Claude Mythos: Anthropic’s AI Can Now Find and Exploit Zero-Day Vulnerabilities

Anthropic published a technical preview of Claude Mythos on April 7, 2026, and the findings are striking enough to warrant attention beyond the usual AI news cycle.

What Mythos Can Do

Mythos Preview is a general-purpose language model that performs exceptionally well on computer security tasks. During internal testing, Anthropic found it capable of identifying and exploiting zero-day vulnerabilities in every major operating system and every major web browser — autonomously, when directed by a user.

The exploits it produces are not simple. In one documented case, Mythos wrote a browser exploit that chained four vulnerabilities together, including a JIT heap spray that escaped both renderer and OS sandboxes. In another, it produced a remote code execution exploit on FreeBSD’s NFS server — a 20-gadget ROP chain split across multiple packets — granting unauthenticated root access.

The leap from the previous generation is measurable. Opus 4.6, Anthropic’s prior flagship, turned discovered Firefox JavaScript engine vulnerabilities into working shell exploits roughly twice out of several hundred attempts. Mythos Preview succeeded 181 times on the same benchmark.

Anthropic also notes that engineers with no formal security training were able to use Mythos to find remote code execution vulnerabilities overnight — and wake up to a working exploit. The barrier to sophisticated offensive security work has dropped substantially.

Project Glasswing

In response to these capabilities, Anthropic launched Project Glasswing — an effort to use Mythos to help secure critical software before attackers can leverage similar capabilities. Over 99% of the vulnerabilities found during testing remain unpatched and undisclosed, per coordinated vulnerability disclosure practices. The 1% that can be discussed already paints a clear picture of what Anthropic is calling a watershed moment for cybersecurity.

The Dual-Use Problem

This is the clearest example yet of the dual-use tension in frontier AI development. The same capability that makes Mythos valuable for defensive security — autonomous vulnerability discovery and exploit construction — makes it dangerous in the wrong hands. Anthropic is betting that deploying it defensively, at scale, is the right response to a capability that will exist regardless.

The full technical writeup is worth reading for anyone working in security or thinking seriously about where AI capability development is headed: red.anthropic.com/2026/mythos-preview/

AI-Generated Podcast Discussion

I generated an AI podcast episode discussing this article — two AI-voiced hosts working through the implications of the Mythos announcement. Listen to the AI-generated episode here.