuzzers, prioritize memory safety (Rust adoption up 300% since 2020), and form industry bug bounties for AI-discovered flaws. Skeptically, benchmarks often overstate real-world utility—lab exploits rarely chain perfectly in the wild. But with specifics like OpenBSD, this feels substantive.
Bottom line: cybersecurity enters an AI arms race. Defenders who adopt now—via tools like Mythos or rivals—stay ahead. Ignore it, and zero-days become daily news. Expect vendors to scramble; watch for patches in coming weeks as disclosures roll out.
