The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

Anthropic’s Mythos Raises the Cyber Threat Level

Ryan McCarthy

Managing Director, CISO Solutions

Michael Lyons

Managing Director, Global Telecommunications Industry Leader

Introduction

In November 2022, ChatGPT 3.5 debuted, marking a major milestone for generative AI. Since then, new tools and models have emerged rapidly—bringing distinct capabilities and new security risks. As these technologies evolve toward more advanced reasoning and agentic capabilities, security leaders are evaluating what they could mean for vulnerability discovery, exploit development, and defense.

On April 7, 2026, Anthropic announced its latest frontier model, Claude Mythos, and warned that the unreleased system had reportedly identified thousands of previously unknown, exploitable vulnerabilities across major operating systems and web browsers. If those claims are substantiated, they could accelerate the pressure on traditional patch cycles, increase the need for rigorous code review, and elevate the importance of segmentation and access controls to limit impact.

Even so, this development changes the speed and scale of vulnerability discovery more than it changes the fundamentals of cybersecurity. Organizations can still rely on established best practices—while preparing for a world where new vulnerabilities are identified faster than teams can remediate them.

What Is Claude Mythos?

Claude Mythos is an unreleased, general-purpose AI model built by Anthropic with strong coding and reasoning capabilities. Combined with autonomous security logic, it is designed to identify software vulnerabilities by reviewing code for weaknesses, analyzing potential exploit paths, and proposing patch options. It can also chain multiple weaknesses into an attack path and generate proof-of-concept outputs for exploitation testing.

Anthropic has not released the model publicly, choosing instead to provide limited access to a small set of large technology companies—positioning the approach as a way to give defenders a head start before similar capabilities become widely available.

Anthropic has reported that the model has identified thousands of potential zero-day vulnerabilities across major operating systems and web browsers. Publicly discussed examples include:

  • A 27-year-old OpenBSD integer-overflow vulnerability that can induce a remote crash
  • A reported FFmpeg vulnerability that evaded detection across millions of automated test runs
  • A Linux kernel exploit chain that links multiple weaknesses for privilege escalation

At present, Mythos is not available for public use, which limits immediate risk. However, given the pace of AI development, comparable capabilities could become broadly accessible within the next 12 to 18 months, including through open-source models.

What Is Project Glasswing?

To harness these capabilities defensively, Anthropic created Project Glasswing—an initiative that brings together major technology organizations to collaborate on secure development and improved defensive measures. Participants reportedly include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia, the Linux Foundation, Palo Alto Networks, JPMorgan Chase, and others. In total, roughly 40 organizations are participating.

Anthropic has committed $100 million in usage credits and has donated $4 million to open-source security organizations. Early reports suggest Linux kernel maintainers have already used the model to uncover vulnerabilities previously missed by traditional approaches.

Early testing also highlights an important limitation: while AI can accelerate vulnerability discovery and propose fixes, remediation still requires significant human validation, engineering judgment, and defense-in-depth thinking. Security teams should prepare for faster discovery cycles by strengthening foundational controls across multiple layers.

Call to Action

If current trends continue, the race to identify and fix vulnerabilities before threat actors exploit them may become increasingly difficult to sustain. That reality makes it even more important to reinforce the fundamentals of a holistic cybersecurity program—preventing exploitation where possible, limiting impact when incidents occur, enabling resilience, and accelerating recovery.

Start with attack surface visibility and asset governance. As environments expand, incomplete inventories create blind spots. Make asset inventories a routine discipline—similar to user access reviews—covering IP space, cloud and physical assets, software, and third-party relationships. Pair that work with attack surface management to document externally exposed services and reduce exposure through access controls, configuration hardening, and removal or restriction of unnecessary services.

Next, review the full vulnerability management program—from scanning and prioritization through patching and remediation. Many organizations scan well but struggle to patch consistently within SLAs and risk tolerance. Strengthen coordination between security operations and IT operations, reduce patch timelines where feasible, and address backlog risk before it compounds.

Then evaluate the software development life cycle. AI can accelerate coding, but speed should not erode secure engineering. Invest in developer training, code scanning, testing, and disciplined release and remediation processes to maintain cyber hygiene. Truly integrating security into the development life cycle is essential.

Finally, test resilience. Ensure monitoring is comprehensive, incident response is practiced, backups are recoverable, and the organization can safely isolate and restore systems when needed. Don’t wait for a crisis to validate these fundamentals.

In Summary

Mythos is an early signal of how AI may reshape the security landscape. AI tools can rapidly explore “what if” scenarios to identify weaknesses, but reliable remediation remains complex and often depends on human decision-making and layered controls. That dynamic makes foundational security disciplines—asset visibility, vulnerability management, secure engineering, and resilience—more important, not less.

Organizations should use this moment to reassess defense-in-depth strategies and communicate clearly with executives and the board about how AI-driven discovery could compress response timelines. The organizations that prepare now will be best positioned to reduce risk later.

How Protiviti Can Help

Protiviti’s cybersecurity experts help organizations design, assess, and enhance information security strategies and privacy risk management.

We take a holistic business and technology view of risk posture, using industry-recognized frameworks to assess current capabilities and identify gaps. Based on your environment, we develop pragmatic roadmaps to guide cybersecurity investments that protect customers and support sustainable growth.

Authors

Ryan McCarthy

Verified Expert at Protiviti

Ryan P. McCarthy, Managing Director, CISO Solutions, brings more than 18 years of experience in cybersecurity across...

Michael Lyons

Verified Expert at Protiviti
