Anthropic’s Mythos and the New Era of Autonomous Exploits

Andy InfoFina

Welcome to the show. April 7th, 2026: Anthropic announces Project Glasswing, and buried inside it is a model called Claude Mythos Preview -- their MOST powerful model yet -- and you cannot just go use it. Not in the normal API, not as a product, not as a shiny new chatbot tab. [pauses] That alone made me sit up.

Andy InfoFina

Because this wasn’t a consumer launch. It was a controlled deployment to a handpicked group of defenders: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, and Nvidia. That is not a random customer list. That’s cloud, endpoints, chips, banking, operating systems... basically the people standing closest to the blast radius if something this capable goes sideways. [reflective]

Andy InfoFina

And Anthropic added another detail that feels small until you think about it: $100 million in model usage credits. [skeptical] That’s not marketing confetti. That says they expect REAL operational volume. Lots of scanning, lots of testing, lots of cycles. They are subsidizing usage at a scale that sounds less like “demo the future” and more like “please run this hard against real systems.”

Andy InfoFina

I mean, as a guy who mostly lives in documents and spreadsheets, my plain-English translation is: this thing is not being introduced as a clever assistant. It’s being introduced as a security program.

Andy InfoFina

And here’s the weird, slightly chilling reaction I had: is this the first time an AI company has basically said, out loud, “This is too powerful for everyone, but safe enough for the right people”? [short pause] Not “not ready yet.” Not “limited beta.” More like a velvet-rope launch for autonomous cyber capability.

Andy InfoFina

Now, the obvious pushback is: well, security vendors have always had private tools. Sure. But this feels different. Anthropic is not just restricting features. They are restricting a MODEL because of what it can do. That is a new category of sentence. And if you’re hearing alarm bells, yeah... same. [sighs]

Andy InfoFina

The proof point that changed this from theory to, uh, very real, is FreeBSD. Mythos independently found and exploited a 17-year-old remote code execution bug in FreeBSD, now tracked as CVE-2026-4747. The reported impact is brutal: an unauthenticated attacker can get root on any machine running NFS.

Andy InfoFina

Seventeen years. Just let that number sit there for a second. A bug old enough to vote in some countries. [dry laugh] And it wasn’t just, “Hey, maybe this code looks weird.” Anthropic says Mythos triaged it, reproduced it, and demonstrated exploitation end-to-end with no human guidance.

Andy InfoFina

That is the jump. That’s the whole story, really. We’ve had AI systems that help analysts. We’ve had copilots that suggest things. This sounds like something closer to an autonomous offensive-capable researcher. It didn’t stop at suspicion. It kept going until it could PROVE impact. [emphasis]

Andy InfoFina

Imagine the moment for the FreeBSD folks. You’ve got a vulnerability sitting there for 17 years, tucked inside a real operating system used by real machines, and then a model walks the chain by itself. No tired human red teamer with coffee and three monitors. Just the model working the problem. [pauses]

Andy InfoFina

And if you’re thinking, “Okay, but it’s one bug,” yeah, that’s the comforting version. The less comforting version is this: if it can do that in one mature system, what happens when you point Mythos-class capability at the long tail of Linux distributions, macOS components, Windows services, browser stacks, all of it? [quietly] Because software is full of old rooms nobody has opened in years.

Andy InfoFina

Anthropic’s argument is pretty direct. Mythos is dangerous as an offensive tool, but uniquely valuable for defenders trying to get ahead of attackers. That’s the tradeoff. Restrict it, aim it at defense, buy time.

Andy InfoFina

And to be fair, I get that logic. If you had a system that could autonomously find, reproduce, and exploit serious bugs, you would not want to toss it into the public internet like free sample day at Costco. [chuckles] You’d want guardrails. You’d want named partners. You’d want lawyers sleeping slightly better.

Andy InfoFina

But the counterweight here matters. Bruce Schneier’s concern is basically: restricting access to specific defenders does not stop leakage, reverse engineering, or equivalent capability from showing up somewhere else. It may only buy time. And maybe it widens the gap between well-resourced organizations and everybody else. [skeptical]

Andy InfoFina

That part hits. Because if you work in security, you already know how this movie goes. The big players get early warning, the rest of the ecosystem gets the patch storm.

Andy InfoFina

Practically, the thing to watch is coordinated responsible disclosure. Anthropic’s own framing points to a 30-to-90-day wave of CVEs across FreeBSD, Linux, macOS, Windows, and major browsers. So if you’re on the defensive side, the move is not philosophical debate first. It’s patch prioritization. Inventory. Exposure mapping. Which internet-facing systems can’t wait. [matter-of-fact]

Andy InfoFina

And man, if you’ve ever watched a “routine” patch cycle turn into a full fire drill by lunchtime, you know exactly what kind of workflow-breaker this could become. [exhales sharply]

Andy InfoFina

One detail I keep coming back to is JPMorganChase being on that early-access list. When a major bank is included from day one, that tells you where this is headed. Critical infrastructure and financial services are not treating AI-assisted vulnerability discovery like a lab experiment. They’re treating it like an operational advantage.

Andy InfoFina

So over the next 12 to 18 months, I think security teams need to start interrogating vendor roadmaps a lot harder. [matter-of-fact] Don’t just ask, “Do you use AI?” That question is basically useless now. Ask: can your tool triage a finding, reproduce it, and prove exploitability? Or is it just relabeling alerts with fancier wording?

Andy InfoFina

That also raises the bar for anyone building SAST, DAST, or vulnerability management products. “Find suspicious code” used to sound good. Now the standard is shifting toward autonomously validate impact. That is a much tougher job. It’s the difference between a smoke alarm and a firefighter who can point to the exact burner you left on. [reflective]

Andy InfoFina

And this is the question I can’t shake: if defenders get a head start with Mythos-class systems, does that actually narrow the gap? Or does it just define the next arms race, where everybody now has to assume the other side can chain bugs at machine speed? [long pause]

Andy InfoFina

I don’t know. But I do know this -- once the baseline becomes “the model can verify the exploit,” security teams won’t be judged on how many alerts they saw. They’ll be judged on how fast they moved before somebody else did. [softly] That’s a different world. Thanks for listening.