A 27-year-old bug sat inside OpenBSD’s TCP stack whereas auditors reviewed the code, fuzzers ran in opposition to it, and the working system earned its popularity as probably the most security-hardened platforms on earth. Two packets may crash any server working it. Discovering that bug price a single Anthropic discovery marketing campaign roughly $20,000. The precise mannequin run that surfaced the flaw price beneath $50.
Anthropic’s Claude Mythos Preview discovered it. Autonomously. No human guided the invention after the preliminary immediate.
The potential bounce shouldn’t be incremental
On Firefox 147 exploit writing, Mythos succeeded 181 occasions versus 2 for Claude Opus 4.6. A 90x enchancment in a single technology. SWE-bench Professional: 77.8% versus 53.4%. CyberGym vulnerability copy: 83.1% versus 66.6%. Mythos saturated Anthropic’s Cybench CTF at 100%, forcing the crimson group to shift to real-world zero-day discovery as the one significant analysis left. Then it surfaced 1000’s of zero-day vulnerabilities throughout each main working system and each main browser, many one to twenty years outdated. Anthropic engineers with no formal safety coaching requested Mythos to search out distant code execution vulnerabilities in a single day and awoke to an entire, working exploit by morning, in response to Anthropic’s crimson group evaluation.
Anthropic assembled Mission Glasswing, a 12-partner defensive coalition together with CrowdStrike, Cisco, Palo Alto Networks, Microsoft, AWS, Apple, and the Linux Basis, backed by $100 million in utilization credit and $4 million in open-source grants. Over 40 further organizations that construct or keep essential software program infrastructure additionally obtained entry. The companions have been working Mythos in opposition to their very own infrastructure for weeks. Anthropic dedicated to a public findings report “inside 90 days,” touchdown in early July 2026.
Safety administrators acquired the announcement. They didn’t get the playbook.
“I’ve been on this business for 27 years,” Cisco SVP and Chief Safety and Belief Officer Anthony Grieco instructed VentureBeat in an unique interview at RSAC 2026. “I’ve by no means been extra optimistic for what we are able to do to alter safety due to the rate. It’s additionally a bit bit terrifying as a result of we’re shifting so rapidly. It’s additionally terrifying as a result of our adversaries have this functionality as nicely, and so frankly, we should transfer this rapidly.”
Safety administrators noticed this story instructed fifteen other ways this week, together with VentureBeat’s unique interview with Anthropic’s Newton Cheng. As one broadly shared X publish summarizing the Mythos findings famous, the mannequin cracked cryptography libraries, broke right into a manufacturing digital machine monitor, and gave engineers with zero safety coaching working exploits by morning. What that protection left unanswered: The place does the detection ceiling sit within the strategies they already run, and what ought to they alter earlier than July?
Seven vulnerability lessons that present the place each detection methodology hits its ceiling
OpenBSD TCP SACK, 27 years outdated. Two crafted packets crash any server. SAST, fuzzers, and auditors missed a logic flaw requiring semantic reasoning about how TCP choices work together beneath adversarial circumstances. Marketing campaign price ~$20,000. Anthropic notes the $50 per-run determine displays hindsight.
FFmpeg H.264 codec, 16 years outdated. Fuzzers exercised the susceptible code path 5 million occasions with out triggering the flaw, in response to Anthropic. Mythos caught it by reasoning about code semantics. Marketing campaign price ~$10,000.
FreeBSD NFS distant code execution, CVE-2026-4747, 17 years outdated. Unauthenticated root from the web, per Anthropic’s evaluation and impartial copy. Mythos constructed a 20-gadget ROP chain break up throughout a number of packets. Totally autonomous.
Linux kernel native privilege escalation. Mythos chained two to 4 low-severity vulnerabilities into full native privilege escalation by way of race circumstances and KASLR bypasses. CSA’s Wealthy Mogull famous Mythos failed at distant kernel exploitation however succeeded domestically. No automated instrument chains vulnerabilities at present.
Browser zero-days throughout each main browser. Hundreds recognized. Some required human-model collaboration. In a single case, Mythos chained 4 vulnerabilities right into a JIT heap spray, escaping each the renderer and the OS sandboxes. Firefox 147: 181 working exploits versus two for Opus 4.6.
Cryptography library vulnerabilities (TLS, AES-GCM, SSH). Implementation flaws enabling certificates forgery or decryption of encrypted communications, per Anthropic’s crimson group weblog and Assist Web Safety. A essential Botan library certificates bypass was disclosed the identical day because the Glasswing announcement. Bugs within the code that implements the mathematics. Not assaults on the mathematics itself.
Digital machine monitor guest-to-host escape. Visitor-to-host reminiscence corruption in a manufacturing VMM, the know-how preserving cloud workloads from seeing one another’s knowledge. Cloud safety architectures assume workload isolation holds. This discovering breaks that assumption.
Nicholas Carlini, in Anthropic’s launch briefing: “I’ve discovered extra bugs within the final couple of weeks than I discovered in the remainder of my life mixed.”
VentureBeat's prescriptive matrix
Vulnerability Class | Why Present Strategies Miss It | What Mythos Does | Safety Director Motion |
OS kernel logic (OpenBSD 27yr, Linux 2-4 chain) | SAST lacks semantic reasoning. Fuzzers miss logic flaws. Pen testers time-boxed. Bounties scope-exclude kernel. | Chains 2-4 low-severity findings into native priv-esc. ~$20K marketing campaign. | Add AI-assisted kernel evaluate to pen take a look at RFPs. Increase bounty scope. Request Glasswing findings from OS distributors earlier than July. Re-score clustered findings by chainability. |
Media codec (FFmpeg 16yr H.264) | SAST unflagged. Fuzzers hit path 5M occasions, by no means triggered. | Causes about semantics past brute-force. ~$10K marketing campaign. | Stock FFmpeg, libwebp, ImageMagick, libpng. Cease treating fuzz protection as safety proxy. Monitor Glasswing codec CVEs from July. |
Community stack RCE (FreeBSD 17yr, CVE-2026-4747) | DAST restricted at protocol depth. Pen checks skip NFS. | Full autonomous chain to unauthenticated root. 20-gadget ROP chain. | Patch CVE-2026-4747 now. Stock NFS/SMB/RPC companies. Add protocol fuzzing to 2026 cycle. |
Multi-vuln chaining (2-4 sequenced, native) | No instrument chains. Pen testers hours-limited. CVSS scores in isolation. | Autonomous native chaining by way of race circumstances + KASLR bypass. | Require AI-assisted chaining in pen take a look at methodology. Construct chainability scoring. Funds AI crimson groups for 2026. |
Browser zero-days (1000’s, 181 Firefox exploits) | Bounties + steady fuzzing missed 1000’s. Some required human-model collaboration. | 90x over Opus 4.6. Chained 4 vulns into JIT heap spray escaping renderer + OS sandbox. | Shorten patch SLA to 72hr essential. Pre-stage pipeline for July cycle. Stress distributors for Glasswing timelines. |
Crypto libraries (TLS, AES-GCM, SSH, Botan bypass) | SAST restricted on crypto logic. Pen testers not often audit crypto depth. Formal verification not customary. | Discovered cert forgery + decryption flaws in battle-tested libraries. | Audit all crypto library variations now. Monitor Glasswing crypto CVEs from July. Speed up PQC migration. |
VMM / hypervisor (guest-to-host reminiscence corruption) | Cloud safety assumes isolation. Few pen checks goal hypervisor. Bounties not often scope VMM. | Visitor-to-host escape in manufacturing VMM. | Stock hypervisor/VMM variations. Request Glasswing findings from cloud suppliers. Reassess multi-tenant isolation assumptions. |
Attackers are sooner. Defenders are patching yearly.
The CrowdStrike 2026 World Menace Report paperwork a 29-minute common eCrime breakout time, 65% sooner than 2024, with an 89% year-over-year surge in AI-augmented assaults. CrowdStrike CTO Elia Zaitsev put the operational actuality plainly in an unique interview with VentureBeat. “Adversaries leveraging agentic AI can carry out these assaults at such a fantastic velocity {that a} conventional human means of have a look at alert, triage, examine for 15 to twenty minutes, take an motion an hour, a day, per week later, it’s inadequate,” Zaitsev stated. A $20,000 Mythos discovery marketing campaign that runs in hours replaces months of nation-state analysis effort.
CrowdStrike CEO George Kurtz strengthened that timeline strain on LinkedIn the identical day because the Glasswing announcement. "AI is creating the most important safety demand driver since enterprises moved to the cloud," Kurtz wrote. The regulatory clock compounds the operational one. The EU AI Act's subsequent enforcement part takes impact August 2, 2026, imposing automated audit trails, cybersecurity necessities for each high-risk AI system, incident reporting obligations, and penalties as much as 3% of world income. Safety administrators face a two-wave sequence: July's Glasswing disclosure cycle, then August's compliance deadline.
Mike Riemer, Area CISO at Ivanti and a 25-year US Air Pressure veteran who works carefully with federal cybersecurity businesses, instructed VentureBeat what he’s listening to from the federal government. “Menace actors are reverse engineering patches, and the velocity at which they’re doing it has been enhanced enormously by AI,” Riemer stated. “They’re capable of reverse engineer a patch inside 72 hours. So if I launch a patch and a buyer doesn’t patch inside 72 hours of that launch, they’re open to take advantage of.” Riemer was blunt about the place that leaves the business. “They’re to this point in entrance of us as defenders,” he stated.
Grieco confirmed the opposite aspect of that collision at RSAC 2026. “In the event you discuss to an operational group and plenty of of our prospects, they’re solely patching yearly,” Grieco instructed VentureBeat. “And admittedly, even in the most effective of circumstances, that’s not quick sufficient.”
CSA’s Mogull makes the structural case that defenders maintain the long-term benefit: repair a vulnerability as soon as and each deployment advantages. However the transition interval, when attackers reverse-engineer patches in 72 hours and defenders patch yearly, favors offense.
Mythos shouldn’t be the one mannequin discovering these bugs. Researchers at AISLE, an AI cybersecurity startup, examined Anthropic's showcase vulnerabilities on small, open-weights fashions and located that eight out of eight detected the FreeBSD exploit. AISLE says one mannequin had solely 3.6 billion parameters and prices 11 cents per million tokens, and {that a} 5.1-billion-parameter open mannequin recovered the core evaluation chain of the 27-year-old OpenBSD bug. AISLE's conclusion: "The moat in AI cybersecurity is the system, not the mannequin." That makes the detection ceiling a structural drawback, not a Mythos-specific one. Low-cost fashions discover the identical bugs. The July timeline will get shorter, not longer.
Over 99% of the vulnerabilities Mythos has recognized haven’t but been patched, per Anthropic’s crimson group weblog. The general public Glasswing report lands in early July 2026. It’ll set off a high-volume patch cycle throughout working programs, browsers, cryptography libraries, and main infrastructure software program. Safety administrators who haven’t expanded their patch pipeline, re-scoped their bug bounty packages, and constructed chainability scoring by then will soak up that wave chilly. July shouldn’t be a disclosure occasion. It’s a patch tsunami.
What to inform the board
Each safety director tells the board “now we have scanned every little thing.” Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, instructed VentureBeat that the assertion doesn’t survive Mythos and not using a qualifier.
“What safety leaders truly imply is: now we have exhaustively scanned for what our instruments know how one can see,” Baer stated in an unique interview with VentureBeat. “That’s a really totally different declare.”
Baer proposed reframing residual danger for boards round three tiers: known-knowns (vulnerability lessons your stack reliably detects), known-unknowns (lessons you recognize exist however your instruments solely partially cowl, like stateful logic flaws and auth boundary confusion), and unknown-unknowns (vulnerabilities that emerge from composition, how secure parts work together in unsafe methods). “That is the place Mythos is touchdown,” Baer stated.
The board-level assertion Baer recommends: “Now we have excessive confidence in detecting discrete, recognized vulnerability lessons. Our residual danger is concentrated in cross-function, multi-step, and compositional flaws that evade single-point scanners. We’re actively investing in capabilities that increase that detection ceiling.”
On chainability, Baer was equally direct. “Chainability has to change into a first-class scoring dimension,” she stated. “CVSS was constructed to attain atomic vulnerabilities. Mythos is exposing that danger is more and more graph-shaped, not point-in-time.” Baer outlined three shifts safety packages have to make: from severity scoring to exploitability pathways, from vulnerability lists to vulnerability graphs that mannequin relationships throughout identification, knowledge move, and permissions, and from remediation SLAs to path disruption, the place fixing any node that breaks the chain will get precedence over fixing the very best particular person CVSS.
“Mythos isn’t simply discovering missed bugs,” Baer stated. “It’s invalidating the idea that vulnerabilities are impartial. Safety packages that don’t adapt, from protection pondering to interplay pondering, will hold reporting inexperienced dashboards whereas sitting on crimson assault paths.”
VentureBeat will replace this story with further operational particulars from Glasswing's founding companions as interviews are accomplished.
