What is Mythos AI?

Mythos AI, formally known as Claude Mythos Preview, is a frontier cybersecurity model developed by Anthropic and announced on April 7, 2026. According to Anthropic, it "reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."

Claude Mythos Preview is a general-purpose, unreleased model, not a specialized security tool. Anthropic described its cybersecurity capabilities as an unexpected result of broader gains in coding, reasoning, and autonomy. It sits above the Claude Opus tier and has not been released publicly.

The model has identified thousands of high-severity zero-day vulnerabilities, including flaws in every major operating system and every major web browser. Many of those vulnerabilities survived decades of human review and millions of automated security tests. Secondary reporting has put the number of vulnerabilities discovered at more than 2,000 in seven weeks, while Anthropic's official materials describe the count as "thousands."

Why does Mythos AI matter for security teams?

Claude Mythos Preview changes two things simultaneously: the speed of exploitation and the scale of the vulnerability backlog.

On the offensive side, the gap between vulnerability discovery and working exploit has historically been measured in weeks of skilled human work. Anthropic's red team documented Claude Mythos Preview producing working exploits in hours that expert penetration testers said would have taken weeks. Engineers with no formal security training directed it to find remote code execution vulnerabilities overnight and received complete, working exploits by the following morning.

On the defensive side, the same AI-powered discovery capabilities that Claude Mythos Preview demonstrates will be integrated into enterprise security tooling. When that happens, finding volume will not grow incrementally; it will grow by orders of magnitude. Contrast Labs' research has found that the average application accumulates new vulnerabilities far faster than security teams can close them. That gap is already wide before AI-scale discovery tools enter the picture.

More findings without better context do not improve security; they create triage paralysis.

Mythos AI vs. traditional security tools: a comparison

Capability                       | Traditional scanner | Mythos AI (Claude Mythos Preview) | Security implication
---------------------------------|---------------------|-----------------------------------|----------------------------------------
Finds vulnerabilities            | Yes                 | Yes, autonomously                 | More findings, faster
Confirms exploitability          | Limited             | Yes                               | Backlogs harder to prioritize
Writes working exploits          | Rarely              | Yes                               | Patch windows shrink
Chains vulnerabilities           | No or limited       | Yes                               | Lower-severity bugs can become critical
Operates without human guidance  | No                  | Yes                               | Attacker skill barrier drops
Can be stopped by scanning alone | No                  | No                                | Runtime visibility and blocking matter

What is Project Glasswing?

Project Glasswing is the initiative Anthropic formed to deploy Claude Mythos Preview defensively. The founding partners are Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. Anthropic also extended access to over 40 additional organizations that build or maintain critical software infrastructure.

Anthropic committed up to $100 million in Mythos Preview usage credits across these efforts, along with $4 million in direct donations to open source security organizations: $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation.

The goal is to use Claude Mythos Preview to find and fix vulnerabilities in critical software before adversaries develop comparable tools. Partners use the model for tasks such as local vulnerability detection, black-box testing of binaries, endpoint security and penetration testing. The program is structured so that participants share information and best practices, and Anthropic has committed to reporting publicly on findings and improvements as disclosures are finalized.

Over 99% of the vulnerabilities Claude Mythos Preview has found remain unpatched and under responsible disclosure. Anthropic uses a SHA3-224 cryptographic commitment scheme to prove possession of each finding without revealing it, with a 90-plus-45-day disclosure deadline for affected parties.
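The commitment scheme described above, as an added example in C; this is not Anthropic's code, and Anthropic has not published its exact message layout, so the tag string, the 32-byte nonce, the report length limit and the function names here are this example's own assumptions. The idea is the standard hash commitment: publish c = SHA3-224(tag || nonce || report) now, and at disclosure reveal nonce and report so anyone can recompute c. SHA3-224 (Keccak-f[1600] plus the sponge and padding) is written out in full so the block runs with no dependencies and is checked against the published digest of the empty message; in production use a vetted implementation such as OpenSSL's EVP_sha3_224() and draw the nonce from getrandom() or arc4random_buf().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROL64(a, n) (((a) << (n)) | ((a) >> (64 - (n))))
#define RATE        144   /* SHA3-224 rate in bytes: (1600 - 2 * 224) / 8 */
#define DIGEST_LEN  28
#define NONCE_LEN   32    /* 256-bit nonce; this example's choice */
#define MAX_REPORT  4096  /* longest report per commitment; this example's choice */
static const uint64_t RC[24] = {
    0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, 0x8000000080008000ULL,
    0x000000000000808bULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
    0x000000000000008aULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
    0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
    0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL,
    0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL };
static const int RHO[25] = { 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
                             41, 45, 15, 21, 8, 18, 2, 61, 56, 14 };   /* rotation of lane x + 5*y */

/* Keccak-f[1600]: 24 rounds of theta, rho+pi, chi, iota over 25 64-bit lanes. */
static void keccakf(uint64_t s[25])
{
    uint64_t c[5], d, b[25];
    for (int r = 0; r < 24; r++) {
        for (int x = 0; x < 5; x++) c[x] = s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20];
        for (int x = 0; x < 5; x++) {
            d = c[(x + 4) % 5] ^ ROL64(c[(x + 1) % 5], 1);
            for (int y = 0; y < 25; y += 5) s[x + y] ^= d;
        }
        for (int i = 0; i < 25; i++) {                 /* rho + pi: B[y, 2x+3y] = rot(A[x, y]) */
            int x = i % 5, y = i / 5;
            b[y + 5 * ((2 * x + 3 * y) % 5)] = RHO[i] ? ROL64(s[i], RHO[i]) : s[i];
        }
        for (int i = 0; i < 25; i++)                   /* chi, within each row of five lanes */
            s[i] = b[i] ^ (~b[(i + 1) % 5 + i / 5 * 5] & b[(i + 2) % 5 + i / 5 * 5]);
        s[0] ^= RC[r];                                 /* iota */
    }
}

/* One-shot SHA3-224: absorb RATE-byte blocks as little-endian lanes, pad10*1 with domain byte 0x06. */
static void sha3_224(const uint8_t *in, size_t len, uint8_t out[DIGEST_LEN])
{
    uint64_t s[25] = {0};
    uint8_t blk[RATE];
    for (;;) {
        size_t n = len < RATE ? len : RATE;
        memcpy(blk, in, n);
        if (n < RATE) { memset(blk + n, 0, RATE - n); blk[n] ^= 0x06; blk[RATE - 1] ^= 0x80; }
        for (size_t i = 0; i < RATE / 8; i++)
            for (int j = 0; j < 8; j++) s[i] ^= (uint64_t)blk[8 * i + j] << (8 * j);
        keccakf(s);
        if (n < RATE) break;                           /* the padded block was the last one */
        in += RATE; len -= RATE;
    }
    for (int i = 0; i < DIGEST_LEN; i++) out[i] = (uint8_t)(s[i / 8] >> (8 * (i % 8)));
}

/* commit = SHA3-224(tag || nonce || report). The tag (NUL included) separates this use of the hash
 * from any other; the random nonce is what stops a guessable report from being recovered from the digest. */
static int commit_finding(const uint8_t nonce[NONCE_LEN], const char *report, uint8_t out[DIGEST_LEN])
{
    static const char tag[] = "finding-commitment-v1";   /* label assumed for this example */
    uint8_t msg[sizeof tag + NONCE_LEN + MAX_REPORT];
    size_t rlen = strlen(report);
    if (rlen > MAX_REPORT) return 0;
    memcpy(msg, tag, sizeof tag);
    memcpy(msg + sizeof tag, nonce, NONCE_LEN);
    memcpy(msg + sizeof tag + NONCE_LEN, report, rlen);
    sha3_224(msg, sizeof tag + NONCE_LEN + rlen, out);
    return 1;
}
/* Opening: recompute from the revealed (nonce, report) and compare without an early exit. */
static int verify_opening(const uint8_t commitment[DIGEST_LEN], const uint8_t nonce[NONCE_LEN], const char *report)
{
    uint8_t d[DIGEST_LEN]; unsigned diff = 0;
    if (!commit_finding(nonce, report, d)) return 0;
    for (int i = 0; i < DIGEST_LEN; i++) diff |= commitment[i] ^ d[i];
    return diff == 0;
}
/* Known-answer check: SHA3-224 of the empty message is 6b4e0342...5b5a6bc7. */
static int sha3_224_selftest(void)
{
    static const uint8_t want[DIGEST_LEN] = { 0x6b,0x4e,0x03,0x42,0x36,0x67,0xdb,0xb7,0x3b,0x6e,0x15,0x45,0x4f,0x0e,
                                              0xb1,0xab,0xd4,0x59,0x7f,0x9a,0x1b,0x07,0x8e,0x3f,0x5b,0x5a,0x6b,0xc7 };
    uint8_t got[DIGEST_LEN];
    sha3_224((const uint8_t *)"", 0, got);
    return memcmp(got, want, DIGEST_LEN) == 0;
}
/* Commit to a constructed report, then open it honestly, with one byte changed, and with the wrong nonce. */
static int commitment_demo(void)
{
    uint8_t nonce[NONCE_LEN], wrong[NONCE_LEN], c[DIGEST_LEN];
    for (int i = 0; i < NONCE_LEN; i++) { nonce[i] = (uint8_t)(0xa5 ^ i); wrong[i] = (uint8_t)i; }  /* fixed for the demo; use getrandom() for real */
    const char *report = "constructed sample: heap overflow in foo_parse(), repro attached";
    return commit_finding(nonce, report, c) && verify_opening(c, nonce, report)
        && !verify_opening(c, nonce, "constructed sample: heap overflow in foo_parse(), repro attacheD")
        && !verify_opening(c, wrong, report);
}
int main(void)
{
    return printf("self-test %s, demo %s\n", sha3_224_selftest() ? "ok" : "FAIL", commitment_demo() ? "ok" : "FAIL") < 0;
}
```

What the published digest proves is only that the committer held exactly those bytes at commit time (binding); the nonce is what keeps a short or predictable report from being brute-forced out of the digest (hiding). Both properties depend on the hash, which is why the block checks its SHA3-224 against a known answer before trusting it.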

Why wasn't Mythos AI released publicly?

Anthropic concluded that public release would put autonomous exploit development into the hands of anyone who wanted it. The concern is concrete: during testing, engineers with no formal security background directed Claude Mythos Preview to find remote code execution vulnerabilities and received complete working exploits the following morning.

Anthropic also documented instances during testing where Claude Mythos Preview exhibited autonomous behaviors that surprised its creators, including using multi-step exploits to escape restricted network environments during internal evaluations.

Anthropic states it does not plan to make Claude Mythos Preview generally available. On the question of proliferation, Anthropic writes: "Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely."

What can Mythos AI do?

Claude Mythos Preview's capabilities fall into several categories, each with distinct implications for defenders.

Autonomous vulnerability discovery. The model reads a codebase, ranks files by attack-surface likelihood, generates hypotheses about where flaws might exist, runs the target software to confirm or refute each hypothesis, and produces a complete bug report with a proof-of-concept exploit and reproduction steps. According to Anthropic, it identified nearly all vulnerabilities it found entirely autonomously, without human steering.

Working exploit development. On CyberGym, a benchmark for cybersecurity vulnerability reproduction, Claude Mythos Preview scored 83.1% compared to 66.6% for Anthropic's prior flagship model, Opus 4.6. Anthropic's red team also documented the model producing working exploits in hours that expert penetration testers said would have taken weeks, and turning public CVE information into functional exploits with no human involvement.

Vulnerability chaining. Claude Mythos Preview chains multiple lower-severity vulnerabilities into high-impact attack paths. According to Anthropic's red team research, it chained several Linux kernel vulnerabilities to move from ordinary user access to complete control of the machine. Anthropic has documented multiple instances of it chaining two, three, and sometimes four vulnerabilities to construct working kernel exploits.

N-day exploit development from a CVE identifier alone. Claude Mythos Preview can take a public CVE number and a git commit hash and produce a working exploit autonomously. Anthropic's red team documented this process completing in under a day at a cost of under $2,000 at API pricing, for work that historically took skilled researchers days to weeks.

Reverse engineering. The model can take a closed-source, stripped binary, reconstruct plausible source code, and find exploitable vulnerabilities in the resulting code. Findings from this approach have included remote denial-of-service attacks and local privilege escalation chains on desktop operating systems.

Logic and cryptographic vulnerabilities. Beyond memory corruption, Claude Mythos Preview has identified weaknesses in cryptography implementations across TLS, AES-GCM, and SSH, as well as web application authentication bypasses and denial-of-service vulnerabilities. One finding, a critical certificate authentication bypass in the Botan cryptography library, was publicly disclosed on the same day as the Mythos announcement.

What vulnerabilities has Mythos AI found?

Anthropic has publicly detailed a small subset of findings. The rest remain under active responsible disclosure.

The 27-year-old OpenBSD TCP bug. Claude Mythos Preview found a flaw in OpenBSD's SACK (Selective Acknowledgment) implementation introduced in 1998. The bug involves two interacting issues: the code validates the end of an acknowledged TCP range against the send window, but not the start; and a second code path writes through a pointer that can be NULL when a specific edge case is triggered. An attacker exploits a signed integer overflow in TCP's 32-bit sequence-number arithmetic to remotely crash the machine. According to Anthropic, the specific run that found the bug cost under $50. That figure only makes sense in context, because the broader search process involved many runs at a greater total cost.
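To make the two interacting checks concrete, here is an added model of SACK range validation in C. It is not OpenBSD's code and carries no exploit: the segment list, the tcpcb fields, the outcome codes and process_sack_block are this example's own simplifications of the pattern described above. It shows the standard wraparound comparison, an end-only check beside a full one, and the two things an unvalidated start lets through: a block whose start precedes everything still in flight (no segment is found, so a path that assumes one would dereference NULL) and a block whose start lies past its end (accepted with a computed length of -1).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP sequence comparisons with 32-bit wraparound, as the kernel SEQ_* macros do it:
 * the unsigned difference is reinterpreted as a signed 32-bit value. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

struct seg { uint32_t seq, len; struct seg *next; };            /* one unacked segment */
struct tcpcb { uint32_t snd_una, snd_max; struct seg *sendq; }; /* minimal sender state */

/* The unacked segment containing seq, or NULL when nothing still in flight covers it. */
static struct seg *sendq_lookup(const struct tcpcb *tp, uint32_t seq)
{
    for (struct seg *s = tp->sendq; s != NULL; s = s->next)
        if (SEQ_GEQ(seq, s->seq) && SEQ_LT(seq, s->seq + s->len)) return s;
    return NULL;
}

/* The incomplete check: only the end is held inside (snd_una, snd_max]; start is never looked at. */
static bool sack_ok_end_only(const struct tcpcb *tp, uint32_t start, uint32_t end)
{
    (void)start;
    return SEQ_GT(end, tp->snd_una) && SEQ_LEQ(end, tp->snd_max);
}

/* The full check: start at or after snd_una, end at or before snd_max, and start before end. */
static bool sack_ok(const struct tcpcb *tp, uint32_t start, uint32_t end)
{
    return SEQ_GEQ(start, tp->snd_una) && SEQ_LEQ(end, tp->snd_max) && SEQ_LT(start, end);
}

/* Block length the way sequence arithmetic yields it: negative when start lies past end. */
static int32_t sack_len(uint32_t start, uint32_t end) { return (int32_t)(end - start); }

enum { SACK_ACCEPTED = 1, SACK_REJECTED = -1, SACK_NO_SEGMENT = -2 };

/* Handle one SACK block. The NULL guard is the check the second code path described above
 * lacked: without it, a block that passes the end-only test reaches a dereference of NULL. */
static int process_sack_block(const struct tcpcb *tp, uint32_t start, uint32_t end, bool full_check)
{
    bool ok = full_check ? sack_ok(tp, start, end) : sack_ok_end_only(tp, start, end);
    if (!ok) return SACK_REJECTED;
    struct seg *s = sendq_lookup(tp, start);
    if (s == NULL) return SACK_NO_SEGMENT;
    return SACK_ACCEPTED;   /* real code would now mark [start, end) within s as SACKed */
}

/* Constructed sender state straddling the 2^32 wrap: 0x300 bytes in flight from 0xFFFFFF00,
 * so snd_max is 0x00000200 after wraparound. */
static struct tcpcb *demo_tcb(void)
{
    static struct seg inflight = { 0xFFFFFF00u, 0x300u, NULL };
    static struct tcpcb tp = { 0xFFFFFF00u, 0x00000200u, &inflight };
    return &tp;
}

int main(void)
{
    const struct tcpcb *tp = demo_tcb();
    printf("honest block       end-only=%d full=%d\n",
           process_sack_block(tp, 0xFFFFFF80u, 0x80u, false), process_sack_block(tp, 0xFFFFFF80u, 0x80u, true));
    printf("start before una   end-only=%d full=%d\n",
           process_sack_block(tp, 0xFFFFFE00u, 0x100u, false), process_sack_block(tp, 0xFFFFFE00u, 0x100u, true));
    printf("start past end     end-only=%d full=%d len=%d\n",
           process_sack_block(tp, 0x101u, 0x100u, false), process_sack_block(tp, 0x101u, 0x100u, true),
           (int)sack_len(0x101u, 0x100u));
    return 0;
}
```

The honest block is accepted by both checks. The block starting at 0xFFFFFE00 has an end inside the window, so the end-only check passes it, but its start is below snd_una (already acknowledged and freed), so the lookup returns NULL. The block with start 0x101 and end 0x100 also passes the end-only check and is accepted outright, with a length that the signed comparison arithmetic reports as -1.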

The 16-year-old FFmpeg H.264 bug. The underlying flaw was introduced in 2003 when H.264 support was first added to FFmpeg. A refactoring in 2010 made it exploitable. The bug involves a slice counter that is a 32-bit integer, while a slice ownership table uses 16-bit integers with a sentinel value that can be overwritten by crafting a frame with 65,536 slices. Anthropic notes automated testing had hit the relevant line of code five million times without catching the problem. Three related vulnerabilities were fixed in FFmpeg 8.1.
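An added model of that counter-width mismatch, in C; it is not FFmpeg's code. The 64-macroblock picture, the field names, and 0xFFFF as the "not yet decoded" sentinel are this example's assumptions. It pushes 65,536 single-macroblock slices through an unchecked store into the 16-bit table and through a store that rejects ids the table cannot hold distinctly from the sentinel, then counts macroblocks that were decoded but read back as undecoded.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MB_COUNT 64        /* macroblocks in the constructed picture */
#define NO_OWNER 0xFFFFu   /* sentinel: no slice has decoded this macroblock yet */

/* Per-picture state: a 32-bit slice counter beside a 16-bit per-macroblock ownership table. */
struct picture { int32_t slice_num; uint16_t mb_owner[MB_COUNT]; };

static void picture_init(struct picture *p)
{
    p->slice_num = 0;
    memset(p->mb_owner, 0xFF, sizeof p->mb_owner);   /* every entry starts as NO_OWNER */
}

/* Vulnerable: the 32-bit id is stored into the 16-bit table unchecked. The 65,536th slice
 * (id 65,535) writes 0xFFFF, which the table cannot tell from NO_OWNER; a 65,537th would
 * write 0 and masquerade as slice 0. */
static void decode_slice_vuln(struct picture *p, int first_mb, int n_mb)
{
    int32_t id = p->slice_num++;
    for (int mb = first_mb; mb < first_mb + n_mb && mb < MB_COUNT; mb++)
        p->mb_owner[mb] = (uint16_t)id;
}

/* Hardened: refuse any slice whose id the table cannot hold distinctly from the sentinel. */
static bool decode_slice_fixed(struct picture *p, int first_mb, int n_mb)
{
    if (p->slice_num < 0 || p->slice_num >= (int32_t)NO_OWNER) return false;   /* 65,535 slices max */
    decode_slice_vuln(p, first_mb, n_mb);
    return true;
}

/* Consumer: deblocking or prediction asking whether a neighbouring macroblock is decoded. */
static bool mb_is_decoded(const struct picture *p, int mb) { return p->mb_owner[mb] != NO_OWNER; }

/* Decode n single-macroblock slices round-robin over the picture (every macroblock is
 * rewritten many times) and return how many macroblocks read back as undecoded afterwards. */
static int lost_owners_vuln(int n_slices)
{
    struct picture p; picture_init(&p);
    for (int s = 0; s < n_slices; s++) decode_slice_vuln(&p, s % MB_COUNT, 1);
    int lost = 0;
    for (int mb = 0; mb < MB_COUNT; mb++) if (!mb_is_decoded(&p, mb)) lost++;
    return lost;
}

/* Same stream through the hardened path: returns lost macroblocks, reports rejected slices. */
static int run_fixed(int n_slices, int *rejected)
{
    struct picture p; picture_init(&p);
    *rejected = 0;
    for (int s = 0; s < n_slices; s++)
        if (!decode_slice_fixed(&p, s % MB_COUNT, 1)) (*rejected)++;
    int lost = 0;
    for (int mb = 0; mb < MB_COUNT; mb++) if (!mb_is_decoded(&p, mb)) lost++;
    return lost;
}
static int lost_owners_fixed(int n_slices)     { int r; return run_fixed(n_slices, &r); }
static int rejected_slices_fixed(int n_slices) { int r; run_fixed(n_slices, &r); return r; }

int main(void)
{
    printf("65535 slices, unchecked: %d macroblock(s) lost\n", lost_owners_vuln(65535));
    printf("65536 slices, unchecked: %d macroblock(s) lost\n", lost_owners_vuln(65536));
    printf("65536 slices, hardened:  %d lost, %d slice(s) rejected\n",
           lost_owners_fixed(65536), rejected_slices_fixed(65536));
    return 0;
}
```

With 65,535 slices nothing is lost; the 65,536th slice is the one whose id collides with the sentinel, so the macroblock it decoded is reported as undecoded and any consumer that trusts the sentinel takes the wrong path. This is also why a fuzzer can hit the store millions of times without tripping: the bug needs the counter to reach exactly 0xFFFF.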

CVE-2026-4747: FreeBSD NFS vulnerability (17 years old). According to Anthropic's red team research, Claude Mythos Preview fully autonomously found and exploited CVE-2026-4747, a 17-year-old FreeBSD NFS/RPCSEC_GSS vulnerability that could lead to remote kernel code execution under vulnerable configurations. Anthropic describes the exploit as requiring no human involvement after the initial prompt, and as involving a 20-gadget ROP chain split across multiple network requests.

Browser exploits across every major browser. For multiple browsers, Anthropic says Claude Mythos Preview autonomously discovered the memory-corruption primitives it needed and chained them, with JIT heap sprays, into working exploits. In one case, it produced a cross-origin bypass. In another, it chained a browser exploit with a sandbox escape and a local privilege escalation.

An N-day exploit for CVE-2024-47711. Starting from only a public CVE identifier and a Git commit hash, Claude Mythos Preview produced a working local-privilege-escalation exploit for a Linux kernel in under a day. The exploit chains a one-byte read from a freed kernel network buffer with a second use-after-free in the traffic control scheduler, defeats HARDENED_USERCOPY, defeats KASLR, and calls commit_creds() to obtain root. Cost: under $2,000, per Anthropic's red team report.

How fast can Mythos AI create exploits?

Speed is where Claude Mythos Preview changes the threat model for defenders most directly.

The core shift is not the volume of findings, though that is significant. It is the collapse of the time-to-exploit gap. Anthropic documented Claude Mythos Preview producing working N-day exploits from a CVE identifier alone in under a day, work that historically took skilled researchers days to weeks. As Anthropic put it, "the entire process from turning these public identifiers into functional exploits now happens much faster, cheaper, and without intervention."

That compression matters because patch cycles operate on a different clock. When an exploit can be developed faster than a patch can be deployed, the window between public disclosure and active exploitation shrinks to the point where reactive patching alone is insufficient.

Anthropic's own framing on where this goes: "given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely." CrowdStrike, a Glasswing founding partner, put it directly: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI."

How does Mythos AI affect vulnerability backlogs?

More findings do not automatically produce better security outcomes. That is the operational challenge Claude Mythos Preview creates for defenders.

Contrast Labs testing has found that AI scanner results can vary significantly across tools and even across repeated runs on the same codebase. High volume with low agreement produces noise, not signal. At Mythos-class discovery rates, that noise becomes unsustainable for any human-operated triage process.

The structural problem: scanning tools, whether static, dynamic, or AI-powered, cannot tell security teams which vulnerabilities are reachable in their specific production environment, which are being actively targeted, or which are exploitable given the actual calling context of a running application. Without that context, a critical finding in an air-gapped test environment is treated with the same urgency as one in a payment-processing service.

Anthropic's own advice to defenders: prioritize based on what is actually exploitable and reachable in your environment, not on raw finding volume.

Can traditional security tools stop Mythos-style attacks?

Not by themselves, and the evidence is specific.

In Contrast Labs' controlled testing, WAF and EDR tools missed a significant share of application-layer attacks, including SQL injection and dangerous deserialization. These tools were designed for a different threat model, one where attacker expertise is the primary bottleneck. Claude Mythos Preview reduces that bottleneck.

Anthropic addressed this in its red team research. Defense-in-depth measures that create hard barriers remain meaningful. KASLR, W^X, and similar mitigations impose constraints that the model must actively work around. But defenses whose value comes primarily from friction are weakening. Anthropic wrote that Mythos-class capabilities may require "reexamining some defense-in-depth measures that make exploitation tedious rather than impossible."

The gap traditional tools leave: they can identify possible vulnerabilities, but cannot confirm whether an attack is happening right now, whether a vulnerability is reached in production code paths, or whether an exploit has already entered the application. Closing that gap requires visibility inside the running application.

How should security teams defend against Mythos AI?

Anthropic offered specific recommendations in its red team research. Contrast Labs research adds context on what works in production environments.

Prioritize runtime-confirmed risk. The most important shift is from how many vulnerabilities exist to which are reachable, exploitable, and being targeted in live applications right now. AI will surface more findings than any team can manually triage. The priority is not finding everything. The priority is knowing what can hurt you now.

Shorten patch cycles for publicly disclosed vulnerabilities. Claude Mythos Preview can develop working N-day exploits from a CVE number alone in under a day. The window between public disclosure and active exploit availability is now much shorter than patch cycles typically allow.

Add runtime blocking as a compensating control. When patching cannot happen fast enough, runtime protection that detects and blocks attacks at the point of execution inside the application provides a meaningful safety net, including for vulnerabilities unknown at the time of the attack.

Use AI discovery tools defensively now. Anthropic's direct advice: use generally available frontier models to strengthen defenses now. Current frontier models remain extremely competent at finding vulnerabilities. The same capabilities that create offensive risk can be used to harden your own codebase first.

Treat vulnerability volume as a prioritization problem, not a remediation target. No organization can treat every AI-generated finding as an emergency. The operational goal is to identify the small fraction that is actually reachable, exploitable, and tied to critical assets, and to act on those first.

How does Contrast Security help security teams prepare for Mythos AI?

Contrast helps security teams separate theoretical risk from runtime-confirmed risk. That distinction is what makes AI-scale finding volumes actionable rather than paralyzing.

Contrast's advantage is not that it finds more theoretical issues. It observes what the application actually does while it runs. That runtime evidence helps teams decide which risks matter, which can wait, and which attacks need to be blocked immediately.

Contrast Assess (IAST) runs inside the live application and identifies vulnerabilities as code actually executes, with real evidence of reachability, not theoretical findings from a static scan. It produces what scanning cannot: which code paths run in your specific production environment, which data flows reach sensitive functions, and which findings are worth acting on first.

Contrast SCA evaluates open-source vulnerabilities not just for reachability but also for exploitability, given the specific calling context of the running application, and for criticality based on blast radius. That narrows the open source vulnerability surface to the findings that require immediate action.

Contrast ADR (Application Detection and Response) provides runtime protection when patching cannot keep up. If a Mythos-style exploit targets a vulnerable application, ADR detects and blocks the attack at the point of execution within the application, before it becomes a breach, even when the specific vulnerability was unknown before the attack began.

Together, these tools provide the answer to the question Claude Mythos Preview makes urgent: not "which vulnerabilities exist?" but "which are reachable, exploitable, or being attacked right now?"
