On April 7, 2026, Anthropic announced that its latest and most capable general-purpose large language model, Claude Mythos Preview, had demonstrated remarkable — and unintended — capabilities. The AI system was able to find and exploit software vulnerabilities at an unprecedented rate, igniting widespread concern among the public, governments, and the IT sector about AI's potential to undermine cybersecurity. Some viewed the model as a global cybersecurity threat.
Citing the high risks of public release and a moral responsibility to disclose these vulnerabilities, Anthropic decided not to immediately offer Mythos to the public. Instead, it granted exclusive access to tech giants for testing the model's capabilities, a process Anthropic dubbed Project Glasswing.
While Mythos' capabilities are undoubtedly impressive, experts suggest the AI system does not represent a radical departure in cybersecurity. Rather, Mythos serves as a mirror, reflecting the inherent fragility of modern systems and established human behaviors.
During a controlled evaluation, engineers with minimal security experience were able to prompt Mythos to scan thousands of software codebases for vulnerabilities. The model exhibited striking capabilities in conducting multi-step, autonomous attacks that typically take human experts weeks or even months to orchestrate. Mythos not only discovered 271 vulnerabilities in Mozilla's Firefox but also developed exploits to take advantage of 181 of them.
Anthropic's red team, which simulates attacker roles to test defenses, along with the United Kingdom's AI Security Institute, reported that Mythos found thousands of zero-day vulnerabilities (previously unreported flaws) in major operating systems, web browsers, and other applications. These software flaws remain unpatched and can be immediately weaponized. Officials from the National Security Agency reportedly expressed strong impressions regarding the tool's speed and efficiency in identifying software vulnerabilities.
Among the widely reported findings were Mythos' ability to identify a dormant 27-year-old security flaw in OpenBSD, a security-focused operating system, and a 16-year-old bug in FFmpeg, a video/audio processing tool. Some of these flaws allow unauthenticated users to gain control of machines hosting these applications.
Even more remarkably, the relatively inexperienced engineers conducting Mythos' evaluations utilized the AI to complete entire attack chains overnight—from vulnerability discovery to exploitation—a process that can typically take human experts weeks. The model's capacity to chain multiple steps autonomously was particularly notable.