- Anthropic reported Mythos Preview uncovered over 10,000 high‑ and critical‑severity vulnerabilities in under two months, with Cloudflare alone finding 2,000 bugs
- Independent validation confirmed 90% of assessed findings as real, though critics argue the breakthrough may stem from massive compute and workflows rather than unique reasoning
- The bottleneck has shifted from discovery to verification, disclosure, and patching, as AI now surfaces vulnerabilities faster than organizations can remediate them
In less than two months, Anthropic and its partners have discovered more than ten thousand critical and high-severity security vulnerabilities using the Mythos Preview artificial intelligence tool.
In a project update published last week, Anthropic stated that roughly 50 organizations using the tool each found “hundreds” of vulnerabilities.
“Several have told us that their rate of bug-finding has increased by more than a factor of ten,” the company said. “For instance, Cloudflare has found 2,000 bugs (400 of which are high- or critical-severity) across their critical-path systems, with a false positive rate that Cloudflare’s team considers better than human testers.”
Anthropic explained that sharing details on vulnerabilities is usually done with a 90-day delay, to give users time to patch and to avoid putting anyone at risk. Therefore, it only shared general, “illustrative examples” to demonstrate the tool’s power.
With that in mind, it said that Mythos found an estimated 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total, including medium- and low-severity findings).
Skepticism Lingers
Of those, 1,752 have been assessed by independent security researchers, and 90% were confirmed as valid positives, while 62.4% were confirmed as either high- or critical-severity.
But while the overall reaction to Mythos Preview has been extremely positive, some argue the hype may be overstated. Analysis from Techzine suggests AI-assisted vulnerability discovery already existed through systems like Google’s Big Sleep, and that the real challenge remains human operational security.
A recent academic paper, “Benchmarking Mythos-Linked Bug Rediscovery,” found that under controlled conditions, public frontier models like GPT-5.5 were able to rediscover some of the same vulnerabilities attributed to Mythos. On Reddit, different communities have expressed similar skepticism. The key takeaway is that Mythos may be leveraging enormous amounts of compute and long-running agentic workflows rather than possessing qualitatively different reasoning abilities.
In any case, Anthropic now states that progress on software vulnerability discovery is no longer limited by speed, but rather by the speed of verification, disclosure, and patching.
The best antivirus for all budgets
Our top picks, based on real-world testing and comparisons
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.