Anthropic reins in Claude Mythos after mass discovery of hidden security flaws
Anthropic has sharply restricted access to its experimental AI system, Claude Mythos Preview, after early trials showed the model could identify an unprecedented number of severe security vulnerabilities across widely used software. What started as a cutting-edge research deployment quickly turned into a coordinated global security effort as the model surfaced thousands of critical flaws in operating systems, browsers, cryptographic protocols, and web applications.
Positioned as a general-purpose AI, Claude Mythos proved unexpectedly adept at security analysis. During internal testing, the system repeatedly uncovered high-impact vulnerabilities spanning major operating systems and key internet infrastructure. The scale and depth of the findings forced Anthropic to slow down the rollout and move into what it describes as a “defense-first” posture.
Anthropic warned that, given the speed of AI progress, similar capabilities are likely to spread far beyond carefully controlled environments in the near future. The company stressed that the looming risk is not whether such tools will be used offensively, but how quickly powerful code-analysis models might be adopted by actors who are unconcerned with safety, oversight, or responsible disclosure.
The company cited industry data pointing to a 72% year‑over‑year increase in AI-assisted cyberattacks, with 87% of organizations worldwide reporting exposure to AI-enabled incidents in 2025. Against that backdrop, Claude Mythos’ performance underscores a stark reality: offensive and defensive capabilities are scaling at the same time, but not necessarily under the same constraints.
Internal investigations revealed that many of the vulnerabilities flagged by Mythos Preview had evaded detection for years, in some cases decades. Security teams and open‑source maintainers were confronted with the uncomfortable fact that core infrastructure, long regarded as mature and hardened, still contained previously unknown attack paths.
Among the most striking discoveries was a 27‑year‑old bug in OpenBSD, a project often held up as a gold standard for security-focused operating system design. The flaw has since been patched, but its longevity illustrates how even highly scrutinized codebases can harbor deep‑seated issues. Mythos also surfaced a 16‑year‑old vulnerability in FFmpeg, widely used for audio and video processing, along with a 17‑year‑old remote code execution bug in FreeBSD. Several weaknesses were also identified within the Linux kernel, one of the foundational layers of modern computing.
The findings were not limited to operating systems and low-level libraries. Claude Mythos highlighted structural problems in widely deployed cryptographic standards, including implementations of TLS, AES-GCM, and SSH. Even subtle weaknesses in these building blocks can have far‑reaching implications, since they underpin secure communication, authentication, and data protection across the internet.
On the application layer, the model detected large numbers of common but dangerous web vulnerabilities: cross‑site scripting, SQL injection, and cross‑site request forgery among them. These flaws are frequently exploited in phishing campaigns, credential theft, and data breaches. While human security researchers have been finding such bugs for years, the concern is that AI systems can now identify them at industrial scale, dramatically compressing the time needed to locate exploitable code.
Anthropic stated that roughly 99% of the vulnerabilities discovered by Claude Mythos have not yet been patched, and argued that publicly revealing technical details would be “irresponsible” at this stage. Until software vendors and maintainers have a chance to fix the issues, premature disclosure could hand attackers a roadmap to critical systems around the world.
The capacity to detect zero‑day vulnerabilities at this speed and scale has the potential to reshape the entire field of software security. Historically, high‑impact bug discovery demanded niche expertise, specialized tooling, and long investigative cycles. AI models like Mythos can rapidly scan huge codebases, correlate obscure patterns, and surface subtle errors that might elude even seasoned professionals. That could enable defenders to move from reactive patching to proactive hardening-if they can manage the risks associated with such powerful tools.
Anthropic is candid about the transitional danger. The company has emphasized that defending global digital infrastructure will be a multi‑year effort. In its view, the long‑term trajectory is optimistic: as AI-driven tools become integral to software development, more code will be written, reviewed, and tested with automated security in mind, eventually producing far more resilient systems. Yet the path to that future is “fraught,” marked by a period in which offensive and defensive uses of AI are both accelerating and unevenly distributed.
For now, Anthropic has significantly limited access to Claude Mythos Preview. Rather than opening the system to broad commercial or public use, the company is partnering selectively with infrastructure providers, open‑source maintainers, and enterprise security teams to quietly address the backlog of vulnerabilities. The near‑term priority is to fix what the model has already uncovered, while minimizing the chance that the same capabilities are turned against unpatched systems.
The Mythos episode also throws a spotlight on the dual‑use nature of advanced AI. Tools that can rapidly identify security flaws are invaluable to defenders, but indistinguishable in capability from tools that would be ideal for attackers. This tension is forcing AI labs, regulators, and security professionals to confront questions that have long been theoretical: who should be allowed to use these systems, under what conditions, and with what oversight?
Some experts argue that restricted access, while necessary, cannot be a permanent solution. As more organizations train large models with code-understanding abilities, similar vulnerability‑hunting capabilities are likely to emerge elsewhere. That suggests an urgent need for new coordination mechanisms between AI developers, software vendors, and security teams-particularly around responsible disclosure, patch timelines, and global incident response.
Organizations watching this unfold can draw several practical lessons. First, they should assume that the baseline for attacker capabilities is rising. Even if they never use tools like Claude Mythos themselves, they need to prepare for adversaries who do-by tightening patch management, adopting secure‑by‑default configurations, and investing in continuous code review and application security testing.
Second, companies may increasingly need policies for how they engage with AI systems in security workflows. That includes deciding what code can be shared with external models, how outputs are validated, and who is accountable for acting on AI‑generated findings. The risk is not just missed vulnerabilities, but also overreliance on tools whose behavior and coverage are not fully understood.
Third, the Mythos case illustrates that legacy code can harbor critical defects long after it is considered “stable.” Software that sits at the foundation of infrastructure-kernels, cryptographic libraries, core network services-should be treated as a living security concern, not a solved one. AI‑assisted analysis may become a standard part of long‑term maintenance for such systems.
For policymakers, Claude Mythos offers a glimpse of the regulatory challenges ahead. Traditional cybersecurity frameworks were built around human expertise and manual tooling. As AI models begin to influence vulnerability discovery, patch prioritization, and even automated code repair, regulators may need to rethink expectations for disclosure, liability, and minimum security practices in both the public and private sectors.
At a broader level, the episode reinforces a central paradox of AI in security: the same technology that could ultimately make global infrastructure far more robust also magnifies short‑term risk by revealing just how much is currently broken. Anthropic’s decision to slow down and limit deployment illustrates the kind of trade‑offs that advanced AI developers now face routinely-balancing innovation with the obligation to prevent foreseeable harm.
Claude Mythos is still officially described as a preview system, and Anthropic has not given a timeline for wider availability. Any future rollout is likely to be shaped by what happens in this early, constrained phase: how quickly critical bugs can be fixed, whether similar capabilities surface elsewhere, and whether the industry can establish norms to ensure that the defensive potential of such systems outweighs their offensive appeal.
In the meantime, the message to the software world is clear: the security debt accumulated over decades of development is far larger than many assumed, and AI is about to make that visible. How quickly vendors, maintainers, and enterprises respond may determine whether this new generation of AI tools becomes a stabilizing force for cybersecurity-or accelerates a new wave of systemic risk.