Anthropic Claude Mythos: Security Risks, Opportunities, and What Comes Next

Key Takeaways

• AI just broke the cost curve for exploitation: Claude Mythos found a 27-year-old OpenBSD vulnerability in under $50 of compute. When exploit development costs this little, periodic testing cannot keep up with attacker speed.
• Defenders have a closing window to get ahead: Project Glasswing gives 12 major partners and 40+ vetted organizations early access to Mythos-class capabilities for defensive use. That advantage has a shelf life measured in months.
• Continuous pentesting is now a baseline requirement: With 28.3% of CVEs exploited within 24 hours of disclosure, quarterly pentests leave most of the attack surface untested when it matters most.

---

Anthropic spent less than $50 in compute to find a vulnerability that had survived 27 years of expert review in one of the most security-hardened operating systems on the planet.

The vulnerability sat in OpenBSD’s TCP SACK implementation since 1998. It survived millions of automated fuzz tests and multiple expert audits. Claude Mythos Preview, Anthropic’s unreleased frontier model, found it autonomously in a single scaffold run. And that was just one of thousands of critical zero-day vulnerabilities the model identified across every major operating system and every major web browser.

This matters beyond Anthropic’s research lab. The cost and expertise required to find and exploit software vulnerabilities just dropped by orders of magnitude. AI models can now do in hours what took elite security researchers months. Attackers will have access to similar capabilities soon enough. 

The question for security teams is straightforward: how do you defend against an attacker that never stops probing, operates at machine speed, and costs almost nothing to run?

The answer starts with understanding what Mythos actually does, the risks it introduces, and the opportunities it creates for defenders who are willing to move from periodic testing to continuous, AI-driven security validation.

Why Claude Mythos Is a Turning Point for Offensive Security

The gap between Claude Mythos Preview and its predecessor is generational.

A few months before Mythos, Anthropic’s best model, Claude Opus 4.6, had a near-zero success rate at autonomous exploit development. On a benchmark using Mozilla Firefox JavaScript engine vulnerabilities, Opus 4.6 produced working exploits just twice out of several hundred attempts. Mythos Preview produced 181 working exploits on the same test set, plus 29 additional cases where it achieved register control. That is roughly a 90x improvement in a single model generation.

What makes this more significant is that these capabilities were not specifically trained. According to Anthropic’s Frontier Red Team, Mythos Preview’s security abilities emerged as a downstream result of general improvements in code reasoning, long-context understanding, and autonomous execution. The model was not built to hack. It learned to hack because it got better at reading and reasoning about code.

Anthropic responded by withholding the model from public release. This is the first time a leading AI company has restricted a frontier model due to offensive security concerns, since OpenAI withheld GPT-2 in 2019. 

The decision signals a new reality: AI models are now competitive with elite human researchers at finding and exploiting software vulnerabilities. And the economics of AI in offensive security are shifting fast.

What Claude Mythos Can Actually Do

The Frontier Red Team’s findings break down into three core capabilities that separate Mythos from everything that came before it.

1. Autonomous Zero-Day Discovery

Mythos Preview identified thousands of previously unknown vulnerabilities across every major operating system and every major web browser. 

The AI vulnerability discovery capabilities go well beyond pattern matching. The model reads source code, reasons about how the software behaves, and identifies flaws that automated scanning tools have missed for decades. 

The 27-year-old OpenBSD TCP SACK bug is the most striking example, but it also found a 16-year-old vulnerability in FFmpeg’s H.264 decoder, in a line of code that automated testing tools had executed five million times without catching the problem.

2. Exploit Chaining and Weaponization

Finding a vulnerability is one thing. Turning it into a working exploit is another. Mythos Preview does both. 

In one documented case against the Linux kernel, the model bypassed KASLR using one vulnerability, read the contents of a critical struct using a second, wrote to a previously freed heap object using a third, then chained it with a heap spray to land root permissions. 

It also built a fully autonomous remote code execution exploit for a 17-year-old FreeBSD NFS vulnerability that a previous study showed Opus 4.6 could only exploit with human guidance.

3. Self-Directed Validation

Mythos does not just report potential issues. It attempts to exploit its own findings to confirm they are real before surfacing them. This reduces noise at the discovery stage and produces findings that come with working proof of exploitability, replication steps, and evidence trails.

The Security Risks Claude Mythos Introduces

The defensive implications of Mythos-class AI go beyond a single model. The capabilities it demonstrates are a preview of what attackers will have access to as frontier models continue to improve and proliferate. 

Two major risks stand out:

1. The collapse of the exploitation timeline: Claude Mythos security concerns center on what happens when exploit development drops from months and thousands of dollars to hours and double digits. The data already supports this trajectory. According to Mandiant’s M-Trends 2026 report, the average time to exploit a disclosed vulnerability has collapsed from 63 days in 2018 to an estimated negative seven days in 2025. That means exploitation routinely begins before a patch even exists. VulnCheck’s Q1 2025 research found that 28.3% of CVEs were exploited within 24 hours of disclosure, while the Verizon 2025 DBIR confirmed vulnerability exploitation now drives 20% of all breaches, up 34% year over year. Mythos-class AI will only accelerate these numbers.
2. Remediation overload: If an AI model can find thousands of critical vulnerabilities in a single codebase, the bottleneck is no longer discovery, but rather remediation. Security teams already struggle with vulnerability backlogs numbering in the hundreds of thousands. A sudden surge in high-confidence, validated findings does not help if the organization cannot triage, prioritize, and fix them fast enough. The value of finding more vulnerabilities depends entirely on the ability to close them before attackers do.

The Security Opportunities: How Defenders Can Use Mythos-Class AI

The same capabilities that make Mythos dangerous in the wrong hands make it extraordinarily useful for defenders. 

AI has already reshaped offensive security. Defenders now need to adopt the same level of capability fast enough to keep up.

Reasoning-Based Testing Over Pattern Matching

Traditional scanners match patterns against known vulnerability signatures. AI agents reason about how an application actually behaves, map data flows, test whether a vulnerability is reachable from the outside, and confirm whether it is exploitable. 

This produces fewer, higher-confidence findings that teams can act on immediately. According to the IBM Cost of a Data Breach Report 2025, organizations using AI extensively in their security operations reduced breach lifecycle by 80 days and saved nearly $1.9 million on average.

Continuous Exposure Validation

Periodic pentesting covers a fraction of the attack surface at a single point in time. Agentic AI pentesting runs against the full environment on demand or when code changes are introduced, testing thousands of endpoints simultaneously. 

This is especially critical for organizations with large application portfolios, legacy systems, and third-party components that rarely get tested manually.

Human-AI Collaboration

AI handles breadth by running continuous, automated testing across every asset. Human red teams focus on depth, applying creative judgment to complex business logic, novel attack scenarios, and strategic chaining. 

This extends to AI red teaming for LLM-powered applications, where human oversight and AI-driven testing work together to cover prompt injection, agent manipulation, and other emerging attack vectors. Neither replaces the other. Together, they cover ground that neither could alone.

What Project Glasswing Tells Us About the Future of AI Security Access

Anthropic did not just withhold Claude Mythos from public release. It built an entire defensive infrastructure around the model before giving anyone access.

Project Glasswing is a consortium of 12 launch partners, including Amazon Web Services, Apple, Google, Microsoft, CrowdStrike, JPMorganChase, Cisco, Broadcom, NVIDIA, Palo Alto Networks, and the Linux Foundation. An additional 40+ vetted organizations that build or maintain critical software infrastructure have also been granted access. Anthropic is committing up to $100 million in usage credits for Mythos Preview across these efforts, along with $4 million in direct donations to open-source security organizations.

The access model is significant. Glasswing partners can use Mythos Preview strictly for defensive security work: scanning and securing first-party and open-source systems. This is gated, use-case-restricted access to a frontier AI model. It sets a precedent for how the most capable AI systems may be distributed going forward, with access tiered by purpose and security posture rather than offered broadly.

For security teams outside the consortium, the practical takeaway is timing. Mythos-class capabilities will proliferate, open-source models will close the gap, and the defensive head start that Glasswing provides its partners is measured in months, not years. Organizations that wait for these capabilities to become widely available before adapting their security programs will already be behind. 

Related Content: Claude Mythos and Project Glasswing Are Research Breakthroughs, Not Security Programs

Stay Ahead of Mythos-Class Threats with Continuous AI Pentesting

The vulnerabilities Claude Mythos found have always been there. What changed is how fast and how cheaply they can be discovered and exploited. 

Security teams that want to stay ahead need to move now, not after similar capabilities show up in attacker toolkits. Three priorities should be top of mind:

• Harden the fundamentals: Phishing-resistant MFA, complete asset inventory, and risk scoring that accounts for the reality of cheap, automated exploit synthesis. The basics have always mattered. They matter more when the cost of finding a way in drops to near zero.
• Move from periodic to continuous testing: Annual or quarterly pentests leave the majority of the attack surface untested between engagements. Continuous, AI-driven testing that runs on demand or triggers on code changes covers more ground and catches exposures before attackers reach them.
• Close the remediation gap: Discovery is no longer the bottleneck. Remediation is. Stack-specific guidance, automated retesting, and closed-loop workflows that verify fixes actually held are what separate finding vulnerabilities from actually reducing risk.

Novee’s continuous AI pentesting platform is built around these exact priorities. AI agents test web applications and external attack surfaces continuously, validate every finding with proof of exploitability, and deliver tailored remediation with automatic retesting to confirm the fix worked.

Book a demo today to see how continuous AI-driven pentesting finds and validates real attack paths across your environment.

FAQs

How does AI change the threat landscape for enterprise security?

AI compresses the time and cost of exploit development from months and thousands of dollars to hours and double digits. Attackers can probe more targets, chain more vulnerabilities, and weaponize findings faster than most security programs can detect and respond. The result is a threat landscape where speed and coverage gaps become the primary risk factors.

Can AI find zero-day vulnerabilities better than human pentesters?

For broad, systematic discovery across large codebases, yes. Mythos Preview found vulnerabilities that survived decades of human review and millions of automated tests. But humans still hold an advantage in creative business logic analysis, novel attack scenarios, and judgment calls that require contextual understanding beyond code. AI handles breadth. Humans handle depth.

What best practices can reduce prompt injection and data leakage risks?

Treat all natural-language inputs as untrusted data. Apply input validation, system prompt hardening with delimiters, and instruction shielding to separate user input from system instructions. Use deterministic guardrails for high-stakes actions and require human approval before executing sensitive operations. Monitor outputs for unintended data exposure.

How should security teams prepare for AI-powered attacks?

Start with identity hardening through phishing-resistant MFA and tighter access controls. Update risk scoring models to account for the reduced cost of automated exploitation. Move from periodic pentesting to continuous AI-driven testing across the full attack surface. Prioritize remediation speed and closed-loop verification, not just discovery volume.

How does Anthropic Claude Mythos handle sensitive or regulated business data?

Anthropic does not use customer prompts or outputs to train models on Enterprise and Team plans by default. A zero-data-retention option prevents conversation data from being stored beyond the session. Infrastructure is protected by AES-256 encryption at rest, TLS 1.2+ in transit, and SOC 2 Type II certification. Organizations in regulated industries should review Anthropic’s data processing terms against their specific compliance requirements.