ON 7 April, Anthropic announced that its latest large language model, Claude Mythos, could identify and exploit software vulnerabilities at machine speed, raising alarms about an AI red teamer accessible to potential threat actors. According to Anthropic, the Claude Mythos model can find and exploit zero-day bugs in every major operating system and every major Web browser, and the company even cited a 27-year-old OpenBSD flaw as proof.
To study and mitigate the risk, a consortium dubbed Project Glasswing brings together cloud providers, finance firms and security players—including AWS, Google, Microsoft, Anthropic, Apple, Cisco, CrowdStrike and JP Morgan Chase—to test Mythos before public release. The discussion surrounding Mythos touches on government–industry coordination, the pace of information sharing with agencies like CISA, and whether regulatory approaches can keep up with rapid, machine-speed vulnerability discovery.
Critics question the tool’s potency and warn that patching and defensive practices must adapt to a landscape where threat actors might access capabilities that lower the bar for exploitation.