Claude Mythos

Autonomous bug-hunting just jumped two orders of magnitude. Google's Big Sleep and the startup XBOW had each found tens of real flaws on their own; in roughly its first month, about fifty vetted partners ran Anthropic's Claude Mythos against live production and critical-infrastructure code and reported more than 10,000 high- or critical-severity vulnerabilities between them. Cloudflare alone surfaced around 2,000, Mozilla 271 in Firefox, and one wolfSSL flaw let an attacker forge certificates.

"Even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem."

The 10,000 figure is self-reported by the partners and has not been audited as a whole. What carries weight is a smaller, checked slice: of 1,752 findings handed to six security firms for review, 1,587 held up — a 90.6% true-positive rate, though those firms were inside the program rather than adversaries trying to knock the number down.

The more telling detail is what Anthropic admits the volume does to the rest of the chain. Finding bugs has become so cheap that the constraint is now fixing and disclosing them — the same model that surfaces flaws faster than anyone can patch them is, by Anthropic's own account, deliberately not released to the public, because no one has built safeguards strong enough to stop an attacker from pointing it the other way. The skill that mattered in security was finding the hole; now it is closing it before someone else walks through.