Mythos autonomously exploited vulnerabilities that survived 27 years of human review. Security teams need a new detection playbook

Hey there! Imagine a sneaky 27-year-old bug hiding inside OpenBSD’s TCP stack while experts pored over the code, testers put it through the wringer, and the system solidified its status as one of the most secure platforms in the world. Shockingly, just two packets could bring down any server running on it. The hunt for this bug set back an Anthropic discovery campaign around $20,000, with the specific model that pinpointed the flaw costing less than $50.

Enter Anthropic’s Claude Mythos Preview. This AI powerhouse autonomously uncovered the bug, without any human intervention post-initial setup.

Not just a small step forward

When it comes to exploit writing on Firefox 147, Mythos outperformed Claude Opus 4.6 by a landslide, succeeding 181 times compared to just 2. That’s a whopping 90x improvement in a single generation. The numbers speak for themselves: SWE-bench Pro: 77.8% versus 53.4%. CyberGym vulnerability reproduction: 83.1% versus 66.6%. Mythos completely dominated Anthropic’s Cybench CTF at 100%, pushing the red team to transition to real-world zero-day discovery as the ultimate test. Subsequently, it unveiled thousands of zero-day vulnerabilities across major operating systems and browsers, some dating back one to two decades. In a jaw-dropping display, Anthropic engineers lacking formal security training tasked Mythos with finding remote code execution vulnerabilities overnight, only to wake up to a fully functional exploit the next morning, as reported by Anthropic’s red team assessment.

Anthropic rallied a defensive alliance dubbed Project Glasswing, comprising 12 partners including CrowdStrike, Cisco, Palo Alto Networks, Microsoft, AWS, Apple, and the Linux Foundation. Armed with $100 million in usage credits and $4 million in open-source grants, these partners, along with over 40 other critical software infrastructure organizations, have been subjecting Mythos to rigorous testing on their own systems for weeks. Anthropic has committed to releasing a public findings report “within 90 days,” slated for early July 2026.

Security leaders are in for a wake-up call

“I’ve been in this industry for 27 years,” shared Cisco’s SVP and Chief Security and Trust Officer Anthony Grieco in an exclusive interview with VentureBeat at RSAC 2026. “I have never been more optimistic about the potential to revolutionize security given the velocity at which we are moving. However, it’s also slightly terrifying because of the rapid pace of change. Our adversaries possess the same capabilities, so it’s imperative that we keep up.”

This week, security heads have been bombarded with analyses of the Mythos findings, including a VentureBeat exclusive interview with Anthropic’s Newton Cheng. One standout post highlighted how the model cracked cryptography libraries, infiltrated a production virtual machine monitor, and equipped security novices with working exploits overnight. Yet, amidst the coverage, critical questions remained unanswered: Where do their current detection methods fall short, and what adjustments must be made before July?

Seven critical vulnerability classes that expose detection limitations

  1. OpenBSD TCP SACK, 27 years old. A flaw allowing any server to crash with just two specially crafted packets. Traditional testing methods like SAST, fuzzers, and audits failed to catch a logic error necessitating a deeper understanding of TCP options under adversarial scenarios. Campaign expenses amounted to approximately $20,000. Anthropic notes that the hindsight cost of $50 per run is remarkably low.

  2. FFmpeg H.264 codec, 16 years old. Despite fuzzers running the vulnerable code path 5 million times without triggering the flaw, Mythos successfully identified the issue by delving into code semantics. Campaign cost approximately $10,000.

  3. FreeBSD NFS remote code execution, CVE-2026-4747, 17 years old. Anthropic confirmed the possibility of unauthenticated root access from the internet, further substantiated by an independent reproduction. With complete autonomy, Mythos constructed a 20-gadget ROP chain spanning multiple packets.

  4. Linux kernel local privilege escalation. Mythos successfully strung together two to four low-severity vulnerabilities to achieve full local privilege escalation through race conditions and KASLR bypasses. Although Mythos faltered in remote kernel exploitation, it excelled locally. No existing automated tool can replicate this capability.

  5. Browser zero-days across every major browser. Mythos unearthed thousands of vulnerabilities, some of which necessitated collaboration with human models. Notably, Mythos managed to chain four vulnerabilities into a JIT heap spray, successfully evading both the renderer and OS sandboxes. The stark comparison between Firefox 147 and Opus 4.6 speaks volumes: 181 working exploits against two.

  6. Cryptography library vulnerabilities (TLS, AES-GCM, SSH). Mythos identified implementation flaws in battle-tested libraries that enabled certificate forgery or decryption of encrypted communications. Noteworthy discoveries included a critical Botan library certificate bypass, coinciding with the Glasswing announcement. These vulnerabilities lay within the code implementing mathematical operations, rather than attacks on the math itself.

  7. Virtual machine monitor guest-to-host escape. Mythos detected guest-to-host memory corruption in a production VMM, shattering the assumption of workload isolation in cloud security architectures.

Nicholas Carlini, speaking at Anthropic’s launch briefing, revealed, “I’ve uncovered more bugs in the last couple of weeks than I have in my entire life.”

VentureBeat’s strategic guide

Vulnerability Class

Why Current Methods Miss It

What Mythos Does

Security Director Action

OS kernel logic (OpenBSD 27yr, Linux 2-4 chain)

SAST lacks semantic reasoning. Fuzzers overlook logic flaws. Pen testers constrained by time. Bounties typically exclude kernel vulnerabilities.

Chains low-severity findings for local privilege escalation. Campaign cost around $20K.

Integrate AI-supported kernel reviews into pen test requests. Expand bounty scopes. Request Glasswing findings from OS vendors prior to July. Evaluate findings based on chainability.

Media codec (FFmpeg 16yr H.264)

SAST fails to flag vulnerabilities. Fuzzers unable to trigger flaw despite extensive testing.

Utilizes semantic reasoning beyond brute force to uncover vulnerabilities. Campaign cost approximately $10K.

Catalog FFmpeg, libwebp, ImageMagick, libpng. Cease equating fuzz coverage with security assurance. Monitor Glasswing codec CVEs post-July.

Network stack RCE (FreeBSD 17yr, CVE-2026-4747)

DAST limited in protocol analysis. Pen tests often overlook NFS vulnerabilities.

Autonomously constructs a full chain leading to unauthenticated root access. Develops a 20-gadget ROP chain.

Apply patches for CVE-2026-4747 immediately. Audit NFS/SMB/RPC services. Incorporate protocol fuzzing into 2026 security cycles.

Multi-vuln chaining (2-4 sequenced, local)

No existing tool chains vulnerabilities together. Pen testers constrained by time limits. CVSS scores do not consider interdependencies.

Independently chains local vulnerabilities through race conditions and KASLR bypasses.

Mandate AI-supported chaining in pen testing methodologies. Establish chainability scoring. Allocate budget for AI red teams in 2026.

Browser zero-days (thousands, 181 Firefox exploits)

Bounties and continuous fuzzing overlook numerous vulnerabilities. Some vulnerabilities require human-model collaboration.

Experiences a 90x improvement over Opus 4.6. Chains four vulnerabilities into a JIT heap spray, escaping both renderer and OS sandboxes.

Reduce critical patch SLAs to 72 hours. Prepare pipelines for July cycle. Press vendors for Glasswing timelines.

Crypto libraries (TLS, AES-GCM, SSH, Botan bypass)

SAST limitations in crypto logic detection. Pen testers rarely examine crypto intricacies. Formal verification not standard practice.

Identifies flaws enabling certificate forgery and encrypted communication decryption in established libraries.

Conduct comprehensive audits of all crypto library versions. Monitor crypto CVEs post-Glasswing release in July. Accelerate post-quantum cryptography migration.

VMM / hypervisor (guest-to-host memory corruption)

Cloud security relies on isolation assumptions. Few pen tests focus on hypervisor vulnerabilities. Bounties typically exclude VMM assessments.

Uncovers guest-to-host memory corruption within a production VMM.

Document hypervisor/VMM versions. Request Glasswing findings from cloud providers. Reassess assumptions regarding multi-tenant isolation.

Attackers are outpacing defenders

The CrowdStrike 2026 Global Threat Report reveals a startling 29-minute average eCrime breakout time, 65% faster than in 2024, with an 89% surge in AI-driven attacks year over year. In an exclusive interview with VentureBeat, CrowdStrike CTO Elia Zaitsev emphasized the need for rapid response to combat adversaries utilizing AI for swift attacks. A $20,000 Mythos campaign, completed within hours, replaces months of research typically undertaken by nation-states.

CrowdStrike CEO George Kurtz echoed this sentiment on LinkedIn, underscoring the transformative impact of AI on security. The regulatory clock further complicates matters, with the EU AI Act enforcing stringent cybersecurity requirements, incident reporting mandates, and penalties up to 3% of global revenue from August 2, 2026. Security directors face a dual challenge: first, the disclosure cycle in July prompted by Glasswing, followed swiftly by the compliance deadline in August.

Mike Riemer, Field CISO at Ivanti and a cybersecurity veteran, highlighted the alarming trend of threat actors reverse-engineering patches with AI, enabling them to exploit vulnerabilities within 72 hours of patch releases. Grieco reinforced this urgency at RSAC 2026, emphasizing the need for organizations to move beyond annual patch cycles to effectively counter modern threats.

CSA’s Mogull emphasized the advantage defenders hold in the long term by fixing vulnerabilities across all deployments. However, the current landscape, where attackers rapidly reverse-engineer patches while defenders lag behind in patching frequency, tilts the scales in favor of attackers.

While Mythos has been making headlines, researchers at AISLE, an AI cybersecurity startup, conducted tests on smaller, cost-effective models and found that they were also adept at detecting vulnerabilities, with one model even identifying the FreeBSD exploit. AISLE’s research underscores that the challenge lies in the overall system architecture rather than the specific model. Detection limitations are a systemic issue, not exclusive to Mythos. The July deadline looms closer, demanding swift action from security teams.

With over 99% of the vulnerabilities identified by Mythos still unpatched, as per Anthropic’s red team blog, the upcoming Glasswing report in early July 2026 is poised to trigger a wave of critical patches across various systems and software. Security leaders must enhance their patching processes, expand bug bounty programs, and prioritize chainability scoring to brace for the impending patch tsunami. July isn’t just a disclosure event; it’s a call to arms for a robust defense strategy.

Navigating the boardroom

Security directors often assure the board that “everything has been scanned.” However, as Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, points out, this claim falls short in the face of Mythos without context.

“What security leaders truly mean is: we have scanned exhaustively for vulnerabilities our tools are equipped to detect,” Baer explained in an exclusive interview with VentureBeat. This nuance underscores the importance of redefining residual risk for board members across three tiers: known-knowns (vulnerability classes effectively detected by existing tools), known-unknowns (vulnerabilities acknowledged but not fully covered by current tools, such as stateful logic flaws and authentication boundary ambiguity), and unknown-unknowns (emerging vulnerabilities resulting from component interactions). Baer emphasized that this is where Mythos excels.

Baer recommended reframing the conversation around residual risk for the board, stating, “We are highly confident in detecting known vulnerability classes. Our remaining risk lies in complex, multi-step vulnerabilities that evade conventional scanners. We are actively investing in capabilities to raise our detection ceiling.”

Regarding chainability, Baer emphasized its critical role in security programs. “Chainability must be a primary scoring factor,” she stressed. Security teams must transition from severity-based scoring to assessing exploit pathways, from listing vulnerabilities to mapping interconnected relationships spanning identity, data flow, and permissions, and from focusing on patch SLAs to prioritizing path disruption, where fixing any point in a vulnerability chain takes precedence over addressing individual vulnerabilities based on CVSS scores.

“Mythos isn’t merely uncovering missed bugs,” Baer concluded. “It’s challenging the assumption that vulnerabilities exist in isolation. Security programs that fail to adapt from a coverage-centric to an interaction-centric approach will be blindsided by attack pathways disguised among green dashboard reports.”

As interviews progress, VentureBeat will provide additional operational insights from Glasswing’s founding partners to enrich this narrative.

Leave a Reply

Your email address will not be published. Required fields are marked *