VIDOC
|11 MIN READ

Claude Mythos Is a Backlog Visibility Warning for Enterprise Security Teams

Vidoc's take on Claude Mythos: large software organizations already sit on more unknown issues than current AppSec workflows can realistically discover and validate.

Dawid Moczadło
Dawid Moczadło

At Vidoc, we think most enterprise security teams are already in the same basic position Anthropic is describing: they are sitting on more unknown security issues than their current process can realistically discover.

That is why the Mythos release matters. Anthropic says Claude Mythos Preview found a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg bug, and multiple Linux kernel exploit chains. If even part of that holds up, the useful lesson is not "Anthropic built a stronger model." It is that discovering and validating hidden issues may be getting cheaper.1

Our view is that the main AppSec bottleneck in large organizations is rarely alert generation. It is discovery breadth, validation cost, and exploitability-aware prioritization. The part worth paying attention to in Mythos is not just that the chart went up or that Anthropic launched Project Glasswing. It is what got cheaper: candidate discovery, validation, exploit refinement, exploit chaining, and turning N-days into something usable.2 1

From Vidoc's perspective, this is the more useful question for an enterprise security leader: if your company almost certainly has hundreds of unknown issues across legacy services, shared libraries, auth flows, and dusty corners of the codebase, how should your team adapt before attackers get there first?

This post uses Mythos as a signal, not a product review. The goal is to explain what Anthropic actually showed, what the benchmarks do and do not mean, and what a large software organization should do differently if unknown-issue discovery is getting cheaper for both defenders and attackers.

Three terms worth defining

  • Zero-day: a vulnerability that was not publicly known before it was discovered.
  • N-day: a vulnerability that is already known and usually patched, but many systems have not applied the fix yet.
  • Exploit chain: multiple weaknesses combined so that a limited primitive, like a read, write, or auth bypass, turns into meaningful compromise.

These distinctions matter because Mythos is not being framed as "a model that can sometimes notice bugs." Anthropic is framing it as a model that can help move work across the full path from candidate discovery to validation to exploit construction.1

What Anthropic showed, and why enterprises should care

Anthropic presented Claude Mythos Preview as a general-purpose model with unusually strong cybersecurity capabilities. Instead of making it broadly available, it created Project Glasswing, a limited-access initiative with major infrastructure and security partners including AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation.2

Anthropic says Mythos Preview has already found thousands of high-severity vulnerabilities, including vulnerabilities in every major operating system and every major web browser. It also says Project Glasswing will receive up to $100M in model usage credits, with an additional $4M in donations to open-source security organizations.2

In its technical writeup, Anthropic gives several concrete examples it can discuss publicly today:

  • a 27-year-old OpenBSD bug
  • a 16-year-old FFmpeg vulnerability
  • a 17-year-old FreeBSD remote code execution issue
  • multiple Linux kernel exploit chains built by combining several different weaknesses1

That is already enough to make this more than a benchmark story. Anthropic is describing a model that can inspect code, run the target, validate its hypotheses, produce proof-of-concept exploits, and sometimes keep iterating until separate bug primitives become something operationally useful.1

For an enterprise reader, the useful point is simple: large software organizations already have more unknown issues than their current AppSec workflows can surface. The main question is not whether Anthropic's examples are dramatic. It is whether the cost of surfacing your own hidden issues is starting to fall.

What these benchmarks do and do not show

The published benchmark deltas matter, but only if you read them correctly.

SWE-bench Pro and SWE-bench Verified are not "hacking benchmarks." They are better understood as tests of whether a model can read unfamiliar code, understand a real software task, make the right code changes, and finish with something that actually works. That is directly relevant to security because bug finding and bug fixing both depend on code comprehension.

Terminal-Bench 2.0 measures something different: long-horizon tool use. Can the model work in a shell, run programs, inspect outputs, recover from dead ends, and keep enough context to finish a multi-step task? That also matters for security because real exploit work is rarely one insight followed by instant success. It is usually debugging, instrumentation, retries, and adaptation.

CyberGym is the most cyber-specific benchmark Anthropic disclosed, and it is the closest thing in the release materials to direct evidence of vulnerability reproduction capability.2

Anthropic's published deltas were:

  • 83.1% on CyberGym versus 66.6% for Claude Opus 4.6
  • 77.8% on SWE-bench Pro versus 53.4%
  • 82.0% on Terminal-Bench 2.0 versus 65.4%
  • 93.9% on SWE-bench Verified versus 80.8%2

Claude Mythos Preview benchmark comparisonClaude Mythos Preview benchmark comparison Anthropic's published benchmark deltas show a meaningful jump over Claude Opus 4.6 on several agentic coding tasks.

These numbers do not prove that Mythos can independently compromise real systems at scale. Benchmarks never carry that much meaning on their own.

What they do show is that the model is better at three ingredients exploit development needs:

  • understanding messy, unfamiliar code
  • maintaining state across long tool-use sequences
  • iterating until a fragile workflow actually works

Taken together with the public case studies, that is why the benchmarks matter.

What got cheaper

The dangerous part of this release is not that AI has invented a new category of vulnerability.

The dangerous part is that several expensive parts of vulnerability work are getting cheaper at the same time.

Workflow stepWhy it used to be expensiveWhat stronger agents change
Candidate discoveryHumans had to choose where to look and what looked suspiciousAgents can rank files, fan out, and search many promising paths in parallel
Bug validationReproducing crashes and rejecting false leads took timeAgents can run the target, add logs, tweak inputs, and retry cheaply
Exploit refinementMany promising bugs died in the boring middleAgents can keep iterating through failed payloads and dead ends
Exploit chainingCombining read, write, auth, and info-leak primitives took patienceAgents can test more chain combinations than most humans can justify
N-day weaponizationPatch diffs were useful, but turning them into working exploits still cost effortAgents can treat the patch as a roadmap and compress the time to a usable exploit

Anthropic's own scaffold makes this point clearly. Their setup is not "give the model a magic hacking prompt and wait for genius." It is much more industrial than that: spin up an isolated container, point the model at the code and runtime, let it inspect files, run the program, validate hypotheses, add debug logic, and keep trying.1

This is also why real-world security evaluation matters more than benchmark theater. The bottleneck is rarely noticing a suspicious line in isolation. It is validating the bug, rejecting false leads, composing primitives, and operationalizing the result in messy code.

That is the key lesson.

What changed is not just model IQ. What changed is the cost of patience.

What Vidoc keeps seeing in large codebases

Most enterprise software organizations are.

They have large legacy codebases, internet-facing parsers nobody wants to touch, half-understood internal services, old auth paths, stale dependencies, admin tooling, and edge-case workflows that have survived mostly because nobody had enough time to inspect them deeply.

At Vidoc, this is the pattern we keep seeing: the most important issues are often not hiding in the obvious places that tools already flag. They accumulate in old auth logic, internal admin paths, shared services, file handling, third-party trust boundaries, and half-forgotten workflows that everyone knows are risky but nobody has enough time to revisit deeply.

The wrong takeaway from Mythos is "we need the same model."

The better takeaway is "we need a better funnel for unknown issues."

That usually means a few practical changes:

  1. Aim discovery where attacker leverage is highest. Start with the places where one overlooked issue can create broad impact: authentication and authorization flows, internet-facing parsers, browser-exposed logic, file handling, admin surfaces, shared services, endpoint agents, and old code that still sits on critical paths.

  2. Separate discovery from validation. Finding more suspicious candidates is useful only if your team can quickly reject false leads and escalate the real ones. Treat candidate generation, validation, exploitability review, and fix ownership as separate bottlenecks.

  3. Re-open old assumptions and old code. Revisit the issues previously labeled "hard to exploit," "low priority," or "not worth deeper investigation." Those labels were often partly judgments about labor cost, not just technical reality.

  4. Improve fix throughput, not just alert volume. If the cost of discovery falls, the constraint shifts downstream. Teams that only generate more findings without reducing validation time and fix latency will create a louder backlog, not a safer system.

  5. Measure the right things. The useful metrics are not just how many issues you found. Measure how long validation takes, how quickly high-risk findings get fixed, how often old critical surfaces are revisited, and how much analyst time is being wasted on noise.

Why security through friction gets weaker

Many defensive assumptions survive because exploitation is annoying, not because exploitation is impossible.

A lot of bugs live in a gray zone like this:

  • a human can see there might be something there
  • turning it into a usable exploit would take hours or days of low-glamour work
  • the target is not important enough to justify the effort
  • the bug goes into the mental bucket of "interesting, but probably not operational"

Strong agents chip away at that bucket.

Anthropic's public FreeBSD example is useful here. The interesting part is not just that Mythos found an old bug. The interesting part is the annoying middle it pushed through: recognizing missing stack protections on a particular codepath, deriving the host identifier from an unauthenticated call, building a ROP chain that appended an SSH key, and then splitting the chain across six RPC requests to fit a tight size budget.1

That is exactly the kind of work where many exploit ideas used to die.

The same logic applies to N-days. Once a patch lands, the diff often tells an attacker where the vulnerable logic lives. Historically, the remaining work still required time: understand the bug, recreate the state, build a harness, find a primitive, adapt it to real defenses. If agents get better at that annoying middle, the window between disclosure and weaponization shrinks.

This is why "security through friction" is getting weaker. The more a defense relies on slowing attackers down rather than blocking them outright, the less durable it becomes as iteration gets cheaper.

How to read Anthropic's claims responsibly

The right way to read the Mythos announcement is to separate evidence into three buckets.

Publicly shown today

  • Anthropic created a special release path through Project Glasswing rather than a normal public launch.2
  • Anthropic published named case studies, benchmark deltas, and a concrete description of the scaffold it used.2 1
  • Anthropic publicly describes Mythos as capable of moving beyond bug spotting into validation and exploit development in at least some cases.1

Strong claims that are still hard to verify independently

  • thousands of high- and critical-severity vulnerabilities
  • coverage across every major operating system and browser
  • many undisclosed exploit chains that cannot yet be inspected publicly1

Anthropic says over 99% of the vulnerabilities it found are not yet patched, which means the public can only inspect a small fraction of the full story right now.1

Claude Mythos sandbox escape excerptClaude Mythos sandbox escape excerpt Anthropic's own evaluation materials describe concerning behavior around attempted sandbox escape and concealment, which helps explain the limited release strategy.

Reasonable defensive assumptions even under uncertainty

  • exploit development is getting cheaper, even if full autonomy remains uneven
  • patch latency matters more than it used to
  • obscure code is less protected by obscurity than before
  • exploitability should be treated as a moving target, not a fixed property

You do not need to believe every undisclosed claim to learn from the release. The release strategy itself is already informative.

Four assumptions defenders should retire

1. "Obscure code paths are probably safe enough"

That assumption used to partly hold because nobody had time to read every weird parser, legacy codec, edge-case RPC handler, or dusty kernel subsystem. Models that can rank files, search broadly, and keep iterating make that comfort weaker.

2. "Hard-to-exploit bugs can wait"

A difficult bug is not a static category. It gets more dangerous as the cost of experimentation falls. If agents can cheaply retry exploit variants, some bugs move from "theoretical" to "practically useful" without the bug itself changing.

3. "Exploit chaining is specialist edge-case work"

Exploit chains used to require enough cross-domain patience that many organizations treated them as exceptional. That becomes riskier once tools get better at combining primitives across files, processes, and trust boundaries. Security review should care more about how bugs compose, not just whether each one looks severe in isolation.

4. "Mitigations that add hassle are good enough"

Controls that merely slow attackers down still matter, but their value erodes fastest. Hard barriers age better: strong isolation, least privilege, memory safety, strict auth boundaries, egress controls, safe defaults, and fast patching. If a control works mainly because exploit development is tedious, assume it will get weaker first.

What this confirms from our perspective

At Vidoc, the most important thing the Mythos release validates is a shift we have been writing about for a while: software security is moving away from simple pattern matching and toward systems that can reason about real code, verify behavior, and follow long workflows through to something operationally meaningful.

For enterprise clients, this usually shows up less as a "finding bugs" problem and more as a discovery-and-validation problem. The issue is rarely that your company has no vulnerabilities to find. The issue is that your current workflow cannot search broadly enough, validate cheaply enough, and prioritize sharply enough to surface the most important hidden issues before someone else does.

That is why Vidoc cares more about exploitability than raw bug counts, more about validation cost than screenshot-worthy benchmark wins, and more about trust boundaries and exploit chains than isolated findings. Security teams do not lose because a model scores well on a chart. They lose because attackers, or more capable internal search workflows, can cheaply find the right file, test the right hypothesis, reject false leads, and keep iterating until a weak primitive becomes a working attack path.

This is also why the gap between "code understanding" and "security impact" is shrinking. Once a model can read unfamiliar code, use tools over long horizons, and validate its own progress, it starts becoming useful for exactly the kind of security work that traditional automation struggled with.

The real Mythos takeaway

Claude Mythos Preview may or may not turn out to be exactly as consequential as Anthropic claims.

But that is not the only question that matters.

The bigger takeaway is that Anthropic treated exploit workflows, not just coding quality, as a deployment problem. That is why Project Glasswing matters more than the chart.

The useful lesson for enterprise defenders is simple: AI is not only getting better at spotting bugs. It is getting better at the patient, repetitive, tool-heavy middle that turns unknown issues into validated findings and, eventually, incidents.

Vidoc reads that as a backlog visibility warning for large software organizations. You almost certainly have more important hidden issues than your current program can see. The better response is not panic or Anthropic-watching. It is better discovery, faster validation, sharper prioritization, and less trust in defenses that survive mainly because exploit work is tedious.

Footnotes

  1. Anthropic Frontier Red Team, Assessing Claude Mythos Preview's cybersecurity capabilities. 2 3 4 5 6 7 8 9 10 11

  2. Anthropic, Project Glasswing: Securing critical software for the AI era. 2 3 4 5 6 7

Share:

Ready to secure your application?

Vidoc finds and fixes vulnerabilities in real-time.
Ship secure applications faster.

Try VIDOC

More articles

Explore insights, trends, and tips to stay ahead in cybersecurity.

April 2, 2026 (6d ago)

We Analyzed the Leaked Claude Code Source: Here's What Anthropic Secured (and What They Didn't)

Anthropic accidentally leaked Claude Code's source. We read it so you don't have to: strong controls around the agent itself, but the software it writes is mostly left to the model's judgment. Full breakdown.

October 24, 2025 (5mo ago)

How we helped make Lovable more secure

A technical deep-dive into exploiting Firebase Auth emulator configuration via cookie injection, mixed-content bypasses, and subdomain trust boundaries - and how VIDOC helped Lovable secure their platform.

October 22, 2025 (5mo ago)

Detecting complex vulnerabilities in real-world code: LLM benchmark for enhanced software security

Traditional SAST tools often miss complex business logic flaws, but can LLMs fill the gap? Research publication by Klaudia Kloc and Dawid Moczadło introduces a real-world benchmark to evaluate AI effectiveness in identifying vulnerabilities that standard tools overlook.