Anthropic Built a Model That Finds Zero-Days in Every Major OS, and Half of All Enterprises Cannot See Their Own Agents

Anthropic announced Claude Mythos Preview on April 7, a general-purpose language model with cybersecurity capabilities that represent a qualitative leap over its predecessors. During internal testing, Mythos Preview autonomously identified and exploited zero-day vulnerabilities in every major operating system and every major web browser. The model found a 27-year-old bug in OpenBSD's TCP SACK implementation, a 16-year-old vulnerability in FFmpeg's H.264 codec, and a guest-to-host memory corruption flaw in a production memory-safe virtual machine monitor. It wrote a remote code execution exploit for FreeBSD that grants root access to unauthenticated users, chaining 20 ROP gadgets across multiple packets, with no human intervention after the initial prompt. Anthropic's internal benchmark showed Mythos Preview achieved full control flow hijack on ten fully patched targets, up from a single tier-3 crash for Opus 4.6. (red.anthropic.com)

Anthropic is not releasing Mythos Preview for general use. Instead, the company launched Project Glasswing, a coordinated effort to deploy the model defensively with critical infrastructure partners and open-source maintainers before similar capabilities become broadly available. The responsible disclosure pipeline has already identified thousands of high- and critical-severity vulnerabilities, with fewer than 1% patched so far. Anthropic's assessment is blunt: the transitional period between current capabilities and a new security equilibrium "may be tumultuous." For anyone building, deploying, or governing agents, the immediate question is not whether your software has vulnerabilities that a model can find. It does. The question is whether you will find them first.