Securing critical software for the AI era

For weeks, the cybersecurity world has been watching something shift under its feet: the time between a weakness existing and someone using it.
In that rush, Misryoum newsroom reporting says one recent effort stands out—Claude Mythos Preview being used to find thousands of zero-day vulnerabilities across major operating systems and major web browsers, plus other important software components. The big claim isn’t just that issues were found. It’s that the system did it at “pace and scale previously impossible,” with little to no human steering while identifying vulnerabilities—and, in many cases, developing exploits for them.
The story is wrapped in examples that are hard to ignore. Misryoum editorial desk noted that Mythos Preview uncovered a 27-year-old vulnerability in OpenBSD, a heavily security-hardened operating system used to run firewalls and other critical infrastructure. That flaw could let an attacker remotely crash any machine running the operating system just by connecting. Then there’s FFmpeg—used by innumerable pieces of software to encode and decode video—where a 16-year-old vulnerability was found in a line of code that automated testing tools had hit five million times without catching it. And in Linux, the model didn’t just spot individual problems; it chained vulnerabilities together so an attacker could escalate from ordinary user access to complete control of a machine.
Misryoum also reports that these vulnerabilities have been provided to the maintainers of the relevant software and have all now been patched. For many other vulnerabilities, the approach described today is more cautious: a cryptographic hash of the details is being shared now, with specifics planned for later once fixes are in place. There’s a particular kind of tension in that phrasing—like putting a lid on a boiling pot so it doesn’t suddenly spill everywhere.
The announcement leans hard on the idea that “urgency” has changed. Multiple partners describe a similar feeling: defenders can’t treat security like a phase anymore, because AI changes how quickly threats can move. Misryoum newsroom reported partner statements that say window-to-exploitation timelines have shrunk, and that models can surface risks faster than traditional processes. Someone also warned—pretty plainly—that attackers will inevitably look to use the same capabilities, which means the defensive community has to modernize too. It’s also not just abstract worry. One line gets repeated in spirit: open source maintainers need access to tools that help them find and fix vulnerabilities at scale, rather than leaving them to fend off sophisticated attacks with limited resources.
Under the hood, Misryoum editorial team noted that this work is positioned as part of a longer effort called Project Glasswing. Partners receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in foundational systems—systems described as making up a very large portion of the world’s shared cyberattack surface. The anticipated focus includes local vulnerability detection, black box testing of binaries, securing endpoints, and penetration testing. There’s also a defined financial structure: Anthropic’s commitment includes $100M in model usage credits for Project Glasswing and additional participants, followed by pricing for participants at $25/$125 per million input/output tokens. Access is described as being available through the Claude API, Amazon Bedrock, Google Cloud’s Vertex AI, and Microsoft Foundry. Misryoum desk also noted donations totaling $2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5M to the Apache Software Foundation for open-source maintainers.
The most practical part of the plan is timing. Misryoum analysis indicates that within 90 days, Anthropic will report publicly on what it has learned, including vulnerabilities fixed and improvements that can be disclosed. There’s also mention of working with leading security organizations to produce practical recommendations for how security practices should evolve in the AI era—covering vulnerability disclosure processes, software update processes, open-source and supply-chain security, software development lifecycle practices, standards for regulated industries, triage scaling and automation, and patching automation.
By the end, it’s hard not to feel the shadow of an uncomfortable detail: the smell of warm electronics after a late-night deployment, the tiny fan whir in a server room—small sensory reminders that software isn’t theory. It’s infrastructure. And if the window between finding and exploiting keeps collapsing, then “secure-by-design” has to become less of a slogan and more of a habit. Or maybe it already is—just not for everyone, not yet, not everywhere.