Claude Mythos and the shifting vulnerability landscape

Disclaimer: This report is based on information available up to 3 June 2026. Events or reporting after that date are not reflected here and may affect the assessment.

Anthropic's Claude Mythos presents a meaningful advance in AI-assisted vulnerability discovery, however for most enterprise environments, the immediate risk is more limited than some headlines suggest. Independent research published in the last few weeks shows that parts of Mythos-style vulnerability discovery can already be reproduced with publicly available frontier models.[1][2] Mythos should therefore be treated as an early view of a capability that is likely to become more widely available within twelve to eighteen months.[3]

The main concern is that the time between vulnerability disclosure and active exploitation is shrinking. At the same time, the volume of serious findings is likely to increase. What your organisation should immediately prepare for is not necessarily faster attackers, but an overall CVE volume increase, against a patch prioritization process that is likely already strained. The organisations best placed to handle this well will be the ones that already know which systems matter most, how exposed those systems are, and what the cost of compromise to the business could be.

This articles summarises what Mythos changes, the limits of the current threat, and the actions customers should prioritise now.

What we recommend that you do this month

Before disclosure volume increases, we recommend organisations complete three practical actions:

1. Review patch prioritisation for internet-facing and business-critical systems. The goal is to identify your top five genuinely urgent vulnerabilities and confirm that your response process can handle a compressed timeline for internet-facing critical systems.
2. Confirm visibility into third-party and open-source components in critical systems.
3. Review if monitoring would still surface meaningful post-exploitation detection if initial access came through an unknown vulnerability. Defendable’s APT Simulation services tests exactly this: not whether an attacker can gain a foothold, but whether they can do anything meaningful once they have one.

Mythos represents a real threat, but sound security basics remain the best foundation. The cost of weak basics will rise as disclosure volume increases. Organisations best placed to absorb the next wave will be those that already know which systems matter most, how those systems are maintained, and how quickly they can make risk-based decisions under pressure.

Why we recommend this

What mythos is changing:

The barrier for attackers is dropping
Before AI-assisted vulnerability research, discovering a novel zero-day in production software required deep expertise in areas such as memory safety, compiler behaviour, protocol quirks, and offensive tooling. That expertise was rare, expensive, and concentrated among nation-state programmes and specialist threat actors.

Mythos lowers the entry requirement. An attacker who can direct an AI model and provide access to a target codebase can conduct systematic vulnerability research that previously required a skilled human specialist. In controlled evaluations where the model was explicitly directed and given access to the test environment, the UK Government's AI Security Institute (AISI) found that Mythos completed a 32-step corporate network attack simulation, estimated to take a human expert 20 hours, in 3 of 10 attempts. It also succeeded on expert-level capture-the-flag challenges 73% of the time, against a baseline of 0% for any model before April 2025.[4]

The CSA's Mythos-ready briefing describes the likely direction clearly: average criminal groups may soon possess offensive AI capabilities that previously required nation-state resources.[5]

The time between disclosure and exploitation is shrinking
Defenders have often relied on the delay between a patch being issued and a working exploit appearing in the wild. That delay was already shrinking before Mythos. For the highest-risk tier, especially critical vulnerabilities in internet-exposed edge devices, VPN gateways, and identity infrastructure, exploitation can begin within hours of disclosure.[6] Organisations that patch on a weekly or monthly cycles face growing risk.

Project Glasswing findings may surface over the coming months
 Anthropic has stated that over 99% of the vulnerabilities Mythos identified remain unpatched upon the first release of findings.[7] As those findings move through coordinated disclosure and vendor patching, security teams should expect increased vulnerability volume across operating systems, browsers, cryptography libraries, and core infrastructure software. This has been reflected in updated reporting from Anthropic, who state that the latest Palo Alto Networks release included over five times as many patches as usual, and that Microsoft has reported that the number of new patches they’ll release will “continue trending larger for some time.” The exact timing, CVE assignment, and public exploitability will vary., but disclosures will now take place on a rolling basis, rather than a single surge [14]. Organisations without a prepared prioritisation process risk being overwhelmed if several high-impact disclosures arrive close together.

What makes Mythos different from earlier AI exploit tools
Three capabilities matter for defenders:

• Scale of discovery:
  Palo Alto Networks, a Project Glasswing partner, assessed that frontier AI models accomplished the equivalent of a full year of penetration testing effort in under three weeks.[8] This results in a massive compression of the discovery timeline that fundamentally changes the pace and scalability of vulnerability research.

• Vulnerability chaining:
  Mythos identifies compound vulnerabilities, where multiple lower severity bugs or flaws could be combined into critical exploit paths led into a single exploit path.[9]

• Full-stack logic analysis:
  Mythos analyses the complete exposure surface of applications, and has been shown to be capable at finding logic-based vulnerabilities that allow attackers to abuse legitimate functionality for malicious purposes. These types of vulnerabilities are often missed by traditional scanning tools.[8]
  
  

What Mythos does not change:

Security fundamentals still matter most
AISI's evaluation was explicit: organisations best positioned against Mythos-class threats have sound security basics, including regular patching, robust access controls, secure configuration, and comprehensive logging. Fundamental guidance from NSM’s grunnprinsipper for IKT-sikkerhet and the UK NCSC's Cyber Essentials framework remains directly applicable.[4] AI-assisted attacks find weak architecture faster; they do not make good architecture irrelevant.

Closed-source enterprise systems are not immediately wide open
One limitation noted by security practitioners is that Mythos, as currently understood, appears to be most effective when it has access to source code[10]. That may narrow its immediate advantage against some enterprise environments, especially where key systems are proprietary and not easily inspectable. It should not be treated as a hard boundary, however. Anthropic has also described Mythos work involving reverse engineering of closed-source binaries and analysis of closed-source browsers and operating systems.[7] Many enterprise platforms also depend heavily on open-source components, documented interfaces, and software that is only partially closed in practice.

A substantial share of enterprise software depends on open-source components and common libraries, so weaknesses in those building blocks can still create broad exposure across commercial products. Log4Shell is a clear precedent: a vulnerability in a widely embedded open-source component quickly can quickly an enterprise-wide security problem across many otherwise proprietary environments [11]. Source-code dependency may narrow some attack paths, but it does not remove Mythos-class risk.

There is no public evidence of threat actors using Mythos directly today
 When Mythos was first released, access to Mythos itself was restricted to around 50 vetted organisations through Project Glasswing.[7] A June update from Anthropic stated that it had expanded the program to include 150 additional organisations across 15 countries [13]. However, there is no public evidence that threat actors currently have direct access to Mythos or can direct it against customer environments. The more immediate concern is that public models and structured workflows can already approximate parts of Mythos-class discovery. 

Vidoc Security Lab published findings in AP showing that Claude Opus 4.6 and GPT-5.4, using an open-source coding agent and a standardised security review workflow, could reproduce Mythos findings in FreeBSD, OpenBSD, and Botan. Partial reproduction was achieved on FFmpeg and wolfSSL. The cost to scan a single file stayed below $30.[1]

The Vidoc results need careful interpretation. The researchers could only test against the small number of Mythos findings that Anthropic has made public, and over 99% of Mythos findings remain under embargo while vendors work on fixes.[7] Finding the same bug is also different from producing a ready-to-use exploit chain. The cases available for testing may have been among the easier Mythos findings, because the hardest cases have not yet been disclosed.

Furthermore, OpenAI’s GPT-5.5 was recently tested by the UK’s AI Security Institute (AISI) and assessed to be as capable as Mythos[12]. This shows that serious vulnerability discovery in production software is no longer confined to one gated model. The vulnerability discovery capability is not unique to Mythos, or GPT5.5. The difference between these gated models and public models lies in how reliably a finding can be turned into a working attack. It’s apparent here, that the gap is closing.

What you should do now

The following actions are prioritised for the next 30 days. They apply even if Mythos-class tools are not yet in active adversarial use, because they address weaknesses that become more serious as vulnerability discovery accelerates.

1.  Review your patch prioritisation process
   If your team triages patches mainly by CVSS severity score, that process needs to change. CVSS measures theoretical severity in isolation.[6] It does not measure exploitability in your specific environment, internet exposure, data sensitivity, or business dependency. A critical CVE in a segmented internal system with no sensitive data is a different risk from a critical CVE in an internet-facing payment platform, but patch queues often treat them too similarly.
   
   Action: Map your 10 highest CVSS-scoring open vulnerabilities against internet exposure, privilege boundary crossings, and business function. This exercise usually shows that two or three require urgent action and several others can be responsibly deferred.

2. Prioritise patch deployment for internet-facing systems
   For systems directly reachable from the internet, the target window between disclosure and patch deployment should be 24-48 hours for critical findings with known exploitation paths. This is shorter than many enterprise change management processes currently allow. Identify which systems, processes, and resources would need to change to reach that window.

3. Review your open-source dependency posture
   The Mythos findings span multiple foundational open-source projects, including OpenBSD, FreeBSD, FFmpeg, Botan, and wolfSSL.[7] Review your software estate for direct or transitive dependencies on these and similar foundational libraries. Create or refresh an inventory of third-party and open-source components for critical systems, and map how those components are updated in practice. This is especially important where open-source code is embedded inside proprietary products and can only be fixed through a vendor upgrade.

   That visibility also helps teams separate real exposure from vulnerabilities that are less relevant because the affected component or code path is not in use.

4. Prepare for a possible patch surge over the coming months
   As Glasswing findings move through disclosure and vendor patching, security teams should prepare for a compressed patch cycle across operating systems, browsers, cryptographic libraries, and infrastructure software.[5] Brief your change management board that an emergency patch cadence may be needed. Teams that prepare their patch pipeline in advance are less likely to face delays, backlog, and poor prioritisation when disclosure volume increases.
   
   

What should you consider in the long-term?

Build asset-to-business-impact mapping into vulnerability management
The strongest long-term response is to know which systems actually matter. Organisations that can answer "if this system is compromised, what is the blast radius and business consequence?" can make better triage decisions when critical CVEs appear.[10] This is the basis of risk-driven vulnerability management. It makes patch prioritisation more rational and less reactive.

Segmentation, ownership, and business context matter because they allow security decisions to be based on operational impact rather than technical severity alone.

Move toward continuous vulnerability assessment
Quarterly penetration testing and periodic scanning were designed for a slower vulnerability cycle. AI-accelerated discovery makes point-in-time assessment age faster.[5] Over time, organisations should move toward more frequent and automated review of internet-facing systems, critical applications, and code changes.

Invest in behavioural detection and resilience
As the skills floor for attackers drops, organisations should plan for some intrusions to succeed over time. Detection should therefore cover post-access behaviour such as privilege escalation, lateral movement, unusual service creation, suspicious remote execution, and access to high-value internal systems. Signatures tied to known exploits will not be enough.[5]

Build team capacity before disclosure volume increases
The CSA's assessment, and our own view based on customer experience, is that the volume of critical disclosures expected from Glasswing may exceed current team capacity for most organisations.[5] Review surge capacity now: who can triage new disclosures, who can approve emergency changes, who can validate exposure, and who has authority to defer lower-risk remediation. Where internal capacity is limited, identify in advance whether temporary support, vendor escalation paths, or managed service capacity will be needed. Burnout in security functions during a sustained high-volume response period is a real operational risk.

What do we monitor more closely for our customers going forward?

As an MDR provider for a large amount of customers, we are accustomed to a constantly changing threat landscape. In light of the outlined developments regarding Mythos and other AI models, we will focus on three key areas to mitigate the risks introduced.

Unusual privilege escalation patterns
Mythos-class exploits frequently chain multiple steps to achieve privilege escalation.[9] We will monitor for non-standard escalation paths, especially those combining multiple techniques.

Post-exploitation lateral movement from non-standard initial access points
If a zero-day is used for initial access, it may not trigger signature-based detections. The first detectable activity is often lateral movement or discovery activity from an unexpected host.[4] We continuously review and update the behavioral baselines across environments to ensure that novel initial access, even without a known signature, does not go undetected once an attacker begins to move.

Dependency on unpatched versions of impacted software
We will monitor for CVEs published against various products and software over the next weeks and months as Glasswing findings are disclosed, and notify affected customers accordingly.[7]

Which developments are we keeping a close eye on?

Defendable is following developments closely, and will monitor the following over the next coming months:

• Vendor patches from Glasswing disclosures
  Glasswing disclosures are rolling continuously and will do so for months. Anthropic's 90-day coordinated disclosure policy means that publicly available information likely only reflects a fraction of Mythos's actual findings to date. The pace of disclosure is likely being limited by the capacity of vendors and open-source maintainers to triage and patch findings.
  

• Glasswing expansion
  Project Glasswing has expanded to approximately 150 new organisations , with new sectors being added to the program, including power, water, healthcare, communications, and hardware. As the coalition grows, the range and type of software being scanned increases. With this, the breadth of potential disclosures affecting enterprise environments will also increase accordingly.

• Comparable capabilities in other frontier models
  Several AI labs are developing models with similar reasoning and code analysis capabilities. The UK AISI have conducted evaluations on OpenAI’s GPT-5.5 model, with testing indicating that it reaches a similar level of performance as Mythos.[12] The CSA estimates Mythos-class capability will reach open-weight models within six to twelve months.[5]

• Adversarial adoption of public AI-assisted vulnerability workflows
  Watch for credible reporting that threat actors are using public models and structured tooling to speed up vulnerability discovery, exploit validation, or patch-diff analysis. That would be a stronger indicator that the threat has moved from a frontier-lab capability to a broader operational risk.[1]

• EU AI Act implementation
  Organisations should note that the EU AI Act's obligations for high-risk AI systems apply from August 2026, with some exceptions. For organisations that deploy AI tools in security operations or vulnerability management contexts, compliance documentation and human oversight requirements may apply. For Norwegian customers, the EU AI Act is expected to be implemented into Norwegian law through the KI-loven, with the government aiming for Norwegian rules to apply from around the same time as the main EU rules in late summer 2026.

• AISI's next evaluation cycle
  AISI has indicated that it will evolve its evaluation environments to include active defenders and defensive tooling.[4] Results from those evaluations should give a more realistic picture of Mythos-class capability against well-defended systems.

References:

[1] Vidoc Security Lab, We Reproduced Anthropic's Mythos Findings With Public Models, April 2026. We Reproduced Anthropic's Mythos Findings With Public Models

[2] Defendable, Threat advisory ADV-857, Defendable Portal

[3] Wiz, Claude Mythos, April 2026. Claude Mythos: AI Finds, Exploits Vulnerabilities Faster | Wiz Blog

[4] UK AI Security Institute (AISI), Our Evaluation of Claude Mythos Preview's Cyber Capabilities, April 2026. Our evaluation of Claude Mythos Preview’s cyber capabilities | AISI Work

[5] Cloud Security Alliance, The "AI Vulnerability Storm": Building a "Mythos-ready" Security Program, April 2026. Lab Space

[6] Cloud Security Alliance, The Collapsing Exploit Window: AI-Speed Vulnerability Weaponization, April 2026. The Collapsing Exploit Window: AI-Speed Vulnerability Weaponization

[7] Anthropic Frontier Red Team, Assessing Claude Mythos Preview's Cybersecurity Capabilities, April 2026. Claude Mythos Preview \ red.anthropic.com

[8] Palo Alto Networks, Defender’s Guide to the Frontier AI Impact on Cybersecurity, 17 April 2026. Defender’s Guide to the Frontier AI Impact on Cybersecurity

[9] Anthropic, Project Glasswing: Securing Critical Software for the AI Era, April 2026. Project Glasswing: Securing critical software for the AI era

[10] Wil Rockall, The Mythos Zero-Days and the Patch Velocity Problem, LinkedIn, April 2026. Mythos, Zero-Days, and the Patch Velocity Problem

[11] UK NCSC, December 2021. Log4j vulnerability: what everyone needs to know

[12] AI Security Institute, Our evaluation of OpenAI's GPT-5.5 cyber capabilities, 30 April 2026. Our evaluation of OpenAI's GPT-5.5 cyber capabilities

[13] Anthropic, Expanding Project Glasswing, June 2026. Expanding Project Glasswing

[14] Anthropic, Project Glasswing: An Initial Update, May 2026. Project Glasswing: An initial update