Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Concerns about AI’s ability to amplify cybersecurity threats have been growing for years. Anthropic’s latest model could be a turning point after the company said the model can identify and exploit zero-day vulnerabilities in every major operating system and web browser.
One prominent use case for large language models is in code analysis and writing. This has long raised concerns that the technology could help automate much of the work of hackers, potentially lowering the barrier to cyberattacks.
Leading models show steady progress in various cybersecurity-related tests, and there is evidence that attackers are using this technology. But so far, the impact appears to have been modest, suggesting that practical barriers to widespread use of the technology remain.
According to Anthropic, that’s about to change. The company says its latest model, the Mythos, has such powerful hacking capabilities that the company won’t make it publicly available. Instead, it’s releasing Mythos to a select group of big tech companies and open-source developers through an initiative called Project Glasswing. Those involved can use the model to identify vulnerabilities in their code and fix them before hackers gain access to similar capabilities.
“The vulnerabilities that Mythos Preview finds and then exploits are findings that were previously only available to specialist experts,” the company’s researchers wrote. blog post. “We believe that the possibilities that future language models will bring will ultimately require a much broader, fundamental rethinking of computer security as a field.”
Fortune first reported the Mythos news last month after a leak from Anthropic revealed details about the new model. While the AI excels at cybersecurity tasks, it’s designed as a general-purpose model, and the company claims its hacking capabilities are simply the result of vastly improved coding and reasoning skills.
In testing, Anthropic researchers found that the model was able to find zero-day vulnerabilities—those that had not been previously discovered—in every major operating system and web browser. Many of them were decades old, which shows how difficult it was to spot them.
But the model is not only good at finding weak points. The company’s Red Team — security researchers who simulate hacking attacks to identify security weaknesses — showed that the model could combine multiple vulnerabilities to create sophisticated attacks capable of bypassing defenses.
Its capabilities are a step change from the previous best models. Given the difficulty of attacking Firefox’s JavaScript engine, Anthropic’s previous most powerful model, Opus 4.6, succeeded only twice, compared to 181 times for Mythos. Most alarmingly, the team found that engineers with no security experience could use it to develop successful attacks overnight.
The key to the new capabilities is the model’s ability to work autonomously for a long time. To find the bugs, the researchers used the Anthropic Claude Code coding agent to call the model and give it a simple prompt to find vulnerabilities in a specific codebase. The model then read the code, hypothesized potential bugs, and ran tests to verify them without human intervention.
The Anthropic team says Mythos is fundamentally reshaping the cybersecurity landscape, as exploits that would have taken experts weeks to develop can now be created in hours. In particular, they note that so-called “defense-in-depth” measures, which make it time-consuming and expensive to attack a system, may prove ineffective against models like Mythos.
“Language models quickly go through these tedious stages when running at scale,” they write. “Mitigation measures, whose security value comes primarily from friction rather than hard barriers, can become much weaker against adversaries using the model.”
Anthropic Frontier Red Team Leader Logan Graham, told Axios that they expect other companies to produce models with similar capabilities in the next six to 18 months. This was reported by sources familiar with the incident Axios that OpenAI is already finalizing a model with similar capabilities to the Mythos, which will have the same limited release.
In a blog post, the company’s researchers note that new security technology has historically benefited defenders more than attackers. If frontier labs are careful about releasing models, they think the same might be true here, but the transition is likely to be disruptive.
“We need to prepare now for a world where these capabilities are widely available in 6, 12, 24 months,” Graham said. told Wired. “A lot of things would be different in security. Many of the assumptions on which we’ve built modern security paradigms could be broken.”
It remains to be seen whether AI developers can maintain these capabilities long enough for the rest of the world to understand this new reality. But in any case, cybersecurity is likely to be even higher on the list of priorities in most boardrooms.
