
Claude Mythos: Can AI Find Zero-Day Vulnerabilities?

By Ahmet Kaan Celenk · 13 min read
Tags: Claude, AI Security, Anthropic, Cybersecurity, Zero-Day

In 1999, when the internet was still in its infancy, a small flaw quietly slipped into the code of an obscure operating system called OpenBSD. For the next 27 years, the world's best security researchers reviewed that code over and over. Automated scanning tools checked it millions of times. None of them found the flaw. Then, in early 2026, an AI company called Anthropic told its newly built model: "Look at this code." A few hours later, the 27-year-old bug had been uncovered.

It wasn't just OpenBSD. The same AI found thousands of security vulnerabilities in Firefox, in the FFmpeg video library, in FreeBSD — in essentially every major piece of software the world uses every day. And it did most of it in minutes, at costs measured in cents rather than dollars. Anthropic introduced this model, called Claude Mythos Preview, to the public on April 7, 2026 — but decided not to release it widely. Because it was too powerful.

In this article, we explain what Mythos is, why it caused such a stir, how it affects ordinary users and businesses, and what you can do to stay safe in this new era. If you're curious about the technical background, you can also explore how Anthropic's developer tools work in our Claude Skills guide.

What Is a "Zero-Day Vulnerability," Really?

Let's clarify a basic concept first, because the whole story rests on it.

Think of a piece of software like a house in your neighborhood. Inside are valuable things: your photos, your passwords, your bank details, your private messages. The architect who built the house installed locks on the doors, glass in the windows, walls around the perimeter. But no house is perfect. Somewhere, a window latch is loose, a lock is missing, a wall is too low. These flaws aren't a big problem unless someone notices them. The problem starts when a thief spots the flaw and figures out how to use it to get in.

In software, those flaws are called vulnerabilities. The technique a thief uses to exploit one is called an exploit. If a flaw has never been discovered before — meaning even the homeowner doesn't know about it — it's called a zero-day vulnerability. The name comes from this: the homeowner has had zero days to learn about it and patch it. The thief already knows the way in.

Now imagine that a thief had an assistant that could examine every house in your neighborhood at the same time, find each one's flaws within hours, and teach the thief exactly how to exploit them. What Anthropic built is the digital equivalent of that.

What Did Mythos Actually Do?

During development, Anthropic gave the model the code name "Capybara" — a reference to the cute, oversized rodents from South America. The name changed, but not the capability.

Over a few weeks, Anthropic's researchers turned Mythos loose on the world's most widely used software. Here's what they got:

  • Thousands of vulnerabilities were discovered
  • They were in every major operating system (Linux, OpenBSD, FreeBSD, Windows, macOS)
  • They were in every major web browser (Firefox, Chrome, Safari)
  • The oldest flaw was 27 years old — in one of OpenBSD's most security-critical components
  • Another bug had been hiding for 16 years inside FFmpeg, a library used by nearly every video player on the internet
  • Yet another had lurked for 17 years inside FreeBSD — a system that runs significant portions of internet infrastructure

IMPORTANT

These aren't fringe consumer programs. These systems run banking infrastructure, government servers, encrypted email services, internet routers, and firewalls. Meaning the digital walls that billions of people thought were protecting them have, in fact, had cracked-open doors for decades.

"No One Saw It in Decades, AI Found It in Hours"

To understand how shocking that sentence is, we need a bit more context.

OpenBSD was designed to be the world's most secure operating system. Its developers pride themselves on hand-reviewing every line of code. It's open source, which means anyone can read the code. For decades, thousands of professional researchers have inspected it under a magnifying glass. Massive corporations, governments, and academics use and test it. None of them found that 27-year-old flaw.

Even more striking: automated scanners had checked the FFmpeg code 5 million times. None of them flagged anything.

Anthropic gave the initiative a name: Project Glasswing. The name comes from the glasswing butterfly — its wings are so transparent that it can hide in plain sight while you're looking right at it. Anthropic's message is clear: these vulnerabilities were always there. It's just that no one saw them. Mythos saw them without blinking.

What Do the Numbers Say?

AI's progress in security work had been incremental for years. But Mythos is doing something different — and the numbers show it.

| Test | Previous best model (Opus 4.6) | Mythos Preview |
|---|---|---|
| Firefox browser exploit success | 0.5% | 90% |
| Complex control flow analysis success | 1 unit | 10 units |

To translate: the previous model could create a working Firefox attack in just 1 out of every 200 attempts. Mythos succeeds 9 out of 10 times. In other words, 180 times better.

Elia Zaitsev, the CTO of CrowdStrike — one of the world's largest cybersecurity companies — summarized it like this: "What once took months now happens in minutes with AI."

What does this mean financially? Anthropic disclosed the cost of having Mythos discover a Linux kernel vulnerability and turn it into a working attack: less than $1,000, less than a day. By comparison, a professional security researcher doing the same work would take weeks and charge tens of thousands of dollars.

Why Is Anthropic Afraid?

A natural question arises here: if Mythos is so powerful, why isn't Anthropic releasing it to everyone?

The answer is simple: every capability cuts both ways. What's great for defense is also great for offense.

Logan Graham, who leads Anthropic's Frontier Red Team, put it this way: "This is the starting point for what we believe will be an industry change point — or a reckoning."

That's why Anthropic restricted the model to a coalition called Project Glasswing. Who's in the coalition? The list is striking:

| Company | Sector |
|---|---|
| Apple | Consumer electronics, iOS, macOS |
| Microsoft | Windows, Azure cloud |
| Google | Android, Chrome, search (Anthropic's competitor) |
| Amazon (AWS) | Cloud infrastructure |
| NVIDIA | AI hardware |
| JPMorgan Chase | Financial giant |
| Cisco | Networking hardware |
| Broadcom | Semiconductors |
| CrowdStrike | Cybersecurity |
| Palo Alto Networks | Network security |
| Linux Foundation | Open-source kernel |

What's interesting about this list: even Google, Anthropic's direct competitor, is in the coalition. This signals that giants who normally fight tooth and nail are coming together against a shared threat. On top of that, more than 40 critical infrastructure organizations also got access to the model.

Anthropic backed the initiative with serious financial commitment:

  • $100 million in Claude usage credits
  • $4 million in donations to open-source security organizations

NOTE

Anthropic's chief science officer Jared Kaplan summarized the message: "The goal is both to raise awareness and to give good actors — meaning the defenders — a head start on the process of securing open-source and private infrastructure."

Is History Repeating Itself? The Ghost of GPT-2

This story has an interesting side note. Back in 2019, another AI company called OpenAI made a similar decision. They refused to release their GPT-2 model on the grounds that it was "too dangerous." At the time, they said its text generation capability could be used to mass-produce propaganda.

A few months later, GPT-2 was released and the world didn't end. The fears were exaggerated.

Now here's the twist: many members of the GPT-2 team later left OpenAI to found Anthropic. So the same people, years later, are making a similar call. The question is: were they right this time, or are they being overly cautious again?

Critics are asking exactly that. A security research firm called AISLE tested the same vulnerabilities Anthropic claimed Mythos found, but using small, free, open-source models. The result was telling: eight out of eight models AISLE tried could also find Mythos's flagship FreeBSD example. According to AISLE, Anthropic is overstating how exclusive these capabilities really are.

So the truth is probably somewhere in the middle: Mythos really is a powerful model, but these capabilities are no longer exclusive to giants. And that makes the story even more concerning — because it means malicious actors aren't far behind.

What Does All This Mean for You?

Now we get to the part that really matters. As an ordinary user — someone who uses a phone, a banking app, email — how does this story affect you?

First, calm down: This doesn't mean "all your accounts will be hacked tomorrow." Anthropic shared the model in a controlled way. Most of the discovered vulnerabilities are being patched. Apple, Google, Microsoft and other giants are urgently closing them.

But pay attention: The story proved one thing — systems we thought were secure for decades actually weren't. People just couldn't see the weaknesses. Now AI can. So in the future:

  1. Software updates will come more frequently than before. The habit of postponing the "update available" notification on your phone has become much more critical.
  2. A password manager is now mandatory. Reusing the same password in multiple places is like leaving valuables in plain sight.
  3. Two-factor authentication (2FA) should be standard. Turn it on for your bank, your email, your social media. It's like adding a second lock to your door.
  4. Trust your "this looks suspicious" instinct. Email, message, link — if something feels off, it probably is.
  5. Stop using outdated software. If you're still on Windows 7, an old phone model, or an outdated browser — these aren't "a bit risky" anymore. They're an open door.

TIP

The Mythos story is essentially an automatic-update advertisement. Patches are coming for the discovered vulnerabilities — but if you don't install them, they don't help anyone. Keep automatic updates enabled on your devices. It's the smallest effort for the biggest security gain.

For Businesses: New Rules of the Game

If you run a business — a restaurant, a café, a factory, an e-commerce site, a small software company, whatever — this story is far more important to you than to an ordinary user. Because you're responsible not just for your own data, but for your customers' data as well.

The old "patch cycle" mindset — doing security updates monthly or quarterly — is no longer valid. The Mythos story tells us this: the time between discovery and exploitation is shrinking. It used to take attackers weeks or months to weaponize a newly discovered flaw. Now, with AI, it takes days, sometimes hours.

In this new world, here's what your business needs to do:

  • Turn on automatic updates. On servers, customer-facing terminals, networking gear — the era of "I'll check and apply updates manually" is over.
  • Apply defense-in-depth. Build multiple layers of security. Trusting a single firewall is like locking the house with one key.
  • Modernize legacy systems. That 10-year-old software might be comfortable, but now it's a serious threat. Plan modernization.
  • Scrutinize your vendors. What's the security policy of your POS system, accounting software, e-commerce platform? How often are they updated? If you don't know, ask.
  • Use AI for defense. The Mythos story isn't just a threat — it's an opportunity. The same AI can scan your systems, find your flaws for you, harden your defenses.
  • Have an incident response plan. Knowing the answer to "what do we do if we get hacked?" is no longer optional.

As we touched on in our website vs mobile app comparison article, your digital presence sits at the heart of your business model. Keeping it secure isn't just a technical job — it's a core requirement for business continuity.

"This Is the Least Capable Model We'll Have"

Before we wrap up, we want to share one more sentence from Anthropic's chief scientist Jared Kaplan, because it captures the essence of the whole story:

"As the slogan goes: this is the least capable model we'll have access to in the future."

Think about that. Mythos is shaking the world right now. It finds decades-old security flaws in hours. It uncovers things professional researchers couldn't. And this is the weakest of all the models likely to come.

What will happen a year from now? Five years? Ten?

This question — both terrifying and exciting — is the central question of the AI era. And the answer depends less on what technology emerges than on how people and institutions respond to it. Those who stay passive will fall behind. Those who act proactively will win in this new world.

Conclusion: Don't Panic, Prepare

The Mythos story is a wake-up call for the cybersecurity world. But it's a call to action, not panic. The threat is real, but so is the solution. For home users: keep your devices updated, use a password manager, turn on 2FA. For businesses: speed up your patch cycle, layer your defenses, modernize legacy systems.

The key is to remember that modern AI isn't only a threat — it's also our most powerful defensive tool. The technology itself isn't the issue. What matters is putting it in the right hands and using it the right way.

Mythos is the least capable model we'll have access to. That sentence is both a warning and a promise. A warning, because threats will keep escalating. A promise, because defenders will have the same powerful tools. Which side you're on depends on how quickly you adapt.

INFO

At Çelenk Yazılım, we offer services in digital security for businesses, modernization of legacy infrastructure, and AI-assisted security solutions. If you'd like to prepare your business for this new era, reach out via our contact page.
