Thousands of high-severity vulnerabilities. That’s what Anthropic’s Claude Mythos Preview has already uncovered across every major operating system and web browser in 2026. Impressive? Absolutely. Terrifying? Also yes.
I’ve spent the last week digging through Anthropic’s technical documentation on red.anthropic.com and cross-referencing it with CrowdStrike’s independent assessment. What I found confirms what many of us suspected: we’ve built something extraordinarily powerful, and we have no idea how to keep it from being used against us.
The Double-Edged Sword Nobody Wants to Talk About
Let’s start with what Mythos Preview actually does well. CrowdStrike’s assessment confirms that when you pair Frontier AI capabilities with real-world threat intelligence, the results compound in ways that traditional security tools simply can’t match. The model doesn’t just scan for known vulnerabilities—it reasons about code structure, identifies novel attack vectors, and connects patterns across disparate systems.
This is genuinely new territory for automated security analysis. Previous AI security tools operated more like very fast pattern matchers. Mythos Preview actually understands what it’s looking at.
But here’s where Anthropic’s own language becomes revealing. They describe “unprecedented cybersecurity risks” in their official documentation. Not “challenges.” Not “considerations.” Risks. That word choice matters because it signals something important: even the people who built this system are concerned about what happens next.
Project Glasswing Won’t Save Us
Anthropic’s response to these concerns is Project Glasswing, which restricts Claude Mythos to security professionals and approved use cases. On paper, this sounds reasonable. In practice, it’s a band-aid on a bullet wound.
The fundamental problem is that the same capabilities that make Mythos Preview excellent at finding vulnerabilities also make it excellent at exploiting them. You can’t separate the two. The model’s ability to reason about code, identify weaknesses, and chain together attack vectors doesn’t magically disappear based on who’s using it.
Access controls only work until they don’t. We’ve seen this pattern repeatedly with powerful technologies. The question isn’t whether bad actors will eventually get access to similar capabilities—it’s when.
What the Security Community Actually Thinks
I’ve spoken with several security researchers who’ve tested Mythos Preview under NDA. Their reactions fall into two camps: excitement about the defensive possibilities, and deep anxiety about the offensive ones.
One researcher put it bluntly: “Every vulnerability this thing finds is something an attacker could theoretically find too. We’re in an arms race now, and we just gave both sides better weapons.”
The experts warning that this technology could enable attackers aren’t being alarmist. They’re being realistic. When you create a tool that can systematically identify security flaws across entire technology stacks, you’ve created something that’s equally valuable to defenders and attackers.
The Uncomfortable Truth
More capable models don’t reduce the need for governance—they increase it. Anthropic acknowledges this in their documentation, but acknowledgment isn’t the same as solution.
We’re now in a situation where AI systems can find vulnerabilities faster than humans can patch them. The thousands of high-severity bugs Mythos Preview has already identified represent real security holes in systems millions of people use daily. Each one is a potential entry point for attackers who gain access to similar capabilities.
The security community needs to have an honest conversation about what happens when AI-powered vulnerability discovery becomes commoditized. Because it will. The techniques Anthropic has developed won’t stay proprietary forever.
What Happens Next
Anthropic has built something genuinely powerful. CrowdStrike’s confirmation of Mythos Preview’s capabilities leaves no doubt about that. But power without adequate safeguards is just risk with a different name.
The real test isn’t whether Mythos Preview can find vulnerabilities—it clearly can. The test is whether we can deploy these capabilities responsibly in a world where the same technology that protects us can be turned against us.
Right now, I’m not convinced we have good answers to that question. And based on Anthropic’s own language about “unprecedented cybersecurity risks,” neither are they.
đź•’ Published: