Anthropic Unveiled Claude Mythos: AI for Zero-Day Discovery Shifts Internet Power Balance

Anthropic presented Claude Mythos as a model capable of autonomously finding unknown vulnerabilities and immediately turning them into working attack scenarios. This is why the company chose not to release the system to public access: according to its own description, such an AI can not only point out a weak spot, but methodically exploit it, gain elevated privileges, and use a chain of errors to compromise critical software. We're talking about so-called zero-day vulnerabilities — defects that developers don't yet know about and for which no ready-made fix exists.

If a tool can find such breaches faster than humans, the cost of failure rises sharply. In a typical defense model, companies have time between discovering a problem and its mass exploitation. With such an AI, this window could almost disappear: discovery, code writing, finding ways to bypass protection, and privilege escalation happen in a single cycle without lengthy manual work.

Anthropic claims that Mythos could theoretically link multiple vulnerabilities together to reach the level of major operating systems and popular browsers. This makes the story not a local problem of one vendor, but a question of the resilience of the entire digital infrastructure. If this approach actually works, the balance between attackers and defenders shifts: hacking no longer requires a team of rare specialists, but can rely on a machine that scales expertise, speed, and persistence.

Against this backdrop, the company launched Project Glasswing — a limited-access program for organizations that should use the model's capabilities for defensive purposes. Already 40 partners have been named, and all are American. This is an important detail: tools capable of simultaneously strengthening security and creating systemic risk concentrate in the center of the American digital ecosystem.

Formally, this is about preventive protection, when vulnerabilities need to be closed before malicious actors exploit them. But practically, this means that several private entities gain exclusive access to a technology whose impact extends far beyond their own networks. The only external partner outside the US is the United Kingdom, where the AI Security Institute gained access to the system for testing advanced models.

After becoming familiar with its capabilities, British ministers warned businesses: AI will make cyberattacks significantly easier, faster, and cheaper in the near future, and most companies are not ready for it. The next stage, according to available data, could be testing in European banks. This is a logical choice: the financial sector better understands the cost of vulnerabilities, but it is particularly sensitive to the consequences of errors in risk assessment.

The main question here is not just technical, but political. When a system can find universal weaknesses in widely used software, it becomes an instrument of infrastructural power. Then what matters is not just how well it works, but who decides who gets access, which bugs to close first, where the line is between research and offensive cyber operations, and how to verify the company's own claims about risk control.

The open internet was historically built on decentralization and shared rules, not on a few actors seeing all the cracks before everyone else. What this means. The emergence of Claude Mythos shows that the next phase of AI in cybersecurity will be determined not only by model quality, but by access regimes.

Technology that equally scales both defense and attack requires not only patches, but new accountability rules. Otherwise, control over digital security will begin to shift from public institutions and the broader ecosystem to a narrow circle of private companies.