Claude Mythos Finds 10,000 Security Flaws in a Month, Shaking Up Tech

As part of the Glasswing project, Anthropic's Claude Mythos Preview AI discovered more than 10,000 security flaws in one month. Anthropic has published an initial assessment: here is what you need to know.

Performance That Is Reshaping the Cybersecurity Ecosystem

As part of Project Glasswing, Anthropic is working with around fifty partners, including major U.S. software vendors. After just one month of use, most of them found hundreds of significant, even critical, vulnerabilities in their tools. Several partners even estimate that they are uncovering security issues 10 times faster than before. To date, Anthropic says Claude Mythos Preview has helped discover more than 10,000 security flaws.

Take Cloudflare as an example: 2,000 security flaws (including 400 classified as high or critical severity) were found in its systems, with a false-positive rate that the team considers "better than human testers". It is also worth noting that Mozilla discovered and fixed 271 vulnerabilities for the release of Firefox 150 thanks to research work carried out with Mythos Preview. Microsoft, for its part, expects the number of patches to keep rising for some time yet.

This is part of a broader trend. It was confirmed by VulnCheck, whose recently published report highlighted the explosion in the number of vulnerabilities discovered in products from vendors such as Google, Mozilla, and VMware. I covered this in this article, where the figures are very telling.

"According to the UK AI Security Institute, Mythos Preview is the first model to end-to-end solve all of their cyber-games (multi-stage cyberattack simulations)," the report says.

Analyzing Open Source Software

Anthropic also used Mythos Preview to scan more than 1,000 open source projects, selecting popular projects that play a key role across the Internet. Following these analyses, Mythos Preview detected 6,202 vulnerabilities considered important or critical, out of a total of 23,019 security issues. A large-scale vulnerability triage effort was then carried out to assess the findings (severity level, false positives, and so on). The goal was to evaluate the relevance of the alerts.

To do this, Anthropic, along with six independent security research firms, reviewed 1,752 flaws initially identified by Claude Mythos and deemed important or critical. And even though there were false positives, the success rate is still high: 90.6% (1,587 vulnerabilities) were validated, and 62.4% (1,094) were confirmed as actually high or critical severity.

Source: Anthropic

In the open source world, one of the best examples is the discovery of a critical security flaw in wolfSSL, a cryptographic library used by billions of devices around the world. "Mythos Preview developed an exploit that would allow an attacker to forge certificates, making it possible, for example, to host a fake website for a bank or messaging provider. That website would appear perfectly legitimate to an end user, even though it is controlled by the attacker," the report explains.

Several maintainers, with limited resources, have asked Anthropic to slow down disclosures so they have time to develop their fixes. That is understandable; software vendors are also struggling to keep up with the volume of reports. Above all, Anthropic's report explains that fixing a critical bug identified by Mythos Preview requires two weeks of work by a human.

To date, Anthropic says it has reported 530 critical flaws to open source project maintainers, but only 75 have been fixed (including 65 that resulted in a public security advisory). There is clearly a real backlog...

Will Claude Mythos Soon Arrive in Claude Code?

Over the past few hours, a rumor has been circulating on the web, especially on X: Anthropic may be preparing to integrate its claude-mythos-preview-1 model into Claude Code and Claude Security. It remains to be seen when it will be available and who will actually be able to access it. This does not mean the general public will be able to use it directly, but it did briefly appear in the list of available models on Claude.

Source: X
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
