Mythos autonomously exploited vulnerabilities that survived 27 years of human review. Security teams need a new detection playbook



A 27-year-old bug sat inside OpenBSD’s TCP stack while auditors reviewed the code, fuzzers ran against it, and the operating system earned its reputation as one of the most security-hardened platforms on earth. Two packets could crash any server running it. Finding that bug cost a single Anthropic discovery campaign roughly $20,000. The actual model run that surfaced the flaw cost under $50.

Anthropic’s Claude Mythos Preview found it. Autonomously. No human guided the discovery after the initial prompt.

The capability jump isn’t incremental

On Firefox 147 exploit writing, Mythos succeeded 181 times versus 2 for Claude Opus 4.6. A 90x improvement in a single generation. SWE-bench Pro: 77.8% versus 53.4%. CyberGym vulnerability reproduction: 83.1% versus 66.6%. Mythos saturated Anthropic’s Cybench CTF at 100%, forcing the red team to shift to real-world zero-day discovery as the only meaningful evaluation left. Then it surfaced thousands of zero-day vulnerabilities across every major operating system and every major browser, many one to 20 years old. Anthropic engineers with no formal security training asked Mythos to find remote code execution vulnerabilities overnight and woke up to a complete, working exploit by morning, according to Anthropic’s red team assessment.

Anthropic assembled Project Glasswing, a 12-partner defensive coalition including CrowdStrike, Cisco, Palo Alto Networks, Microsoft, AWS, Apple, and the Linux Foundation, backed by $100 million in usage credits and $4 million in open-source grants. Over 40 more organizations that build or maintain critical software infrastructure also received access. The partners have been running Mythos against their own infrastructure for weeks. Anthropic committed to a public findings report “within 90 days,” landing in early July 2026.

Security directors got the announcement. They didn’t get the playbook.

“I’ve been in this industry for 27 years,” Cisco SVP and Chief Security and Trust Officer Anthony Grieco told VentureBeat in an exclusive interview at RSAC 2026. “I’ve never been more optimistic for what we can do to change security because of the speed. It’s also a little bit terrifying because we’re moving so quickly. It’s also terrifying because our adversaries have this capability as well, and so frankly, we must move this quickly.”

Security directors saw this story told fifteen different ways this week, including VentureBeat’s exclusive interview with Anthropic’s Newton Cheng. As one widely shared X post summarizing the Mythos findings noted, the model cracked cryptography libraries, broke into a production virtual machine monitor, and gave engineers with zero security training working exploits by morning. What that coverage left unanswered: Where does the detection ceiling sit in the methods they already run, and what should they change before July?

Seven vulnerability classes that show where each detection method hits its ceiling

  1. OpenBSD TCP SACK, 27 years old. Two crafted packets crash any server. SAST, fuzzers, and auditors missed a logic flaw requiring semantic reasoning about how TCP options interact under adversarial conditions. Campaign cost ~$20,000. Anthropic notes the $50 per-run figure reflects hindsight.

  2. FFmpeg H.264 codec, 16 years old. Fuzzers exercised the vulnerable code path 5 million times without triggering the flaw, according to Anthropic. Mythos caught it by reasoning about code semantics. Campaign cost ~$10,000.

  3. FreeBSD NFS remote code execution, CVE-2026-4747, 17 years old. Unauthenticated root from the internet, per Anthropic’s assessment and independent reproduction. Mythos constructed a 20-gadget ROP chain split across multiple packets. Fully autonomous.

  4. Linux kernel local privilege escalation. Mythos chained two to four low-severity vulnerabilities into full local privilege escalation via race conditions and KASLR bypasses. CSA’s Rich Mogull noted Mythos failed at remote kernel exploitation but succeeded locally. No automated tool chains vulnerabilities today.

  5. Browser zero-days across every major browser. Thousands identified. Some required human-model collaboration. In one case, Mythos chained four vulnerabilities into a JIT heap spray, escaping both the renderer and the OS sandboxes. Firefox 147: 181 working exploits versus two for Opus 4.6.

  6. Cryptography library vulnerabilities (TLS, AES-GCM, SSH). Implementation flaws enabling certificate forgery or decryption of encrypted communications, per Anthropic’s red team blog and Help Net Security. A critical Botan library certificate bypass was disclosed the same day as the Glasswing announcement. Bugs in the code that implements the math. Not attacks on the math itself.

  7. Virtual machine monitor guest-to-host escape. Guest-to-host memory corruption in a production VMM, the technology keeping cloud workloads from seeing one another’s data. Cloud security architectures assume workload isolation holds. This finding breaks that assumption.

Nicholas Carlini, in Anthropic’s launch briefing: “I’ve found more bugs in the last couple of weeks than I found in the rest of my life combined.”

VentureBeat’s prescriptive matrix (columns: vulnerability class; why current methods miss it; what Mythos does; security director action)

OS kernel logic (OpenBSD 27yr, Linux 2-4 chain)
  Why current methods miss it: SAST lacks semantic reasoning. Fuzzers miss logic flaws. Pen testers are time-boxed. Bounties scope-exclude the kernel.
  What Mythos does: Chains 2-4 low-severity findings into local priv-esc. ~$20K campaign.
  Security director action: Add AI-assisted kernel review to pen test RFPs. Expand bounty scope. Request Glasswing findings from OS vendors before July. Re-score clustered findings by chainability.

Media codec (FFmpeg 16yr H.264)
  Why current methods miss it: SAST unflagged. Fuzzers hit the path 5M times, never triggered.
  What Mythos does: Reasons about semantics beyond brute force. ~$10K campaign.
  Security director action: Inventory FFmpeg, libwebp, ImageMagick, libpng. Stop treating fuzz coverage as a security proxy. Track Glasswing codec CVEs from July.

Network stack RCE (FreeBSD 17yr, CVE-2026-4747)
  Why current methods miss it: DAST limited at protocol depth. Pen tests skip NFS.
  What Mythos does: Full autonomous chain to unauthenticated root. 20-gadget ROP chain.
  Security director action: Patch CVE-2026-4747 now. Inventory NFS/SMB/RPC services. Add protocol fuzzing to the 2026 cycle.

Multi-vuln chaining (2-4 sequenced, local)
  Why current methods miss it: No tool chains. Pen testers hours-limited. CVSS scores in isolation.
  What Mythos does: Autonomous local chaining via race conditions + KASLR bypass.
  Security director action: Require AI-assisted chaining in pen test methodology. Build chainability scoring. Budget AI red teams for 2026.

Browser zero-days (thousands, 181 Firefox exploits)
  Why current methods miss it: Bounties + continuous fuzzing missed thousands. Some required human-model collaboration.
  What Mythos does: 90x over Opus 4.6. Chained 4 vulns into a JIT heap spray escaping renderer + OS sandbox.
  Security director action: Shorten patch SLA to 72hr for critical. Pre-stage the pipeline for the July cycle. Pressure vendors for Glasswing timelines.

Crypto libraries (TLS, AES-GCM, SSH, Botan bypass)
  Why current methods miss it: SAST limited on crypto logic. Pen testers rarely audit crypto depth. Formal verification not standard.
  What Mythos does: Found cert forgery + decryption flaws in battle-tested libraries.
  Security director action: Audit all crypto library versions now. Track Glasswing crypto CVEs from July. Accelerate PQC migration (caveat: the flaws above are implementation bugs, not breaks of the math, so new PQC code needs the same implementation audit).

VMM / hypervisor (guest-to-host memory corruption)
  Why current methods miss it: Cloud security assumes isolation. Few pen tests target the hypervisor. Bounties rarely scope the VMM.
  What Mythos does: Guest-to-host escape in a production VMM.
  Security director action: Inventory hypervisor/VMM versions. Request Glasswing findings from cloud providers. Reassess multi-tenant isolation assumptions.

Attackers are faster. Defenders are patching yearly.

The CrowdStrike 2026 Global Threat Report documents a 29-minute average eCrime breakout time, 65% faster than 2024, with an 89% year-over-year surge in AI-augmented attacks. CrowdStrike CTO Elia Zaitsev put the operational reality plainly in an exclusive interview with VentureBeat. “Adversaries leveraging agentic AI can perform these attacks at such a tremendous speed that a traditional human process of look at alert, triage, investigate for 15 to 20 minutes, take an action an hour, a day, a week later, it’s insufficient,” Zaitsev said. A $20,000 Mythos discovery campaign that runs in hours replaces months of nation-state research effort.

CrowdStrike CEO George Kurtz reinforced that timeline pressure on LinkedIn the same day as the Glasswing announcement. “AI is creating the largest security demand driver since enterprises moved to the cloud,” Kurtz wrote. The regulatory clock compounds the operational one. The EU AI Act’s next enforcement phase takes effect August 2, 2026, imposing automated audit trails, cybersecurity requirements for every high-risk AI system, incident reporting obligations, and penalties up to 3% of global revenue. Security directors face a two-wave sequence: July’s Glasswing disclosure cycle, then August’s compliance deadline.

Mike Riemer, Field CISO at Ivanti and a 25-year US Air Force veteran who works closely with federal cybersecurity agencies, told VentureBeat what he is hearing from the government. “Threat actors are reverse engineering patches, and the speed at which they’re doing it has been enhanced tremendously by AI,” Riemer said. “They’re able to reverse engineer a patch within 72 hours. So if I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.” Riemer was blunt about where that leaves the industry. “They are so far in front of us as defenders,” he said.

Grieco confirmed the other side of that collision at RSAC 2026. “If you talk to an operational team and many of our customers, they’re only patching yearly,” Grieco told VentureBeat. “And frankly, even in the best of circumstances, that is not fast enough.”

CSA’s Mogull makes the structural case that defenders hold the long-term advantage: fix a vulnerability once and every deployment benefits. But the transition period, when attackers reverse-engineer patches in 72 hours and defenders patch yearly, favors offense.

Mythos isn’t the only model finding these bugs. Researchers at AISLE, an AI cybersecurity startup, tested Anthropic’s showcase vulnerabilities on small, open-weights models and found that eight out of eight detected the FreeBSD exploit. AISLE says one model had only 3.6 billion parameters and costs 11 cents per million tokens, and that a 5.1-billion-parameter open model recovered the core analysis chain of the 27-year-old OpenBSD bug. AISLE’s conclusion: “The moat in AI cybersecurity is the system, not the model.” That makes the detection ceiling a structural problem, not a Mythos-specific one. Cheap models find the same bugs. The July timeline gets shorter, not longer.

Over 99% of the vulnerabilities Mythos has identified have not yet been patched, per Anthropic’s red team blog. The public Glasswing report lands in early July 2026. It will trigger a high-volume patch cycle across operating systems, browsers, cryptography libraries, and major infrastructure software. Security directors who have not expanded their patch pipeline, re-scoped their bug bounty programs, and built chainability scoring by then will absorb that wave cold. July isn’t a disclosure event. It’s a patch tsunami.

What to tell the board

Every security director tells the board “we have scanned everything.” Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, told VentureBeat that the statement doesn’t survive Mythos without a qualifier.

“What security leaders actually mean is: we have exhaustively scanned for what our tools know how to see,” Baer said in an exclusive interview with VentureBeat. “That’s a very different claim.”

Baer proposed reframing residual risk for boards around three tiers: known-knowns (vulnerability classes your stack reliably detects), known-unknowns (classes you know exist but your tools only partially cover, like stateful logic flaws and auth boundary confusion), and unknown-unknowns (vulnerabilities that emerge from composition, how safe components interact in unsafe ways). “This is where Mythos is landing,” Baer said.

The board-level statement Baer recommends: “We have high confidence in detecting discrete, known vulnerability classes. Our residual risk is concentrated in cross-function, multi-step, and compositional flaws that evade single-point scanners. We are actively investing in capabilities that raise that detection ceiling.”

On chainability, Baer was equally direct. “Chainability has to become a first-class scoring dimension,” she said. “CVSS was built to score atomic vulnerabilities. Mythos is exposing that risk is increasingly graph-shaped, not point-in-time.” Baer outlined three shifts security programs need to make: from severity scoring to exploitability pathways, from vulnerability lists to vulnerability graphs that model relationships across identity, data flow, and permissions, and from remediation SLAs to path disruption, where fixing any node that breaks the chain gets priority over fixing the highest individual CVSS.
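To make the path-disruption idea concrete, and to serve the “Build chainability scoring” action in the matrix above, here is an added Python example written for this page. It is not code from Anthropic, Glasswing, AISLE, or any vendor quoted here. Findings are modelled as edges between attacker states (a local user, leaked kernel addresses, a kernel write primitive, root), mirroring the two-to-four-step local kernel chains described earlier. The five findings V1 to V5, their CVSS scores, and their pre/post states are constructed for the example and correspond to no real CVE.

```python
"""Chainability scoring: rank findings by the attack paths they sit on rather
than by standalone CVSS. Added example; every finding below is constructed."""
from collections import defaultdict

# Constructed sample findings (hypothetical, not real CVEs). Each atomic finding
# carries its standalone CVSS base score, the attacker state it requires ("pre")
# and the attacker state it grants ("post"). States are the graph nodes; findings
# are the edges between them.
FINDINGS = [
    {"id": "V1", "cvss": 4.0, "pre": "local_user", "post": "kaslr_known",
     "desc": "kernel address leak (KASLR bypass)"},
    {"id": "V2", "cvss": 5.5, "pre": "kaslr_known", "post": "kernel_write",
     "desc": "race condition giving a constrained kernel write"},
    {"id": "V3", "cvss": 6.0, "pre": "kernel_write", "post": "root",
     "desc": "credential overwrite once kernel addresses are known"},
    {"id": "V4", "cvss": 3.3, "pre": "local_user", "post": "kaslr_known",
     "desc": "second, lower-rated kernel address leak"},
    {"id": "V5", "cvss": 9.8, "pre": "web_app", "post": "db_read",
     "desc": "critical on its own, but on no path to root"},
]


def build_graph(findings):
    """Map each attacker state to the (finding id, resulting state) edges leaving it."""
    graph = defaultdict(list)
    for f in findings:
        graph[f["pre"]].append((f["id"], f["post"]))
    return graph


def enumerate_paths(findings, start, goal):
    """Every simple chain of findings that carries an attacker from start to goal."""
    graph = build_graph(findings)
    paths = []

    def dfs(state, visited, chain):
        if state == goal:
            paths.append(list(chain))
            return
        for fid, nxt in graph.get(state, []):
            if nxt in visited:  # never revisit a state, so chains stay simple
                continue
            visited.add(nxt)
            chain.append(fid)
            dfs(nxt, visited, chain)
            chain.pop()
            visited.remove(nxt)

    dfs(start, {start}, [])
    return paths


def path_disruption_scores(findings, paths):
    """How many complete attack paths fixing each finding would break."""
    scores = {f["id"]: 0 for f in findings}
    for path in paths:
        for fid in set(path):
            scores[fid] += 1
    return scores


def rank_by_cvss(findings):
    """The conventional order: highest standalone CVSS first."""
    return [f["id"] for f in sorted(findings, key=lambda f: (-f["cvss"], f["id"]))]


def rank_by_disruption(findings, start, goal):
    """Chainability order: most paths broken first; CVSS only breaks ties."""
    paths = enumerate_paths(findings, start, goal)
    scores = path_disruption_scores(findings, paths)
    cvss = {f["id"]: f["cvss"] for f in findings}
    return sorted(scores, key=lambda fid: (-scores[fid], -cvss[fid], fid))


def minimal_fix_set(findings, start, goal):
    """Greedy cover: the fewest fixes after which no start-to-goal path remains."""
    cvss = {f["id"]: f["cvss"] for f in findings}
    remaining = enumerate_paths(findings, start, goal)
    fixes = []
    while remaining:
        scores = path_disruption_scores(findings, remaining)
        best = min(scores, key=lambda fid: (-scores[fid], -cvss[fid], fid))
        fixes.append(best)
        remaining = [p for p in remaining if best not in p]
    return fixes


if __name__ == "__main__":
    paths = enumerate_paths(FINDINGS, "local_user", "root")
    print("attack paths to root:  ", paths)
    print("CVSS-first order:      ", rank_by_cvss(FINDINGS))
    print("path-disruption order: ", rank_by_disruption(FINDINGS, "local_user", "root"))
    print("fewest fixes to break every path:", minimal_fix_set(FINDINGS, "local_user", "root"))
```

On these constructed inputs the CVSS-first queue starts with V5, which sits on no path to root, while the path-disruption order puts V3 and V2 first because every chain passes through them, and a single fix (V3) severs all of them. The greedy cover is an approximation, not an exact minimum cut, which is acceptable for prioritisation but should not be reported to a board as a proof that one patch closes every path.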

“Mythos isn’t just finding missed bugs,” Baer said. “It’s invalidating the assumption that vulnerabilities are independent. Security programs that don’t adapt, from coverage thinking to interaction thinking, will keep reporting green dashboards while sitting on red attack paths.”

VentureBeat will update this story with more operational details from Glasswing’s founding partners as interviews are completed.




Disclaimer: This article is sourced from external platforms. OverBeta has not independently verified the information. Readers are advised to verify details before relying on them.
