As we wrote in the Project Glasswing announcement, we do not plan to make Mythos Preview generally available. But there is still a lot that defenders without access to this model can do today.
Use generally-available frontier models to strengthen defenses now. Current frontier models, like Claude Opus 4.6 (and those of other companies), remain extremely competent at finding vulnerabilities, even if they are much less effective at creating exploits. With Opus 4.6, we found high- and critical-severity vulnerabilities almost everywhere we looked: in OSS-Fuzz, in webapps, in crypto libraries, and even in the Linux kernel. Mythos Preview finds more, higher-severity bugs, but companies and software projects that have not yet adopted language-model-driven bug-finding tools could likely find many hundreds of vulnerabilities simply by running current frontier models.
[...]
Shorten patch cycles. The N-day exploits we walked through above were written fully autonomously, starting from just a CVE identifier and a git commit hash. The entire process of turning these public identifiers into functional exploits—which has historically taken a skilled researcher days to weeks per bug—now happens much faster, more cheaply, and without human intervention.
This means that software users and administrators will need to drive down the time-to-deploy for security updates, including by tightening the patching enforcement window, enabling auto-update wherever possible, and treating dependency bumps that carry CVE fixes as urgent, rather than routine maintenance.
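As a concrete illustration of treating CVE-carrying dependency bumps as urgent, here is a minimal, self-contained sketch that flags pinned packages sitting below an advisory's fixed-in version. The advisory data and package names are made up; a real deployment would pull from a feed such as OSV or `pip-audit` output, and would need a proper version parser for non-numeric version schemes.

```python
# Flag pinned dependencies that fall below the fixed-in version of a
# known advisory, so the corresponding bumps can be triaged as urgent
# rather than routine. Advisory data below is illustrative only.

def parse_version(v: str) -> tuple[int, ...]:
    """Convert '1.26.4' into a comparable tuple (1, 26, 4).
    Simplification: assumes purely numeric dotted versions."""
    return tuple(int(part) for part in v.split("."))

# Hypothetical advisory feed: package -> version that fixes the CVE.
ADVISORIES = {
    "examplelib": "2.31.0",
}

def urgent_bumps(pins: dict[str, str]) -> list[str]:
    """Return packages pinned below a fixed-in version."""
    flagged = []
    for pkg, pinned in pins.items():
        fixed_in = ADVISORIES.get(pkg)
        if fixed_in and parse_version(pinned) < parse_version(fixed_in):
            flagged.append(f"{pkg}: {pinned} -> {fixed_in} (CVE fix, treat as urgent)")
    return flagged

print(urgent_bumps({"examplelib": "2.28.1", "otherlib": "1.0.0"}))
# -> ['examplelib: 2.28.1 -> 2.31.0 (CVE fix, treat as urgent)']
```

Wiring a check like this into CI is one way to make "urgent, rather than routine" enforceable rather than aspirational.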
[...]
Ultimately, things are about to get very difficult for the security community. After navigating the transition to the Internet in the early 2000s, we have spent the last twenty years in a relatively stable security equilibrium. New attacks have emerged, with ever more sophisticated techniques, but fundamentally, the attacks we see today have the same shape as the attacks of 2006.
But language models that can automatically identify and then exploit security vulnerabilities at large scale could upend this tenuous equilibrium. The vulnerabilities that Mythos Preview finds and then exploits are the kind of findings that were previously only achievable by expert professionals.
[...]
We see no reason to think that Mythos Preview is where language models’ cybersecurity capabilities will plateau. The trajectory is clear. Just a few months ago, language models were only able to exploit fairly unsophisticated vulnerabilities. Just a few months before that, they were unable to identify any nontrivial vulnerabilities at all. Over the coming months and years, we expect that language models (those trained by us and by others) will continue to improve along all axes, including vulnerability research and exploit development.
In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened—in large part by code written by these models. But the transitional period will be fraught. We therefore need to begin taking action now.
This video by an anthropic employee working on security gives a bit of insight into what is going on security-wise. It sounds mostly like a plea for everyone to pitch in to secure what we can and hope that these tools will ultimately benefit the defense. Bad actors will be using the increasing capabilities of LLMs to find and execute exploits. This can basically be set up to run autonomously at this point.
Yeah I would hate to run an online service right now. You’ll be the recipient of more non-consensual pen-tests than ever before. And there will also be a preponderance of vibe-coded applications that aren’t properly vetted and built by developers who aren’t paying close attention to the security implications of what’s being introduced. These will increasingly be incorporated into production code bases for real companies hosting real (and important) PII. It’s gonna be bad!
I don't mean this in a mean way, but in what sense is it "all marketing?" We all know that anthropic is presenting themselves in the best possible light here. That's understood. But they're providing evidence of the bugs that Claude is finding and fixing.
From the article:
[...]
[...]
[...]