A 27-year-old bug in OpenBSD. A web browser exploit capable of leaking data across domains. Multiple weaknesses in cryptography libraries. Anthropic's Claude Mythos Preview model identified these and thousands more high- and critical-severity vulnerabilities in major software, despite not having been explicitly trained for security research.
Anthropic's Frontier Red Team announced the findings in April, reporting that Mythos Preview had identified vulnerabilities in every major operating system and every major web browser. The model's approach, following data flows across abstraction layers to reason about code semantics, is closer to how a security researcher works than to the pattern-matching of conventional static analysis tools.
The discovery prompted Anthropic to launch Project Glasswing, a programme to help organisations detect and address AI-assisted cyberattacks. Its launch partners include Amazon Web Services, Apple, Google, Microsoft, and Nvidia, which will use Mythos Preview to scan and secure software.
Among the specific vulnerabilities uncovered: a bug in OpenBSD present since 1998 that would allow a remote attacker to crash any machine running the OS; a browser exploit that could let a criminal with their own domain read data from another, including banking data; and weaknesses in cryptography libraries that could allow encrypted communications to be decrypted or certificates forged.
Nayan Goel, principal application-security engineer at financial services company Upgrade, said: "These tools produce probabilistic outputs. They're not the final verdict. They cannot act as a substitute for your secure design reviews or penetration testing reviews. You still need somebody who understands the business logic behind your code and reviews that. And anytime AI gives us a finding, it goes through a verification process. There's always a human in the loop so we create these trust boundaries."
Goel also cited dynamic threat modelling and red teaming as essential complements: evaluating likely threats as systems evolve and assessing safety risks, rather than treating AI vulnerability scanning as a standalone capability. Shifting security earlier in the software development process, when code is being written, compounds the benefit.
