Anthropic's Claude Mythos discovers thousands of zero-day vulnerabilities
What Happened
Anthropic released Claude Mythos Preview on April 8, 2026, a cybersecurity-specialized model that identified thousands of previously unknown zero-day vulnerabilities. Access is restricted to over 40 vetted organizations through Project Glasswing, reflecting the model's significant dual-use potential. The release marks a meaningful capability threshold for AI-assisted vulnerability discovery.
Our Take
Thousands. Not dozens. Not hundreds. Thousands of zero-days, and Anthropic's locked this thing behind a velvet rope with 40 companies. That's the right call — and it's also terrifying that they had to make it.
Here's the thing: we've spent years arguing about whether AI can actually reason about code. Mythos just answered that. It found vulnerabilities at a scale no human team could — and it didn't need a CVE database to start from.
The Project Glasswing wrapper is doing a lot of work here. Anthropic knows what they built. You don't restrict a model this hard unless you've watched it do something that keeps you up at night. (I'd genuinely like to know what the internal red-teaming looked like.)
For us building on the web? Honestly, this shifts the threat model. Assume attackers will have access to something similar within 18 months. Your auth flows, your API boundaries, your dependency choices — all of it needs to survive a model that thinks like this.
The good news: defenders get it first. For now.
What To Do
Run your most critical service through a dedicated AI security audit this quarter — tools like Semgrep with AI rules or Socket.dev's supply chain scanner are available today, before Mythos-level capability reaches commodity pricing.