In April of 2026 Anthropic released a new AI model named Claude Mythos. This isn't the typical mixture of experts (MoE) model you'd use to find a recipe or answer a health question. It's trained specifically to find software security vulnerabilities at scale.
Identify vulnerabilities at scale across major operating systems, browsers, and critical infrastructure
Generate working exploits for the vulnerabilities it finds
Operate at a speed and volume that has no human equivalent in offensive security research
Find vulnerabilities that have been missed for decades
Operate largely autonomously, without human steering
In one documented example, the model identified a 27-year-old vulnerability in OpenBSD, which Anthropic describes as “one of the most security-hardened operating systems in the world.” OpenBSD is not a consumer operating system. It runs firewalls, VPN gateways, and critical network infrastructure across financial institutions and government networks globally. The MacBook Pro I'm using to write this post uses an operating system (macOS) that is also based on BSD Unix.
The conventional approach to managing vulnerabilities has been a race between patch cycles and attacker awareness. Mythos-class AI accelerates the creation of exploits in ways that strain the ability to code against them.
Needless to say, exploiting a single vulnerability like the one found in OpenBSD could wreak havoc globally across industries overnight. So Anthropic decided to create Project Glasswing, a controlled-access program providing Mythos Preview to twelve major technology organizations, including AWS, Microsoft, Google, Cisco, CrowdStrike, Nvidia, and Palo Alto Networks, backed by $100 million in usage credits. Usage credits are key because the current cost to scan these kinds of codebases can be in the tens of thousands of dollars.
This controlled access gives the good guys a head start on plugging the most critical security holes before this technology gets into the wrong hands. Attackers, according to Anthropic's offensive cyber research lead Logan Graham, will get equivalent capability from other labs within six to eighteen months. OpenAI is reportedly finalizing a model with comparable offensive cybersecurity capability. And while Anthropic has committed to investing in improved guardrails for future models, guardrails can be broken.
We're in the early days of this new paradigm. The industry is handling it well for the moment, although the head start won't last forever. Like the fabled tortoise in The Tortoise and the Hare, eventually the threat actors will catch up.
We're on the verge of seeing an increase in software security exploits. So it's important to focus on the basics, like upgrading your web platforms to their latest versions, and updating the OS and firmware of your Internet-connected computers and devices.
Start the process now. Your window of opportunity will eventually close.