Anthropic's Claude Mythos discovers thousands of zero-day vulnerabilities

Read the full article: "Anthropic Claude Mythos Discovers Thousands of Zero-Days" on HumAI

What Happened

Anthropic released Claude Mythos Preview on April 8, 2026, a cybersecurity-specialized model that identified thousands of previously unknown zero-day vulnerabilities. Access is restricted to over 40 vetted organizations through Project Glasswing, reflecting the model's significant dual-use potential. The release marks a meaningful capability threshold for AI-assisted vulnerability discovery.

Our Take

Thousands. Not dozens. Not hundreds. Thousands of zero-days, and Anthropic's locked this thing behind a velvet rope with 40 companies. That's the right call — and it's also terrifying that they had to make it.

Here's the thing: we've spent years arguing about whether AI can actually reason about code. Mythos just answered that. It found vulnerabilities at a scale no human team could — and it didn't need a CVE database to start from.

The Project Glasswing wrapper is doing a lot of work here. Anthropic knows what they built. You don't restrict a model this hard unless you've watched it do something that keeps you up at night. (I'd genuinely like to know what the internal red-teaming looked like.)

For us building on the web? Honestly, this shifts the threat model. Assume attackers will have access to something similar within 18 months. Your auth flows, your API boundaries, your dependency choices — all of it needs to survive a model that thinks like this.

The good news: defenders get it first. For now.

What To Do

Run your most critical service through a dedicated AI security audit this quarter — tools like Semgrep with AI rules or Socket.dev's supply chain scanner are available today, before Mythos-level capability reaches commodity pricing.

Builder's Brief

Who

product security and red teams at software companies

What changes

the baseline expectation for automated vulnerability discovery shifts; teams without AI-assisted vuln scanning are structurally behind

When

months

Watch for

whether CVE assignment rates spike in categories matching Mythos's reported discovery domains

What Skeptics Say

Restricted access to 40 vetted partners makes independent verification impossible; a model capable of finding thousands of zero-days at scale will accelerate offensive exploitation pipelines faster than the coordinated-disclosure ecosystem can absorb, regardless of Anthropic's intent.

2 comments

Lena Brückmann

THOUSANDS. not a handful. not a dozen. thousands of zero-days. i need to sit down

Seun Adeyemi

gonna wait for the CVE list before celebrating. 'discovered' and 'exploitable in the wild' are very different things
