Anthropic's yet-unreleased Claude Mythos Preview model has autonomously uncovered thousands of critical zero-day vulnerabilities across all major operating systems and web browsers, the company announced on April 9, 2026. Among them are a 27-year-old integer overflow bug in OpenBSD's TCP SACK handling and a 16-year-old error in FFmpeg's H.264 decoder, both previously missed by millions of automated tests and multiple manual audits.
Benchmark Scores Far Surpass Predecessor
On the Cybergym benchmark, Claude Mythos achieved 83.1% accuracy, compared to 66.6% for Claude Opus 4.6. On SWE-bench Verified, Mythos scored 93.9% vs. 80.8%; on SWE-bench Pro, it reached 77.8% vs. 53.4% — a 24-point gap. On Humanity's Last Exam (without tools), Mythos garnered 56.8%, while Opus managed 40.0%.
Mythos required no specialized cybersecurity training. It reads code in isolated containers, forms hypotheses about memory safety flaws, compiles and runs software, uses debuggers like Address Sanitizer, ranks files by exploit probability, and generates confirmed bug reports with working proof-of-concept exploits. In tests against Firefox 147's JavaScript engine, Mythos produced 181 full shell exploits and 29 register control cases, while Claude Opus 4.6 output only two shell exploits.
Project Glasswing: A Defensive AI Coalition
In response to Mythos' capabilities, Anthropic launched Project Glasswing to steer the model toward defensive use. Founding partners include Amazon Web Services, Apple, Broadcom, Cisco, Crowdstrike, Google, JPMorganChase, Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, with access expanding to over 40 more organizations. Anthropic has allocated up to $100 million in Mythos usage credits for defenders.
Currently, fewer than 1% of discovered vulnerabilities have been fully patched. Anthropic is coordinating responsible disclosure, publishing SHA-3 cryptographic commitments for unfixed issues, and adhering to a 90+45-day timeline before full publication. Already disclosed is the 17-year-old FreeBSD NFS remote code execution vulnerability (CVE-2026-4747), allowing unauthenticated root access.
Open Source Donations and Political PAC
Anthropic also pledged $4 million for open-source security: $2.5 million to Alpha-Omega via the Linux Foundation's OpenSSF, and $1.5 million to the Apache Software Foundation. On April 3, the company registered its first employee-funded political action committee, AnthroPAC, with the Federal Election Commission, anticipating a midterm election focused on AI regulation.
The company acknowledged that AI tools like Mythos lower the barrier for vulnerability discovery and exploitation, warning of short-term risks from nation-states (China, Iran, North Korea, Russia) and criminal groups if similar capabilities proliferate unchecked. Future Claude Opus releases will include safeguards to detect and block dangerous cybersecurity outputs, and a dedicated cyber-vetting program for verified security professionals is planned. A public report on partner findings and patched vulnerabilities is expected within 90 days.

