Hello! Firstly, I just want to apologise for the radio silence on here recently. Running a fast-moving startup is, as expected, a lot of work! We’re heads down prepping for an upcoming launch and as such time has been a precious commodity.

I felt my pull to come back to the newsletter having seen all the stories around Claude Mythos, and I felt that everyone was saying the same thing and no one was saying what it really meant, so that’s what today is all about. Not ‘here is what Claude Mythos can do’ but ‘why does this matter’.

To get to that though, let’s do a TL;DR in case you’ve been living under a rock

What is Claude Mythos?

TL;DR Anthropic released Claude Mythos Preview on 7 April 2026, a frontier model that can autonomously discover and exploit zero-day vulnerabilities ‘across every major operating system and browser’. They’ve explicitly refused to make it generally available, instead restricting access to around 50 organisations through a new initiative called Project Glasswing. Most people can’t use it and won’t be able to for the foreseeable future so much of what people are discussing is just speculation. For the purpose of this newsletter we’ll take everything at face value.

The model found thousands of previously unknown vulnerabilities, including a 27-year-old denial-of-service bug in OpenBSD’s TCP SACK implementation, a 16-year-old flaw in FFmpeg’s H.264 codec, and CVE-2026-4747, a 17-year-old remote code execution vulnerability in FreeBSD’s NFS implementation that gives an attacker complete control over the server from an unauthenticated position. The reason that this is getting so much hype is that some of these bugs have been sitting there since before I started my career.

In response to all of this, Anthropic launched Project Glasswing, giving restricted access to 12 launch partners including AWS, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks, plus over 40 additional organisations. They’re backing it with $100M in usage credits and $4M in donations to open-source security organisations. The goal is to get the defensive benefit out before the offensive capability runs away.

Why This Was Always Coming

So why is an AI model so good at finding vulnerabilities? When you step back and think about it, this shouldn’t be surprising. Vulnerability research, at its core, is about understanding code, theorising about edge cases, fuzzing inputs, and recognising patterns across large codebases. Every single one of those tasks is something AI is demonstrably good at. It’s not like asking a model to make a business judgement call or write something genuinely creative - it’s systematic analysis of software, which is exactly what these models excel at, as had been proven way before Claude Mythos.

I’ve said before that many areas of security (vulnerability research being one) are not going to be safe from AI for long. But I’ll admit I didn’t expect the impact to feel this immediate or damning. It’s one thing to predict it, another to see a model uncover bugs that human researchers missed for 27 years at a cost of $50 in compute. The full OpenBSD analysis cost under $20,000 for 1,000 scaffold runs. Individual exploits ranged from $50 to $2,000 each. Compare that to what a senior vulnerability researcher costs per day, and you start to see why this is such a significant shift.

The important caveat here - and I’ll come back to this - is that a lot of these results were achieved with full source code access. That’s a privileged position to be in and does not affect a huge amount of current software.

The Good News - Raising the Baseline

Let’s talk about what this means for defence first, because there genuinely is a positive story here.

In theory, tools like Mythos raise the generic baseline for security across the board. If every organisation that builds software can run AI-assisted vulnerability scanning against their entire codebase, continuously, as part of their development pipeline, then the average security posture improves dramatically (at least in theory).

We’re already doing this here at Secure Agentics. We’ve got tools running regularly on our entire codebase - automated full end-to-end testing of the environment every couple of days. That’s something that historically wasn’t possible, certainly not at the frequency and depth we’re achieving now. And critically this has become part of the build process, not a final check or annual test post-deployment. When you treat automated vulnerability discovery as a development capability rather than an external audit, you start to get to meaningful ‘shift left’ and the power of things like Mythos are best harnessed.

Project Glasswing’s approach of giving access to major vendors first makes sense too, and I’m glad that it was done this way…even if it does feel a bit like a marketing ploy. If you can get the big platforms patched before Mythos-class capabilities become widely available then you should have closed off a big part of the risk. This is making one huge and almost always untrue assumption, which we’ll cover next. Long-term, this should benefit defenders more than attackers.

The Reality Check

That’s the optimistic take on everything. Here’s where my experience as a pentester makes me considerably less optimistic.

I have previously spent several years going back to the same organisations, year after year, finding the same bugs I’d raised the previous year. Unfixed. Sometimes it was triage priorities, sometimes budget constraints, sometimes it was the way internal security teams were structured, and sometimes just laziness. The existing problem for most organisations was already an overwhelming volume of things to fix. Now imagine that volume multiplied by ten…

That’s where I see this causing mayhem - the same team, the same budget, the same headcount, the same tooling, but now with far more findings to deal with. There is also the fact that most automated tools (speaking from experience) raise things as the worst-case scenario / ‘omg fix this now’. When everything is flagged as critical, nothing gets prioritised effectively, which will lead to those organisations being paralysed by the volume of new things to fix.

And then there’s the offensive side. We’ve already covered in this newsletter how threat actors have been using AI tools effectively. Back in Update #29, I wrote about the Chinese state-sponsored campaign that used Claude Code for espionage, with AI executing 80-90% of operations independently against roughly 30 targets. In Update #30, we covered the broader weaponisation of the distributed AI ecosystem.

Since then, we’ve seen the Mexican government breach where a single actor used Claude Code and GPT-4.1 to breach nine government agencies, exfiltrating hundreds of millions of citizen records. Here, Claude Code was reported as driving 75% of the operation which proves that the attackers are already weaponising AI with devastating effect, even before Mythos.

This was with publicly available tools, and Mythos is, supposedly, a massive leap beyond that. Anthropic was right not to release it publicly, but let’s be honest: determined state actors will either get access to it, build something comparable, or maybe Anthropic will accidentally release the source code for Mythos too…

What People Are Overlooking

There’s one important nuance that I think a lot of the coverage is missing: source code access.

The majority of Mythos’ most impressive results were achieved with full access to the source code. Open-source projects - OpenBSD, FFmpeg, the Linux kernel, Firefox - are exactly where this approach works best, because the entire codebase is there to analyse. For commercial, closed-source products, the situation is very different. An attacker would still need to go through the existing channels: web UIs, API endpoints, compiled binaries. That’s considerably less information (and therefore opportunity) than having the full source repository in front of you.

I’d also argue that you don’t need Mythos to do a lot of this. Claude Code, which is publicly available right now, can already be used surprisingly effectively for vulnerability research, particularly when you’ve got source access. Mythos is a step up - the Firefox comparison makes that clear - but the gap between “publicly available tools” and “restricted frontier model” may not be as wide as the marketing suggests. We’ll know more once people actually get hands-on with Mythos at scale, but until then, there’s a lot that can already be done with what’s out there as proven time and time again.

Where This Leaves Us

The security paradigm is changing faster than I think most of the industry is prepared for. We’ve now got AI systems that can do full penetration tests, web application research, elements of red teaming operations, and deep vulnerability research when given source code access. I don’t remember any of this being genuinely effective this time last year!

Whether this ends up being a force for good or for bad depends entirely on how the industry responds. For organisations already integrating AI-assisted security into their development process this is a massive force multiplier. The security posture of your products gets materially better.

For everyone else, the honest assessment is that this makes an already difficult situation worse. The volume of vulnerabilities being discovered is going to increase dramatically, and the existing model of annual pentests, quarterly vulnerability scans, and security teams stretched thin across too many priorities can’t absorb that. Something has to change, and it is likely those same tools being repurposed for patching just as effectively as they are finding.

Either way, this appears to be another significant step in what AI can do, both defensively and offensively. What is next on the AI kill list? Full covert multi-phase red teaming across a mature organisations entire tech stack? How long before that is possible is a big question in my mind, but its feeling closer and closer every week.

Thanks for reading, and as always, let me know your thoughts.