Dario Amodei warned this week of a narrow window to patch tens of thousands of vulnerabilities found by a model his own company won't release publicly. Cybersecurity experts say other AI can already do the same thing.
On Tuesday, Dario Amodei stood on stage with JPMorgan Chase CEO Jamie Dimon and delivered a warning that sounded like something from a threat briefing, not a product launch.
Anthropic's latest model, Mythos, has found tens of thousands of previously unknown vulnerabilities across the world's software infrastructure. Most of them remain unpatched. Chinese AI is roughly six to 12 months behind. That window, Amodei said, is how long the world has to fix the problems before adversaries can find them independently.
"The danger is just some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that's done from ransomware on schools, hospitals, not to mention banks," he said.
Anthropic has restricted Mythos to a small number of vetted partners under a program called Project Glasswing, citing concerns about what criminals or adversarial nations could do with unrestricted access.
The launch cohort includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, with over 40 additional organizations also given access.
The warning generated significant coverage. It also generated significant skepticism from the people who actually work in cybersecurity every day.
Here is the part of the story that got less attention: experts say the capability Amodei is warning about has been available in existing AI models for months. And the White House has quietly blocked Anthropic from expanding Mythos access further.
What Mythos Actually Did
The numbers are real and worth stating clearly.
An earlier Anthropic model found roughly 20 vulnerabilities in the Firefox browser. Mythos found nearly 300, and generated 181 working Firefox exploits compared to just 2 for its predecessor Claude Opus 4.6. Mozilla confirmed this, using a preview of the model to identify and patch 271 vulnerabilities in Firefox.
Mythos also found a vulnerability in OpenBSD, an operating system specifically known for its security, that had gone undetected for 27 years. It also found a 16-year-old flaw in FFmpeg's H.264 codec and a 17-year-old remote code execution vulnerability in FreeBSD, designated CVE-2026-4747, that it exploited fully autonomously with no human involvement after the initial prompt. Across all software, the total count of vulnerabilities found by Mythos now runs into the tens of thousands.
Anthropic's red team reported that engineers with no formal security training asked Mythos to find remote code execution vulnerabilities overnight and woke up to a complete, working exploit by morning. The model wrote exploits in hours that expert penetration testers said would have taken weeks. Over 99% of the vulnerabilities Mythos has identified have not yet been patched, according to Anthropic's red team blog. A public findings report is expected in early July 2026.
Anthropic committed $100 million in Mythos usage credits and $4 million in direct open-source security grants to support Project Glasswing.
What makes Mythos different from previous models is not just finding vulnerabilities. It is the next step: developing working exploits with little or no human input, effectively automating a process that previously required skilled researchers. The total cost of the thousand-run campaign that found the 27-year-old OpenBSD bug was under $20,000. The specific run that surfaced it cost under $50.
What the Experts Are Actually Saying
Cybersecurity experts and AI researchers told CNBC that the software vulnerabilities revealed by Mythos can be found using existing models, including those already publicly available.
"What we are seeing across the industry now is that people are able to reproduce the vulnerabilities found with Mythos through clever orchestration of public models to get very, very similar results," said Ben Harris, CEO of cybersecurity firm watchTowr Labs.
Klaudia Kloc, CEO of cybersecurity firm Vidoc, told CNBC: "The models that we have right now are powerful enough to detect zero days in a large scale, and this is scary enough." That has been the case for "a couple of months, if not a year," she said.
Researchers at AISLE, an AI cybersecurity startup, tested Anthropic's showcase vulnerabilities on small, cheap, open-weights models. Eight out of eight detected the FreeBSD exploit. A model with only 5.1 billion parameters recovered the core analysis chain of the 27-year-old OpenBSD bug. AISLE's conclusion: "The moat in AI cybersecurity is the system, not the model." Cheap models are finding the same bugs.
A February blog post showed that Claude Opus 4.6, a widely available Anthropic model, found more than 500 high-severity vulnerabilities in open-source software before Mythos was announced.
Amodei himself acknowledged at Tuesday's event that the trend was not new.
"The risks are very real. This is why we took the actions we did," he said. "But they're also, in some sense, not that surprising. We've been seeing warnings of this for a while."
David Lindner, CISO at Contrast Security with 25 years in the industry, told Fortune the harder problem was never finding vulnerabilities. "We've never had a problem finding vulnerabilities," he said. The problem has always been fixing them faster than attackers can exploit them. That problem is not solved by finding more of them faster.
Anthropic has also reported that hacking groups, including those linked to the Chinese government, have already attempted to use Claude in real-world cyberattacks. The adversary is not six to 12 months away. They are already operating.
The JPMorgan Setting Is Not Incidental
The choice to deliver this warning on stage with Jamie Dimon, at an event where Anthropic simultaneously announced 10 new AI agents for banking and back-office work and a unified Microsoft Office integration, deserves attention.
Amodei warned about critical cybersecurity risk. He did it while announcing financial services AI products. He did it flanked by the CEO of JPMorgan Chase, which happens to be one of the 12 launch partners with Mythos access, while both companies head toward potential IPOs.
OpenAI is also finalizing a model similar to Mythos that it will release only to a small set of companies through its existing "Trusted Access for Cyber" program. The race is not just between Western AI and Chinese AI. It is between Anthropic and OpenAI for the enterprise cybersecurity market.
Dimon described the cybersecurity risks created by AI as a "transitory period." He has a direct interest in the outcome. JPMorgan Chase is one of the most targeted institutions in the world for cyberattacks and a direct partner with access to the model being discussed. Dimon calling the risk transitory while standing next to the CEO of the company he is partnered with is not an independent assessment.
Both men said there is "a better world on the other side of this." Both men are in a commercial relationship centered on the tools that are supposed to get you there.
The Defense Versus Offense Question
The central factual dispute in the Mythos story remains genuinely unresolved.
Does AI-powered vulnerability discovery favor defenders or attackers?
Mozilla's cybersecurity engineer, speaking to TechCrunch after the Firefox vulnerability work, offered the most honest answer available: "It's useful for both attackers and defenders, but having the tool available shifts the advantage a little bit to defense. Realistically, nobody knows the answer to this yet."
Amodei's optimistic case rests on the claim that "there are only so many bugs to find." If defenders can use AI to find and patch all vulnerabilities first, the attack surface shrinks permanently. That is coherent. It assumes defenders move faster than attackers, that patches get deployed before exploits are developed, and that the most dangerous capabilities stay in the right hands.
Over 99% of the vulnerabilities Mythos has found remain unpatched. The unauthorized access happened on launch day. The White House blocked expanded access rather than accelerate it. All three of those facts point in the same direction.
My Take
Amodei is not manufacturing the risk. The 27-year-old OpenBSD flaw is real and confirmed by Anthropic's own red team blog with technical detail. The 271 Firefox vulnerabilities are real and confirmed by Mozilla. The FreeBSD remote code execution exploit is real, designated CVE-2026-4747, and was fully autonomous. The Chinese government's active attempts to use existing Claude models for cyberattacks are documented.
The problem is not the warning. The problem is the structure around it.
A company whose most dangerous model was found in a public database before it was announced, watched unauthorized users access it on launch day, had the White House quietly block its expansion plans, and is now using its existence to anchor a financial services product launch and an IPO narrative is not in a clean position to be the primary voice framing the danger.
The AISLE research finding that cheap open-weights models can reproduce Mythos's showcase vulnerabilities is the most important technical detail in the entire story and the one that got the least coverage. If the moat is the system and not the model, then restricting Mythos buys time but does not change the underlying trajectory.
The six-to-12-month window Amodei is describing assumes a race that started when Mythos was announced. The cybersecurity experts, and Amodei himself when pressed, say the capability was already present in publicly available models. The window was not opened by Mythos. It has been open. The warning is correct. The timeline is late.
The most important thing Amodei said Tuesday was not the warning. It was the automotive analogy: "You can't just start a car company without 'Are there brakes on this thing?'"
Mythos was exposed in a public database, accessed without authorization on launch day, and quietly capped by the White House before the Tuesday event. The brakes question applies to Anthropic too!
Questions Worth Sitting With
The model was found in a public database, then accessed by unauthorized users on launch day through a contractor. If Anthropic cannot control access to its most restricted model in the first 24 hours, what is the realistic expectation for the six-to-12-month window it is asking defenders to use?
AISLE researchers found that cheap open-weights models can reproduce Mythos's showcase vulnerabilities. If the moat is the system and not the model, what exactly does restricting Mythos access accomplish beyond buying a few months?
Over 99% of the vulnerabilities Mythos has found remain unpatched. A public findings report lands in July 2026. What happens to organizations outside the Project Glasswing coalition when those findings become public and attackers have the same information defenders do?
Amodei delivered a cybersecurity warning while announcing financial services AI products, flanked by one of his 12 Mythos launch partners. How should policymakers weigh a threat assessment delivered in a sales context by a company approaching an IPO?
This article reflects my personal analysis and opinions based on publicly reported information. I'd be more than happy if you share your opinion.
Sources:
- CNBC: Dario Amodei remarks at Anthropic financial services event with Jamie Dimon, May 5, 2026.
- CNBC: "Anthropic's Mythos set off a cybersecurity hysteria. Experts say the threat was already here," May 8, 2026.
- Anthropic Project Glasswing announcement and Red Team blog, April 7, 2026.
- Fortune: "Anthropic Mythos model representing step change in capabilities," March 26, 2026.
- Fortune: "A group of users leaked Anthropic's AI model Mythos," April 23, 2026.
- Fortune: "Cybersecurity veteran on Anthropic's Mythos," April 13, 2026.
- VentureBeat: "Mythos detection ceiling, security teams new playbook," April 2026.
- AISLE: "AI Cybersecurity After Mythos: The Jagged Frontier," April 7, 2026.
- MindStudio: "Claude Mythos Found a 27-Year-Old Vulnerability, Then the White House Stepped In," April 2026.
- TechCrunch: "How Anthropic's Mythos has rewritten Firefox's approach to cybersecurity," May 7, 2026.
- Axios: "Anthropic withholds Mythos Preview model," April 7, 2026.
- OpenAI "Trusted Access for Cyber" program, via Axios, April 2026.
- CVE-2026-4747, FreeBSD remote code execution, confirmed via Anthropic Red Team blog.