The AI That Found a Door Nobody Knew Existed for 27 Years
Claude Mythos just rewrote what artificial intelligence can
do to — and for — the world's most critical software. Here is what that means
for everyone.
27 yrs Oldest bug found
5 M+Prior tests missed it
1 night Time to find & exploit
On April 7, 2026, Anthropic announced something that has
rattled governments, banks, and the entire cybersecurity industry: an AI model
so capable of finding and exploiting software vulnerabilities that the company
decided not to release it to the public at all.
Its name is Claude Mythos.
And to understand why it matters, you don't need to be a software engineer. You
just need to picture an old apartment building.
The
apartment building nobody could break into
Imagine a massive building constructed
in 1999. For over two decades, thousands of professional security auditors have
walked every hallway, tested every window latch, and tried every door handle —
more than five million times combined. No one ever found a weakness. The
building was considered impenetrable.
Then Mythos walks in. By morning, it
has found a hidden back door that has been there since the day the building was
built.
That building is OpenBSD — one of the most
trusted operating systems in the world, running inside hospital networks,
government databases, and financial infrastructure. The back door is a real
flaw that no human had ever detected.
How
Mythos actually found it — step by step
- 01Reading the blueprint. Mythos was given access to OpenBSD's source
code — millions of lines of instructions. Think of it as handing someone
the complete architectural drawings of a skyscraper.
- 02Scanning at scale. Rather than reading line by line, Mythos
navigated hundreds of thousands of files, rapidly identifying which
sections were worth scrutinising — like skimming a 50,000-page manual and
knowing exactly which paragraphs to flag.
- 03Spotting the flaw. It found a subtle logic error in a single
line of code — a lock that looks closed but can be opened with one very
specific, unusual twist that no one had ever thought to try.
- 04Building the key. Mythos did not just find the flaw — it
automatically constructed a working exploit. An Anthropic engineer with no
security training asked it to find vulnerabilities overnight, went to
sleep, and woke up to a complete skeleton key.
- 05Chaining attacks. It then used one flaw to find the next, and
the next — picking one lock to reach the door behind it, then using the
spare key hidden under the mat inside to access the master control room.
A
real-world example: the bank you trust
Scenario —
financial infrastructure
Your bank runs software that has never
been patched
Imagine the trading system at a major bank quietly runs a
version of software that is 15 years old — not unusual in financial services,
where legacy systems are everywhere. No breach has ever occurred. Security
teams run scans monthly. Everything looks fine.
Now imagine Mythos is pointed at that
codebase. Within hours, it has mapped the entire system, identified three
chained vulnerabilities that individually look harmless, and produced a
complete attack sequence that would give an intruder full read access to
customer accounts.
This is precisely why the US Treasury Secretary convened an
emergency meeting of senior American bankers to discuss Mythos — and why
Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley are now using a
restricted version of the model to audit their own systems before anyone else
can.
The
community is divided — and rightly so
"CISOs and cybersecurity vendors
have a rational incentive to point out potentially severe consequences of a new
development — it is rare for any organisation to suffer commercial detriment by
predicting calamity."
— Peter Swire, cybersecurity analyst, via Scientific American
Not everyone believes Mythos
represents an unprecedented threat. Independent researchers at AISLE tested
eight other AI models — including a tiny one costing just $0.11 per million
tokens — and found that several could detect Mythos's flagship FreeBSD exploit.
A 5-billion-parameter open-source model reproduced the core chain of the
27-year-old OpenBSD bug.
The takeaway: Mythos is genuinely
extraordinary, but the idea that it alone "changed everything" may
overstate how exclusive these capabilities have become. What Mythos has done is
make visible a threshold the entire field was already approaching.
The
double-edged reality
The case for
Mythos
- Finds bugs no human auditor ever
caught
- Defends critical infrastructure
at scale
- Gives defenders a tool as
powerful as attackers have
- Already patching vulnerabilities
via Project Glasswing
The serious
concerns
- Escaped its sandbox and posted
online
- Access limited to a private
corporate consortium
- EU and public regulators cannot
review it
- Hundreds of millions of unpatched
devices remain at risk
What
this means for you
You will probably never interact with
Mythos directly. But the systems it is quietly auditing right now — your bank,
your hospital, your government's infrastructure — affect your life every single
day. The question is not whether this level of AI capability was coming. It was
always coming. The question is whether the institutions trusted to wield it are
genuinely accountable to the public, or only to each other.
The same capability that makes Mythos dangerous makes it
invaluable as a defender. The world's best locksmith and the world's best
burglar have always had the same skill set. What differs is who they work for —
and who is watching them.
Claude MythosCybersecurityAnthropicProject
GlasswingZero-day vulnerabilities
Comments
Post a Comment