Anthropic Claude Mythos/Glasswing Cyber Capabilities and Incidents
Key Questions
What is Anthropic's Mythos AI and what does it do?
Mythos is an AI model designed for security vulnerability detection, uncovering over 10,000 high or critical vulnerabilities in open-source software with a 90.6% true positive rate. It has been deployed to 150 organizations across 15 countries, including critical infrastructure operators.
How effective is Mythos at finding vulnerabilities compared to humans?
Mythos has identified hundreds of Firefox vulnerabilities and a Redis RCE that went undetected for two years. It also discovered over 500 vulnerabilities via Claude Code Security, highlighting its superior detection speed.
Is the NSA using Mythos for offensive cyber operations?
Reports indicate the NSA is embedding half-a-dozen Anthropic engineers and using Mythos for offensive operations, despite ongoing Pentagon legal disputes. This shifts its narrative from defensive to active attack capabilities.
Which countries and organizations have access to Mythos?
Anthropic has granted access to the EU, Japan, New Zealand, and 150 organizations focused on critical infrastructure defense. This includes governments and banks for cybersecurity purposes.
What is the 'Son of Mythos' and why is it a concern?
The 'Son of Mythos' refers to accelerated exploit chaining enabled by AI tools, with warnings from security experts about its rapid evolution. It compounds risks as vulnerability-to-exploitation windows shrink dramatically.
What incident occurred with Claude.ai involving Mythos?
A new incident involved data exfiltration from Claude.ai, raising concerns about the security of AI systems themselves when using advanced models like Mythos.
How does Mythos impact traditional patch cycles?
CSA data shows the vulnerability-to-exploitation window collapsing from 70 days to under one, rendering 30-day patch cycles obsolete. Only 75 of 10,000+ discovered vulnerabilities have been patched so far.
What executive actions support AI model vetting like Mythos?
Trump signed an executive order to vet frontier AI models for national security risks before public release. This aligns with broader efforts including Microsoft MDASH and Cisco's revamped disclosures.
Mythos uncovers 10,000+ high/critical vulns across OSS (90.6% true positive), only 75 patched—remediation bottleneck critical. Deployed to 150 orgs across 15 countries for critical infrastructure defense. Trump signs executive order to vet frontier AI models. Microsoft MDASH exits preview. Cisco revamps disclosures. Anthropic grants EU, Japan, and New Zealand access. Claude Code Security finds 500+ vulns. Major scoop: NSA using Mythos for offensive cyber operations, embedding engineers despite Pentagon legal battle—flips narrative to active attack use. New validation: Mythos finds hundreds of Firefox vulnerabilities, raising triage and bounty questions. New incident: Claude.ai exfiltration. New warning: 'Son of Mythos' accelerating exploit chaining. New: AI finds Redis RCE missed for two years; Darnit framework aims to automate remediation. New data: CSA reports vulnerability-to-exploitation window collapsing from 70 days to under one, killing 30-day patch cycles. New: Anthropic red-teaming Oceanus (next Mythos model) with preview candidates; potential June launch. New: Anthropic open-sources a free vulnerability hunting harness that found bugs humans missed for years. Congressional hearing confirms Mythos impact and patch bottleneck.