Claude Mythos Preview Uncovers Vulnerabilities in OpenBSD and Other Systems
Anthropic has launched Project Glasswing — a program for scanning critical infrastructure using the non-public Claude Mythos Preview model. In just weeks of operation, the AI discovered thousands of unknown vulnerabilities in major OSes and browsers. Partners include AWS, Apple, Google, Microsoft, NVIDIA, and more than 40 organizations that gained access to audit their systems.
The model is not being released publicly due to its advanced cyber capabilities. On benchmarks, Mythos Preview outperforms Opus 4.6:
- SWE-bench Verified: 93.9% vs. 80.8%;
- Terminal-Bench 2.0: 82% vs. 65.4%;
- CyberGym: 83.1% vs. 66.6%.
Anthropic plans to refine safety mechanisms in Opus before releasing Mythos-class models.
27-Year-Old Vulnerability in OpenBSD
In OpenBSD, renowned for its strict security, the model autonomously found a bug that allowed remotely crashing a machine with a simple connection. The vulnerability had existed for 27 years and was patched after discovery.
This demonstrates the effectiveness of AI in analyzing legacy code without human hints. OpenBSD is the gold standard for minimalism and auditing, where such flaws are rare.
Bugs in FFmpeg and Linux Kernel
In FFmpeg, Mythos Preview uncovered a 16-year-old defect in a single line of code that evaded 5 million automated tests. The bug could cause crashes during media processing.
In the Linux kernel, the AI independently pieced together a vulnerability chain granting a regular user root access. All findings have been patched.
Such chains require deep understanding of component interactions — a task where AI surpasses manual auditing.
Funding and Model Access
Anthropic is allocating $100 million in credits to participants and $4 million for open source security:
- $2.5 million — Alpha-Omega and OpenSSF via Linux Foundation;
- $1.5 million — Apache Software Foundation.
After the preview, Mythos Preview will be available to partners at $25 per million input tokens and $125 per million output tokens via Claude API, Amazon Bedrock, Google Vertex AI, and Microsoft Foundry.
The project is named after the Greta oto butterfly with transparent wings — a metaphor for hidden vulnerabilities and the need for transparency.
Key Takeaways
- Mythos Preview autonomously finds legacy vulnerabilities in OpenBSD (27 years), FFmpeg (16 years), and Linux kernel.
- Benchmarks: leadership in SWE-bench (93.9%), Terminal-Bench (82%), CyberGym (83.1%).
- $104 million in investments for infrastructure and open source security.
- Model integrates into API platforms from AWS, Google, and Microsoft for enterprise auditing.
- Results report in 90 days.
Prospects for Developers
For mid-level and senior specialists, this is a signal to integrate AI into CI/CD for security scanning. The model excels at:
- Autonomous fuzzing of legacy code;
- Assembling exploit chains;
- Bypassing existing test scenarios.
Project Glasswing focuses on infrastructure where manual auditing can't keep up with the codebase. The expected report will reveal best practices for the industry.
— Editorial Team
No comments yet.