Anthropic says its Claude Mythos model discovered thousands of severe vulnerabilities across more than 1,000 open source software (OSS) projects.
According to the AI giant, Mythos Preview has identified more than 23,000 potential vulnerabilities. Of these, 1,900 have been reviewed by external security firms, and 1,726 have been confirmed, including over 1,000 rated ‘high’ or ‘critical’ severity.
The findings are still being reviewed, and Anthropic estimates that nearly 3,900 critical and high-severity vulnerabilities will be confirmed based only on current findings. As the scans are ongoing, the company believes the number of severe vulnerabilities may reach 6,200.
Anthropic says more than 1,100 unverified findings have been reported to vendors, and 75 issues with a critical or high severity rating have been patched. Vendors have published 65 security advisories.
“The number of patches is still relatively low for three reasons. First, we’re still early in the 90-day window that’s set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon,” the AI company explained.
“Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we’re reliant on scanning for the patches ourselves using Claude. Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem,” it added.
In response to the surge in AI-powered vulnerability discovery, Anthropic recently unveiled Claude Security, a codebase scanner designed to help developers find security issues in their applications.
Mythos testing results from Project Glasswing participants
The vulnerabilities described in Anthropic’s new report are limited to OSS projects, with much of the scanning conducted by the AI company itself.
Roughly 50 organizations have access to Mythos Preview through Project Glasswing — Anthropic is concerned that wider access could lead to the model being abused — and several of them have disclosed good results after testing it.
Mozilla reported finding 271 Firefox vulnerabilities, and Mythos has helped Palo Alto Networks find dozens of flaws.
Anthropic also cited tests conducted by the autonomous offensive security firm XBOW, which found Mythos to be potent for vulnerability discovery. The UK government has also seen good results.
Google has also been given access, but it’s unclear whether the recent surge in Chrome vulnerability detections is due to Mythos, the company’s own AI tools, or both.
Others were not impressed with the results. Mythos found only one low-severity vulnerability in Curl, with experts debating whether that is a failure of the AI model or a testament to the open source data transfer tool’s maturity.
Anthropic says it has yet to develop strong enough safeguards to prevent misuse of Mythos, but the company is working to add more organizations to Project Glasswing and hopes to make this class of models generally available in the near future.
Related: The Mythos Moment: Enterprises Must Fight Agents with Agents
Related: Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’
Related: Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos
Related: OpenAI Widens Access to Cybersecurity Model After Anthropic’s Mythos Reveal
