A month of real-world testing by main firms is giving us a greater thought of Anthropic’s Mythos frontier LLM’s capabilities in safety. The corporate’s replace, which comes a month after the preliminary launch of Venture Glasswing, suggests the mannequin is surfacing actual vulnerabilities at scale whereas additionally highlighting ongoing challenges round noise and belief in its output.
In whole, Anthropic says Mythos has scanned greater than 1,000 open supply software program tasks and recognized 6,202 bugs it classifies as excessive or vital severity. That makes the mannequin one of the distinguished examples but of AI getting used to hunt for flaws in reside codebases, particularly in security-sensitive open supply software program.
However the headline isn’t just about quantity. It’s also about reliability. The most recent findings level to a system that may clearly discover points however nonetheless produces hallucinations and false positives. Though the false optimistic price stays inside regular business ranges, Mythos’ means to uncover multi-step assaults means the time required for investigation can shortly compound.
What the Replace Says
In response to Anthropic, Mythos handed 28% of the excessive or vital severity findings, or 1,752 bugs, to 6 impartial safety analysis corporations for evaluation. These corporations discovered a 9.4% false optimistic price and confirmed 62.4% of the bugs as genuinely excessive or vital severity.
Anthropic additionally mentioned it has up to now disclosed 530 of the bugs to open supply maintainers and hopes to reveal one other 827 as shortly as potential. Of the 530 already reported, 75 have been patched and 65 have obtained public advisories. Anthropic mentioned the patch price displays a broader downside within the safety ecosystem, noting that even with a comparatively gradual disclosure tempo, Mythos Preview is including strain to an already overloaded system.
One instance Anthropic highlighted was a vital WolfSSL vulnerability, CVE-2026-5194, which it rated CVSS 9.1. The corporate mentioned the bug may enable certificates forgery, underscoring the form of high-stakes subject the mannequin can floor when it really works as meant.
Why the Outcomes Matter
Mythos has generated each pleasure and concern as a result of it seems able to chaining collectively a number of steps in an assault in methods earlier AI programs couldn’t. That raises the stakes. A mannequin that may transfer from one weak spot to a different and assemble a proof of idea isn’t just a scanner. It’s nearer to an energetic safety analyst and probably a robust offensive software as properly.
That’s one cause Anthropic has not launched the mannequin publicly. As a substitute, it has restricted entry to a small group of firms by Venture Glasswing, a managed program designed to check the mannequin in actual safety environments. The method lets Anthropic collect suggestions whereas lowering the chance of the system being misused at scale.
The early reception has been largely optimistic. Taking part firms have reportedly discovered 1000’s of high-severity flaws, together with bugs affecting main working programs and widespread net browsers. That means Mythos can ship actual worth to defenders, particularly when paired with robust triage and human evaluation.
Nonetheless, the newest replace complicates the image. A 9.4% false optimistic price shouldn’t be excessive by business requirements, however as a result of Mythos is discovering 1000’s of bugs, absolutely the variety of false positives can nonetheless create important operational friction.
What Comes Subsequent
Cloudflare’s Chief Safety Officer, Grant Bourzikas, mentioned Mythos represents “a transparent enchancment” over earlier fashions, however he additionally warned that hallucinations and false positives stay an ongoing problem:
“Ask a mannequin to search out bugs, and it’ll discover them, whether or not the code has any or not. Findings come again hedged with ‘probably,’ ‘probably,’ and ‘may in concept,’ and the hedged findings vastly outnumber the strong ones. That’s an affordable bias for an exploratory software. It’s a ruinous one for a triage queue.”
His level was that the mannequin could also be higher at producing helpful output, however it’s nonetheless probabilistic, that means the identical request can yield completely different outcomes relying on how and when it’s requested.
That inconsistency issues as a result of safety groups want dependable triage, not simply attention-grabbing findings. If a mannequin produces too many hedged or unsure outcomes, it could actually gradual the very groups it’s meant to assist. As Bourzikas famous, sooner scanning alone doesn’t clear up the deeper downside as a result of patching nonetheless is dependent upon testing, validation, and protected deployment.
Anthropic can also be attempting to strengthen the broader ecosystem across the mannequin. It has partnered with the Open Supply Safety Basis’s Alpha-Omega challenge to assist OSS groups triage bug stories, whereas different companions comparable to Cisco are open-sourcing associated safety frameworks.
For now, Mythos appears like a robust sign that frontier fashions can materially change software program safety. However the replace additionally reveals the boundaries of that promise. The tougher half will not be discovering bugs, however proving which of them matter and fixing them with out creating new issues within the course of.
