A flaw sat inside OpenBSD for 27 years. An AI closed the case before lunch.
Claude Mythos found a security flaw that survived nearly three decades of human review. Here is what the discovery actually proves, what it does not, and who gets to act on it first.
Image Credit: Leonardo AI
- Claude Mythos Preview, Anthropic's unreleased AI model, autonomously found a 27-year-old zero-day vulnerability in OpenBSD's TCP stack, a flaw that had survived millions of automated security tests and decades of expert review.
- The same model identified thousands of zero-day vulnerabilities across every major operating system and web browser, often overnight, with no human guidance after the initial prompt.
- Anthropic did not release the model publicly and instead launched Project Glasswing, a 104-million-dollar emergency initiative with Apple, Google, Microsoft, and nine other organizations to patch critical infrastructure first.
- Mythos reached a 72.4 percent exploit success rate on Firefox's JavaScript engine, compared to 14.4 percent for its predecessor, Claude Opus 4.6, though that figure measures lab conditions, not guaranteed real-world exploitability.
- The single model run that surfaced the 27-year-old OpenBSD bug cost under 50 dollars in compute, a number that is reshaping how cheaply this kind of vulnerability research can now be done.
This report draws on Anthropic's published red team documentation for Project Glasswing, the UK AI Security Institute's independent evaluation, AISLE's comparative testing of open-weight models, and reporting from VentureBeat, Engadget, SC Media, and The Hacker News, alongside Mozilla's own security disclosure, "The zero-days are numbered". Figures attributed directly to Anthropic reflect the company's own findings and have not all been independently re-verified by an outside auditor, a distinction we return to later in this piece.
A flaw sat inside OpenBSD's network code for 27 years. Security researchers reviewed that exact code across multiple generations of audits. Automated fuzzers tested it millions of times. None of them found it. In April 2026, an AI model read the same code, confirmed the flaw within hours, and built a working exploit from it before the day was over.
- The bug that survived 27 years
- How Claude Mythos actually found it
- Numbers that reframe the conversation
- What does 72.4 percent actually measure
- OpenBSD was not alone
- Nobody programmed it to do this
- Real-world case study: Mozilla Firefox
- Project Glasswing: the 104-million-dollar response
- Who gets to patch first, and who pays for it
- What this means for your devices and your data
- The triage problem nobody mentions
- Are human security researchers now obsolete
- What gets dropped when this story goes viral
- Triage at AI-discovery volume
- DesiDaily take
- The question nobody wants to answer
The bug that survived 27 years
OpenBSD is not an average operating system. It powers the firewalls protecting banks, government servers, and critical public infrastructure. Security researchers treat it as one of the most hardened platforms ever engineered. Its founding philosophy is secure by default, a claim backed by decades of auditing and a culture that treats every line of code as a potential liability.
Despite that, a signed integer overflow flaw sat dormant inside OpenBSD's TCP SACK implementation from 1998 until April 2026. Human security experts reviewed that exact code across multiple generations of audits. Automated fuzzers hammered it millions of times. Nobody caught it. According to Anthropic's Frontier Red Team technical documentation, Claude Mythos Preview identified and exploited it autonomously, without a human guiding the search after the initial prompt. Two specifically crafted network packets are enough to crash any OpenBSD server responding over TCP. That is the entire attack surface: two packets and 27 years of invisibility, gone in one afternoon.
Image Credit: Leonardo AI
How Claude Mythos actually found it
This is where the story moves from impressive to unsettling. Mythos does not scan code the way traditional security tools operate. It does not simply match patterns against a known database of flaws. According to Anthropic's published red team methodology, the model reads source code, forms hypotheses about where vulnerabilities might exist, runs the actual software against those hypotheses, uses debuggers to confirm findings, and constructs working exploits from scratch.
It reasons about code the way a senior security engineer would, without breaks, without fatigue, and without stopping at the end of a shift.
The OpenBSD flaw required understanding that a value called sack start was never validated against the lower bound of the TCP send window, and that specific sequence comparison macros overflow when values sit roughly 2 billion apart. That level of semantic reasoning had eluded automated fuzzers for nearly three decades. Researchers at AI cybersecurity firm AISLE later showed that a 5.1-billion-parameter open-weights model recovered the core analysis chain of the same bug in a single API call, as documented in their published evaluation of post-Mythos cybersecurity capabilities. That detail matters, and we return to it later in this report.
Numbers that reframe the conversation
These figures come directly from Anthropic's Project Glasswing report and are corroborated by VentureBeat's security analysis published after the RSAC 2026 conference. They are documented results from real codebases, not projections.
For context, Claude Opus 4.6, the model generation immediately before Mythos, scored 14.4 percent on the same Firefox test set. Mythos scored 72.4 percent. On SWE-bench Pro, a demanding software engineering benchmark, Mythos scored 77.8 percent against Opus 4.6's 53.4 percent. Our earlier reporting on how SpaceX is integrating AI coding tools through its deal with Cursor offers useful context for how elite engineering organizations are responding to models reaching this performance tier.
What does 72.4 percent actually measure
That 72.4 percent figure deserves a closer look before it gets repeated as proof that AI has solved offensive security on its own. A successful exploit attempt in Anthropic's benchmark means Mythos triggered the vulnerability and demonstrated control over the target inside a controlled lab environment. It does not automatically mean the exploit survives outside that lab.
Production software runs behind layers the benchmark does not always include: address space layout randomization, control flow integrity checks, sandboxing, and active monitoring that can catch an exploit attempt mid-execution. A proof of concept that crashes a browser tab in a lab is a different achievement than a repeatable exploit chain that works against a patched, monitored, real-world deployment.
The 50 dollar figure that circulated widely after the announcement is also easy to misread. It is the cost of the single model run that surfaced the OpenBSD bug, not the cost of the full discovery campaign. Anthropic's own reporting puts the broader OpenBSD scanning effort at roughly 20,000 dollars in total compute. Both numbers are accurate. They answer different questions, and conflating them overstates how cheap this capability is in practice.
Exploit difficulty also varies sharply by target type. Browser JavaScript engines, built for speed and feature support, tend to expose a wider attack surface than memory-safe kernel code or hardened network daemons. A 72.4 percent success rate against Firefox's JavaScript engine says as much about how that category of software is built as it does about AI capability in general.
| Factor | Lab benchmark | Production environment |
|---|---|---|
| Target visibility | Full source access, known version | Often partial, patched, version-mixed |
| Defensive layers | Typically minimal or disabled | ASLR, sandboxing, monitoring active |
| Repeatability needed | Single successful run counts | Must work reliably at scale |
| Cost reflected | Marginal cost of one run | Full campaign and verification cost |
OpenBSD was not alone
The 27-year-old OpenBSD flaw attracted headlines, but it was one data point in a larger picture. SC Media's reporting on Anthropic's red team findings documents several major discoveries made within weeks of Mythos being deployed.
- A 16-year-old flaw in FFmpeg's H.264 video decoder. Automated fuzzers exercised the vulnerable code path more than 5 million times without triggering it. Mythos identified it by reasoning about what the code was semantically doing, not only what bytes it was processing.
- A 17-year-old remote code execution vulnerability in FreeBSD, catalogued as CVE-2026-4747. An unauthenticated attacker anywhere on the internet could gain complete root access to a server running the affected NFS implementation. Mythos built the exploit without human intervention, using a 20-gadget return-oriented programming chain split across six sequential network packets.
- A guest-to-host memory corruption vulnerability inside a virtual machine monitor written in a memory-safe programming language, showing that memory safety alone does not eliminate exploitable logic flaws at the application level.
- Multiple Linux kernel local privilege escalation chains, built by linking two to four individually low-severity vulnerabilities into a single high-severity attack sequence.
The total count: thousands of zero-day vulnerabilities across every major operating system and web browser, found within weeks. A large team of skilled human security researchers would need years to produce equivalent output at equivalent technical depth.
Nobody programmed it to do this
This is the sentence worth reading twice.
Nobody designed Mythos to become a world-class vulnerability researcher. The engineering team trained it to reason and to code. Those two capabilities, pushed far enough, produced a model that can identify and exploit security flaws in software protecting global financial systems, government infrastructure, and hundreds of millions of personal devices.
If you want to understand how AI autonomous decision-making intersects with national security and geopolitical risk, our deep dive on what AI can actually do in warfare contexts traces where autonomous capability starts raising policy-level concerns for governments around the world.
Image Credit: Leonardo AI
Real-world case study: Mozilla Firefox
Mozilla, the organization behind Firefox, used by hundreds of millions of people worldwide, joined Project Glasswing as one of its vetted partners. Within weeks of testing Claude Mythos Preview against their codebase, Mozilla's security team identified and patched 271 vulnerabilities in a Firefox release. Mozilla's own published assessment stated that it found no category or complexity of vulnerability that human researchers can find that Mythos cannot, while also confirming that none of the bugs Mythos surfaced were fundamentally beyond what a skilled human expert could have found, given unlimited time and unlimited resources. That qualification is the point: Mythos had neither unlimited time nor unlimited budget, and it still found 271 of them. This is independently reported by Engadget and corroborated by Mozilla's own published blog post following the Project Glasswing partnership.
That is not a theoretical benchmark score. It is a production browser used by real people every day, now measurably more secure because an AI model did in weeks what traditional security processes had not done across years of continuous auditing. The 271 figure also gives a calibrated floor for what Mythos-class models contribute when given legitimate access to real production codebases at scale, which matters when weighing the more dramatic claims circulating elsewhere about this technology.
Project Glasswing: the 104-million-dollar response
Anthropic did not sit on these findings. On April 7, 2026, the same day it publicly announced Mythos Preview, the company launched Project Glasswing, a coordinated defensive initiative meant to put the model's capabilities in the hands of builders before adversaries gain access to equivalent tools.
The coalition includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic committed up to 100 million dollars in usage credits and 4 million dollars in direct donations to open-source security organizations. Beyond the named twelve, access was extended to more than 40 additional organizations that build or maintain critical software infrastructure globally.
Microsoft's public statement on joining the coalition was direct: the window between vulnerability discovery and active exploitation has collapsed, with timelines shrinking from months to minutes in AI-augmented attack scenarios. That shift already affects how corporate security teams structure their incident response. Our analysis of Microsoft's 10-billion-dollar Japan AI infrastructure deal documents how that urgency is already translating into capital allocation at scale.
Glasswing's first public findings report is scheduled for early July 2026. Security teams across every sector should expect a high-volume patch cycle immediately after that release, covering operating systems, browsers, cryptography libraries, and core infrastructure software. Over 99 percent of the vulnerabilities Mythos has identified remain unpatched at the time of publication, according to Anthropic's red team blog.
Who gets to patch first, and who pays for it
Project Glasswing did not emerge in a vacuum. The United States has used a formal process since 2010 called the Vulnerabilities Equities Process to decide whether a newly discovered software flaw gets disclosed to the affected vendor or held back for government use. Glasswing functions as a private-sector parallel to that same decision: who learns about a dangerous flaw first, and who waits.
The difference is oversight. The Vulnerabilities Equities Process, however imperfect in practice, includes formal interagency review and some public accountability. Glasswing's list of 12 founding partners, later expanded to more than 40 organizations, was selected by Anthropic. There is no independent body confirming that selection or auditing how access decisions get made as the program grows.
That structure also reshapes the economics of bug bounty programs. Platforms like HackerOne and Bugcrowd built payout models around the assumption that finding a serious vulnerability takes real time, skill, and often months of unpaid effort. When a model can surface a comparable finding in a single run for under 50 dollars, the labor that bounty payouts were originally compensating starts to disappear, and payout structures built for scarcity face pressure to adjust.
The organizations left outside Glasswing face the sharpest version of this gap. A single maintainer running a widely used open source library does not have 100 million dollars in Anthropic usage credits or a security team built to absorb AI-discovery volume. The same capability that hardens Firefox and FreeBSD leaves smaller, unfunded projects exactly as exposed as before, even as public conversation moves on as though the problem is solved.
| Mechanism | Who decides | Oversight |
|---|---|---|
| Vulnerabilities Equities Process | U.S. interagency review board | Formal, government-defined |
| Project Glasswing | Anthropic selects partners | Self-managed, not independently audited |
| Traditional bug bounty | Vendor sets payout terms | Market-based, varies by platform |
What this means for your devices and your data
The economics of cyberattacks just changed
Scanning the entire OpenBSD codebase for exploitable vulnerabilities cost one Anthropic discovery campaign roughly 20,000 dollars in total compute. The specific model run that surfaced the 27-year-old flaw cost under 50 dollars, according to cost data documented by VentureBeat. Individual vulnerability identification on isolated targets now takes minutes and costs under 50 dollars per run. That is not an incremental cost reduction. It removes a barrier that previously required either nation-state resources or a well-funded criminal organization with serious technical talent. Anthropic's own system card names China, Iran, North Korea, and Russia as state actors with an active interest in acquiring equivalent AI vulnerability discovery capability.
Unpatchable devices carry the highest ongoing risk
Many of the vulnerabilities Mythos surfaces affect legacy firmware running inside home routers, industrial control systems, medical devices, and Internet of Things hardware that manufacturers stopped supporting years ago. Patches for those systems will never arrive. The flaw sits indefinitely, waiting for an attacker with 50 dollars and a capable model. If your devices support automatic updates, enable them now. If they do not, treat that as a documented risk and prioritize replacement. The coordinated July 2026 disclosure will prioritize actively maintained software, but legacy hardware sitting outside Glasswing's scope remains exposed indefinitely.
The triage problem nobody mentions
Finding thousands of vulnerabilities is only useful if an organization can act on them. Security teams that already run mature, high-volume triage operations, the kind Mozilla had in place before testing Mythos, can absorb a flood of new findings and turn them into patches. Teams without that infrastructure face a different outcome: a growing backlog of flagged issues nobody has the staff hours to verify, and a slow drift toward ignoring the scanner's output altogether.
This is the part of the story that gets lost in headline coverage. Anthropic's own disclosure notes that over 99 percent of the vulnerabilities Mythos identified remained unpatched at the time of publication, not because the flaws are unfixable, but because remediation at this volume requires staffing, budget, and process that most organizations do not have lined up yet.
Alert fatigue is a documented problem in security operations long before AI scanning entered the picture. A scanner that returns thousands of findings, some critical and some low priority, without a reliable way to separate them by real-world exploitability, can push overworked teams toward the same outcome as having no scanner at all: findings that sit unread.
- An intake process that can dedupe and route thousands of findings without manual bottlenecks
- A prioritization method beyond raw severity scoring, since most findings will score as critical on paper
- Enough verification staff to confirm a finding is real before it consumes remediation time
- An owner is assigned to every category of system the scan covers, not just the flagship products
- A documented policy for what happens to findings that are real but not urgent enough to fix immediately
Before adopting AI-assisted vulnerability scanning at this scale, a team benefits from asking a narrower question than whether to use it. The more useful question is whether the organization already has a working intake and remediation pipeline that can absorb a sudden tenfold increase in flagged issues, because the tool's value depends entirely on what happens after the scan finishes.
Are human security researchers now obsolete
Not yet. But the professional landscape is shifting faster than most organizations are prepared to acknowledge.
The AISLE evaluation tested eight different open-weight AI models against the specific vulnerabilities Mythos showcased. All eight detected the FreeBSD exploit, including one with only 3.6 billion active parameters costing 11 cents per million tokens. A 5.1-billion-parameter model recovered the core analysis chain of the 27-year-old OpenBSD bug in a single call. AISLE's documented conclusion is that the competitive advantage in AI cybersecurity sits in the workflow and the system, not in any single model. Cheap models find the same bugs. The cost floor is collapsing across the entire category, not only at the expensive frontier.
What this means practically is that the expertise required to conduct sophisticated vulnerability research is no longer gated behind years of specialized human training. As SC Media reports, CVE counts are expected to rise significantly in the months after the Glasswing public disclosure, as AI-assisted discovery accelerates across both defensive and offensive contexts at once. The most valuable human skill in security going forward is not finding vulnerabilities. It is triaging, prioritizing, and coordinating remediation at machine-generated volume. Our analysis of how AI is reshaping employment across industries places cybersecurity within the broader pattern of what changes and what does not once AI capability crosses a functional threshold. If you want to understand the mindset of the people building these systems, our reporting on why tech leaders say they fear AGI but keep building anyway is worth reading alongside this piece.
What gets dropped when this story goes viral
Coverage of Mythos has compressed a complicated technical story into a small number of repeated claims. Some hold up against the source material. Others lose important context once you trace them back.
| What gets repeated | What the evidence actually shows |
|---|---|
| Anyone can hack like a nation-state for 50 dollars | The 50-dollar figure covers one model run inside a 20,000-dollar campaign. Using the output still requires infrastructure, target access, and the skill to verify and operationalize a finding. |
| This makes the internet safer overnight | Anthropic's own report states that more than 99 percent of the vulnerabilities Mythos found remain unpatched as of publication. |
| Human security researchers are now replaceable | Mozilla's published assessment found nothing beyond what a sufficiently resourced human expert could already find. The documented gain was speed and cost, not a new category of discovery. |
| This is independently verified across the board | Most circulating statistics trace back to Anthropic's own red team report. AISI and AISLE published separate, partial evaluations that support some claims but were not designed to verify every figure attributed to Mythos. |
None of this makes the underlying findings less significant. It does mean the more careful version of this story is less dramatic than the version that goes viral, and more useful to anyone trying to make an actual security decision based on it.
Triage at AI-discovery volume
For a security team that has already decided to adopt AI-assisted vulnerability scanning, the operational question shifts from whether to use it to how to process what it returns without overwhelming the team that has to act on it.
CVSS severity scoring, the standard most teams default to, breaks down at this volume. When a scan returns hundreds of findings and a large share score as critical or high on paper, severity alone stops functioning as a useful prioritization signal. Teams operating at this scale increasingly layer the Exploit Prediction Scoring System, known as EPSS, on top of CVSS, since EPSS estimates the probability that a given vulnerability will be exploited in the wild within the next 30 days, based on observed attacker behavior rather than theoretical severity alone.
- Deduplicate findings against known issues first, since the same root cause often surfaces through multiple code paths in a single scan.
- Rank by EPSS score and real exposure, not by CVSS severity alone, since severity does not reflect how likely a flaw is to be exploited soon.
- Assign verified findings to owning teams with a remediation deadline tied to exploit probability rather than a flat, one-size-fits-all policy.
- Patch and re-scan to confirm the fix holds, since a model capable of finding a flaw is equally capable of confirming whether a patch actually closed it.
- Log the remaining backlog as documented vulnerability debt with a scheduled review, rather than leaving it as an unspoken assumption that everything eventually gets fixed.
Automation handles deduplication, scoring, and re-verification well at this scale. The decision about which risks an organization is willing to carry, and for how long, still requires a person with business context to make that call.
DesiDaily take
The discovery itself is well documented and corroborated by parties outside Anthropic, including Mozilla's own patch count and the UK AI Security Institute's independent evaluation. The headline framing built around it, that AI has made hacking nearly free and human security work obsolete, goes further than the underlying evidence supports. The more accurate read is narrower: discovery cost has dropped sharply for a specific category of vulnerability research, remediation capacity has not caught up to match it, and the organizations with the resources to act on AI-discovery volume right now are a short list. For most readers, the practical takeaway is not an alarm. It is making sure automatic updates are enabled on every device that supports them, since unpatched legacy hardware, not the existence of Mythos itself, is the part of this story with the most direct bearing on everyday risk.
The question nobody wants to answer
There is something worth sitting with after reading all of this. A 27-year-old flaw survived every human review, every automated test, and every security audit that OpenBSD's famously rigorous culture demanded for nearly three decades. It did not survive a single afternoon of a machine that cost 50 dollars to run.
The UK Government's AI Security Institute, which independently evaluated Mythos and published its findings at aisi.gov.uk, confirmed that on expert-level cybersecurity tasks no AI model could complete before April 2025, Mythos now succeeds 73 percent of the time. Two years ago, the best available AI models could barely complete beginner-level security challenges. The capability curve is not moving in a straight line.
The point worth holding onto is not only what Mythos found. It is what else is still waiting inside software trusted for decades, and how quickly the tools capable of finding those things are becoming accessible to everyone, not only to the small list of organizations Anthropic has approved through Glasswing so far. For the full picture of how AI investment is reshaping the hardware and infrastructure layer underneath this capability growth, our piece on the scale of current AI chip investment connects the capability story to the capital story in ways that matter for anyone trying to understand where this is heading next.