Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.
Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
What Anthropic's Project Glasswing actually means
I've been following Anthropic's cybersecurity-adjacent work since they started partnering with DARPA in 2024. The April 2026 Mythos + Glasswing announcement is the most substantial AI security program any frontier lab has put together. Worth understanding in detail even if you don't have access yet.
The announcement included Claude Mythos Preview with specific cyber capabilities, Project Glasswing as the formal program wrapper, $100M committed in usage credits, $4M to open-source security tooling, and 40+ partners including AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, and Palo Alto Networks.
This post covers what Mythos can actually do based on what Anthropic has disclosed, what Glasswing changes about how AI security tooling gets into the hands of actual defenders, and what it means for pentest firms like us trying to get access.
What Anthropic announced
What Mythos does
Automated vulnerability research across 1,000 open-source repositories (7,000 entry points). Previous models reached tier 1 on 150-175 cases. Mythos achieved 595 crashes across tiers 1-2, plus 10 full control flow hijacks on patched targets (tier 5, meaning complete arbitrary code execution).
CVE-2026-4747
A 17-year-old remote code execution in FreeBSD NFS. Found fully autonomously. Unauthenticated root access from anywhere on the internet. In a codebase audited by world-class researchers for nearly two decades.
"Autonomous" means: given a clear objective, source code access, and compute. It didn't decide to look at FreeBSD on its own. It systematically generated inputs, observed outputs, and refined based on feedback.
This is fuzzing, not thinking
What Mythos does is functionally equivalent to what human security researchers do when fuzzing, at humanly impossible speed and scale. The same mechanism that lets ChatGPT complete a sentence lets Mythos identify vulnerable code paths. Pattern recognition on code instead of text.
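The generate, observe, refine loop described above, as an added example that is not from Anthropic or this post's sources: a toy byte-mutation fuzzer run against a constructed record parser with a planted length bug. The parser, its `REC1` magic, and every name in the code are assumptions made for illustration.

```python
"""Toy feedback-driven fuzzer against a constructed parser (not a real target)."""

MAGIC = b"REC1"  # constructed 4-byte magic for the toy record format


class Crash(Exception):
    """Stands in for a memory-safety fault in the toy parser."""


def parse(data: bytes) -> set:
    """Parse magic | declared_len | payload and return the branches reached."""
    cov = set()
    if len(data) < 6:
        return cov
    for i, want in enumerate(MAGIC):
        if data[i] != want:
            return cov
        cov.add(("magic", i))
    declared, payload = data[4], data[5:]
    cov.add("header_ok")
    if declared > len(payload):  # planted bug: the length field is trusted
        raise Crash(f"declared {declared} > actual {len(payload)}")
    return cov


def fuzz(seed: bytes, budget: int, use_feedback: bool):
    """Mutate one byte at a time; keep inputs that reach new branches."""
    corpus, seen, execs, idx = [seed], set(), 0, 0
    while idx < len(corpus):
        base = corpus[idx]
        idx += 1
        for pos in range(len(base)):
            for val in range(256):
                if execs >= budget:
                    return None, execs
                cand = base[:pos] + bytes([val]) + base[pos + 1:]
                execs += 1
                try:
                    cov = parse(cand)  # observe: which branches did it reach?
                except Crash:
                    return cand, execs
                if use_feedback and not cov <= seen:  # refine on new coverage
                    seen |= cov
                    corpus.append(cand)
    return None, execs


if __name__ == "__main__":
    print("with feedback:   ", fuzz(bytes(6), 10_000, True))
    print("without feedback:", fuzz(bytes(6), 10_000, False))
```

With feedback, each input that matches one more magic byte is kept and mutated further, so the planted bug is reached in a few thousand executions. Without it, the same single-byte mutations of the seed never get past the first magic byte.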
What this means
Genuinely valuable for defensive security. Will accelerate patching. But if Anthropic can build this, nation-states can too. The race is whether defenders patch faster than attackers exploit.
Mythos isn't sentient, conscious, or capable of understanding code. It's automated fuzzing taken to a scale no prior model reached. A real advancement that requires human direction and oversight.
Sources
- Anthropic, "Project Glasswing" (April 2026)
- Anthropic Red Team Evaluation (April 2026)
- Fortune, "Claude Mythos and Project Glasswing" (April 2026)
- CVE-2026-4747, FreeBSD NFS RCE
