Mythos Preview Finds Thousands of Unpatched Bugs Across Major Operating Systems and Browsers.
UK security researchers say AI vulnerability-hunting is doubling every four months. The 99 percent unpatched rate is the floor, not the ceiling.
Anthropic built Mythos Preview to find vulnerabilities that nobody else could. Then it told the world what it found: thousands of them, scattered across every major operating system and browser. Of those vulnerabilities, 99 percent had not yet been patched.Anthropic Technical Blog
That is the number worth sitting with. Not the 73 percent success rate on expert-level capture-the-flag challenges, or the fact that Mythos became the first model to complete a 32-step corporate network attack simulation in 3 out of 10 attemptsAISI Blog — numbers that generated most of the coverage. The 99 percent is the story.
The UK AI Security Institute evaluated Mythos Preview and confirmed it represents a step change in autonomous vulnerability discovery. Its cyber capabilities benchmark is doubling every four months, the AISI assessed in an open letter signed by two UK ministersUK Gov — roughly double the pace the institute had previously estimated. Mythos completed an average of 22 out of 32 steps on the institute is most demanding corporate network simulation; the previous best model managed 16.AISI Blog
But the thing Mythos found most effectively was how long defenders had been asleep. Among the vulnerabilities it identified: a bug in OpenBSD that had been sitting in the code for 27 years, and one in FFmpeg that was 16 years old. Nobody had patched them.Anthropic Technical Blog
The obvious question — why not — has an uncomfortable answer. A separate analysis by the security firm AISLE found that a model with 3.6 billion parameters, costing $0.11 per million tokens, detected the same flagship FreeBSD exploit that Anthropic highlighted as Mythos is most significant result. Eight out of eight models tested, including the budget option, flagged the vulnerability.AISLE The implication is not that Mythos is ordinary. It is that the vulnerability was findable by methods that already existed.
Richard Horne, chief executive of the UK National Cyber Security Centre, offered a different reading at the CyberUK conference: the Mythos moment, he said, might finally persuade companies to replace their obsolete systems.The Guardian That is a lower bar than solving the problem. It is also a more honest one.
The vulnerabilities Mythos found were not newly introduced by AI. They had been sitting in production code for years, in some cases decades, undetected or unfixed. The speed at which AI can now surface them does not change the underlying failure. It just makes the cost of maintaining it higher.
