Anthropic Plans Public Release of ‘Mythos’ Bug-Hunting AI—Once It Can Stop Hackers from Using It
Table of Contents
The Double-Edged Sword of Automated Bug Hunting
Anthropic has signaled its intention to eventually release a public version of its ‘Mythos’ class models—AI systems capable of identifying deep-seated security vulnerabilities in software code with unprecedented precision. However, the company is keeping the most potent versions under lock and key for now, admitting that the current state of AI safety is not yet equipped to prevent the tools from being weaponized by bad actors.
The model is currently the centerpiece of ‘Project Glasswing,’ a restricted access program. Because Mythos can pinpoint flaws that would allow cybercriminals to execute sophisticated exploits at scale, Anthropic has limited its availability to a small circle of vetted entities and government partners. The logic is straightforward: if the general public—and by extension, state-sponsored hacking groups—had unfettered access to Mythos, the window for developers to patch vulnerabilities would shrink to almost nothing.
A Deluge of Disclosures
The scale of what Mythos can find is already putting a strain on the global security community. In a recent update, Anthropic revealed it used the model to scan over 1,000 open-source projects that form the backbone of the modern internet. The results were staggering: Mythos identified roughly 23,019 flaws in total, with 6,202 categorized as high- or critical-severity vulnerabilities.
While the discovery of these bugs is a win for defensive security, it has created a logistical nightmare for the maintainers of these projects. Many open-source developers are volunteers or underfunded teams who are now facing a ‘deluge’ of AI-generated bug reports. According to Anthropic, some maintainers have explicitly asked the company to slow down its disclosure rate because they simply do not have the manpower to design and deploy patches fast enough.
The impact is not just theoretical. One critical flaw uncovered by Mythos affected the wolfSSL cryptography library, a piece of software used by billions of devices. The AI constructed an exploit that could allow an attacker to forge certificates, effectively enabling them to impersonate banks or email providers. While wolfSSL has since been patched, the incident underscores the volatility of releasing such a tool into the wild.
The Safety Gap
Despite the long-term goal of a general release, Anthropic’s leadership is candid about the risks. In its latest progress report, the company admitted that no organization has yet developed safeguards robust enough to prevent these models from being misused to cause ‘severe harm.’
For now, the strategy is one of gradual expansion. Anthropic intends to broaden Project Glasswing to include more ‘critical partners,’ specifically focusing on the U.S. government and its allies. This approach allows the company to harden the models in a controlled environment while providing a defensive edge to national security agencies.
The Industrialization of Vulnerabilities
The emergence of Mythos marks a shift in the cybersecurity landscape. It is no longer just about whether an AI can find a bug, but how quickly it can do so across millions of lines of code. The sheer volume of high-severity bugs found—with a 90.6 percent validity rate for those reported by Anthropic—suggests that the era of manual security auditing may be reaching its limit.
As a remedy for the overwhelmed human developers, Anthropic is pushing for a circular solution: using AI to fix the bugs that AI found. By integrating these capabilities into its Claude model, the company hopes to help developers automate the patching process, potentially keeping pace with the accelerating speed of AI-driven discovery.
For those tracking the technical fallout of these discoveries, the company noted that full analyses of specific exploits, including the wolfSSL breach, will be released in the coming weeks, with further details expected under CVE-2026-5194.
