Anthropic’s new AI model finds and exploits zero-days across every major OS and browser

Automated vulnerability discovery tools have existed for decades, and the gap between finding a bug and building a working exploit has always slowed attackers. That gap is now substantially narrower. Anthropic’s Claude Mythos Preview, a new general-purpose language model being made available only to a limited group of critical industry partners and open source developers, can autonomously identify zero-day vulnerabilities and then construct working exploits across every major operating system and major web browser.


Anthropic’s security research team published a technical assessment of Mythos Preview’s capabilities on April 7, documenting findings from roughly a month of internal testing. The results mark a significant departure from what prior model generations could do.

From near-zero to working exploits at scale

The performance gap between Mythos Preview and its predecessor, Opus 4.6, is quantified in concrete benchmark terms. When researchers ran both models against the same Firefox 147 JavaScript engine vulnerabilities, Opus 4.6 produced working shell exploits on two occasions out of several hundred attempts. Mythos Preview succeeded 181 times in the same test, with a further 29 runs achieving register control (control of a CPU register such as the instruction pointer, one step short of a working shell).

On an internal benchmark running models against roughly 7,000 entry points across open source repositories from the OSS-Fuzz corpus, Sonnet 4.6 and Opus 4.6 each reached tier 5 (defined as complete control flow hijack) exactly once. Mythos Preview achieved tier 5 on ten separate, fully patched targets.

“We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them,” Anthropic researchers noted.

Zero-days across the software ecosystem

The research team used a straightforward agentic scaffold: launch an isolated container running a target codebase, invoke the model with a prompt asking it to find a security vulnerability, and allow it to work autonomously. The model reads source code, forms hypotheses, runs the software, uses debuggers as needed, and produces a bug report with a proof-of-concept.

Using this method, the team has identified thousands of what they assess as high- and critical-severity vulnerabilities. Of 198 findings manually reviewed by professional security contractors, 89 percent received the same severity rating from the contractors as the model had assigned. In 98 percent of cases, assessments were within one severity level.

Three specific findings illustrate the scope. Mythos Preview identified a 27-year-old denial-of-service vulnerability in OpenBSD’s TCP SACK implementation, an integer overflow condition that allows a remote attacker to crash any OpenBSD host responding over TCP. The model found it across roughly 1,000 scaffold runs at a total cost under $20,000. A 16-year-old vulnerability in FFmpeg’s H.264 codec was also discovered, introduced in a 2003 commit and exposed by a 2010 refactor, overlooked since by every fuzzer and human reviewer who had examined the code. In FreeBSD, Mythos Preview autonomously identified and fully exploited a 17-year-old remote code execution flaw (CVE-2026-4747) in the NFS server, granting unauthenticated root access, without any human involvement after the initial prompt.

Beyond memory corruption bugs, the model has identified authentication bypasses in web applications, weaknesses in widely used cryptography libraries covering TLS, AES-GCM, and SSH, and a guest-to-host memory corruption vulnerability in a production virtual machine monitor. Mythos Preview also exploited vulnerabilities in every major web browser, chaining multiple flaws to produce JIT heap spray exploits that bypass renderer and OS sandboxes.

N-days become exploits faster

The team demonstrated Mythos Preview’s N-day exploitation capability using a set of 100 Linux kernel CVEs from 2024 and 2025. The model filtered them to 40 potentially exploitable candidates and successfully built privilege escalation exploits for more than half. Two detailed walkthroughs published in the assessment describe exploit chains involving KASLR bypasses, cross-cache heap reclamation, and credential structure overwrites to achieve root. One of these exploit chains, starting from a CVE identifier and a git commit hash, completed in under a day at a cost under $2,000.

Historically, converting a known vulnerability into a working exploit has taken skilled researchers days to weeks. That timeline has compressed substantially.

What defenders can do now

Anthropic is not releasing Mythos Preview to the general public. The company launched Project Glasswing alongside the model, an effort to direct Mythos Preview’s capabilities toward securing critical software by working with a selected group of partners and open source developers before models with comparable capabilities become broadly available.

The team outlines several near-term defensive recommendations. Organizations that have not yet integrated language models into their vulnerability management workflows should start with currently available frontier models, which the team says are still capable of finding high- and critical-severity bugs across OSS-Fuzz targets, web applications, cryptography libraries, and the Linux kernel.

Defenders should also shorten patch cycles, enable auto-updates where possible, treat CVE-tagged dependency updates as urgent, and revisit vulnerability disclosure policies to account for the volume and speed at which model-assisted discovery is now possible. The team also recommends investing in automated incident response pipelines, since more vulnerability disclosures will produce more exploitation attempts in the window before patches are applied.
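As an added illustration of the "treat CVE-tagged dependency updates as urgent" recommendation (example code written for this page, not Anthropic's scaffold or any scanner's own output format): a small Python triage routine that takes a vulnerability-scanner report, assigns a patch deadline by severity, and pulls any CVE-tagged finding with an available fix forward to a short deadline regardless of its nominal severity. The report shape, the SLA thresholds, the package names and advisory IDs, and the "today" date are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed patch SLAs in days by severity; tune these to your own policy.
SLA_DAYS = {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 14, "LOW": 30}
# Assumption: any CVE-tagged finding that already has a fix is due within 3 days,
# even if its severity alone would allow a longer window.
URGENT_CAP_DAYS = 3

# Constructed sample report (placeholder packages and advisory IDs, not real data),
# in the rough shape most dependency scanners emit: package, installed version,
# fixed version if one exists, advisory identifiers, and a severity label.
SAMPLE_REPORT = [
    {"package": "libfoo", "installed": "1.2.0", "fixed": "1.2.1",
     "ids": ["CVE-2099-0001", "GHSA-aaaa-bbbb-cccc"], "severity": "CRITICAL"},
    {"package": "libbar", "installed": "3.4.0", "fixed": None,
     "ids": ["CVE-2099-0002"], "severity": "HIGH"},
    {"package": "libbaz", "installed": "0.9.0", "fixed": "0.9.1",
     "ids": ["CVE-2099-0003"], "severity": "MEDIUM"},
    {"package": "libqux", "installed": "2.0.0", "fixed": "2.0.1",
     "ids": ["GHSA-dddd-eeee-ffff"], "severity": "LOW"},
]


@dataclass
class Action:
    package: str
    action: str             # "upgrade" when a fixed version exists, else "mitigate"
    target: Optional[str]   # fixed version to move to, if any
    urgent: bool
    due: date
    ids: List[str]


def is_cve_tagged(ids: List[str]) -> bool:
    """True if any advisory identifier is a CVE ID (as opposed to GHSA, PYSEC, etc.)."""
    return any(CVE_RE.match(i) for i in ids)


def triage(report: list, today: date) -> List[Action]:
    """Turn scanner findings into dated actions, earliest deadline first."""
    actions = []
    for f in report:
        sev = f["severity"].upper()
        days = SLA_DAYS.get(sev, SLA_DAYS["LOW"])
        fixable = f.get("fixed") is not None
        # The page's recommendation: a CVE-tagged update is urgent. Without a fix
        # there is nothing to update yet, so that case becomes a tracked mitigation.
        urgent = is_cve_tagged(f["ids"]) and fixable
        if urgent:
            days = min(days, URGENT_CAP_DAYS)
        actions.append(Action(
            package=f["package"],
            action="upgrade" if fixable else "mitigate",
            target=f.get("fixed"),
            urgent=urgent,
            due=today + timedelta(days=days),
            ids=list(f["ids"]),
        ))
    # Sort by deadline; among equal deadlines, urgent upgrades first.
    actions.sort(key=lambda a: (a.due, not a.urgent, a.package))
    return actions


def triage_sample() -> List[Action]:
    """Run the triage over the constructed report with an assumed 'today'."""
    return triage(SAMPLE_REPORT, date(2026, 4, 8))


def render(actions: List[Action]) -> List[str]:
    """One human-readable line per action, in deadline order."""
    lines = []
    for a in actions:
        flag = "URGENT " if a.urgent else ""
        what = f"upgrade to {a.target}" if a.action == "upgrade" else "mitigate (no fix yet)"
        lines.append(f"{a.due.isoformat()} {flag}{a.package}: {what} [{', '.join(a.ids)}]")
    return lines


if __name__ == "__main__":
    for line in render(triage_sample()):
        print(line)
```

The point of the cap is visible in the sample: the MEDIUM-severity finding carries a CVE and has a fix, so it lands on the same three-day deadline as the HIGH one rather than a two-week window, while the advisory with no CVE and no elevated severity keeps its normal cycle.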
