Claude Mythos and the End of 'Hard to Exploit'

TL;DR

• Anthropic's Claude Mythos autonomously found thousands of zero-day vulnerabilities that persisted through up to 27 years of human review and millions of automated tests.
• The idea that "hard to find equals hard to exploit" is now obsolete.
• Attackers may gain access to similar AI capabilities within 6 to 18 months.
• Most security teams still prioritize vulnerabilities based on exploitability assumptions that Mythos has now invalidated.

What Is Project Glasswing?

Project Glasswing is a cybersecurity initiative launched by Anthropic on April 7, 2026, bringing together 12 organizations, including AWS, Apple, Google, Microsoft, CrowdStrike, and Palo Alto Networks, to use a new AI model, Claude Mythos Preview, to find and fix vulnerabilities in critical software. Within weeks, Mythos identified thousands of zero-day vulnerabilities across all major operating systems, web browsers, and widely used open-source libraries. Anthropic has committed $100 million in usage credits and $4 million to open-source security organizations to support this initiative.

The model is not publicly available. Access is limited to Glasswing partners and roughly 40 additional organizations through a Cyber Verification Program. Anthropic will not release Mythos Preview more broadly until new safeguards are established. 

What Did Claude Mythos Actually Find?

Mythos not only identified numerous bugs but also uncovered vulnerabilities that decades of human expertise and automated tools had missed.

One vulnerability persisted in OpenBSD for 27 years. Another remained in FFmpeg for 16 years, despite over five million automated fuzz tests. A third, a remote code execution flaw in FreeBSD, went undetected for 17 years. Mythos discovered and exploited it autonomously, with no human intervention after the initial prompt. 

In a Firefox JavaScript engine benchmark, Mythos converted known vulnerabilities into working shell exploits 72.4% of the time. The previous best model, Opus 4.6, managed 14.4%, while its predecessor, Sonnet 4.6, hit 4.4%. That progression is more significant than any individual result.

Anthropic's own red team reports these capabilities were not the result of security-specific training, but emerged as "a downstream consequence of general improvements in code, reasoning, and autonomy." This distinction is important. Anthropic developed a general-purpose model that became proficient enough at code reasoning to enable vulnerability discovery. Any leading lab advancing code understanding and autonomous reasoning could develop similar capabilities, intentionally or not. This is not a single company's feature but a threshold for the entire field.

We asked Elad Luz, Head of Research at Oasis Security, what to make of the Mythos results. Luz has used Claude Code for original vulnerability research, including a prompt-injection and data-exfiltration flaw in Claude.ai itself and an agent-takeover vulnerability in OpenClaw. His take: current models often can't make creative cross-domain leaps on their own, requiring significant hand-holding to bridge between disparate protocols and subsystems. The Mythos results suggest that the gap may be closing. The One-Byte Read exploit chain, for example, required bridging a Unix socket primitive into an unrelated traffic-control scheduler by exploiting overlapping struct layouts: the kind of lateral reasoning that was missing in his experience.

However, the cost figures provide important context. The OpenBSD zero-day required roughly 1,000 automated runs at around $20,000, while the FFmpeg work involved several hundred attempts for approximately $10,000. That looks more like massively parallelized fuzzing with an LLM as the engine than an agent reasoning its way to a novel finding. Impressive, but achieved through brute-force iteration rather than directed research. The capabilities are real. The efficiency isn't there yet.

How Long Before Attackers Have the Same Capabilities?

The window is likely 6 to 18 months. Currently, only about 52 organizations worldwide have access to Mythos-class capabilities. This asymmetry will not last.

Wiz estimates 12 to 18 months before what they call a "Y2K moment" for AI cybersecurity: the point where these capabilities are no longer restricted to a small coalition. Given the pace of open-source model development, the window could be shorter.

Anthropic will not make Mythos Preview generally available and has not set a timeline for public release. The plan is to deploy Mythos-class capabilities at scale only after implementing new safeguards. Meanwhile, security professionals with legitimate needs can apply for access through the Cyber Verification Program.

This raises a practical question: how can defenders benefit from these capabilities before attackers develop their own? Glasswing's coalition model offers one solution, as 52 organizations can identify and patch vulnerabilities before public disclosure. However, this approach only covers software maintained by coalition members. The many other codebases, internal tools, and custom applications within enterprises remain outside Glasswing, leaving individual security teams responsible for patching and hardening under tight timelines.

The tools that discovered these vulnerabilities will eventually become publicly accessible, and not all identified vulnerabilities will be patched beforehand. According to Anthropic, over 99% of Mythos-discovered vulnerabilities remain unpatched today.

What Should Security Teams Do About Project Glasswing?

The typical response is to "patch faster." While necessary, this approach is insufficient. Additional changes are required.

1. Recalibrate your risk scoring. Most vulnerability management programs use exploitability as a key factor in prioritization. A bug that's hard to exploit gets a lower score, a longer remediation window, and sometimes an accepted exception. Mythos demonstrated that the gap between "discovered" and "exploited" can collapse to hours, at low cost, with no human expertise required. Scores built on the assumption that exploitation requires rare skill need revisiting. For many organizations, this single change will surface more real risk than any new tool purchase.
2. Revisit your exception backlog. Pull your vulnerability exception list. Look at every item where "low exploitability" or "requires advanced skill" was part of the rationale. Test whether that reasoning still holds when a general-purpose model can chain exploits autonomously. That doesn't mean every exception is wrong. It means each one needs to be tested against a new baseline.
3. Shorten your patch windows. When Glasswing's findings start flowing through responsible disclosure channels, vendors will release patches. That means a sustained period of higher-than-normal patch volume across core infrastructure. Pre-approve mitigation steps, such as blocking public access, so your team has options while testing patches. If you're still patching on a monthly cycle, start planning for a faster cadence now.
4. Reduce your blast radius. Internet-facing resources with sensitive data, secrets, or elevated privileges are the highest-risk targets as AI-assisted exploitation accelerates. Minimize public exposure of those resources even if they aren't currently known to be vulnerable. Defense in depth isn't new advice, but the urgency behind it just changed.
5. Pressure-test your detection approach. If bugs that survived 27 years of human review and millions of automated test runs were invisible until now, similar undiscovered bugs are almost certainly present in software your organization relies on today. The question isn't whether they exist. It's whether your detection tools and processes account for a class of vulnerability that was, until recently, effectively invisible.

The Bottom Line

The window between defensive access and broad availability is measured in months, not years. The organizations that use it to stress-test their assumptions will be better positioned when it closes. The ones that treat Glasswing as another AI headline won't be.

The ground moved. Most teams are still standing in the same spot.