1
min read

Claude Mythos: The Race Between Exploit Discovery and Defense

Author:
Jamie Gale
Category:
AI Security

What Is Anthropic Claude Mythos? 

Anthropic Claude Mythos Preview is a new general-purpose frontier AI model from Anthropic, announced on April 7, 2026, and currently restricted from general public release while Anthropic develops cyber safeguards, because of its strong cybersecurity capabilities.. 

Anthropic says the model performs well across domains but is “strikingly capable” at computer security tasks, including finding and exploiting previously unknown software vulnerabilities. To manage the risk, Anthropic launched Project Glasswing, a limited-access defensive initiative that gives selected organizations early access to Mythos so they can harden critical software before similar capabilities become widely available.

This is part of a series of articles about AI security.

Why Claude Mythos Is Getting So Much Attention 

Advanced Cybersecurity Capabilities

Mythos is drawing attention because Anthropic describes a jump from vulnerability detection to full exploit development. In testing, the model did not merely flag suspicious code; it identified zero-day vulnerabilities across major operating systems and browsers, then produced working exploit chains in some cases. 

Anthropic says Mythos wrote a browser exploit that chained four vulnerabilities, escaped sandbox protections, produced local privilege-escalation exploits against Linux and other systems, and created a FreeBSD NFS remote-code-execution exploit that granted unauthenticated root access.

Project Glasswing examples show why that matters for real-world infrastructure: Mythos found a 27-year-old OpenBSD bug, a 16-year-old FFmpeg flaw missed despite extensive automated test coverage, and a Linux-kernel exploit chain that could elevate an ordinary user to full machine control.

Zero-Day Vulnerability Concerns

The biggest concern is that Mythos-class models could lower the cost and expertise required to discover and weaponize zero-day flaws. Anthropic says more than 99% of the vulnerabilities it found were still unpatched at the time of disclosure, which is why the company withheld technical details. 

The risk is dual use: the same model that helps defenders find and fix hidden flaws could also help attackers locate unknown weaknesses faster than organizations can patch them. This is why Anthropic says it does not plan to make Claude Mythos Preview generally available, while Project Glasswing is intended to give major infrastructure and software organizations a defensive head start.

Expert-Level Security Research Potential

Mythos is also significant because it appears to push AI closer to expert-level security research rather than simple code assistance. Anthropic reports that engineers without formal security training were able to ask Mythos to find remote code execution vulnerabilities and receive working exploits. 

AISI found that Mythos succeeded on expert-level CTF tasks 73% of the time and was the first model to complete its 32-step corporate network attack simulation end to end, doing so in 3 out of 10 attempts. That does not prove it can break into well-defended real-world systems, but it shows why security teams, regulators, and AI safety researchers are treating Mythos as a major cybersecurity milestone.

Why Anthropic Limited Access to Claude Mythos 

Misuse Risks

Anthropic is limiting access because the same capabilities that make Mythos valuable to defenders could be dangerous in the hands of attackers. In its own testing, Anthropic says Mythos can identify and exploit zero-day vulnerabilities in major operating systems and browsers when directed to do so, including complex exploit chains and remote code execution scenarios. 

The company also reports that non-expert engineers were able to use Mythos to obtain working exploits, which raises the risk that exploit development could become available to people who previously lacked specialist training. Anthropic says it does not plan to make Claude Mythos Preview generally available while it works on safeguards.

Cybersecurity and National Security Concerns

Beyond ordinary cybercrime, there is concern that Mythos-class models could accelerate attacks against critical infrastructure, widely used open-source software, browsers, operating systems, cloud systems, and financial or government networks. AISI’s evaluation found that Mythos autonomously executed multi-stage attacks in controlled vulnerable network environments. 

Anthropic says many of the vulnerabilities it found were still unpatched, making broad disclosure unsafe. Because such systems underpin public services, commerce, communications, and national infrastructure, Anthropic has restricted access to vetted defensive partners and is using Glasswing to patch high-impact software before these capabilities spread more widely.

The Dual-Use AI Problem

Claude Mythos illustrates the central dual-use problem in frontier AI: the same model can help defenders discover and repair hidden weaknesses, but it can also help attackers discover and weaponize those weaknesses. Anthropic says the model’s cyber abilities were not separately trained as an offensive feature but emerged from broader gains in coding, reasoning, and autonomy. 

That makes governance harder because reducing harmful cyber use without blocking legitimate vulnerability research, red teaming, and defensive engineering requires more than banning “cybersecurity” tasks. Anthropic’s current approach is staged access: use Mythos through Project Glasswing for trusted defensive work, test cyber safeguards first on less capable public models, and move toward broader Mythos-class deployment only if they prove reliable.

Related content: Read our guide to LLM security: risks, examples, and best practices.

Risks of Claude Mythos 

Automated Exploit Discovery

The core shift is scale: Mythos makes vulnerability discovery and exploit development faster, cheaper, and more autonomous. In controlled settings, it executed multi-stage network attacks end to end, though those test environments lacked active defenders and real-world security tooling. The practical risk is that similar models could let attackers run more vulnerability-research attempts, triage code faster, and chain smaller weaknesses into serious exploits.

Access Control and Leakage Risks

A second risk is that limited release does not eliminate the danger if access controls fail. Anthropic’s strategy depends on keeping Mythos in the hands of vetted defensive partners while it develops stronger cyber safeguards, but even restricted models can leak through vendors, partner environments, misconfigured access, insider misuse, or supply-chain exposure. Even when contained, leakage through any of these channels shows why a model with strong offensive cyber capabilities creates a governance problem beyond ordinary API moderation. 

Implications of Mythos and AI-Vulnerability Exploitation 

Exploitation Time Goes from Days → Hours → Minutes

Claude Mythos points to a security world where the gap between vulnerability discovery and exploitation keeps shrinking. CrowdStrike’s CTO said in Anthropic’s Project Glasswing launch materials that “the window between a vulnerability being discovered and being exploited by an adversary has collapsed,” moving from months to minutes as AI enters the workflow. 

Takeaways:

  • Mythos is capable not only of finding vulnerabilities, but also of producing exploit chains and proofs of concept 
  • This means the slowest part of an attack may no longer be human reverse engineering, exploit writing, or trial-and-error testing.
  • The implication is that organizations can no longer assume they have days or weeks after disclosure to assess risk, test patches, and roll out fixes. 

Even before Mythos, CISA maintained the Known Exploited Vulnerabilities catalog specifically because attackers routinely exploit real-world flaws in the wild, and recent industry analysis shows that public disclosure increasingly triggers a race between attackers and defenders. With AI-assisted exploit development, that race becomes faster and more automated.

Patching Becomes Even Harder

Mythos can help defenders find more bugs, but it also creates a volume problem. Mozilla’s Firefox 150 example shows the scale: Claude Mythos Preview identified 271 security-relevant defects in Firefox 150 during a single evaluation pass, over 12 times the 22 bugs an earlier Opus 4.6 scan surfaced in Firefox 148. 

Takeaways:

  • This is good news when the bugs are found by defenders first, but it also shows how quickly AI can expand the backlog of issues.
  • Security teams, engineering teams, open-source maintainers, vendors, and downstream customers must triage, verify, prioritize, patch, test, and deploy these bugs.
  • If AI increases the rate of vulnerability discovery faster than organizations can safely patch, then even well-run teams may face a growing exposure window. 

The hard part is that patching is not just “apply the fix.” Production systems may depend on legacy software, fragile integrations, uptime requirements, third-party vendors, embedded devices, customer update cycles, or regulatory change-control processes. 

Focusing on Attack Techniques and Paths Becomes More Important Than Focusing on CVEs

In a Mythos-style threat environment, CVEs remain important, but they are no longer enough. A CVE describes a known vulnerability; an attack path describes how an attacker can combine weaknesses, misconfigurations, privileges, identities, network reachability, and business logic to reach a damaging outcome. 

Takeaways:

  • Mythos can produce potential attack chains, assess binaries without source code, perform penetration-testing-style work, and evaluate endpoint or system misconfigurations, not just list isolated bugs. 
  • That shifts defensive priorities: Security teams still need CVE management, but they also need to ask: Can this weakness be reached from the internet? Can it be chained with identity abuse or lateral movement? Does it expose a crown-jewel system? Is there an exploit path even if no CVE has been assigned yet? 

Runtime Protection Becomes an Essential Security Control

If exploitation can happen before a patch is available or before an organization can safely deploy it, runtime protection becomes essential. Traditional vulnerability management assumes that defenders can find, prioritize, and patch fast enough. Mythos challenges that assumption because it can increase both the speed of discovery and the speed of exploit development. 

In that environment, organizations need controls that can detect, block, or contain exploitation while the application or system is running, not only after a code fix is shipped. Runtime security controls that detect, block, or contain exploits become more important because they reduce dependence on perfect patch timing. 

How Oligo Stops AI-Powered Exploits Before They Become Breaches

When exploitation outpaces patching, the question isn’t about which vulnerabilities exist, it’s about which one is being used right now. Oligo's runtime security platform protects applications in real time by watching what actually executes in production. It blocks application-layer attacks as they happen, and proves which vulnerabilities are truly exploitable, so teams can act on real risk instead of drowning in noise.

Key capabilities of Oligo:

  • Identifies application-layer attacks using technique rulesets and behavioral anomaly detection.
  • Blocks attacks at the source while the application is running rather than waiting for a code fix to ship.
  • Determines true exploitability without relying on reachability assumptions or severity scoring systems, proving exactly which vulnerable functions are executed and cutting vulnerability noise by more than 90%.
  • Fixes "unfixable" risks caused by transitive dependencies, non-CVE vulnerabilities, and unpatched zero-days — the categories that traditional vulnerability management tools struggle to address.
  • A patented eBPF sensor sees directly into the Linux kernel and detects all of an application's library and function executions.
  • Works on every application, protecting every app you buy, use, or build.
  • Extends runtime security to AI by protecting LLMs and AI agents wherever they are tested and run, bringing the same real-time detection and response to AI workloads.

When exploits ship faster than patches, runtime is where you stop them. Learn more about the Oligo runtime security platform.

Expert tips

Gal Elbaz
Co-Founder & CTO, Oligo Security

Gal Elbaz is the Co-Founder and CTO at Oligo Security, bringing over a decade of expertise in vulnerability research and ethical hacking. Gal started his career as a security engineer in the IDF's elite intelligence unit. Later on, he joined Check Point, where he was instrumental in building the research team and served as a senior security researcher. In his free time, Gal enjoys playing the guitar and participating in CTF (Capture The Flag) challenges.

In my experience, here are tips that can help you better prepare for the post-Mythos world of vulnerability and exploit management:

  1. Assume any internet-reachable path will be found and weaponized. Mythos-class models produce working exploit chains, not just findings, so plan for flaws that are exploitable before a patch exists.
  2. Instrument what executes in production, not what exists in your SBOM. Prioritize off real execution and exposure, because that's the set an AI-assisted attacker can actually weaponize.
  3. Treat zero-days, transitive dependencies, and "won't-fix" CVEs as a runtime-detection problem, not a backlog problem. Detection and containment at runtime shrinks the exposure window when the patch isn't ready, or never comes.
  4. Baseline normal library and function behavior to catch exploitation with no CVE attached. As AI compresses discovery-to-exploit, you'll face attacks on flaws that have no advisory yet.
  5. Handle AI-generated exploit detail like sensitive credentials: restricted access, logged, never dropped into normal issue trackers.

Stop modern attacks and keep your business moving

Request a demo
Request a demo