We Reproduced Anthropic's Mythos Findings With Public Models

Anthropic framed Mythos and Project Glasswing as proof that frontier AI vulnerability research now needs gated access. We tested the public, patched c...

Dawid Moczadło&Klaudia Kloc+4

We Reproduced Anthropic's Mythos Findings With Public Models

Anthropic framed Mythos and Project Glasswing as proof that frontier AI vulnerability research now needs gated access. We tested the public, patched c...

NEW|12 min read|

Dawid Moczadło&Klaudia Kloc+4

Date ↓

Read Time

Filter

Date ↓

Read Time

MAY 22, 2026 | 7 MIN READ

Why Mythos Doesn't Change Much (And What Actually Did)

AI vulnerability discovery is now possible with public models, not only proprietary systems like Claude Mythos. We explain what actually changed for AppSec teams, why raw AI security results are not enough, and how validation, prioritization, and developer trust now matter more than model access.

Jakub Sienkiewicz

APR 14, 2026 | 12 MIN READ

We Reproduced Anthropic's Mythos Findings With Public Models

Anthropic framed Mythos and Project Glasswing as proof that frontier AI vulnerability research now needs gated access. We tested the public, patched cases with GPT-5.4 and Claude Opus 4.6 and found that the key building blocks are already accessible outside Glasswing, while reliable operationalization remains the real moat.

Dawid Moczadło&Klaudia Kloc+4

APR 9, 2026 | 6 MIN READ

Reality Check on the Mythos Hype: AI Vulnerability Discovery Is Already Business as Usual

AI-assisted vulnerability discovery is already operational reality, not a futuristic breakthrough. The real shift is that exploit development and validation are becoming cheap enough to scale for both defenders and nation-state attackers.

Klaudia Kloc

APR 7, 2026 | 11 MIN READ

Claude Mythos Is a Backlog Visibility Warning for Enterprise Security Teams

Vidoc's take on Claude Mythos: large software organizations already sit on more unknown issues than current AppSec workflows can realistically discover and validate.

Dawid Moczadło

APR 2, 2026 | 7 MIN READ

We Analyzed the Leaked Claude Code Source: Here's What Anthropic Secured (and What They Didn't)

Anthropic accidentally leaked Claude Code's source. We read it so you don't have to: strong controls around the agent itself, but the software it writes is mostly left to the model's judgment. Full breakdown.

Dawid Moczadło

OCT 24, 2025 | 10 MIN READ

How we helped make Lovable more secure

A technical deep-dive into exploiting Firebase Auth emulator configuration via cookie injection, mixed-content bypasses, and subdomain trust boundaries - and how VIDOC helped Lovable secure their platform.

Dawid Moczadło&Klaudia Kloc

OCT 22, 2025 | 7 MIN READ

Detecting complex vulnerabilities in real-world code: LLM benchmark for enhanced software security

Traditional SAST tools often miss complex business logic flaws, but can LLMs fill the gap? Research publication by Klaudia Kloc and Dawid Moczadło introduces a real-world benchmark to evaluate AI effectiveness in identifying vulnerabilities that standard tools overlook.

Dawid Moczadło&Klaudia Kloc

AUG 18, 2025 | 8 MIN READ

Vibe Coding Security: 9 Real Vulnerabilities in AI-Generated Code (SQLi, XSS, Broken Auth & More)

AI-generated code ships fast but introduces predictable security holes: plain-text password storage, missing auth on new endpoints, SQLi from unsanitized inputs, and hallucinated packages (slopsquatting). Here's what to check and how to fix each one.

Dawid Moczadło

JUL 29, 2025 | 8 MIN READ

LLMs Can Now Find Zero-Day Vulnerabilities. Here's Why That's Both Impressive and Alarming.

Large language models can now reliably spot real-world zero-day vulnerabilities through brute-force iteration. We explain how it works, what it means for red teams, and why defenders should be paying close attention.

Dawid Moczadło

MAR 27, 2025 | 6 MIN READ

Fake Engineer - Advanced Deepfake Fraud and How to Detect It

The candidate applied for an open backend position at our company Vidoc Security Lab. He had a decent CV and LinkedIn profile but used a deepfake during the coding interview, pretending to be a different person. This incident could be linked to a North Korean hacker group that has used this trick with many other companies.

Klaudia Kloc

JUN 11, 2024 | 7 MIN READ

Securing Python REST APIs: Auth, Rate Limiting, Input Validation & Common Exploit Patterns

Part 2 of our Python API security guide: implementing JWT auth correctly, rate limiting to prevent abuse, input validation against injection attacks, and the most common vulnerabilities in Django and FastAPI endpoints.

Oriana Olivetti

MAY 29, 2024 | 5 MIN READ

Software Composition Analysis (SCA) Guide: Catching Vulnerable Dependencies Before Attackers Do

Third-party packages are the most exploited attack vector in modern web apps. This guide covers how SCA tools work, what dependency scanning misses in AI-accelerated development, and how to integrate it into your CI/CD pipeline.

Oriana Olivetti

MAY 15, 2024 | 5 MIN READ

JavaScript Prototype Pollution: Detection, Exploitation Techniques & Real CVE Examples

A practical guide to prototype pollution: how pollution sources reach gadgets, how to test with ?__proto__[key]=value and constructor.prototype, and how real-world CVEs have been exploited in the wild.

Oriana Olivetti

APR 30, 2024 | 3 MIN READ

Pentesting Cross-Origin Resource Sharing (CORS) Vulnerabilities

Beginners guide to this common security misconfiguration. Here you'll find the steps to quickly spot and exploit CORS vulnerabilities out in the wild. Shall we start?

Oriana Olivetti

APR 9, 2024 | 4 MIN READ

State of Security Automation

SAST tools overlook more than 85% of CVEs in real-world scenarios. Outdated security automation can't keep pace with rapid code development. There is the hidden cost of security automation - validating false positives.

Dawid Moczadło

APR 2, 2024 | 4 MIN READ

Secrets Management for Developers: Detecting Leaks in AI-Generated Code Before They Reach Production

AI tools like Copilot and Cursor frequently hardcode secrets and commit .env files by accident. This guide covers secrets detection, vault setup, CI/CD scanning, and how to audit AI-generated code for credential leaks.

Oriana Olivetti

MAR 26, 2024 | 6 MIN READ

API Security Best Practices: 12 Checks Developers Actually Skip (and Attackers Love)

Most API security guides cover the obvious. This one focuses on the checks that get skipped under deadline pressure: broken object-level auth, mass assignment, unauthenticated endpoints added during refactors, and more. With code examples.

Oriana Olivetti

MAR 14, 2024 | 3 MIN READ

SAST vs. DAST: Choosing the Right Security Testing for Your Project

Distinguishing between SAST & DAST is crucial for any robust security strategy. Adopting a unified approach, by leveraging both scans, ensures that your software remains secure during its lifecycle, effectively mitigating potential risks and vulnerabilities in today's fast-paced digital environment.

Oriana Olivetti

FEB 29, 2024 | 4 MIN READ

AI Penetration Testing vs. Automated Penetration Testing: Key Differences, Tools & When to Use Each (2025)

AI pentesting and automated pentesting solve different problems. We compare both approaches — capabilities, tooling, costs, and when to use each — so you can make the right call for your security program.

Oriana Olivetti

FEB 20, 2024 | 3 MIN READ

Why you never get Reflected XSS to execute: Balancing Payloads

Beginners guide to Reflected XSS. Everyone talks about the different XSS cheatsheets, and then you are supposed to try them one by one to see if any of the payloads get executed on your target. We don't like that. It's time-consuming and a mindless task.

Oriana Olivetti

JAN 10, 2024 | 6 MIN READ

AWS S3 Bucket Takeover - how to find it and maximize impact?

The impact of an AWS S3 Bucket Takeover can range from none, account takeover, and even up to RCE. In this article, we'll tell you how to find it and maximize its impact

Grzegorz Niedziela

OCT 30, 2023 | 5 MIN READ

Next.js 14 Security: Server Actions Auth Bypass, Data Leaks & What Taint API Won't Protect Against

Next.js 14 Server Actions look like magic but expose auth bypass and data leak vectors that traditional scanners miss entirely. We break down the risks and why the experimental Taint API isn't enough on its own.

Dawid Moczadło

OCT 24, 2023 | 3 MIN READ

Escalating debug mode in Django to RCE, SSRF, SQLi

Security implications of DEBUG=true in Django. Learnings from an ethical hacker's perspective

Dawid Moczadło

SEP 27, 2023 | 2 MIN READ

Vidoc Secures Funding from bValue!

Vidoc Security Lab has secured an investment from bValue, a leading player in the world of venture capital and technology innovation

Klaudia Kloc

MAY 9, 2023 | 5 MIN READ

Ultimate 401 and 403 bypass methods

As a security researcher, I absolutely love the rush of discovering a suspicious endpoint during reconnaissance (which is super easy with VIDOC tool ;). It's exciting to think that you might have stumbled upon something important. However, that excitement can quickly turn into frustration when you're met with a 401 or 403 HTTP response code. Trust me, I've been there. But, over time, I've learned that there are ways to work around these error codes. I want to share some practical tips and techniques that I learned doing research, along with links to modules you can run in Vidoc Research to try to bypass 401 and 403.

Klaudia Kloc

FEB 6, 2023 | 7 MIN READ

How we made $120k bug bounty in a year with good automation

2022 was very busy for several reasons, today we want to present to you what we did and learned doing large-scale bug bounty hunting

Klaudia Kloc

NOV 3, 2022 | 3 MIN READ

Why good Recon is hard, and how we make it easy

What sucks the most about doing recon? It all started with that one tweet ;) Inspired by Greg's post we decided to write a summary of common problems with Recon and why Vidoc Research - our tool for security researchers - solves them all.

Klaudia Kloc

MAY 16, 2022 | 3 MIN READ

Hacking Swagger-UI - from XSS to account takeovers

We have reported more than 60 instances of this bug across a wide range of bug bounty programs including companies like Paypal, Atlassian, Microsoft, GitLab, Yahoo, ...

Dawid Moczadło