Anthropic built a model that finds zero-day vulnerabilities. Over 99% of them are still unpatched.
Claude Mythos Preview, released by Anthropic on April 7, was announced as a step change in AI cybersecurity capability. The company called it a watershed moment for defenders. In the same technical report, it also acknowledged that it had found vulnerabilities in every major operating system and every major web browser — and that over 99% of those bugs had not yet been patched.
One week later, OpenAI announced GPT-5.4-Cyber, its own cybersecurity-focused model, expanding its Trusted Access for Cyber program to thousands of vetted defenders. The competitive timing made for good headlines. The technical details underneath are more consequential.
The numbers from Anthropic's own testing are stark. On a benchmark using real, unpatched Firefox vulnerabilities, Mythos developed working exploits 181 times out of roughly 200 attempts. Its predecessor, Claude Opus 4.6, managed two successes out of several hundred attempts on the same test. Mythos also achieved ten cases of full control-flow hijack on fully patched targets — a category of exploit that requires chaining multiple vulnerabilities together and sits near the top of the severity scale in security research. Its predecessors managed one such case each.
The UK AI Security Institute ran an independent evaluation. On expert-level cybersecurity challenges that no AI model could complete before April 2025, Mythos succeeded 73% of the time. On a 32-step simulated corporate network attack, Mythos completed the full chain in 3 out of 10 attempts and averaged 22 of 32 steps. The next-best model, Opus 4.6, averaged 16 steps.
Both companies have framed their releases as defensive tools. OpenAI says it has fixed over 3,000 critical and high-severity vulnerabilities through its existing Codex Security agent. Anthropic has released Mythos through Project Glasswing, a controlled program with partners including Google, Microsoft, Amazon, and NVIDIA, under which the model is made available to vetted organizations for defensive research before broader release.
The head start has limits. The vulnerabilities Mythos found exist in production software running on real systems right now. Anthropic's coordinated vulnerability disclosure process covers the ones it can disclose. The company has acknowledged that the majority — over 99% — remain unpatched while that pipeline runs its course. Google's Project Zero, which publishes some of the industry's most rigorous vulnerability research, typically allows 90 days between disclosure and public release. During that window, anyone with access to the same model capabilities — whether through the controlled program, a competing lab, or a future leak — has the same information the defenders do.
Anthropic explicitly states in its technical report that it had to move beyond synthetic benchmarks because its model was achieving near-perfect scores on them. The implication — which the company frames positively — is that the model got too capable for the tests designed to measure it. That is a different kind of milestone than a leaderboard position.
What happens next depends on how fast the disclosure pipeline runs relative to capability proliferation. The controlled release programs from both companies are deliberate attempts to manage that risk. Whether they scale fast enough is not a question either company has answered.