Claude Mythos Preview demonstrates unprecedented capability to autonomously discover and exploit zero-day vulnerabilities across operating systems, web browsers, and critical software—finding subtle bugs ranging from 27 years old to previously undetected in heavily audited codebases like FFmpeg and memory-safe VMMs.
These exploit capabilities emerged unexpectedly as byproducts of general improvements in code reasoning and autonomy rather than explicit training, enabling non-expert users to develop working exploits overnight and achieving dramatic improvements over prior models (181 working exploits vs. 2 for Opus 4.6 on Firefox vulnerabilities).
Mythos Preview identified thousands of high- and critical-severity vulnerabilities through a responsible disclosure process using agentic scaffolds that autonomously hypothesize, test, and validate bugs; human validators confirmed 89% of severity assessments matched expert review exactly.
The model successfully reverse-engineered complex exploits including JIT heap sprays escaping sandboxes, KASLR bypasses, ROP chain construction, and guest-to-host memory corruption in virtual machines, demonstrating qualitative advances beyond fuzzing and human-led security review.
Anthropic launched Project Glasswing to distribute Mythos Preview to critical industry partners and open-source developers first, aiming to shift the defensive advantage toward security practitioners before broader availability creates a transitional period where attackers might gain asymmetric advantage.