Anthropic has announced the AI model Mythos for automatically detecting vulnerabilities and building complete attack chains. The NCSC, part of the Ministry of Justice and Security, provides specific advice to organizations: shorten time-to-patch and ensure basic security is in place, as attacks are becoming faster and more automated.
Anthropic has announced the AI model Mythos, designed to automatically detect vulnerabilities and link them into complete attack chains. According to tests, Mythos identified thousands of zero-day vulnerabilities in major operating systems and web browsers, including a 27-year-old TCP vulnerability in OpenBSD and a 17-year-old security flaw in FreeBSD. The model achieves an autonomous exploit success rate of 72.4 percent, compared to virtually zero for the previous Opus 4.6 model.
Mythos thus goes a step further than Anthropic’s previous AI security work. In February 2026, the company launched Claude Code Security to scan code for vulnerabilities, but Mythos can also directly combine and exploit those vulnerabilities. During tests, the model produced 181 working exploits on Firefox’s JavaScript engine.
Project Glasswing: Defensive Use for a Select Group
Due to security risks, Anthropic is not widely marketing Mythos. Instead, the company launched Project Glasswing. This coalition of more than 40 organizations, including Amazon, Apple, Microsoft, Google, and the Linux Foundation, is permitted to use the model exclusively for defensive purposes. Anthropic is making up to $100 million in usage credits and $4 million in direct donations available to open-source security organizations.
But access remains limited. Experts warn that comparable capabilities from other AI labs could become more widely available within six to eighteen months, including to parties with malicious intent.
NCSC: Basic security must be in order now
The National Cyber Security Centre (NCSC) responds to developments surrounding Mythos with clear advice. Organizations must incorporate AI advancements into their patch management processes to significantly reduce time-to-patch. “You can’t prevent zero-days, but the ‘time-to-patch’ must be reduced; delays of days or weeks no longer fit the current threat landscape,” according to the NCSC.
In addition, the NCSC advises anticipating attacks that are becoming faster and more automated. AI can also be deployed on the defensive side, for example, to detect anomalous behavior in networks. The center further points out that details about Mythos had already leaked via a data breach before Anthropic officially announced the model.