The bug lived inside OpenBSD for 27 years. It hid in the TCP stack, the most fundamental piece of networking code an operating system runs. OpenBSD is synonymous with security. The first five words of its Wikipedia page say so. Auditors reviewed it. Fuzzers hammered it with millions of random inputs. And for nearly three decades, the signed integer overflow that let a remote attacker crash any OpenBSD host sat there, undisturbed, in a function that handled selective acknowledgements.
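The bug class named here, a signed integer overflow in length arithmetic on attacker-controlled network values, is worth seeing side by side with its fix. The following is an added example written for this page; the `sack_block` struct and the functions are hypothetical constructions that illustrate the class and are not OpenBSD's SACK code or a reconstruction of the actual flaw.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class: a signed integer overflow in
 * length arithmetic on values taken from the wire. Hypothetical types and
 * functions, NOT OpenBSD's TCP code. */
struct sack_block {
    uint32_t start;   /* first sequence number covered by the block */
    uint32_t end;     /* one past the last sequence number covered */
};

/* Vulnerable pattern: the length is computed in a signed int and only its
 * upper bound is checked. A block whose end precedes its start yields a huge
 * unsigned difference; converting that to int gives a negative number on
 * gcc/clang (modular, implementation-defined), which passes "len > max". */
bool sack_accept_unchecked(struct sack_block b, uint32_t max_window)
{
    int len = (int)(b.end - b.start);
    if (len > (int)max_window)
        return false;               /* a negative len never trips this */
    return true;                    /* malformed block accepted */
}

/* Hardened: compute the length in unsigned arithmetic, where wraparound is
 * defined behaviour, reject empty and over-long blocks, and return a wide
 * type so the caller cannot confuse a length with the error value. */
int64_t sack_block_len(struct sack_block b, uint32_t max_window)
{
    uint32_t len = b.end - b.start;   /* wraps correctly across 2^32 */
    if (len == 0 || len > max_window)
        return -1;
    return (int64_t)len;
}

/* Sum block lengths with an explicit overflow check instead of trusting int. */
bool sack_total(const struct sack_block *blocks, size_t n,
                uint32_t max_window, uint64_t *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        int64_t len = sack_block_len(blocks[i], max_window);
        if (len < 0)
            return false;
        if (__builtin_add_overflow(total, (uint64_t)len, &total))
            return false;
    }
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed sample input: one ordinary block, one that legitimately
     * wraps past 2^32, and one malformed block whose end precedes its start. */
    struct sack_block ok[] = { {100, 200}, {0xFFFFFF00u, 0x100u} };
    struct sack_block bad = {200, 100};
    uint64_t total = 0;

    printf("unchecked accepts malformed block: %d\n",
           sack_accept_unchecked(bad, 65536));
    printf("checked length of malformed block: %lld\n",
           (long long)sack_block_len(bad, 65536));
    if (sack_total(ok, 2, 65536, &total))
        printf("total acked bytes: %llu\n", (unsigned long long)total);
    return 0;
}
```

The design point is the second function: sequence-number differences belong in unsigned arithmetic, where modular wraparound is defined and intended, and the sanity check has to bound the length from both sides rather than rely on a signed comparison that a negative value slips under.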

Anthropic's Claude Mythos Preview found it in a single agentic session. That particular run cost under $50, though the full campaign across a thousand runs through the same scaffold totaled under $20,000.

That ratio is the one you should remember from Tuesday's announcement. Not the $100 million in usage credits. Not the coalition of 12 blue-chip partners or the 40 additional organizations now scanning their own code for zero-days. The economics matter because they tell you the old cost structure of cybersecurity is already dead.

The moat was always an illusion

For decades, the security industry operated on an unspoken bargain. Software had bugs. Lots of them. But finding the dangerous ones required scarce, expensive human expertise. A skilled researcher could burn weeks pulling apart a binary, tracing where control flow goes sideways, trying to chain one vulnerability into another. The cost of that effort functioned as a moat. Most software was mostly safe not because it was secure, but because attacking it was hard.

Mythos Preview didn't just breach that moat. It proved the moat was always an illusion.

In testing, the model hunted down and exploited zero-day vulnerabilities across every major operating system and browser. Every single one. A 16-year-old flaw in FFmpeg, the video library behind virtually every streaming service you use, had been hiding in a line of code that automated tools ran over five million times. None of them caught it. Mythos found it by reasoning about the code, not by brute-forcing inputs. In another test, the model chained together four vulnerabilities in a web browser to build a JIT heap spray that escaped both the renderer sandbox and the operating system sandbox, a feat that would have taken an expert penetration tester weeks. Mythos did it overnight, without human guidance.

On CyberGym, the benchmark that measures whether a model can reproduce and exploit real vulnerabilities, Mythos scored 83.1%. Claude Opus 4.6, the company's current public flagship, scored 66.6%. On SWE-bench Verified, the gap is wider: 93.9% versus 80.8%. When Anthropic re-ran a Firefox exploit benchmark on which Opus 4.6 had succeeded just twice in several hundred attempts, Mythos Preview produced working exploits 181 times.

These are not incremental gains. They represent a phase transition.

The company that can't secure its CMS wants to secure the internet

Here is where the story gets uncomfortable for Anthropic, and where the company looks most exposed. The organization asking the world to trust it as the gatekeeper of a model with what it calls extreme cyber capabilities is the same one that, in March, left a draft blog post about Mythos in a publicly searchable data store because someone misconfigured a content management system. Days later, a packaging error in Claude Code exposed more than half a million lines of Anthropic's own source code to anyone who ran npm install during a three-hour window.

Newton Cheng, the cyber lead for Anthropic's frontier red team, told VentureBeat these were "human errors in publishing tooling, not breaches of our security architecture." The company sounded defensive. That distinction is technically accurate. It is also the kind of distinction that evaporates under the weight of the claim Anthropic is now making: that it has built a model capable of autonomously cracking the most hardened operating systems on the planet and should be trusted to distribute it responsibly.

The company is simultaneously fighting the Pentagon in court after the Defense Department labeled it a supply-chain risk, negotiating access to 3.5 gigawatts of Google TPU capacity, and disclosing that its annualized revenue has tripled to $30 billion. Project Glasswing lands in the middle of all of it. A cybersecurity initiative, a business development play, and an IPO narrative rolled into one announcement.

That doesn't make the underlying capability less real. It means you should read the coalition partner list with both eyes open.

Why the "head start" is a sprint, not a marathon

Logan Graham, head of Anthropic's frontier red team, was direct with Axios: models with capabilities similar to Mythos Preview will be available from other labs within six to 18 months. "We basically need to start, right now, preparing for a world where there is zero lag between discovery and exploitation," he told the Wall Street Journal.

That timeline is the core problem. Project Glasswing gives 12 launch partners and 40 additional organizations access to Mythos Preview for defensive scanning. Anthropic is putting $100 million in credits on the table. Publication of findings within 90 days. Partners swap notes. All very tidy. Then you look at what's already happening.

Chinese AI labs are closing the gap. Open-weight models from companies like Zhipu AI and DeepSeek already rival proprietary systems on coding benchmarks, and they cost a fraction of the price. Last November, a Chinese state-sponsored group used Anthropic's own Claude models to automate 80 to 90 percent of a cyber-espionage campaign across roughly 30 targets. And earlier this year, the Hexstrike-AI tool built for defenders was flipped by criminals within hours of release, collapsing zero-day exploit timelines from weeks to minutes. The cybersecurity industry has looked anxious for months. Mythos confirms the fear was justified.

The pattern is consistent. Defensive tools become offensive weapons faster than anyone anticipates. The question is whether 90 days of coordinated patching can outrun 6 to 18 months of capability proliferation. The math does not inspire confidence.

Friction never stopped an attacker with infinite patience

The technical details in Anthropic's Frontier Red Team blog post tell a specific story about what Mythos Preview means for the security paradigm.

Consider the FreeBSD NFS vulnerability, a 17-year-old remote code execution bug that Mythos found and exploited completely autonomously. The exploit itself was a standard stack buffer overflow into a return-oriented programming attack. Nothing novel. What made FreeBSD "safe" for 17 years was friction: the attacker needed to know a kernel host ID and boot time, needed to split a 20-gadget ROP chain across six sequential RPC requests, and needed the various defense mitigations to align in a specific way. A human researcher would have needed days to weeks to thread that needle. Mythos did it in hours for under $1,000 at API pricing.

Or consider the Linux kernel privilege escalation exploits. The model identified a one-bit write vulnerability in netfilter's ipset, then constructed an exploit that manipulated the kernel's SLUB memory allocator, sprayed page-table entries adjacent to slab pages, used the bug itself as an oracle to detect which memory layout had succeeded, and ultimately flipped a single permission bit on a page-table entry mapping /usr/bin/passwd, all to rewrite a setuid binary with a 168-byte ELF stub that grants root.

That exploit chain is not a brute-force attack. It requires understanding memory layout, page allocator behavior, PTE bit fields, and the interaction between MAP_SHARED mappings and the kernel page cache. The kind of understanding that maybe a few hundred people on earth possess. Mythos Preview reproduced it from a Syzkaller bug report, with zero human intervention, for under $1,000.

This is what "security through friction" looked like from the inside: not a wall, but a speed bump. And the speed bump only worked because attackers were human.

Who actually benefits from the coalition

Pull up the Project Glasswing partner list. Amazon right next to Apple. Google across from Microsoft. Cisco, Broadcom, Nvidia on the hardware bench. CrowdStrike and Palo Alto Networks providing the security expertise while JPMorganChase covers finance. The Linux Foundation rounds it out. Every one of them ships products that contain the bugs Mythos keeps finding. They get early access to a model that can scan their codebases for vulnerabilities they didn't know existed.

But the structure tells you something about Anthropic's real position. The company is committing $100 million in credits now, then charging $25 per million input tokens and $125 per million output tokens after the preview period. It has positioned itself as the sole provider of a capability that will soon define the cybersecurity industry's baseline. Every partner that builds Mythos Preview into its defensive workflow becomes a recurring revenue customer.

Jim Zemlin, CEO of the Linux Foundation, made the asymmetry explicit: "Security expertise has been a luxury reserved for organizations with large security teams. Open-source maintainers have historically been left to figure out security on their own." Anthropic's $4 million in donations to open-source security organizations is a rounding error against the $100 million in credits flowing to Fortune 500 partners. The maintainers who actually write the code running most of the world's infrastructure get about four cents for every dollar the coalition receives.

CrowdStrike's CTO Elia Zaitsev framed the stakes correctly: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI." But he was also describing a world in which CrowdStrike's own business model, selling endpoint detection and threat intelligence, becomes more valuable by the day. The threat is real. So is the commercial opportunity.

Fuzzers weren't this fast, and they still changed everything

The cybersecurity industry has been here before, in spirit if not in scale. When software fuzzers emerged, the same dual-use fears surfaced. Attackers would find bugs faster. The equilibrium would shift. It took years, but fuzzers ultimately benefited defenders more than attackers because defenders had better access to the tools and more motivation to deploy them systematically.

Anthropic's own Red Team blog draws this parallel explicitly. "We believe the same will hold true here too, eventually," the researchers write. Pay attention to that last word. It's doing a lot of work.

The difference this time is speed. Fuzzers required custom harnesses and domain expertise. They took years to mature. Mythos Preview finds vulnerabilities with a one-paragraph prompt and an internet-isolated container. Anthropic employees with zero security training pointed Mythos at a codebase before going to bed. By morning, a working RCE exploit sat in their terminal. Nobody told the model how to do it.

If you're responsible for critical infrastructure, the math is simple. Attackers will run these tools whether defenders adopt them or not. Sitting this one out is not a strategy. The question is whether you can patch faster than adversaries can exploit, in a world where both sides use the same class of tools and the attacker's cost has dropped from weeks of expert labor to $50 and a prompt.

Anthropic built the weapon and wants to sell the shield. Project Glasswing gives defenders a genuine head start. But Logan Graham himself said the quiet part out loud: "If these previously were mostly secure because it took a lot of human effort to attack them, does that paradigm of security even work anymore?"

The answer, as of Tuesday, is no. What replaces it depends on what happens in the next six months.

Frequently Asked Questions

What is Project Glasswing?

A cybersecurity initiative launched by Anthropic that gives 12 major tech companies and 40+ additional organizations access to Claude Mythos Preview for defensive vulnerability scanning. Partners include Amazon, Apple, Google, Microsoft, CrowdStrike, and others. Anthropic is committing $100 million in usage credits.

Why won't Anthropic release Mythos Preview publicly?

The model can autonomously find and exploit zero-day vulnerabilities across every major operating system and browser. Anthropic says the cybersecurity risk of broad access is too high until adequate safeguards exist. After the preview, pricing will be $25/$125 per million input/output tokens for approved participants.

What vulnerabilities has Mythos Preview found?

Thousands of zero-day vulnerabilities, including a 27-year-old bug in OpenBSD's TCP stack, a 16-year-old flaw in FFmpeg missed by 5 million automated tests, and a 17-year-old remote code execution vulnerability in FreeBSD. The model also chained multiple Linux kernel bugs into full privilege escalation exploits.

How does Mythos Preview compare to current AI models?

On CyberGym, Mythos scored 83.1% versus Opus 4.6's 66.6%. On SWE-bench Verified: 93.9% versus 80.8%. On a Firefox exploit benchmark, Opus succeeded twice in hundreds of attempts while Mythos produced 181 working exploits.

When will similar AI cybersecurity capabilities become widely available?

Anthropic's Logan Graham estimates 6 to 18 months before other labs release models with comparable capabilities. Chinese AI companies are closing the gap with open-weight models. A Chinese state-sponsored group already used Claude to automate 80-90% of a cyber-espionage campaign last year.

Editor-in-Chief and founder of Implicator.ai. Former ARD correspondent and senior broadcast journalist with 10+ years covering tech. Writes daily briefings on policy and market developments. Based in San Francisco. E-mail: [email protected]