Your data. Your choice.

If you select «Essential cookies only», we’ll use cookies and similar technologies to collect information about your device and how you use our website. We need this information to allow you to log in securely and use basic functions such as the shopping cart.

By accepting all cookies, you’re allowing us to use this data to show you personalised offers, improve our website, and display targeted adverts on our website and on other websites or apps. Some data may also be shared with third parties and advertising partners as part of this process.

Legal noticePrivacy notice
Shutterstock
Background information
7235

New AI model both threatens and enhances IT security

David Lee
9.4.2026
Translation: Natalie McKay

Anthropic’s new AI model – Mythos – is said to be so effective at identifying and exploiting IT security vulnerabilities that it’ll never see the light of day. But is there more to this than just a PR stunt?

Anthropic has developed a new AI model called Claude Mythos Preview (known as Mythos for short). It’s a general-purpose large language model (LLM), but according to Anthropic, it’s particularly effective at detecting IT security vulnerabilities. Mythos is said to have already discovered thousands of serious, previously unknown vulnerabilities, including some found in all major operating systems and web browsers.

Anthropic claims that, not only is Mythos able to identify security vulnerabilities, it can also patch some of them. On the other hand, the tool can also programme working exploits on demand – i.e. code that actually exploits the vulnerability. This means Mythos has the potential to drastically improve IT security – but also to cause serious damage were it to fall into the wrong hands.

Mythos not only detects vulnerabilities more often, but can exploit them much more frequently than Claude Opus.
Mythos not only detects vulnerabilities more often, but can exploit them much more frequently than Claude Opus.
Source: Anthropic

The model isn’t currently available to the public. Instead, Anthropic has launched Project Glasswing, a collaborative effort where selected participants are given access to the model so they can use it to fix security issues.

Among them are Apple, Google, Microsoft and the Linux Foundation – the developers of the most important operating systems and web browsers. Also joining them are Amazon Web Services, Anthropic, Broadcom, Cisco, CrowdStrike, JPMorgan Chase, Nvidia and Palo Alto Networks, plus over 40 other companies and organisations that aren’t named.

Compelling examples

Mythos even finds security vulnerabilities in software that’s considered extremely secure and has been tested countless times. As an example, Anthropic cites a bug in the OpenBSD operating system that apparently went undetected for 27 years. All it took was a remote connection to crash a computer. OpenBSD’s often used for servers and firewalls because of its high security standard.

Another example concerns the FFmpeg video software. A bug in it had gone unnoticed for 16 years despite millions of automatic security scans. A third example relates to the Linux kernel. According to Anthropic, a hacker managed to gain complete control over a computer by exploiting a combination of multiple vulnerabilities.

Since these issues have since been fixed, Anthropic has published the technical details of this case.

More answers needed

Anthropic plans to go public this autumn, and needs capital to do so. The company’s report should also be read in this light: as a signal to potential investors that Anthropic’s developing the most cutting-edge tools. But these examples are compelling, and the claim that Mythos is particularly effective when it comes to IT security seems credible overall.

The decision not to release the tool at this time is likely a good call as well. A tool capable of exposing thousands of serious security vulnerabilities in one fell swoop must under no circumstances fall into the wrong hands. But if the developers fix the vulnerabilities quickly, it could actually improve security.

However, some questions still need to be answered. First, whether the software can really be kept under wraps, and whether Anthropic even wants that. After all, Mythos wasn’t developed as a security tool, but as a general-purpose AI solution for widespread use. But even if Mythos remains unreleased, competing models are likely to approach a comparable level soon. It’s also possible that intelligence agencies, for instance, already have AI models with similar capabilities. Whatever the situation is, the developers would be wise to go full steam ahead to fix the vulnerabilities.

As always in such situations, it’s unclear whether the vulnerabilities that were discovered are unknown only to the developers or to the entire world. Many zero-day vulnerabilities are kept under wraps and fetch high prices on the black market. This market is not only used by criminals, but also by intelligence agencies and the police (I’m talking government-sponsored malware). If we assume that many of these vulnerabilities are already known in the underground, perhaps even with working exploits, then this AI tool should lead to improved security.

Is there actually a ban?

And finally, there’s the question of government regulation. The EU’s AI Act classifies AI applications into different levels of risk. The tools currently available to ordinary users are categorised as examples of the second-lowest risk level – «limited risk» – which involves no requirements other than a transparency obligation. But this situation might be different. I’m no lawyer, but as I understand it, AI that can be used to attack critical infrastructure without requiring specialised knowledge falls under the category of «unacceptable risk» – which would result in a ban.

The four levels of risk under the EU Act.
The four levels of risk under the EU Act.
Source: digital-strategy.ec.europa.eu
Header image: Shutterstock

72 people like this article

User Avatar
User Avatar
David Lee
Senior Editor
David.Lee@digitecgalaxus.ch

My interest in IT and writing landed me in tech journalism early on (2000). I want to know how we can use technology without being used. Outside of the office, I’m a keen musician who makes up for lacking talent with excessive enthusiasm.

Background information

Interesting facts about products, behind-the-scenes looks at manufacturers and deep-dives on interesting people.

Show all

These articles might also interest you

  • Background information

    Agents, not chatbots: why OpenClaw’s electrifying everyone right now

    by Luca Fontana

  • Background information

    Removing image noise: self-proclaimed test winner with grotesque results

    by David Lee

  • Background information

    International Women's Day: 5 works you should have on your radar

    by Pia Seidel

35 comments

Avatar
later