Anthropic’s Mythos model has prompted banks, tech firms and governments to rush to contain software risks after the company said the system is capable of finding thousands of previously unknown vulnerabilities.
Cybersecurity experts and artificial intelligence researchers told CNBC that the classes of flaws highlighted by Mythos can be discovered using existing models from Anthropic, OpenAI and others, often by coordinating multiple models and tools.
Researchers said they reproduced many of Mythos’s results by splitting code into smaller tasks and orchestrating public models. “What we are seeing across the industry now is that people are able to reproduce the vulnerabilities found with Mythos through clever orchestration of public models to get very, very similar results,” Ben Harris, CEO of cybersecurity firm watchTowr Labs. Klaudia Kloc, CEO of Vidoc, added: “The models that we have right now are powerful enough to detect zero days in a large scale, and this is scary enough.”
Related reading
- Anthropic opens Bluetooth API to let makers connect hardware devices to Claude
- Anthropic signs deal to run Claude on SpaceX's Colossus data centre, with Musk's blessing
- Washington tightens its grip on AI as Google, Microsoft and xAI agree to government safety checks
Anthropic did not dispute that earlier models could find vulnerabilities, noting a February blog post where Claude Opus 4.6 detected more than 500 “high severity” issues in open-source software. The company Mythos access under Project Glasswing to a handful of firms including Apple, Amazon, JPMorgan Chase and Palo Alto Networks to give those organisations time to patch systems.
Defenders say the pace of patching still lags the speed at which AI can find flaws, leaving an initial advantage to attackers. The Mythos rollout also prompted discussions about oversight; the Trump administration is considering new government review of future models, and OpenAI released a limited-access GPT-5.5-Cyber for vetted cybersecurity teams.
The recap
- Mythos reportedly found thousands of previously unknown software vulnerabilities
- Claude Opus 4.6 flagged more than 500 high severity vulnerabilities
- Limited Project Glasswing rollout to select companies; federal oversight considered
