Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws
2 min readAnthropic has unveiled a new frontier AI model called Claude Mythos, and it has already done something no security team has managed at this scale: autonomously identify thousands of previously unknown software vulnerabilities across every major operating system and web browser. The announcement, made on April 7, came alongside Project Glasswing, a gated initiative to put Mythos to work defending the world’s most critical software.
A Model Built for the Security Era
Claude Mythos sits above Claude Opus 4.6 in Anthropic’s model lineup. While it performs strongly across general tasks, its headline capability is cybersecurity. Mythos combines advanced agentic reasoning with deep coding ability, allowing it to not just find flaws but understand their exploitability and context, much like a senior penetration tester would.
Anthropic describes the model as a “step change” above its current public offering. For now, it remains gated and is not available to the general public.
What Mythos Found
In the weeks before the public announcement, Anthropic turned Mythos loose on some of the world’s most widely deployed software. The results were striking. The model surfaced thousands of zero-day vulnerabilities across major operating systems and browsers, including a 17-year-old remote code execution flaw in FreeBSD (CVE-2026-4747) that allowed an attacker to gain root access on any machine running NFS. That vulnerability had gone undetected for nearly two decades.
The ability to find a bug this old and this severe points to something beyond pattern matching. Mythos appears to reason through code the way a skilled human researcher would, connecting subtle logic errors across large, complex codebases.
Project Glasswing: Who Gets Access
Access to Claude Mythos is being distributed through Project Glasswing, a partnership program that currently spans roughly 40 organizations. Named partners include Amazon, Apple, Broadcom, Cisco, CrowdStrike, the Linux Foundation, Microsoft, and Palo Alto Networks. Anthropic is distributing over $100 million in usage credits to give these partners real capacity to run large-scale security audits.
The goal is not just to fix today’s vulnerabilities but to help the industry develop the processes and tooling it will need to stay ahead of AI-assisted attackers going forward.
Why This Matters
The cybersecurity implications of models like Mythos cut both ways. A system capable of finding thousands of zero-days in weeks is also, in theory, capable of helping bad actors exploit them. Anthropic’s decision to keep Mythos off the open market and deploy it first through vetted defensive partnerships reflects a deliberate strategy to get ahead of that risk.
The broader signal here is that AI is moving from a research curiosity to an active participant in critical infrastructure security. As TechCrunch noted, this represents Anthropic’s clearest pivot yet toward specialized, high-stakes deployments rather than general consumer use. What Mythos finds and fixes now could quietly make the software billions of people rely on significantly safer.