
Claude Mythos – Facing the coming bug-calypse
The next iteration of Anthropic’s Large Language Model (LLM), called Claude Mythos, was announced on the 7th of April 2026 (after an accidental leak on March 26th). Unlike previous frontier LLMs, which were released publicly, Anthropic decided to provide invite-only access to select companies because of the model’s extraordinary ability to find software vulnerabilities and write exploits for them.
Since then, many, many pages of virtual ink have been spilt exploring what Claude Mythos will mean for the software industry, cybersecurity defenders, businesses and society at large. It’s been in mainstream media, to the point where questions arise at garden parties from non-tech people.
In this article we’ll explain what Claude Mythos is, the cybersecurity implications of it (and competing models), what it actually means for enterprise defenders, steps you should take to manage the wave, how agentic AI and harnesses heavily influence effectiveness and why higher velocity of vulnerabilities is going to characterize the upcoming era, sometimes called the bug-calypse.
What is Claude Mythos?
Claude Mythos is Anthropic’s restricted frontier model for advanced cybersecurity analysis.
Each of the frontier AI labs gives names and version numbers to their models, and Mythos is the next software-coding-focused model from Anthropic.
If Nicholas Carlini, a cybersecurity researcher on the team at Anthropic, is to be believed, they didn’t set out to create a model that was specifically good at finding and exploiting software vulnerabilities; they just wanted to create a model that was exceptional at coding overall. Bug finding was a byproduct of this focus.
The AI Security Institute in the UK tested it on a cyber range, where Mythos ranked highest, followed by Claude Opus 4.6 in second place, then by OpenAI’s GPT-5.4 and GPT-5.3 Codex.
Then there’s ExploitGym, which provides a testing environment for AI agents to find and write exploits for 898 (known) vulnerabilities across user-space programs, Google’s V8 JavaScript engine and the Linux kernel.

Note that both Claude Mythos preview and OpenAI’s GPT-5.5 perform much better than previous generations of models.
Anthropic had similar results in their early testing and thus decided to delay the public release of Claude Mythos to allow big tech organizations to use it to find and fix their vulnerabilities first.
What is Project Glasswing?

Named after the famous butterfly that hides in “plain sight”, Anthropic’s Project Glasswing invited 50+ organizations to use Mythos in private preview to find and fix vulnerabilities before attackers use it to develop exploits for bugs that haven’t been patched yet. Invitees include AWS, Apple, Cisco, Google, The Linux Foundation, Microsoft, Nvidia and Palo Alto. Anthropic also provided up to $100 million in usage credits for participants.
A fair question is whether this is just a clever marketing strategy or a genuine attempt to act responsibly with a new, powerful capability, and the answer probably lies somewhere in the middle. Clearly early testing shows a step change in capability, but it certainly doesn’t hurt your marketing effort when non-tech people hear about your product in mainstream media.
At the time of writing (June 2026), it looks like public access to Mythos will not be offered soon, but the scope of included organizations has expanded, with another 150 added across 15 countries, covering critical infrastructure, power, water, healthcare, communications and hardware.
Why AI Vulnerability Scanning Depends on Models and Agentic Harnesses
Much has been made of the “one-shot” ability of Mythos – “here’s a code base, find me some vulnerabilities”. However, that’s not how an organization builds a scanning engine to find vulnerabilities, verify them, write exploits and then verify those and finally (ideally) write patches to fix the vulnerabilities.
Instead, a scanning harness is required, consisting of multiple AI agents that perform discrete steps in the overall chain of work to be done. Indeed, Niels Provos, a well-known security researcher, set out to prove that a good harness utilizing existing public AI models could be just as good at finding vulnerabilities.
The main finding here is that LLMs and agents have an innate drive to get to “done”, but by breaking the work down into smaller steps, they can complete each of those steps independently.
This also means you can have different models and AI tools assist different agents to ensure that the best tools for the job are used in each of the steps.
This also builds on previous work, in particular DARPA’s AI Cyber Challenge (AIxCC), which ran from August 2023 to August 2025 and in which seven teams competed in the finals to create a completely automated system to find vulnerabilities, create a Proof of Vulnerability (PoV) for each of them, and then write a patch for the bug, test it and apply it.
Several members of the winning team, Atlanta, are now working for Microsoft, creating their scanning harness service, codename MDASH.
What is codename MDASH?
The multi-model agentic scanning harness runs over 100 AI agents on various models (presumably including Mythos, as Microsoft is a Glasswing participant) to find vulnerabilities. The recent Patch Tuesday from Microsoft included 16 patches to fix vulnerabilities in the Windows networking and authentication stack that were found using MDASH.
They tested it on five years’ worth of reported vulnerabilities in the logging function in Windows where it found 96% of bugs that had been reported, and 100% of all reported bugs in the TCP networking stack.
They also tested it on the public CyberGym benchmark and MDASH took the top spot.

It’s clear that a harness of different agents working in tandem beats single prompts, and that finding vulnerabilities is only the first step.
Validating that the bug is real, isn’t a duplicate of something already known, and can be exploited is critical. Also, modern bugs, particularly in iOS and Android, require chaining together multiple vulnerabilities, something that a single prompt can’t accomplish easily.
Most importantly, new models can be swapped in as they become available, meaning the harness is the engine, and different models (that are good at different phases) are tested and plugged in over time.
Results from Project Glasswing to date
Palo Alto normally publishes 10-15 patches a month; this month they published 24. Cloudflare scanned 50 internal code repositories, finding strong improvements in exploit chain construction and proof generation and, most importantly, a better signal-to-noise ratio, meaning what Mythos found was of higher quality.
They also underlined the importance of a good harness that breaks down each individual task, with agents working in parallel. They found 2000 bugs, including 400 rated high or critical.
Mozilla found 271 vulnerabilities in version 150 of the Firefox browser (over 10 times more than they found in version 148 with an earlier Anthropic model).
Anthropic themselves used Mythos to scan more than 1,000 open-source projects, where it found 23,019 potential vulnerabilities, with 6,202 of those rated high or critical. They manually verified 1,752 of those and found that over 90% were valid, and over 62% were confirmed as high or critical.
The annual industry stalwart, Verizon’s Data Breach Investigations Report 2026 (covering October 2024 to November 2025), has one very interesting finding: exploitation of vulnerabilities is now the most common initial access vector (31%), whereas credential abuse, the previous leader, is now down to 13%.
There’s a myth to bust here about LLMs and their guardrails. If you ask any of them today to give you the recipe for building a bomb, creating a biological weapon, or building an exploit for a software vulnerability, they’ll refuse. But these are “soft” blocks, and after some coaxing, they can be tricked into performing the task.
There’s no way today to create an LLM that can only find vulnerabilities and write exploits for defenders, but not for attackers.
It’s also worth noting that OpenAI has a similar project, called Daybreak, so expect more cybersecurity-focused AI scanning tools to become available in the future.
The rise of AI vulnerability scanning as a service
The early promising results of MDASH and Cloudflare’s scanning harnesses will result in the rise of managed services that enterprises can run against their own code. OpenHack is an open-source option from Hadriansecurity where you supply your models of choice.
On the open-source side, IBM and Red Hat are collaborating on Project Lightwell, using 20,000 engineers augmented by AI to help enterprises secure the open-source software that over 90% of them rely on.
Not to be left out, Google has announced their AI Threat Defense, which will validate risks, generate fixes and support remediation workflows.
On the other hand, you should be aware of the rise of “Anonymous LLMs as a Service”, where criminals rent model access from providers that broker access obtained with stolen credentials, and run their AI workloads through it.
A practical guide for defenders in the post-Mythos world
Step 1
Just like it says on the cover of The Hitchhiker’s Guide to the Galaxy: “Don’t Panic”. Yes, there will be more vulnerabilities found in software using LLMs and scanning harnesses, but defenders will adapt, and the tools are available to us too: scan and fix bugs in your software before attackers do.
And we’ve been here before. When decompilers first became available, there were those who thought reverse engineers had been made redundant. Then came fuzzers and static analysis tools; at each step of the arms race between attackers and defenders, we adapted and improved.
Step 2
The fundamentals haven’t changed. Protecting your organization against cybercriminals still relies on getting cybersecurity hygiene fundamentals right. Most breaches aren’t caused by zero-days in software, they’re caused by flaws in humans.
Wily attackers calling up your helpdesk with all the right personal information, resetting credentials for an admin account and then ransoming all your servers (this happened to Jaguar Land Rover), or tricking an end user into clicking a link in a phishing email, have nothing to do with software vulnerabilities.
Step 3
Patching the software that runs your business more quickly will be a requirement. The time between a vulnerability being discovered and a working exploit being available has been decreasing over the last eight years, as tracked by the Zero Day Clock project. Most of that decrease came before AI was used to find vulnerabilities, but the velocity will increase as Claude Mythos and its cousins become ubiquitous.

Step 4
Adopt Continuous Threat Exposure Management (CTEM). The advice to patch faster is something that organizations have been trying to do (unsuccessfully) for over a decade. CTEM takes over where traditional vulnerability management (VM) leaves off.
A VM solution will give you a huge list of known vulnerable software across your entire enterprise, plus a priority of low, medium, high or critical (generally based on the CVSS score), leading most overworked IT / security teams to deal only with the critical and high patching (and to take 30 days or more to do so).
CTEM, on the other hand, scopes the security risks across your entire digital estate, then discovers and prioritizes vulnerabilities not based on a generic CVSS score but taking into account your context and environment.

A server with a vulnerability in its database is a low priority if it’s air-gapped from the internet, and critical if there’s a path to reach it from the internet. And those medium-risk vulnerabilities are now going to be legitimate targets for AI to develop exploits for, something that human attackers rarely invest time in.
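To make the contextual prioritization concrete, here is an added illustration (not code from the article or any vendor product) that re-scores scanner findings using reachability, business impact and known exploitation instead of CVSS alone. The exposure factors, bonuses, finding ids and the sample inventory are all constructed assumptions.

```python
"""Context-aware prioritization in the CTEM spirit: CVSS is only the starting point.

Added illustration, not code from the article or any vendor product. The
exposure factors, bonuses and the sample inventory are constructed assumptions.
"""
from dataclasses import dataclass

# How much of the raw CVSS score survives once reachability is accounted for.
EXPOSURE_FACTOR = {
    "internet": 1.0,    # a network path exists from the internet to the asset
    "internal": 0.6,    # reachable only from the corporate network
    "air_gapped": 0.2,  # no network path; attacker needs another foothold first
}

@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed placeholder, not a real CVE id
    cvss: float            # generic base score a VM scanner would report
    asset: str
    exposure: str          # key into EXPOSURE_FACTOR
    business_critical: bool
    exploited_in_wild: bool = False

def contextual_score(f: Finding) -> float:
    """Re-score a finding using the environment it sits in, not just CVSS."""
    score = f.cvss * EXPOSURE_FACTOR[f.exposure]
    if f.business_critical:
        score += 1.5          # impact if the asset goes down or leaks data
    if f.exploited_in_wild:
        score += 3.0          # known exploitation: patch now, regardless of score
    return round(score, 2)

def prioritize(findings):
    """Return finding ids, highest contextual score first."""
    return [f.finding_id for f in sorted(findings, key=contextual_score, reverse=True)]

def prioritize_by_cvss(findings):
    """The ordering a plain VM tool would give, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed inventory mirroring the article's example: a critical database
# bug on an air-gapped host versus a medium bug on an internet-facing server.
SAMPLE = [
    Finding("VULN-DB-1", 9.8, "db-server-01", "air_gapped", True),
    Finding("VULN-WEB-1", 5.3, "web-portal-01", "internet", False),
    Finding("VULN-FS-1", 7.5, "file-server-01", "internal", True, exploited_in_wild=True),
    Finding("VULN-HR-1", 6.1, "hr-app-01", "internal", False),
]

if __name__ == "__main__":
    print("CVSS only :", prioritize_by_cvss(SAMPLE))
    print("Contextual:", prioritize(SAMPLE))
```

With the sample inventory the air-gapped critical drops from first to last, while the internet-facing medium moves up to second behind the actively exploited bug.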
Here it’s also time for some myth busting: patching doesn’t always make you more secure. The recommendation to apply patches for everything as soon as they’re available is biased by the concerted effort of large teams (and now AI scanning harnesses) accepting vulnerabilities found by security researchers through a bug bounty program, triaging and prioritizing them, creating security-specific patches, and then rolling them out on a monthly cadence.
That’s true for major web browsers, operating systems (mobile and desktop), major cloud infrastructure and some security vendors’ code. For all other software and SaaS services that your organization relies on, patching statistically tends to introduce more new vulnerabilities than it fixes.
Obviously, if there’s a known vulnerability being exploited in the wild and a patch is available to fix it, you must patch as soon as possible, but don’t assume that patching equals more secure; see here for further details.
Step 5
If your organization creates and maintains code, either for internal or customer-facing applications, you’ll need to start scanning it regularly using a good harness with strong models behind it. In new projects it really helps to do this from the start, limiting the amount of re-work required later in the process, but you need to allocate sufficient resources to manage the flood of issues AI is likely to find.
Step 6
Your organization’s software stack will almost certainly include open-source packages as building blocks. They’re going to be fair game for attackers to scan, as the source code is public, so your developers must be even more aware than they already should be of the risks of supply chain attacks.
Your code might be great, and you might scan it regularly to catch any recently introduced vulnerabilities, but if a dependency package has an unpatched bug, your application might still be open to attack.
Make sure to contribute to organizations providing support to open-source projects; they’ll need access to AI scanning services to cope with the wave of bugs coming their way.
One part of managing the challenges ahead is understanding how LLMs, AI agents and MCP servers are best governed internally; the not-for-profit Center for Internet Security (CIS) provides three great guides.
Step 7
Build a realistic cybersecurity resiliency culture across your organization. It’s no longer enough to spend a minimal amount on cybersecurity, see it as just a cost center (rather than an enabler for the organization to grow safely), and deal with the fallout when breaches happen.
Hardening your environment will be paramount, whether that’s making sure that your sensitive corporate data stays secure in SharePoint and OneDrive, that malicious emails stay out of your users’ inboxes, or that your users are well trained not to fall for any threats that slip through.
Reduce Your Microsoft 365 Exposure Before AI-Speed Attacks Find It
Claude Mythos is a clear signal that the vulnerability lifecycle is accelerating. Attackers and defenders are moving faster, and the organizations that wait for a breach to clean up their Microsoft 365 permissions will always be one step behind.
With 365 Permission Manager by Hornetsecurity, security teams and Microsoft 365 admins can take back control of who has access to what across Teams, SharePoint, and OneDrive. Use it to identify risky sharing, enforce compliance policies, receive alerts for critical permission changes, remediate violations, and generate the reports needed to prove control.

Ready to reduce data exposure and strengthen Microsoft 365 governance? Book a demo or request a free trial of 365 Permission Manager by Hornetsecurity.
Conclusion
Generative AI continues to have an impact on cybersecurity. Claude Mythos is putting a focus on the lack of code quality in most software that enterprises rely on, and your organization should take the steps outlined to manage the upcoming wave of bugs.
FAQ
What are the implications of Claude Mythos for cybersecurity defense?
Its powerful capabilities may lead to a surge in vulnerabilities found, necessitating enhanced security measures and faster patching from defenders. Therefore, organizations should enhance their vulnerability management practices, adopt continuous threat exposure management, and regularly scan their code.
How does Claude Mythos compare to previous AI models?
Claude Mythos outperforms earlier models, such as GPT-5.4, in vulnerability detection, making it a significant boost for cybersecurity efforts. Concerns exist about its potential misuse for creating exploits, highlighting the need for responsible use and governance of powerful AI tools.
Will Claude Mythos be available to the public soon?
As of now, access to Claude Mythos remains invite-only for select organizations involved in Project Glasswing, with no public release expected soon.
