In an April 7th 2026 post on their website, Anthropic announced the preview release of their Claude Mythos AI model in which they stated:
"During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so."
A bold claim. Is it something to worry about?
Yes, it is something to worry about
Anthropic claim that Mythos finds vulnerabilities that are difficult to detect:
"Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD — an operating system known primarily for its security."
The exploits Mythos constructs include advanced chains as well as garden-variety stack overflows. For example,
"it autonomously wrote a remote code execution exploit on FreeBSD's NFS server that granted full root access to unauthenticated users by splitting a 20-gadget ROP chain over multiple packets."
Breaking this down, Mythos took full control of a file server over the network without even having to log in as a user. It did so by chaining together twenty small pieces of code already present on the server (the "gadgets" of return-oriented programming, or ROP) and delivering that chain in several network packets.
Furthermore, using roughly a thousand code repositories, it was able to achieve:
"full control flow hijack on ten separate, fully patched targets."
So, what's the secret? Has the model been trained by the best hackers in the world? The surprising answer is no:
"We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them."
So that helps explain how Mythos can deliver.
It's better at understanding code than other models so it can find more vulnerabilities in applications and operating systems.
It usually takes time for vulnerabilities to be turned into exploits. Anthropic are claiming that they have shortened that gap considerably.
"Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit."
Mythos is therefore the latest in a line of purple-team-capable models that help merge offensive (red team) and defensive (blue team) functions. And it is really capable.
Jumping to the end of the post:
"The trajectory is clear. Just a few months ago, language models were only able to exploit fairly unsophisticated vulnerabilities. Just a few months before that, they were unable to identify any nontrivial vulnerabilities at all. Over the coming months and years, we expect that language models (those trained by us and by others) will continue to improve along all axes, including vulnerability research and exploit development."
Reassuringly they add:
"In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened — in large part by code written by these models. But the transitional period will be fraught. We therefore need to begin taking action now."
In other words, although they foresee a future in which models such as Mythos are predominantly used defensively, there will be challenges along the way as bad guys push models in the same league as Mythos to the limit and generate exploits. The exploited vulnerabilities can, of course, be patched with the support of the very same models now being used defensively, but only if those models have already found them.
We are in the transitional period right now. Models such as Mythos will enable the rapid development of exploits for vulnerabilities that have not been discovered. But the very same models will also speed up the development of exploits for those vulnerabilities that have been discovered and published. It's less work after all (or fewer tokens expended).
What should I do?
Vulnerabilities and their exploits are not new and ways of dealing with them are not new either. Just do most, if not all, of the following and you will be able to sleep at night while this new class of model does its thinking.
The recommendations apply to company and home networks.
Backups
Assume the worst: back up your precious data. I mean really back it up and not just place it in the cloud somewhere and assume that it's safe. Ideally you should follow the 3–2–1 rule with three copies of your data including your original, two types of media and one encrypted copy kept off-site. The last of these is critical if you need to recover from a ransomware attack.
Up to date Antivirus
A lot of attacks start with phishing where the user is asked to click on a link that downloads bad software or open an infected attachment. So, it's important that an antivirus stops this from happening. Nothing beats training to avoid falling for a phishing attempt, but we all make mistakes and antivirus tools can help as long as they are kept up to date with the latest tricks used by the phishers.
Up to date Software
It is rare to find a computer or server free of all known vulnerabilities. But if a vulnerability has an exploit, it is only a matter of time before it is downloaded through phishing and either starts encrypting your precious files or allows an attacker to virtually sit on that computer while working out their next move. Therefore, if the operating system or application (especially web browsers) has a newly patched version or security patches, do not wait to update.
The latest iteration of antivirus software can also detect vulnerabilities and is likely to make recommendations that you should follow.
Reboot often
Rebooting not only ensures that any updates are fully applied but it can also slow down attackers who are trying to compromise systems. A daily reboot would be ideal but a weekly reboot should suffice.
This should also apply to consumer grade network equipment such as home routers but please don't go around rebooting corporate network switches, otherwise I'm going to get in trouble with that community.
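The link between patching and rebooting can be checked directly on a Linux machine. The Python sketch below is an added example, not part of the original post: it reads /proc/<pid>/maps and reports processes still running code from system files that an update has already replaced on disk. The function names, the list of system directories and the sample maps text are assumptions made for illustration.

```python
from pathlib import Path

# Assumption: where package managers install code on a typical Linux system.
SYSTEM_PREFIXES = ("/usr/", "/lib", "/bin/", "/sbin/", "/opt/")
DELETED = " (deleted)"

# Constructed sample of /proc/<pid>/maps (not taken from a real host).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r-xp 00002000 08:01 131090 /usr/sbin/sshd
7f3a1c000000-7f3a1c1b0000 r-xp 00028000 08:01 262155 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a1c400000-7f3a1c420000 rw-p 00000000 00:00 0
7f3a1c600000-7f3a1c601000 r-xp 00000000 00:01 2049 /memfd:jit (deleted)
7f3a1c800000-7f3a1c900000 rw-s 00000000 08:01 393301 /tmp/cache.db (deleted)
"""

def stale_mappings(maps_text):
    """Executable system files a process still has mapped after they were replaced."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname (pathname may hold spaces)
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        perms, path = parts[1], parts[5]
        if "x" in perms and path.endswith(DELETED):
            path = path[: -len(DELETED)]
            if path.startswith(SYSTEM_PREFIXES):
                stale.add(path)
    return stale

def scan_proc(proc_root="/proc"):
    """Return {'pid (name)': [stale files]} for every process we may read."""
    findings = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            stale = stale_mappings((entry / "maps").read_text())
            name = (entry / "comm").read_text().strip()
        except OSError:  # process exited, or owned by another user
            continue
        if stale:
            findings[f"{entry.name} ({name})"] = sorted(stale)
    return findings

if __name__ == "__main__":
    print("sample:", sorted(stale_mappings(SAMPLE_MAPS)))
    if Path("/proc/self/maps").exists():
        for proc, files in scan_proc().items():
            print(f"restart or reboot needed: {proc} still runs {files}")
```

Run it as root to see every process. A kernel update never shows up in this check, because only a reboot loads the new kernel.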
Closing Remarks
Claude Mythos' offensive capabilities are just the latest in a long line of wake-up calls for information security. It's likely that there will be a large number of newly discovered exploitable vulnerabilities in the coming weeks and months.
However, what's more likely is that exploits will appear for known vulnerabilities, complementing the large library of exploits that have already been published.
Failure to patch and update software followed by reboots is like leaving the front door to your house open. Of course, if you have backed up, you can recover from the break-in (or more accurately walk-in), but wouldn't you rather be doing something else?