- AI Can Now Find Zero-Days in Every Major OS and Browser
- 90x Leap in Autonomous Exploit Development in One Model Generation
- Non-Experts Can Now Find RCE Vulnerabilities Overnight
- Project Glasswing — Anthropic's Defensive-First Deployment
- What This Means for Small Business Security
AI Can Now Find Zero-Days in Every Major OS and Browser
What: Anthropic's new Claude Mythos Preview model can identify and exploit zero-day vulnerabilities in every major operating system and every major web browser. The oldest bug it surfaced was a 27-year-old vulnerability in OpenBSD. Over 99% of the vulnerabilities the model found have not yet been patched upstream.
Source: red.anthropic.com
Applies to: All internet-connected software — operating systems, browsers, servers, runtimes, embedded firmware
Why it matters: Autonomous zero-day discovery at scale removes the single biggest defensive assumption of the last 30 years — that attacker effort is a rate limit. If an AI can triage a hardened codebase like OpenBSD and surface a 1998 vulnerability, nothing in any production stack is "hidden by obscurity" anymore.
90x Leap in Autonomous Exploit Development in One Model Generation
What: Previous-generation Claude Opus 4.6 had a near-zero success rate at autonomous exploit development — just 2 successful exploits out of hundreds of attempts against a Firefox vulnerability corpus. Mythos Preview produced 181 working exploits on the same test set, plus 29 more that achieved register control. In a separate benchmark against the OSS-Fuzz corpus, the model achieved full control-flow hijack on 10 separate fully-patched targets.
Source: red.anthropic.com
Applies to: Memory-unsafe codebases — C and C++ software, browser engines, operating system kernels, media codecs, network daemons
Why it matters: A 90x jump in exploit reliability within a single model generation rewrites the defender timeline. Patch cycles measured in weeks cannot keep up with attacker tooling that generates new working exploits overnight. The window between vulnerability disclosure and active exploitation is collapsing toward zero.
Non-Experts Can Now Find RCE Vulnerabilities Overnight
What: Anthropic engineers without formal security training asked Mythos Preview to find remote code execution vulnerabilities in target software overnight and woke up to complete working exploits. Researchers have published scaffold configurations that let the model turn a discovered vulnerability into a weaponized exploit with zero human intervention.
Source: red.anthropic.com
Applies to: Any software without continuous formal security review — plugins, themes, libraries, SaaS integrations, internal tools
Why it matters: The skill barrier for offensive security is collapsing. Anyone with API access and a credit card now becomes a credible attacker against unpatched systems. Historically the distinction between "researcher" and "attacker" was training and time. Both are now commoditized.
Project Glasswing — Anthropic's Defensive-First Deployment
What: Anthropic announced Project Glasswing, a program releasing Mythos Preview initially and exclusively to a limited group of critical industry partners and open source maintainers. The stated goal is to let defenders secure critical systems before similar capabilities become broadly available. Anthropic explicitly acknowledges that "the transitional period may be tumultuous" and that short-term advantage may belong to attackers, not defenders.
Source: anthropic.com
Applies to: Critical infrastructure operators, nation-state-relevant software maintainers, frontier security teams
Why it matters: A limited-access defensive window before attacker capabilities catch up — and Anthropic is publicly telling you that window will not last. Organizations without API-level offensive testing are on the wrong side of the asymmetry. Arc Security, as an AI-native defense layer, is one of the few ways small businesses can even participate in this response.
What This Means for Small Business Security
What: If AI can autonomously find and exploit zero-days in hardened systems like OpenBSD and fully-patched OSS-Fuzz corpus software, the threat against unpatched small business websites is exponentially greater. Automated AI-powered scanning at commodity cost means every website — every WordPress install, every shared-hosting account, every dormant landing page — is now a meaningful target. The gap between enterprise security teams with budget for continuous red-teaming and small business owners with no security resources whatsoever is about to become a chasm.
Source: Arc Security Research Analysis
Applies to: Small and medium business websites, WordPress sites, self-hosted infrastructure, anyone without a dedicated security team
Why it matters: AI-powered defense is no longer optional. The only way to keep pace with AI-powered attacks is AI-powered defense — a layer that continuously monitors, triages, patches, and responds at machine speed. Human-speed security is already obsolete against this class of attacker. Arc was built for exactly this inflection point.