Mythos Preview can weaponize N-day vulnerabilities in hours

Mythos Preview can develop working exploits from newly disclosed software vulnerabilities in hours, cutting down a process that has historically taken days or weeks, according to Anthropic.

Anthropic’s recent cybersecurity research has largely focused on zero-days, vulnerabilities unknown to software vendors. The new study examines N-days, vulnerabilities that have already been disclosed and patched but remain present on unpatched systems.

“In some ways, N-days are the more dangerous of the two, because the patch itself provides a roadmap to the bug,” Anthropic researchers wrote.

Once vendors release security updates, attackers can compare patched and unpatched versions of software to identify what changed and reverse-engineer the underlying vulnerability, a technique known as patch diffing.

“It’s not surprising that today’s language models can produce N-day exploits. Given enough time and a good enough harness, this has likely been possible for a while,” the researchers noted.

“But with models like Mythos Preview, what has changed is the volume of findings and the speed with which they can be produced. A lone operator can now turn a month’s worth of patches into working exploits in a single afternoon—for a few thousand dollars and with no specialized expertise,” they added.

The study included two evaluations to measure how well AI models could turn recently patched vulnerabilities into working exploits. The first focused on Firefox, where researchers analyzed 18 security patches affecting SpiderMonkey, Firefox’s JavaScript engine. Firefox was chosen because it represents a relatively favorable environment for defenders, Anthropic said.

Mythos Preview autonomously developed eight working code-execution exploits from the 18 Firefox patches. The model produced its first exploit within an hour of the patch becoming available. The researchers noted that the Firefox release containing the fix was still 18 days away, highlighting the gap between exploit development and patch deployment.

The second evaluation examined 21 Windows kernel vulnerabilities disclosed between January and February 2026. Unlike Firefox, the Windows tests involved closed-source software, requiring the model to work from patched binaries, decompiler output and public vulnerability information. Researchers described this as a substantially harder task because source code was unavailable.

In testing against 21 Windows kernel vulnerabilities, Mythos Preview developed proof-of-concept (PoC) exploits for 18 vulnerabilities, triggering a Blue Screen of Death in each case. The model later generated eight exploit chains that elevated a low-privileged user to SYSTEM-level access. It produced its first proof-of-concept in 31 minutes and generated all 18 within six hours.

Anthropic estimates that Mythos generated its eight Windows privilege-escalation exploits for about $15,700 in API credits, or roughly $2,000 per exploit.

Anthropic also found that several publicly available Claude models were capable of developing exploits in testing, although they achieved lower success rates than Mythos Preview.

The findings come as Anthropic plans to make Mythos-class models available to all customers once additional cyber safeguards are in place.

The researchers argued that exploit-development timelines have shortened to the point where the term “N-day” may no longer accurately reflect the threat. “N-day has become dangerously misleading. N-hour is closer to the reality we now operate in,” the researchers concluded.