As we wrote in the Project Glasswing announcement, we do not plan to make Mythos Preview generally available. But there is still a lot that defenders without access to this model can do today.
Use generally-available frontier models to strengthen defenses now. Current frontier models, like Claude Opus 4.6 (and those of other companies), remain extremely competent at finding vulnerabilities, even if they are much less effective at creating exploits. With Opus 4.6, we found high- and critical-severity vulnerabilities almost everywhere we looked: in OSS-Fuzz, in webapps, in crypto libraries, and even in the Linux kernel. Mythos Preview finds more, higher-severity bugs, but companies and software projects that have not yet adopted language-model driven bugfinding tools could likely find many hundreds of vulnerabilities simply by running current frontier models.
[...]
Shorten patch cycles. The N-day exploits we walked through above were written fully autonomously, starting from just a CVE identifier and a git commit hash. The entire process from turning these public identifiers into functional exploits—which has historically taken a skilled researcher days to weeks per bug—now happens much faster, cheaper, and without intervention.
This means that software users and administrators will need to drive down the time-to-deploy for security updates, including by tightening the patching enforcement window, enabling auto-update wherever possible, and treating dependency bumps that carry CVE fixes as urgent, rather than routine maintenance.
[...]
Ultimately, it’s about to become very difficult for the security community. After navigating the transition to the Internet in the early 2000s, we have spent the last twenty years in a relatively stable security equilibrium. New attacks have emerged with new and more sophisticated techniques, but fundamentally, the attacks we see today are of the same shape as the attacks of 2006.
But language models that can automatically identify and then exploit security vulnerabilities at large scale could upend this tenuous equilibrium. The vulnerabilities that Mythos Preview finds and then exploits are the kind of findings that were previously only achievable by expert professionals.
[...]
We see no reason to think that Mythos Preview is where language models’ cybersecurity capabilities will plateau. The trajectory is clear. Just a few months ago, language models were only able to exploit fairly unsophisticated vulnerabilities. Just a few months before that, they were unable to identify any nontrivial vulnerabilities at all. Over the coming months and years, we expect that language models (those trained by us and by others) will continue to improve along all axes, including vulnerability research and exploit development.
In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened—in large part by code written by these models. But the transitional period will be fraught. We therefore need to begin taking action now.
From the article:
[...]
[...]
[...]