ARTICLE | red.anthropic.com | 71 min read

Claude Mythos Preview: A New Era in Cybersecurity

AI Summary

Today, we unveiled Claude Mythos Preview, a groundbreaking language model that excels in computer security tasks. This model is at the heart of Project Glasswing, our initiative to fortify the world's critical software against cyber threats. Our testing reveals that Mythos Preview can autonomously identify and exploit zero-day vulnerabilities across major operating systems and web browsers, often finding subtle bugs that have existed for decades. For instance, it discovered a 27-year-old bug in OpenBSD and crafted complex exploits like a JIT heap spray that bypasses multiple security layers.

Mythos Preview's capabilities extend beyond expert use, enabling even non-experts to uncover sophisticated vulnerabilities. In one benchmark, it developed working exploits for Mozilla's Firefox JavaScript engine 181 times, a stark contrast to its predecessor, Opus 4.6, which succeeded only twice. This model's prowess is not a result of explicit training for exploitation but rather an emergent property of its enhanced code reasoning and autonomy.

Our internal benchmarks show Mythos Preview achieving full control-flow hijack on multiple patched targets, a feat unmatched by previous models. While the model's potential benefits for defenders are immense, there is a risk that attackers could exploit these capabilities if models are not carefully managed. To mitigate this, we've initially released Mythos Preview to a select group of industry partners under Project Glasswing.

In evaluating Mythos Preview, we focused on its ability to find zero-day vulnerabilities, which are genuine discoveries not present in its training data. This approach not only validates the model's capabilities but also contributes to the responsible disclosure and patching of critical bugs. Our findings include memory safety vulnerabilities, which are prevalent in critical systems built with languages like C and C++.

We employ a systematic approach to vulnerability discovery, using isolated containers and agentic scaffolds to let Mythos Preview autonomously hypothesize, test, and report vulnerabilities. This method has uncovered thousands of high-severity vulnerabilities, though our disclosure process limits us to discussing only a fraction of them publicly.

Mythos Preview has also demonstrated the ability to autonomously reverse-engineer exploits, turning N-day vulnerabilities into sophisticated attacks. For example, it fully autonomously exploited a 17-year-old remote code execution vulnerability in FreeBSD, achieving root access without human intervention.

In the short term, attackers might gain an edge if models like Mythos Preview are not carefully controlled. However, we believe that in the long run, defenders will benefit more by using these models to preemptively fix vulnerabilities. Our strategy involves releasing the model to critical partners first, allowing them to secure essential systems before broader availability.

Overall, Mythos Preview represents a significant leap in cybersecurity capabilities, prompting a reevaluation of defense strategies. While it poses challenges, it also offers unprecedented opportunities to enhance software security on a global scale.

Key Concepts

Zero-day vulnerabilities

Zero-day vulnerabilities are security flaws in software that are unknown to the software vendor and have no available patch. They are called 'zero-day' because developers have zero days to fix the issue before it can be exploited.

Language models

Language models are AI systems designed to understand and generate human language. They are trained on vast amounts of text data and can perform tasks such as translation, summarization, and question answering.

Category

Security

Summarized by Mente
