On April 7th, 2026, there was a remarkable shift within the digital world. Anthropic released a warning flag disguised as a language model. The tech world expected a better assistant however, we received Claude Mythos Preview instead. Anthropic’s own technical blog states Mythos was able to discover vulnerabilities but it doesn’t autonomously weaponize them. To play it safe, Anthropic has kept it behind a defensive alliance of theirs that is also known as “Project Glasswing”
While previous large language models rely on pattern recognition to generate answers and make fixes, Mythos analyzes the deep logic system of unsafe, vulnerable code to then identify failures within the structure. Analysts estimate that these zero-day chains currently cost around $2000 in computing.
Press enter or click to view image in full size
The most chilling angle of this Mythos announcement comes with its abilities for identifying ancient repositories in order to find vulnerabilities that have haunted humans for a long time. For example, Mythos identified a 27-year-old critical flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg within hours of initialization. These bugs survived decades of expert audits and automated fuzzing, proving that our infrastructure has been ‘un-scanned’ rather than ‘secure’.
# Representation only — simplified CVSS v3.1 base score calculation
# This mirrors the severity class of vulnerabilities Mythos identified:
# network-accessible, no privileges required, high impact across C, I, A
impact = 1 - ((1 - 0.56) * (1 - 0.56) * (1 - 0.56)) # High confidentiality, integrity, availability impact
exploitability = 8.22 * 0.85 * 0.77 * 0.85 * 0.85 # Network vector, low complexity, no privileges, no user interaction
base_score = round(min(impact * 6.42 + exploitability, 10) * 10) / 10
print(f"CVSS v3.1 Base Score: {base_score}") # Output: 9.8 — Critical
We have relied on the limitations of human assistance to keep our systems standing, Mythos doesn't have such limitations. Anthropic knew their creation was very powerful and could cause a lot of problems. So they put Mythos inside Project Glasswing, which is a group that includes the US Treasury, the UK AI Security Institute and big companies like Apple and Microsoft. Anthropic is providing massive compute credits to open-source maintainers to run the largest patching spree within the history of humans. Only certain people are allowed to use Mythos and is thus strictly vetted. It is currently a tool that is kept in a place and only utilized to help defense, the Blue Team before someone else gets a hold of something similar, to Mythos. The arrival of Mythos shows us a sad truth: attacks can now be automated. This means we are living in a time where the developers and builders have to stay one step ahead of threat actors who have potential to compromise. Developers have to be right all the time even when they are looking at millions and millions of lines of code. On the other hand the threat actors only need to find one little mistake in some old code from the 1990s to cause big problems for a whole network.
In contrast to the whole article, Mythos is better understood as a digital immune system rather than a mere weapon. I strongly believe it should shift our perspective from fear to fortification. We should not be scared of Mythos. It is actually a thing because it moves really fast. The cybersecurity professionals use Mythos to find and fix problems before the attackers can even find them. (At least for now) Relying solely on Artificial Intelligence, for defense is not a good idea. This is because it creates one spot that does not have human instinct and ethical supervision. These systems that work on their own are very fast. However they can be fooled by examples that are designed to confuse the Artificial Intelligence system. We still need humans to make sure Artificial Intelligence systems are working correctly.
