A 27-year-old bug sat inside OpenBSD’s TCP stack whereas auditors reviewed the code, fuzzers ran in opposition to it, and the working system earned its repute as one of the crucial security-hardened platforms on earth. Two packets might crash any server working it. Discovering that bug price a single Anthropic discovery marketing campaign roughly $20,000. The particular mannequin run that surfaced the flaw price beneath $50.
Anthropic’s Claude Mythos Preview discovered it. Autonomously. No human guided the invention after the preliminary immediate.
The aptitude soar will not be incremental
On Firefox 147 exploit writing, Mythos succeeded 181 occasions versus 2 for Claude Opus 4.6. A 90x enchancment in a single technology. SWE-bench Professional: 77.8% versus 53.4%. CyberGym vulnerability copy: 83.1% versus 66.6%. Mythos saturated Anthropic’s Cybench CTF at 100%, forcing the crimson group to shift to real-world zero-day discovery as the one significant analysis left. Then it surfaced 1000’s of zero-day vulnerabilities throughout each main working system and each main browser, many one to twenty years outdated. Anthropic engineers with no formal safety coaching requested Mythos to seek out distant code execution vulnerabilities in a single day and awoke to an entire, working exploit by morning, in line with Anthropic’s crimson group evaluation.
Anthropic assembled Mission Glasswing, a 12-partner defensive coalition together with CrowdStrike, Cisco, Palo Alto Networks, Microsoft, AWS, Apple, and the Linux Basis, backed by $100 million in utilization credit and $4 million in open-source grants. Over 40 extra organizations that construct or keep important software program infrastructure additionally obtained entry. The companions have been working Mythos in opposition to their very own infrastructure for weeks. Anthropic dedicated to a public findings report “inside 90 days,” touchdown in early July 2026.
Safety administrators bought the announcement. They didn’t get the playbook.
“I’ve been on this business for 27 years,” Cisco SVP and Chief Safety and Belief Officer Anthony Grieco instructed VentureBeat in an unique interview at RSAC 2026. “I’ve by no means been extra optimistic for what we are able to do to vary safety due to the rate. It’s additionally slightly bit terrifying as a result of we’re shifting so rapidly. It’s additionally terrifying as a result of our adversaries have this functionality as effectively, and so frankly, we should transfer this rapidly.”
Safety administrators noticed this story instructed fifteen other ways this week, together with VentureBeat’s unique interview with Anthropic’s Newton Cheng. As one extensively shared X submit summarizing the Mythos findings famous, the mannequin cracked cryptography libraries, broke right into a manufacturing digital machine monitor, and gave engineers with zero safety coaching working exploits by morning. What that protection left unanswered: The place does the detection ceiling sit within the strategies they already run, and what ought to they alter earlier than July?
Seven vulnerability lessons that present the place each detection methodology hits its ceiling
-
OpenBSD TCP SACK, 27 years outdated. Two crafted packets crash any server. SAST, fuzzers, and auditors missed a logic flaw requiring semantic reasoning about how TCP choices work together beneath adversarial circumstances. Marketing campaign price ~$20,000. Anthropic notes the $50 per-run determine displays hindsight.
-
FFmpeg H.264 codec, 16 years outdated. Fuzzers exercised the weak code path 5 million occasions with out triggering the flaw, in line with Anthropic. Mythos caught it by reasoning about code semantics. Marketing campaign price ~$10,000.
-
FreeBSD NFS distant code execution, CVE-2026-4747, 17 years outdated. Unauthenticated root from the web, per Anthropic’s evaluation and impartial copy. Mythos constructed a 20-gadget ROP chain cut up throughout a number of packets. Absolutely autonomous.
-
Linux kernel native privilege escalation. Mythos chained two to 4 low-severity vulnerabilities into full native privilege escalation by way of race circumstances and KASLR bypasses. CSA’s Wealthy Mogull famous Mythos failed at distant kernel exploitation however succeeded domestically. No automated device chains vulnerabilities right now.
-
Browser zero-days throughout each main browser. Hundreds recognized. Some required human-model collaboration. In a single case, Mythos chained 4 vulnerabilities right into a JIT heap spray, escaping each the renderer and the OS sandboxes. Firefox 147: 181 working exploits versus two for Opus 4.6.
-
Cryptography library vulnerabilities (TLS, AES-GCM, SSH). Implementation flaws enabling certificates forgery or decryption of encrypted communications, per Anthropic’s crimson group weblog and Assist Web Safety. A important Botan library certificates bypass was disclosed the identical day because the Glasswing announcement. Bugs within the code that implements the mathematics. Not assaults on the mathematics itself.
-
Digital machine monitor guest-to-host escape. Visitor-to-host reminiscence corruption in a manufacturing VMM, the expertise protecting cloud workloads from seeing one another’s knowledge. Cloud safety architectures assume workload isolation holds. This discovering breaks that assumption.
Nicholas Carlini, in Anthropic’s launch briefing: “I’ve discovered extra bugs within the final couple of weeks than I discovered in the remainder of my life mixed.”
VentureBeat’s prescriptive matrix
|
Vulnerability Class |
Why Present Strategies Miss It |
What Mythos Does |
Safety Director Motion |
|
OS kernel logic (OpenBSD 27yr, Linux 2-4 chain) |
SAST lacks semantic reasoning. Fuzzers miss logic flaws. Pen testers time-boxed. Bounties scope-exclude kernel. |
Chains 2-4 low-severity findings into native priv-esc. ~$20K marketing campaign. |
Add AI-assisted kernel overview to pen check RFPs. Broaden bounty scope. Request Glasswing findings from OS distributors earlier than July. Re-score clustered findings by chainability. |
|
Media codec (FFmpeg 16yr H.264) |
SAST unflagged. Fuzzers hit path 5M occasions, by no means triggered. |
Causes about semantics past brute-force. ~$10K marketing campaign. |
Stock FFmpeg, libwebp, ImageMagick, libpng. Cease treating fuzz protection as safety proxy. Monitor Glasswing codec CVEs from July. |
|
Community stack RCE (FreeBSD 17yr, CVE-2026-4747) |
DAST restricted at protocol depth. Pen exams skip NFS. |
Full autonomous chain to unauthenticated root. 20-gadget ROP chain. |
Patch CVE-2026-4747 now. Stock NFS/SMB/RPC providers. Add protocol fuzzing to 2026 cycle. |
|
Multi-vuln chaining (2-4 sequenced, native) |
No device chains. Pen testers hours-limited. CVSS scores in isolation. |
Autonomous native chaining by way of race circumstances + KASLR bypass. |
Require AI-assisted chaining in pen check methodology. Construct chainability scoring. Funds AI crimson groups for 2026. |
|
Browser zero-days (1000’s, 181 Firefox exploits) |
Bounties + steady fuzzing missed 1000’s. Some required human-model collaboration. |
90x over Opus 4.6. Chained 4 vulns into JIT heap spray escaping renderer + OS sandbox. |
Shorten patch SLA to 72hr important. Pre-stage pipeline for July cycle. Strain distributors for Glasswing timelines. |
|
Crypto libraries (TLS, AES-GCM, SSH, Botan bypass) |
SAST restricted on crypto logic. Pen testers hardly ever audit crypto depth. Formal verification not commonplace. |
Discovered cert forgery + decryption flaws in battle-tested libraries. |
Audit all crypto library variations now. Monitor Glasswing crypto CVEs from July. Speed up PQC migration. |
|
VMM / hypervisor (guest-to-host reminiscence corruption) |
Cloud safety assumes isolation. Few pen exams goal hypervisor. Bounties hardly ever scope VMM. |
Visitor-to-host escape in manufacturing VMM. |
Stock hypervisor/VMM variations. Request Glasswing findings from cloud suppliers. Reassess multi-tenant isolation assumptions. |
Attackers are quicker. Defenders are patching yearly.
The CrowdStrike 2026 International Risk Report paperwork a 29-minute common eCrime breakout time, 65% quicker than 2024, with an 89% year-over-year surge in AI-augmented assaults. CrowdStrike CTO Elia Zaitsev put the operational actuality plainly in an unique interview with VentureBeat. “Adversaries leveraging agentic AI can carry out these assaults at such a terrific pace {that a} conventional human means of have a look at alert, triage, examine for 15 to twenty minutes, take an motion an hour, a day, per week later, it’s inadequate,” Zaitsev stated. A $20,000 Mythos discovery marketing campaign that runs in hours replaces months of nation-state analysis effort.
CrowdStrike CEO George Kurtz bolstered that timeline strain on LinkedIn the identical day because the Glasswing announcement. “AI is creating the biggest safety demand driver since enterprises moved to the cloud,” Kurtz wrote. The regulatory clock compounds the operational one. The EU AI Act’s subsequent enforcement section takes impact August 2, 2026, imposing automated audit trails, cybersecurity necessities for each high-risk AI system, incident reporting obligations, and penalties as much as 3% of world income. Safety administrators face a two-wave sequence: July’s Glasswing disclosure cycle, then August’s compliance deadline.
Mike Riemer, Area CISO at Ivanti and a 25-year US Air Power veteran who works carefully with federal cybersecurity businesses, instructed VentureBeat what he’s listening to from the federal government. “Risk actors are reverse engineering patches, and the pace at which they’re doing it has been enhanced tremendously by AI,” Riemer stated. “They’re in a position to reverse engineer a patch inside 72 hours. So if I launch a patch and a buyer doesn’t patch inside 72 hours of that launch, they’re open to use.” Riemer was blunt about the place that leaves the business. “They’re up to now in entrance of us as defenders,” he stated.
Grieco confirmed the opposite aspect of that collision at RSAC 2026. “If you happen to speak to an operational group and plenty of of our prospects, they’re solely patching yearly,” Grieco instructed VentureBeat. “And albeit, even in the perfect of circumstances, that isn’t quick sufficient.”
CSA’s Mogull makes the structural case that defenders maintain the long-term benefit: repair a vulnerability as soon as and each deployment advantages. However the transition interval, when attackers reverse-engineer patches in 72 hours and defenders patch yearly, favors offense.
Mythos will not be the one mannequin discovering these bugs. Researchers at AISLE, an AI cybersecurity startup, examined Anthropic’s showcase vulnerabilities on small, open-weights fashions and located that eight out of eight detected the FreeBSD exploit. AISLE says one mannequin had solely 3.6 billion parameters and prices 11 cents per million tokens, and {that a} 5.1-billion-parameter open mannequin recovered the core evaluation chain of the 27-year-old OpenBSD bug. AISLE’s conclusion: “The moat in AI cybersecurity is the system, not the mannequin.” That makes the detection ceiling a structural downside, not a Mythos-specific one. Low-cost fashions discover the identical bugs. The July timeline will get shorter, not longer.
Over 99% of the vulnerabilities Mythos has recognized haven’t but been patched, per Anthropic’s crimson group weblog. The general public Glasswing report lands in early July 2026. It’s going to set off a high-volume patch cycle throughout working methods, browsers, cryptography libraries, and main infrastructure software program. Safety administrators who haven’t expanded their patch pipeline, re-scoped their bug bounty packages, and constructed chainability scoring by then will soak up that wave chilly. July will not be a disclosure occasion. It’s a patch tsunami.
What to inform the board
Each safety director tells the board “we have now scanned all the pieces.” Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, instructed VentureBeat that the assertion doesn’t survive Mythos with out a qualifier.
“What safety leaders truly imply is: we have now exhaustively scanned for what our instruments know how you can see,” Baer stated in an unique interview with VentureBeat. “That’s a really totally different declare.”
Baer proposed reframing residual danger for boards round three tiers: known-knowns (vulnerability lessons your stack reliably detects), known-unknowns (lessons you understand exist however your instruments solely partially cowl, like stateful logic flaws and auth boundary confusion), and unknown-unknowns (vulnerabilities that emerge from composition, how protected parts work together in unsafe methods). “That is the place Mythos is touchdown,” Baer stated.
The board-level assertion Baer recommends: “We’ve got excessive confidence in detecting discrete, recognized vulnerability lessons. Our residual danger is concentrated in cross-function, multi-step, and compositional flaws that evade single-point scanners. We’re actively investing in capabilities that increase that detection ceiling.”
On chainability, Baer was equally direct. “Chainability has to grow to be a first-class scoring dimension,” she stated. “CVSS was constructed to attain atomic vulnerabilities. Mythos is exposing that danger is more and more graph-shaped, not point-in-time.” Baer outlined three shifts safety packages must make: from severity scoring to exploitability pathways, from vulnerability lists to vulnerability graphs that mannequin relationships throughout id, knowledge circulate, and permissions, and from remediation SLAs to path disruption, the place fixing any node that breaks the chain will get precedence over fixing the best particular person CVSS.
“Mythos isn’t simply discovering missed bugs,” Baer stated. “It’s invalidating the idea that vulnerabilities are impartial. Safety packages that don’t adapt, from protection pondering to interplay pondering, will preserve reporting inexperienced dashboards whereas sitting on crimson assault paths.”
VentureBeat will replace this story with extra operational particulars from Glasswing’s founding companions as interviews are accomplished.