Anthropic's Claude Mythos isn't a sentient super-hacker, it's a sales pitch — claims of 'thousands' of severe zero-days rely on just 198 manual reviews


Claude AI developer Anthropic made headlines this week for its development and internal release of a new model known as Mythos. This mythically-named AI model allegedly has incredible capabilities, including finding bugs and vulnerabilities in various apps, operating systems, browsers, and legacy software. Enough that Anthropic was concerned about its general release and will instead keep it internal and focus on working with major tech companies and governments to prevent this tool from falling into the wrong hands, where it could cause untold mayhem.

That's the pitch in Anthropic's blog and verbose 250-page report on the model — which includes over 20 pages of Anthropic staff waxing lyrical about their novel impressions of the new model and its "fondness for particular philosophers."


Exploit hunting

The big "Project Glasswing" blog post and report on Mythos from Anthropic claimed its new model had found "thousands of high-severity vulnerabilities," which is indeed big news. Those bugs were said to be across every major operating system and web browser, and in some cases have been there for decades.

But it's not clear how realistic these vulnerabilities are, how many of them aren't actually exploitable, or even how problematic they are.

In the case of the FFmpeg vulnerability that has existed for 16 years, Anthropic's own analysis of the release suggested "This bug ultimately is not a critical severity vulnerability," and "would be challenging to turn this vulnerability into a functioning exploit."

Mythos reportedly found several potential exploits in the Linux kernel, but was unable to exploit any of them because of Linux's defense-in-depth security systems. A number of the exploits had also been recently patched, making it rather confusing why they were included in the total.

In its OSS-Fuzz-style testing of over 7,000 open source software stacks, Mythos found crashable exploits in around 600 examples and 10 severe vulnerabilities. That's a lot more than its previous Claude models, but not exactly thousands of devastating exploits.

Under the subheading "and several thousand more," Anthropic also states that it can't actually confirm that all of the thousands of bugs Mythos claims to have found are critical security vulnerabilities. It has just extrapolated that number from having found that in around 90% of the "198 manually reviewed vulnerability reports, [Anthropic's] expert contractors agreed with Claude’s severity assessment exactly."

It also can't discuss all the bugs in detail for security reasons. While that does make some measure of sense, it also makes it hard to accurately gauge the relative importance of its findings.

You're not worth it

As much as Anthropic claims it's keeping Mythos behind arbitrarily closed doors over what it claims are security fears, this isn't exactly out of character for the company. Its Claude tool was famously the first large language model AI to be given security clearance for use by the U.S. government and American military, and that only changed after it drew a line in the sand on being used for mass surveillance or fully autonomous targeting.

Anthropic might have a consumer-facing product in its coding tools, but it is very keen on selling its services to big companies and government entities. If it can sell Mythos to large firms or any number of governments around the world, why would it need to sell it to consumers?

Hot air, or real worries?

As much as Anthropic might sell itself as the security and safety-conscious AI developer, it has also repeatedly leveraged that public image as part of its sales pitch. Over the past couple of years, Anthropic has published several alarming papers, reports, and studies, many of them claiming that AI is dangerous and needs strict control and monitoring.

It claimed to have foiled the first AI hacking attempts in the latter months of last year, and it was Anthropic CEO Dario Amodei who said in May that year that AI could replace up to 20% of white-collar workers. He doubled down on that claim in 2026, saying that AI taking over jobs would overwhelm our ability to adapt.

Nvidia CEO Jensen Huang called out this fear-mongering in mid-2025, claiming Anthropic wanted to position itself as the only company that could responsibly develop AI.

This isn't even anything new in AI marketing. OpenAI was doing it in 2019, before ChatGPT was even a twinkle in Sam Altman's eye, and Dario Amodei hadn't yet left OpenAI.

Speaking of OpenAI, days after Anthropic's Mythos reveal, it was also working on an advanced cybersecurity AI model. It too will limit the rollout of this powerful and concerning tool, Axios reports. As models develop, they reach a similar level of capability, so it's no surprise that OpenAI could have a Mythos-level or adjacent model waiting in the wings.

Sentience and security

AI isn't conscious. It's more like a Chinese room from the John Searle thought experiment, but even then, it has no understanding. It doesn't truly remember anything in a biological sense; it can just recall contexts and weight its responses differently based on previous inputs. So, sentience and consciousness claims may yet be unfounded.

AI models may well be good at discovering vulnerabilities, and if Anthropic and other software developers can find and patch bugs using AI, that's good news, not scary news.

As Red Hat's analysis of this release shows, many of the bugs are functionality flaws and aren't a security concern. But even if hackers can leverage AI tools in the future to find exploits and then exploit them, that's only a concern if the security industry doesn't respond. Which it will.

So, sure, AI is impacting security. It already was. And it will continue to do so. While Mythos might be capable in ways that previous models were not, this appears to be part-marketing, part-truth. For the rest of us, this is just another AI model. For Anthropic, it's an opportunity to gain mindshare and potentially lucrative contracts.

Jon Martindale is a contributing writer for Tom's Hardware. For the past 20 years, he's been writing about PC components, emerging technologies, and the latest software advances. His deep and broad journalistic experience gives him unique insights into the most exciting technology trends of today and tomorrow.
