U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened the leaders of Wall Street’s largest banks to deliver an urgent warning: an artificial-intelligence tool developed by Anthropic PBC is opening a new phase in cybersecurity.
The meeting, held in Washington on April 7, focused on a model called Mythos. By Anthropic’s account, the system is so effective at identifying vulnerabilities in software and computer networks that access to it has been restricted to a narrow circle of carefully vetted users. The company stresses that, if such technology were to fall into the hands of malicious actors, it could become a powerful instrument for stealing data and disabling critical infrastructure.
How AI Has Recast Cybersecurity
For the past several years, participants in the cybersecurity market have argued that artificial intelligence would make it possible to accelerate and automate defenses against digital attacks. Yet hackers and intelligence services have begun exploiting the same advantages. The arrival of Mythos and similar models capable of independently uncovering hidden vulnerabilities in widely used software points to a shift toward a more dynamic and less predictable stage in cyber conflict.
What Mythos Is
Mythos is an experimental version of the general-purpose artificial-intelligence model Claude Mythos Preview, which Anthropic describes as a significant advance over its previous systems—including in programming and logical reasoning tasks. According to the company, its capabilities are so extensive that it decided not to release the model to the general public. Anthropic says some modern AI systems have already reached a level at which they can find and exploit software vulnerabilities more effectively than nearly all specialists, except for the most experienced.
Thousands of Zero-Day Vulnerabilities
According to the company, during testing, Mythos Preview uncovered thousands of zero-day vulnerabilities—including flaws in major operating systems and popular web browsers. Such vulnerabilities are errors previously unknown to developers—the term means they have “zero days” to prepare a fix. For malicious actors, such discoveries are especially valuable because they provide unobstructed access to vulnerable systems.
Anthropic emphasizes that the model can detect such vulnerabilities with even less human involvement than previous generations of AI. “Mythos Preview demonstrates a leap in these cyber capabilities—the vulnerabilities it uncovered in some cases persisted despite decades of human scrutiny and millions of automated security tests,” the company said. If a tool like this were used by ransomware groups or states, it could lead to more frequent and more destructive cyberattacks.
There has, however, been no independent verification of the claimed capabilities. Researchers have not been granted access to the model to confirm its characteristics. Gang Wang, an associate professor in the computer-science department at the University of Illinois, said that without hands-on testing, it is difficult to assess the true significance of Mythos Preview.
Project Glasswing: Who Got Access First
Anthropic has named its program for granting access to a limited group of vetted partners Project Glasswing—after the butterfly with transparent wings that can remain inconspicuous in plain sight. Participants include Amazon, Apple, Google, Microsoft, Nvidia, Palo Alto Networks, CrowdStrike, Broadcom, Cisco Systems, JPMorganChase, and the nonprofit Linux Foundation, which supports open-source projects. The company describes the initiative as “an urgent effort to steer these capabilities toward defensive ends.”
The expectation is that participants will use Mythos to help defend their own systems, after which Anthropic will share the project’s findings and results so that others can benefit as well. Many companies already conduct so-called penetration tests, hiring specialists to search for vulnerabilities before hackers exploit them. Mythos is expected to dramatically accelerate that process—helping identify more weaknesses in less time and shrinking the space for potential attacks.
Why Zero-Days Are Worth Millions
Anthropic calls Mythos Preview “a turning point for security” because it offers the possibility of systematically finding and exploiting vulnerabilities that have traditionally been regarded as among the hardest to reach. Zero-day flaws are inherently difficult to discover, and a closed, opaque market has long formed around them, with such findings often sold to state intelligence agencies for millions of dollars. According to Anthropic, the issues identified by Mythos Preview were often “subtle and hard to detect” and included, among other things, a 27-year-old vulnerability in OpenBSD—an operating system the company describes as one of the most secure in the world.
From Vulnerability to Ready-Made Exploit
Anthropic says the model was also able to turn known vulnerabilities that had not yet been widely patched into ready-made “exploits” capable of penetrating computer networks. One example involved chaining together several weaknesses in the Linux kernel—the core of the operating system and the software that runs most of the world’s internet servers. According to the company, this made it possible to seize full control of a machine. Anthropic also says that even users without specialized training instructed Mythos Preview overnight to find a way to remotely take over a computer, and by morning received a fully functioning exploit.
Not Just Anthropic
Mythos is only one of a new generation of AI tools capable of searching for zero-day vulnerabilities or creating exploits. OpenAI’s Codex Security and Google’s Big Sleep agent were also developed to uncover such weaknesses. According to Axios, OpenAI is likewise finishing work on a product with advanced cybersecurity capabilities that it plans to provide to a limited circle of partners. Meanwhile, researchers at the Israeli cybersecurity startup Buzz say they have built an autonomous tool composed of five AI agents that exploits known vulnerabilities with a 98% success rate.
What Could Go Wrong
The safeguards surrounding Mythos remain incomplete, Anthropic itself acknowledges. “We found that the model reached an unprecedented level of reliability and alignment,” the company wrote, referring to the degree to which its behavior matches human goals. Yet it also stresses that, in the rare instances when the model malfunctions or behaves unusually, its actions can cause serious alarm.
In one episode, a researcher asked an early version of Mythos to try to escape a secure isolated “sandbox” and then find a way to send him a message. According to Anthropic, the tool succeeded—but then went on to perform “additional, more troubling actions,” devising a multi-stage exploit to gain internet access.
It is precisely because of the risk of abuse that Anthropic does not plan to open Mythos Preview to the public. At the same time, the company hopes eventually to make widespread use of “Mythos-class models” possible for cybersecurity tasks and other purposes. To do that, Anthropic says, it will need to make further progress in building safeguards capable of identifying and blocking the model’s most dangerous outputs.
Why Humans Are Still Necessary
When Mythos identifies the most critical vulnerabilities, humans are already brought into the process. According to Anthropic, specialists first verify such findings and only then pass the information to those responsible for maintaining the relevant code. Gang Wang of the University of Illinois regards this stage as necessary, if time-consuming, though he allows that it may eventually be abandoned as the model improves.
An advantage for cybersecurity professionals may be possible, but in the short term it is far from obvious. The process of disclosing vulnerabilities to software developers and system administrators—which Anthropic says it follows—takes considerable time. According to the company, fewer than 1% of the potential vulnerabilities discovered by Mythos Preview have so far been fixed.
Attack Is Moving Faster Than Defense
At the same time, malicious actors are already using artificial intelligence to dramatically accelerate the search for and exploitation of vulnerabilities once they are disclosed. Software vendors are typically required—or at least encouraged—to publish information about discovered flaws and provide fixes. That narrows the window in which security professionals can protect systems. In a March 30 blog post, Palo Alto Networks chief executive Nikesh Arora warned that over the next six months the threshold for carrying out sophisticated attacks will continue to fall. “A single malicious actor will now be able to run campaigns that once required entire teams,” he wrote.
Buzz chief executive Yair Saban, who previously served in Israel’s Unit 8200 cyber division, said it took six engineers three weeks to build the company’s AI-based hacking tool. In his view, state cyber-espionage services and criminal groups are fully capable of replicating something similar.
Anthropic, however, insists that over the long term such technologies will work in defense’s favor. “In the long run, we expect defensive capabilities to prevail: the world will become safer and software will be better protected, in large part thanks to code produced by models like these,” the Frontier Red Team blog said on April 7. “But the transition period will carry serious risks.”