AI agents are becoming highly capable at finding and exploiting security vulnerabilities, a trend highlighted by Anthropic's announcement of 'Mythos Preview' — a gated model that dramatically outperforms previous models in identifying real-world bugs. Mythos found a 27-year-old OpenBSD bug, a FreeBSD NFS RCE, and succeeded at exploiting Firefox JS engine vulnerabilities 181 times versus twice for the prior model. Anthropic also launched Project Glasswing, a multi-company initiative backed by AWS, Microsoft, Cisco, and others, donating $100M in credits to secure critical open source software. Key concerns include the democratization of offensive security (non-security engineers waking up to working exploits), the narrowing window between patch disclosure and exploitation, and the eventual availability of comparable capabilities in open-weight models within 12-18 months. The biggest organizational challenge remains patch deployment speed — monthly patch cycles may soon be insufficient.
Table of contents
Increases in Security CapabilitiesFinding Security BugsBuilding Exploits for Newly Patched VulnerabilitiesDemocratizing Offensive SecurityDeploying Patches Remains the Big ChallengeProject GlasswingIsolation Concerns For TestingThe Rise of Open Weight ModelsConclusionReferencesSort: