What is Mythos
Mythos is Anthropic’s latest AI model, and it is stirring up a tornado of concern in cybersecurity circles. Even before its release, Mythos discovered thousands of new sensitive vulnerabilities in commercial and open-source software, including all major operating systems and web browsers. One was in existence for over 27 years without the industry noticing.
Based on what it found, Anthropic felt it was so potentially dangerous that it throttled the initial release to a very limited number of close partners. This initial scan was conducted in-house by Anthropic, in a very short time, evaluating a limited number of systems, and not a result of having the global community of developers and vulnerability researchers use the tool.
Nobody has been willing to estimate what that would look like, but it will likely be orders of magnitude more than is currently being discovered.
One of the partners, Mozilla, used Mythos to evaluate its popular Firefox browser. Anthropic’s current model, Opus 4.6, identified 22 security-sensitive bugs in the previous version that were patched. Mythos identified an additional 271 bugs.
At that rate, if we extrapolate the number of vulnerabilities discovered in 2025, about 50 thousand, we would expect to see over 600 thousand vulnerabilities discovered in the 12 months following the widespread accessibility of Mythos.
The industry does not currently understand the downstream impacts of that scale.
And the problem does not end with vulnerabilities.
3 Things Mythos Excels at
Mythos excels at 3 things.
1. Vulnerability discovery — it does it faster, deeper, and across the stacks
2. Exploit creation — the automatic creation of hacks that previously required human guidance and a lot of time
3. Vulnerability chaining — stitching together lesser vulnerabilities in ways humans can’t easily comprehend.
Combined, these three capabilities pose a significant risk as hackers use modern AI tools to orchestrate attacks to move quickly and outmaneuver security defenders. Now they have tremendous power and speed.
Who is concerned?
Everyone. Software developers, cybersecurity, every industry — including critical infrastructures like healthcare, telecommunications, transportation, and power. Recently, the heads of top Wall Street finance firms met to discuss how Mythos may put global banking at risk. The White House also called in Anthropic to discuss the risks to government agencies, departments, and national critical infrastructures.
And let me be clear, Anthropic is not a security company. They are a brilliant AI company. So, what are the cybersecurity companies that had early access saying? They are also very concerned.
Why is it a problem?
The speed of vulnerability discovery will shrink to a small fraction of what it is now. The number of vulnerabilities discovered will rise sharply. Exploits will be created very soon after discovery for all of them, not just a select few, and more zero-day attacks will happen. This will tie up security operations, crisis response, digital forensics, and incident response. This doesn’t just put pressure on developers; it crushes their patching process and system for security assurance.
Take for example Microsoft’s Patch Tuesday, which occurs on the 2nd Tuesday of every month. This cadence reflects a balance between the time it takes to validate a vulnerability, prepare and test a patch, and deploy it to customers; versus the time it takes for attackers to build an exploit for the vulnerability and use it against victims. There is a window of time, about a month, that Microsoft has to manage the risk.
But if AI models, like Mythos, can find a vulnerability, create an exploit, and attack victims in hours or days, this entire operating model becomes too slow and ineffective.