If you’ve been anywhere near a security Slack in the last week, you’ve seen the headlines. Anthropic dropped Claude Mythos on April 7th and the internet did what the internet does — breathless coverage, doomsday takes, and a 30-page community briefing co-signed by what looks like the entire US cybersecurity establishment telling CISOs to restructure their security programs starting Monday morning.
We’ve been watching this space closely. Here’s our honest read.
What Actually Happened
Mythos is real, and the capability jump is legit. Anthropic’s red team report shows Mythos generating 181 working Firefox exploits autonomously, in conditions where their previous best model (Opus 4.6) produced two. It found a 27-year-old bug in OpenBSD’s TCP stack. A 16-year-old codec flaw in FFmpeg that survived millions of fuzzing runs. It built a full root-access exploit against FreeBSD’s NFS implementation by chaining six sequential RPC requests with a ROP chain.
That’s not a press release. Those are verified findings.
But here’s where we pump the brakes a little: a null pointer dereference in a niche BSD TCP stack is impressive research. It is not an active incident. The gap between “AI found this” and “attacker used this against your network” is still measured in weeks of weaponization, targeting, and infrastructure work — at least for now.
The Economics Are Messier Than the Headlines Suggest
The coverage keeps citing Anthropic’s cost numbers: under $20K for 1,000 OpenBSD scans, $50–$2,000 per working exploit. Those numbers sound accessible. They’re also subsidized research-preview pricing at a moment when Anthropic has every reason to make Mythos look both scary and affordable.
We’ve been here before. During Log4Shell in December 2021, we watched threat actors deploy Kinsing backdoors at scale within days of the CVE disclosure while the Log4j maintainers (unpaid volunteers) were working around the clock on patches. The exploitation machinery scaled because attackers have no patching obligation. AI doesn’t change that dynamic. It accelerates it.
Finding bugs has never been the bottleneck. Fixing them is. Mythos finding 500+ high-severity vulnerabilities in open source software (which Claude Opus 4.6 already did in February) adds to a disclosure queue that human maintainers and security teams have to absorb. Compute got cheaper. Maintainer hours didn’t.
Marcus Hutchins has a sharper take than most on this: cost parity between AI and human researchers hasn’t been reached at real market rates, and nobody has solved the economic problem of who funds the response side of this equation. Token prices will normalize. When they do, the economics of AI-assisted offense will look different than they do today.
The PR Machine Is Running Hot
Let’s be honest about something. Project Glasswing — Anthropic’s coordinated early-access program that gave 40+ organizations including AWS, Apple, Microsoft, Google, and CrowdStrike a preview of Mythos before public release — is framed as a defensive measure. It’s also the most effective enterprise go-to-market play in security industry history: give critical infrastructure providers a preview of a capability that could hurt them, under NDA, before competitors get it.
The $100M in model credits and $4M in OSS donations are real. They’re also acquisition spend.
When the briefing document co-signed by the former National Cyber Director, former CISA Director, former NSA Cybersecurity Director, and Google’s CISO lands in your inbox telling you to restructure immediately — those are not disinterested parties. They’re not wrong. But they’re also not neutral.
What Doesn’t Actually Change
Most successful attacks don’t start with a zero-day. They start with a phishing email, a reused password, a misconfigured cloud bucket, or a forgotten exposed service. SolarWinds, ProxyLogon, MOVEit, the Chinese state-sponsored group Anthropic disclosed in November 2025 that used Claude Code to run full attack chains across ~30 global targets — all of these relied on known vulnerabilities, credentials, and supply chain access, not novel zero-days.
The Zero Day Clock data shows time-to-exploit collapsing from 2.3 years in 2018 to under 24 hours today. Real trend. But the same community briefing notes that “the historical collapse in time-to-exploit has not yet produced a proportional increase in the impact of exploitation.” Attackers are already in your networks. Mythos doesn’t change the entry problem.
Here’s Where It Does Change: What Happens After They’re In
This is the part that should actually be reshaping your threat model.
Once Mythos-class capabilities proliferate to open-weight models — which Anthropic estimates at 6–12 months — attackers get a faster path from initial access to privilege escalation and lateral movement. That’s the real shift. Not getting in, but what happens in the hours after.
Think about the FreeBSD NFS exploit Mythos built: a ROP chain, six sequential RPC requests, 200-byte constraint optimization, full root. An attacker with that kind of automation compresses the window between “inside the network” and “domain admin” from days to hours. Your IR playbook was written for human-paced lateral movement. The detection windows, the escalation chains, the approval gates — none of it was designed for an adversary who can pivot and exfiltrate in a single on-call shift.
Honest question: When’s the last time you ran a tabletop for three simultaneous critical incidents in the same week, with one actively exploited? If that scenario isn’t in your playbooks, that’s your first gap — and the Glasswing patch wave is coming whether you’re ready or not.
The Vibe-Coding Problem Is Bigger Than Mythos
One angle is getting less coverage than it deserves.
The Mythos findings are impressive because they target well-maintained codebases — FFmpeg, OpenBSD, the Linux kernel. These have maintainers, security contacts, and response processes. The much scarier target is the opposite: the explosion of AI-generated code living inside your own organization right now.
Two distinct problems here, and it’s worth separating them.
First: net-new vibe-coded internal apps. Coding agents are now easier to use than Excel — the CSA briefing literally says this, and they’re right. Every organization is accumulating a shadow application estate built by people who described what they wanted in English and got working code back. That code carries whatever vulnerabilities the model generated, whatever vulnerable dependencies got pulled in without a second thought, and whatever security assumptions the developer never knew to question. We’ve had standards for what we’d accept from a vendor — pen test attestations, SLAs for patch response. The internal finance automation tool your three engineers shipped last weekend meets exactly none of those standards, and it probably has database access.
Second, and more insidious: AI slop in your existing production codebase. This isn’t a shadow app — it’s a pull request that looks like every other pull request. AI-assisted development is now the default for most engineering teams. AI-assisted code review is following close behind. Both introduce what the industry’s started calling “AI slop” — code that looks fine on surface review but degrades the security invariants that a human reviewer would have caught because they understood the original intent of the code. The curl project’s story here is telling: they shut down their bug bounty because of hallucinated AI vulnerability reports, then watched as the same pipeline started producing verified real findings. The same noise-to-signal transition is happening in PRs.
The compound risk: Mythos-class scanning can find vulnerabilities in your production codebase faster than your team ships code. If that codebase is being actively modified via coding agents, the attack surface isn’t static — it’s expanding at AI speed while your security review still runs at human speed.
The action here is simple and free: mandate LLM-driven security review as a CI/CD gate. Not instead of human review — in addition to it, as the first-pass filter that catches what neither the developer nor the AI that wrote the code was thinking about.
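What that gate looks like in practice, as an added example (not the post's code, and not the output format of Claude Code Security, Codex Security or raptor): the review step is assumed to write a JSON document listing the files it actually reviewed and its findings, and the gate fails closed on missing or unparseable output, on changed files the review never covered, and on any finding at or above the blocking severity that lacks an explicit, human-written allowlist entry with a reason and an expiry. The sample review output and allowlist are constructed.

```python
"""Fail-closed CI gate over an LLM security review.

Added example; not the post's code, and not the output format of Claude Code
Security, Codex Security or raptor. It assumes the review step writes one JSON
document listing the files it actually reviewed and its findings, and that a
finding is only suppressed through an explicit, human-written allowlist entry
with a reason and an expiry date.
"""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed review output, shaped the way this gate expects it.
SAMPLE_REVIEW_JSON = json.dumps({
    "reviewed_files": ["app/finance/export.py", "app/finance/db.py"],
    "findings": [
        {"id": "F-1", "file": "app/finance/export.py", "severity": "critical",
         "title": "shell command built from a user-controlled filename"},
        {"id": "F-2", "file": "app/finance/db.py", "severity": "high",
         "title": "SQL query assembled with an f-string"},
        {"id": "F-3", "file": "app/finance/db.py", "severity": "medium",
         "title": "connection string logged at debug level"},
    ],
})

# Constructed allowlist: a human reviewer accepted F-2, with a reason and an expiry.
SAMPLE_ALLOWLIST = {
    "F-2": {"reason": "parameters bound two lines later; reviewed by @owner",
            "expires": "2026-06-01"},
}


def evaluate_gate(review_json, changed_files, allowlist, block_at="high", today="2026-04-15"):
    """Return (passed, reasons). Fails closed when the review output is missing or
    unparseable, when a changed file was not covered, and for every finding at or
    above block_at that has no unexpired, reasoned allowlist entry."""
    if not review_json:
        return False, ["no review output; gate fails closed"]
    try:
        review = json.loads(review_json)
    except json.JSONDecodeError as exc:
        return False, [f"unparseable review output: {exc}"]

    reasons = []
    covered = set(review.get("reviewed_files", []))
    for path in sorted(set(changed_files) - covered):
        reasons.append(f"changed file not covered by review: {path}")

    threshold = SEVERITY_RANK[block_at]
    for finding in review.get("findings", []):
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None:  # an unknown severity is not a reason to pass
            reasons.append(f"{finding.get('id')}: unknown severity {finding.get('severity')!r}")
            continue
        if rank < threshold:
            continue
        ack = allowlist.get(finding["id"], {})
        if ack.get("reason") and ack.get("expires", "") >= today:
            continue  # acknowledged by a human and still in force (ISO dates compare as strings)
        reasons.append(f"{finding['id']} ({finding['severity']}) in {finding['file']}: {finding['title']}")
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = evaluate_gate(SAMPLE_REVIEW_JSON,
                            ["app/finance/export.py", "app/finance/db.py"],
                            SAMPLE_ALLOWLIST)
    print("PASS" if ok else "BLOCK", *why, sep="\n  ")
```

The design choice worth copying is the fail-closed default: a missing review artifact, an unparseable one, or a file the model silently skipped all block the merge, so a broken review step cannot look like a clean one. Suppression lives in a reviewed allowlist with an expiry, never in the model's own output.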
The Intelligence Overload Problem Is Already Here
The Glasswing patch wave — 40+ vendors releasing patches simultaneously off the back of Mythos findings — is going to generate more CVEs, advisories, and emergency patching cycles than your team has ever had to handle at once. Linux kernel bug reports already went from 2 to 10 per week. The CVE/NVD/KEV infrastructure was built for dozens of critical CVEs per month, not AI-generated discovery rates.
We saw a version of this with Log4Shell. That wasn’t difficult because the vulnerability was complex. It was difficult because every team in the industry was doing the same thing at the same time, with incomplete asset inventories and no playbook for a logging library embedded six layers deep in third-party software. Mythos is Log4Shell as a permanent condition.
Your team is about to spend more cognitive cycles separating real threats from noise than ever before. Build your triage process before the volume forces you to. Define what “actionable” means for your environment, automate the classification, and protect the people who do this work — because that expertise takes years to build and can’t be reconstructed on short timescales.
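One concrete way to "define what actionable means and automate the classification", as an added example (not the post's code): advisories are joined against the asset inventory, and the two inputs that matter most in this environment are whether the component is actually deployed and exposed, and whether the flaw is known to be exploited in the wild. The inventory, the advisories and the bucketing thresholds are all constructed assumptions for illustration, not a standard.

```python
"""Advisory triage against the asset inventory.

Added example, not the post's code. It assumes an inventory that records, per
software component, how many instances exist and whether any are internet-facing,
and advisory records carrying a CVSS score, a known-exploited flag (the KEV idea
the post mentions) and whether a patch exists. The bucketing thresholds are
illustrative assumptions, not a standard.
"""

# Constructed inventory: component -> the facts triage needs.
INVENTORY = {
    "openssh":    {"instances": 40, "internet_facing": True},
    "log4j-core": {"instances": 12, "internet_facing": False},
    "ffmpeg":     {"instances": 3,  "internet_facing": False},
}

# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-1", "component": "openssh",    "cvss": 9.8, "known_exploited": True,  "patch_available": True},
    {"id": "ADV-2", "component": "log4j-core", "cvss": 7.5, "known_exploited": False, "patch_available": True},
    {"id": "ADV-3", "component": "ffmpeg",     "cvss": 8.1, "known_exploited": True,  "patch_available": False},
    {"id": "ADV-4", "component": "libfoo",     "cvss": 9.0, "known_exploited": True,  "patch_available": True},
    {"id": "ADV-5", "component": "openssh",    "cvss": 5.3, "known_exploited": False, "patch_available": True},
]


def classify(advisory, inventory):
    """Return (bucket, action). 'Actionable' here means: we run the component, and
    either it is being exploited in the wild or it is critical on an exposed asset."""
    asset = inventory.get(advisory["component"])
    if not asset or asset["instances"] == 0:
        return "not-present", "close"  # noise for this environment, whatever the CVSS
    action = "patch" if advisory["patch_available"] else "mitigate"
    if advisory["known_exploited"]:
        return "act-now", action
    if advisory["cvss"] >= 9.0 and asset["internet_facing"]:
        return "act-now", action
    if advisory["cvss"] >= 7.0:
        return "schedule", action
    return "monitor", action


def triage(advisories, inventory):
    """Group advisories into buckets; within act-now, widest exposure first."""
    buckets = {"act-now": [], "schedule": [], "monitor": [], "not-present": []}
    exposure = {}
    for adv in advisories:
        bucket, action = classify(adv, inventory)
        buckets[bucket].append((adv["id"], action))
        exposure[adv["id"]] = inventory.get(adv["component"], {}).get("instances", 0)
    buckets["act-now"].sort(key=lambda item: -exposure[item[0]])
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(ADVISORIES, INVENTORY).items():
        print(f"{bucket:12} {items}")
```

Note what the inventory does to the queue: the highest-CVSS advisory in the sample (ADV-4) closes immediately because the component is not deployed, while a lower-scored flaw that is actively exploited and unpatched (ADV-3) lands at the top with a "mitigate" action. Without the inventory join, both would have been "critical".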
What We’d Actually Do This Week
No new budget needed for any of this:
Point an agent at your code
Use Claude Code Security, Codex Security, or the open-source raptor framework, and ask it to security review your most exposed repos. The output will be noisy. Calibrate from there. Every AI-generated or vibe-coded internal tool should go through this before it hits production.
Update your risk model
If your board reporting is based on patch window assumptions and exploit complexity estimates from before 2025, those numbers are wrong. Fix this before the next board cycle — it’s a governance correction, not a tooling purchase.
Inventory what you actually have
Start with internet-facing systems. Attackers can now enumerate your exposure faster than you can inventory it — don’t let that be true for long.
Pre-authorize your containment actions
Network segmentation, account suspension, traffic blocking, secrets rotation — identify what your team can do without a human approval chain for defined incident classes. The latency that was acceptable for human-paced threats is not acceptable for AI-accelerated lateral movement.
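What "pre-authorized for defined incident classes" can look like once written down, as an added example (not the post's code, and not any vendor's product): a policy table says, per incident class, which containment actions may run without a human and under what conditions, and everything not listed is denied by default and held for an approver. The incident shape (class, detector confidence, asset criticality tier with 1 as most critical), the policy table and the thresholds are all constructed assumptions.

```python
"""Decide which containment actions run without a human approval chain.

Added example; not the post's code or any vendor's product. It assumes an
incident record with a class, a detector confidence in [0, 1] and the asset's
criticality tier (1 = most critical), and a policy table that says, per class,
which actions are pre-authorised and under what conditions. Anything not listed
is denied by default and routed to a human approver.
"""

# Constructed policy: incident class -> action -> conditions for automatic execution.
# min_tier means "this tier or less critical"; a rule with min_tier 2 never auto-fires
# on a tier-1 asset, so crown-jewel systems always get a human in the loop.
CONTAINMENT_POLICY = {
    "credential-compromise": {
        "suspend_account": {"min_confidence": 0.8, "min_tier": 2},
        "rotate_secrets":  {"min_confidence": 0.9, "min_tier": 3},
    },
    "lateral-movement": {
        "isolate_host":  {"min_confidence": 0.7, "min_tier": 2},
        "block_traffic": {"min_confidence": 0.5, "min_tier": 1},
    },
    "exposed-service": {
        "block_traffic": {"min_confidence": 0.6, "min_tier": 2},
    },
}


def decide(incident, requested_actions, policy=CONTAINMENT_POLICY):
    """Split requested actions into those that run now and those held for approval.
    Returns (auto, held) where held maps each action to the reason it was held."""
    auto, held = [], {}
    rules = policy.get(incident["class"])
    for action in requested_actions:
        if rules is None:
            held[action] = f"no pre-authorisation for class {incident['class']!r}"
            continue
        rule = rules.get(action)
        if rule is None:
            held[action] = "action not pre-authorised for this class"
        elif incident["confidence"] < rule["min_confidence"]:
            held[action] = f"confidence {incident['confidence']:.2f} below {rule['min_confidence']:.2f}"
        elif incident["asset_tier"] < rule["min_tier"]:
            held[action] = f"asset tier {incident['asset_tier']} needs human approval"
        else:
            auto.append(action)
    return auto, held


if __name__ == "__main__":
    # Constructed incident: a confident lateral-movement detection on a tier-3 host.
    incident = {"class": "lateral-movement", "confidence": 0.85, "asset_tier": 3}
    auto, held = decide(incident, ["isolate_host", "block_traffic", "rotate_secrets"])
    print("run now:", auto)
    print("held:", held)
```

The value is not the table itself but the argument it forces before the incident: for each class, which actions are reversible enough to run on a detector's say-so, at what confidence, and on which tier of asset. The reason string for every held action is what the on-call engineer sees at 3 a.m., so it names the specific condition that failed rather than a generic "denied".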
The Real Takeaway
Mythos is a real capability leap. The threat model that changes is real too — but narrower than the coverage implies, and concentrated where it was always going to hurt most: incident response.
The organizations that navigate this well won’t be the ones that bought the newest AI security platform. They’ll be the ones that already had accurate asset inventories, pre-authorized containment playbooks, and teams that weren’t already running at capacity when the first wave hit.
Mythos gives you a window where the board is paying attention and the business case is easy to make. Use it to fix the operational gaps that existed before any of this was a headline. The PR moment will pass. The operational pressure won’t.
Have thoughts? We’re at profero.io — come find us.
References
- Anthropic — Claude Mythos Preview (April 7, 2026)
- Anthropic — Project Glasswing (April 7, 2026)
- CSA/SANS/OWASP/[un]prompted — “The AI Vulnerability Storm: Building a Mythos-ready Security Program” (April 12, 2026, DRAFT). Contact: cisos@cloudsecurityalliance.org
- Profero — Log4Shell & Massive Kinsing Deployment (December 2021)
- Zero Day Clock