Anthropic's Claude Mythos: The AI That Finds Zero-Day Flaws Raises Global Security Fears
New model can autonomously exploit system weaknesses, prompting warnings that most businesses are unprepared for AI-powered cyberattacks
L'essentiel
- Anthropic unveiled Claude Mythos, an AI model capable of finding and exploiting zero-day vulnerabilities in operating systems and browsers.
- The company refused public release, comparing it to giving burglars keys to every building.
- Forty US organizations are partnered in Project Glasswing to patch vulnerabilities before exploitation.
Résumé généré par IA
Pourquoi c'est important
AI-powered cybersecurity tools represent a new category of digital threat. Traditional hacking requires specialized skills, but AI democratizes these capabilities. The article notes that smaller, cheaper models can achieve similar results, suggesting the breakthrough may reflect broader industry shifts rather than unique Anthropic breakthroughs.
Anthropic announced its latest AI model, Claude Mythos, this month but said it would not be released publicly, because it turns computers into crime scenes. The company claimed that it could find previously unknown "zero-day" flaws, exploit them and, in principle, link these weaknesses in order to take over major operating systems and web browsers. Mythos did so autonomously, writing code and obtaining privileges. The implications are significant. It's like a burglar being able to target any building, get inside, unlock every door and empty every safe. The Silicon Valley company has so far named 40 organisations as partners under Project Glasswing to help mount a defence – asking them to "patch" vulnerabilities before hackers get a chance to exploit them. All are American, sitting at the heart of the US-led digital system. Anthropic shared Mythos with only Britain outside the US, allowing the AI Security Institute to test frontier models. After seeing it up close, British ministers warned: AI is about to make cyber-attacks much easier and faster, and most businesses are not ready. Banks in Europe are likely to test it next. This may not be a moment too soon. Reports of unauthorized access surfaced this week – raising the question whether any private company can be trusted with a capability like this. Mythos doesn't necessarily create a new kind of cyber threat. It turns a latent weakness into a systemic risk. Hacking has traditionally been hard and time-consuming, requiring skills that few people have. But AI tools are spreading fast, putting system breaches within reach of many – not just experts. A poacher can also be turned into a gamekeeper. Mozilla tested Mythos on its Firefox browser: it found 10 times more flaws than before – and fixed them. Crucially, none were ones a human couldn't spot. What changes is that AI discovers "cyber vulnerabilities" quickly, cheaply and at scale. The US government's embrace of Anthropic marks a shift. In February, the Pentagon deemed the company a "security risk" and cut it off from lucrative deals after it refused to allow its technology to be used for mass surveillance or autonomous weapons. OpenAI got the contract instead. Anthropic, with its Claude chatbot, has long pitched itself as the ethical alternative among its competitors – though its image was dented by a $1.5bn piracy settlement last year. Mythos is powerful, but Anthropic's PR has shaped the narrative as much as the technology. There is also a question of how advanced Mythos really is. Researchers have shown that smaller, cheaper models deployed at scale can do similar feats. What seems a breakthrough may reflect a broader shift across the field. The White House thinks that Anthropic has strategic value – inviting it back into the fold and signalling a shift from treating AI firms as contractors to partners. That raises a deeper concern: whether private firms' control of critical infrastructure risk is wise – especially if less responsible actors gain technical leverage.
À surveiller
Perspective IA — des possibilités, pas des certitudes
European banks will begin testing AI vulnerability assessment tools within the next 3 months
Probable · En quelques mois
More AI companies will announce similar vulnerability research capabilities within 6 months
Très probable · En quelques mois
US government will formalize AI security partnership framework within the year
Probable · En quelques mois
Questions ouvertes
- How exactly did unauthorized access reports this week relate to Mythos capabilities?
- What specific vulnerabilities did Mythos find in Firefox?
- Will European banks actually test Mythos and under what oversight?
- How many of the 40 Project Glasswing partners have actually patched vulnerabilities?






