Modena360 Blog

blog image

Anthropic's Claude Mythos and the Rise of Autonomous Zero-Day Discovery

In early April 2026, AI company Anthropic announced Claude Mythos (Preview) — a frontier AI model so capable at computer-security tasks that the company chose not to release it publicly — alongside a defensive coalition called Project Glasswing. The reason for the caution was clear: Mythos can autonomously discover previously unknown ("zero-day") software vulnerabilities and build working exploits for them, without human guidance. In testing, it identified thousands of high- and critical-severity flaws across every major operating system and web browser — including a now-patched 27-year-old bug in OpenBSD, a system renowned for its security hardening — and built working exploits for many of them, in one case chaining four separate vulnerabilities to escape a web browser's sandbox.

This is a genuine turning point. For years, progress in software security was limited by how quickly skilled humans could find new vulnerabilities. Mythos shows that bottleneck is disappearing — and that the window between a vulnerability being discovered and being weaponised, which once took weeks or months, is collapsing to hours. Anthropic responded by restricting the model to a small coalition of major technology companies — including AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, NVIDIA, Palo Alto Networks and the Linux Foundation — and committing up to US$100 million in usage credits (plus US$4 million to open-source security organisations) to find and fix critical bugs before hostile actors can. But the underlying message for every business is sobering: machine-speed offence has arrived, and most organisations are still defending at human speed.

Why This Is a Turning Point for Your Business

You don't need to run a tech company for this shift to reach you. A few realities now apply to organisations of every size:

  1. The volume of critical vulnerabilities is about to surge. As AI-assisted research uncovers flaws in widely used operating systems, browsers and open-source libraries, those become published CVEs that every organisation running that software must address.
  2. Time-to-exploit is collapsing. The average time between a vulnerability becoming known and being actively exploited has fallen from years a decade ago to days — and for some flaws, hours. The grace period to patch is shrinking fast.
  3. The capability won't stay in friendly hands. Anthropic locked Mythos down, but comparable offensive-AI capabilities are emerging elsewhere. Over time, this kind of power proliferates beyond research labs and well-funded actors to ordinary criminals.
  4. Discovery is now outpacing remediation. The hard part is no longer finding the bugs — it's fixing them in time. Even within Glasswing, only a fraction of the vulnerabilities found have been patched so far. The bottleneck has shifted to disciplined, prioritised remediation — exactly where most businesses struggle.

What Every Business Should Do Now

  • Know what you're running. You can't patch what you can't see. Maintain an accurate inventory of your systems, software and third-party components so you can react quickly when a new critical flaw is announced.
  • Move to risk-based, faster patching. With critical CVEs set to multiply, prioritise fixes by real-world risk and shrink the time between a patch being released and applied.
  • Test continuously, not once a year. If attackers use always-on, automated tools, an annual penetration test no longer reflects your real exposure.
  • Harden the fundamentals. Most attacks still begin with the basics — weak or reused passwords, exposed remote services and misconfigurations. Enforce multi-factor authentication, apply least-privilege access, and reduce your external attack surface.
  • Detect at machine speed. Real-time monitoring and behavioural analytics help spot the rapid, automated activity these threats generate.
  • Keep tested backups and a ready response plan. Regularly tested, off-site backups and a rehearsed incident-response plan keep a single intrusion from becoming a crisis.

How a Managed Service Provider (MSP) Helps

  • 24/7 security monitoring — analysts and tooling watching for intrusion around the clock.
  • Risk-based vulnerability & patch management — continuous scanning, prioritisation and remediation so the most dangerous flaws are closed first.
  • Threat intelligence & early warnings — proactive alerts so you learn about emerging techniques and critical CVEs early.
  • Incident response planning — ready-made playbooks and expert support to contain and recover quickly.
  • Responsible adoption of defensive AI — guidance on AI-powered security tooling and the controls around it.

Claude Mythos is a preview of the environment every business now operates in: one where vulnerabilities are found faster than they can be fixed, and the time to exploit them is measured in hours. It is no longer a question of if a weakness in your systems will be discovered, but how quickly you can find and fix it before someone else does. By adopting a defence-in-depth strategy and partnering with a trusted MSP like Modena360, your business can close that gap and stay resilient.


Worried about what AI-powered vulnerability discovery means for your business?

Let us build a proactive, continuously tested cybersecurity strategy — before the next threat strikes.

Talk to Modena360