Anthropic says Mythos can turn software patches into exploits in minutes

Axios Axios

Anthropic's Mythos Preview can now turn newly disclosed software vulnerabilities into working exploits in hours instead of weeks, according to https://red.anthropic.com/2026/n-days/" target="_blank">new Anthropic research shared first with Axios.

Why it matters: AI's ability to https://www.axios.com/2026/04/07/anthropic-mythos-preview-cybersecurity-risks" target="_blank">find new bugs has been getting most of the attention.

But Anthropic's findings suggest advanced models may be just as effective at rapidly weaponizing flaws that defenders already know about.

  • That could dramatically shrink the "patch gap" between a vulnerability's disclosure and widespread patching.

Driving the news: Anthropic's frontier red team tested Mythos against vulnerabilities in https://www.axios.com/2026/03/06/anthropic-mozilla-claude-opus-bug-hunting" target="_blank">Mozilla Firefox and the Microsoft Windows kernel that were disclosed in January and February.

  • Researchers evaluated bugs disclosed after the models' knowledge cutoff dates to measure how quickly AI could turn public patches into working exploits.

Threat level: Within 31 minutes, Mythos generated its first proof-of-concept exploit for a Windows kernel vulnerability.

  • In 18 out of the 21 kernel bugs tested, Mythos was able to cause a "blue screen of death." Mythos also created 8 distinct exploits, with the longest exploit taking about 5.7 hours to create.
  • On Firefox, Mythos also had success: Across 18 security patches, Mythos built 8 working code-execution exploits.

The big picture: Most cyberattacks target known vulnerabilities that companies haven't patched yet.

  • Patching a system isn't always as easy as downloading a software update: IT and security teams often need to test patches to avoid system crashes, and many fixes require downtime.

Between the lines: It's not just Mythos that poses this problem.

Some open-source models are https://www.theregister.com/security/2026/04/24/open-source-models-can-find-bugs-as-well-as-mythos/5224166" target="_blank">already finding bugs at a similar level as Mythos and OpenAI's competitor, GPT-5.5-Cyber.

  • Anthropic estimates Mythos generated its Windows privilege-escalation exploits for about $15,700 in API credits — roughly $2,000 per exploit.

What to watch: The Trump administration is beginning to implement a new https://www.axios.com/2026/06/02/trump-signs-new-ai-executive-order" target="_blank">AI security executive order aimed at assessing the national security risks posed by increasingly capable AI models.

Go deeper: https://www.axios.com/2026/06/02/cisco-revamps-vulnerability-disclosures-for-the-ai-era" target="_blank">Cisco revamps vulnerability disclosures for the AI era

Read full article at Axios →