What happened
The Next Web reports that Anthropic's Claude Mythos Preview uncovered thousands of previously undetected zero-day vulnerabilities across major operating systems and web browsers, including a single run that identified 271 issues in Firefox and long-standing bugs such as a 27-year-old OpenBSD bug and a 17-year-old remote code execution flaw in FreeBSD. The Next Web reports the company ran controlled testing in which the model "surpassed all but the most skilled humans at finding and exploiting software vulnerabilities." The Next Web also reports Anthropic warned of a six-to-twelve month window before adversaries could replicate similar capabilities and that the company is operating a controlled rollout called Project Glasswing with approximately 40 technology companies and institutions. The Next Web reports that the Federal Reserve chair and the US Treasury secretary convened bank CEOs to discuss the cyber risk raised by the findings. Anthropic CEO Dario Amodei is quoted by The Next Web describing the period as a "moment of danger" and warning of "some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that's done from ransomware on schools, hospitals, not to mention banks."
Editorial analysis - technical context
Industry observers have long warned that increasing model capability can lower the marginal cost of tasks such as vulnerability discovery. Models that automate discovery effectively collapse the asymmetry where attackers need only find one exploitable flaw while defenders must secure many. For practitioners, this implies a shift toward scalable automated testing, continuous scanning, and integrating model-assisted auditing into secure development lifecycles. These are generic industry patterns and not claims about Anthropic's internal roadmap.
Context and significance
The convergence of high-capability code-understanding models and widespread legacy codebases raises broad systemic risk for infrastructure and critical services. Central bank and Treasury engagement, as reported by The Next Web, signals regulatory and sectoral stakeholders are treating model-enabled exploitation as a financial stability and systemic cyber risk issue. For security teams and platform engineers, the immediate relevance is measurable: the discovery of long-undetected vulnerabilities across widely used projects demonstrates surface area that traditional manual audit programs have missed.
What to watch
Observers should track vendor disclosure and patching cadence, whether other organizations replicate similar model-assisted discovery, the scope of Project Glasswing disclosures, and any guidance from financial regulators or cross-industry incident-response efforts. Also monitor whether open-source and commercial tooling integrates model-assisted scanning into CI/CD and how bug-bounty programs adapt to model-generated findings.
Key Points
1. Model-driven vulnerability discovery can dramatically reduce attacker-defender asymmetry, forcing broader adoption of automated code scanning and patch workflows.
2. Discovery of decades-old bugs across major projects highlights persistent blind spots in manual auditing and the need for scalable, continuous testing.
3. Regulatory and sectoral attention increases when model capabilities threaten financial-sector resilience, raising coordination and disclosure as priority areas.
Scoring Rationale
A model that finds thousands of zero-days across core infrastructure and prompts Fed and Treasury engagement is industry-shaking for security and operations. The story forces practitioners to reassess automated code-audit tooling and regulatory coordination. Freshness subtracts a small amount.
