The cybersecurity community went on alert when Anthropic announced on April 7, 2026, that its latest and most capable general-purpose large language model, Claude Mythos Preview, had demonstrated remarkable – and unintended – capabilities. The artifical intelligence system was able to find and exploit software vulnerabilities – the most serious type of software bugs – at a rate not seen before.
The news ignited concern among the public, world governments and the information technology sector about the capabilities of today’s AI to undermine cybersecurity, with some people framing the model as a global cybersecurity threat.
Claiming that it would be too risky to release the model, and that the company had the moral responsibility to disclose these vulnerabilities, Anthropic said it would not immediately offer the model to the public. Instead, it granted exclusive access to tech giants to test the model’s capabilities, a process Anthropic dubbed Project Glasswing.
As a cybersecurity researcher, I think Mythos’ capabilities are impressive, but the AI system does not represent a radical departure. Mythos is less a new threat than a mirror reflecting how people behave and how fragile modern systems already are.
What Mythos did
During a controlled evaluation, engineers with minimal security experience prompted Mythos to scan thousands of software codebases for vulnerabilities. The model showed striking capabilities in conducting multistep, autonomous attacks that take experts weeks or even months to put together. Mythos was not only able to discover 271 vulnerabilities in Mozilla’s Firefox, it also developed exploits to take advantage of 181 of those.
Overall, Anthropic’s red team, which takes on the role of an attacker to test defenses, and the United Kingdom’s AI Security Institute reported that Mythos found thousands of zero-day, or previously unreported, vulnerabilities in major operating systems, web browsers and other applications – software flaws that have not yet been patched and can be turned into exploits immediately. National Security Agency officials testing Mythos have been impressed by the tool’s speed and efficiency in finding software vulnerabilities, according to a news report.
Anthropic’s announcement of Mythos and the cybersecurity threat it poses garnered widespread media attention.
Among the most widely reported were Mythos’ ability to identify a dormant 27-year-old security flaw in OpenBSD, a security-focused operating system, and a 16-year-old bug in FFmpeg, a video/audio processing tool. Some of these flaws allow unauthenticated users to gain control of the machines hosting these applications.
Even more striking, the relatively inexperienced engineers running Mythos’ evaluations were able to use Mythos to complete attacks overnight, from finding vulnerabilities to exploiting them – something that can take…
