Back to Blog
News

Anthropic's most powerful AI raises the stakes for cybersecurity

adminDatabase Expert
April 11, 2026
5 min read
#Artificial Intelligence#Security#IT infrastructure
Anthropic's most powerful AI raises the stakes for cybersecurity
Anthropic's most powerful AI raises the stakes for cybersecurity - Image 2
Anthropic's most powerful AI raises the stakes for cybersecurity - Image 3

A new AI model from Anthropic is rewriting assumptions about what artificial intelligence can do, exposing vulnerabilities that have been hiding in plain sight for decades and forcing enterprise security teams to rethink their defenses from the ground up.The model, calledMythos, was not built as a hacking tool. But the same reasoning power that makes it an exceptional coder also makes it good at finding and exploiting software flaws, and its limited release to a vetted group of technology companies under a program calledProject Glasswinghas set off debates about whether existing defenses can hold.“This is a step change,”Dave McGinnis, Vice President of Global Managed Security Services at IBM, told IBM Think in an interview. “It’s not like they created the bugs. The people who wrote that code didn’t know those things were there.”The concern is not simply that Mythos is a more powerful language model, though it is. Anthropicsaysthe system has already identified thousands of zero-day vulnerabilities (previously unknown flaws) across every major operating system and web browser, some of which had survived decades of human review and millions of automated security tests. Among the findings: a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems in the world, that would have allowed an attacker to remotely crash any machine running it, simply by connecting to that device.What distinguishes Mythos from previous systems, according to McGinnis, is its capacity for what security professionals call “vulnerability chaining,” the ability to connect a series of individually minor software flaws into an attack that reaches a target. Anthropicnotedthat the model autonomously identified and chained together several vulnerabilities in theLinux kernel,allowing an attacker to escalate from ordinary user access to complete control of a machine.A second capability is potentially more consequential. Mythos can analyze compiled binary code, the machine-readable instructions that software runs on, without needing access to the original source code. That means legacy systems running on equipment that has been in operation for decades, with source code that has long since been lost or forgotten, are no longer out of reach for an AI-assisted attacker.“You’re talking [about] stuff sitting around—a Windows 3.11 machine in the corner, some ancient piece that everybody doesn’t want to look at because it’s still working,” McGinnis said. “I don’t have source code for it; I don’t know how to fix the vulnerability. And if I can fix it, I can exploit it.”

One of the most consequential dimensions of the Mythos situation is its implications for open-source software, the freely available code that underpins a vast share of the world’s digital infrastructure, from web servers to operating systems to the tools that AI models themselves use to write new software. Open-source projects are typically maintained by small teams with limited security resources, and they represent an enormous and largely unsecured attack surface.Rob Thomas, Senior Vice President of Software and Chief Commercial Officer at IBM,arguedon LinkedIn that the Mythos moment reveals something structural: once AI becomes critical infrastructure, closed development becomes harder to defend. Security, he wrote, improves more reliably through scrutiny than through concealment, and the open-source model is the clearest precedent for how to manage that.“The more critical the technology, the stronger the case for openness,” Thomas wrote.Anthropic has committed USD 2.5 million to Alpha-Omega and the Open Source Security Foundation (OSSF) through the Linux Foundation, and an additional USD 1.5 million to the Apache Software Foundation, to help open source maintainers respond to the changing landscape. Project Glasswing brings together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, along with other organizations that build or maintain critical software infrastructure.Anthropic has not published a technical paper describing how Mythos was built. TheStanford Foundation Model Transparency Index, which tracks corporate openness in the field, found last year that companies across the industry have been moving away from transparency, a trend that one IBM researcher said makes it harder to assess risk.“When you don’t have transparency, you don’t know,”Kush Varshney, an IBM Fellow who leads human-centered trustworthy AI research at the company’s Thomas J. Watson Research Center, told IBM Think in an interview.

The controlled release of Mythos to Project Glasswing reflects a logic that McGinnis finds sound, even if he believes the window for defenders to get ahead of attackers is narrow. Other frontier AI labs, he said, are likely months away from comparable capability, and the only meaningful question is whether defenders can build fast enough to stay ahead of them.“If the attackers aren’t humans anymore, the defenders can’t be humans anymore either,” McGinnis said. “It’s machine speed versus machine speed.”Despite the alarm, neither Varshney nor McGinnis said they believe Mythos represents a fundamental rupture in AI’s trajectory. Existing safety benchmarks still have room to be meaningful, Varshney said, and the model has not crossed into territory that existing evaluation frameworks cannot handle—at least not yet.“I don’t think we’ve entered some new era,” Varshney said.

Comments (0)