Anthropic Research Shows Mythos Model Built Working Exploits For Newly Disclosed Software Flaws In Hours

Cybersecurity teams have long raced to patch software vulnerabilities after they become public, but new research shows that, thanks to newer AI models, the time required to convert those flaws into working exploits has narrowed significantly.

According to research released by Anthropic and reported by Axios, the company’s Mythos Preview system successfully transformed newly disclosed software vulnerabilities into working exploits within hours, compared to the weeks this often requires for human researchers.

Anthropic’s frontier red team tested Mythos against vulnerabilities affecting Microsoft Windows and Mozilla Firefox that were publicly disclosed in January and February. Researchers deliberately selected vulnerabilities that became public after the model’s knowledge cutoff date to measure how quickly it could analyze patches and develop functioning exploits.

The testing showed Mythos generated its first proof-of-concept exploit for a Windows kernel vulnerability within 31 minutes. Across 21 Windows kernel vulnerabilities examined during the evaluation, the system triggered a “blue screen of death” in 18 cases. Researchers also produced eight separate exploit chains, with the most time-consuming exploit requiring approximately 5.7 hours to create, according to Anthropic’s findings.

The model also demonstrated success against Firefox vulnerabilities. Researchers evaluated 18 Firefox security patches and found Mythos generated eight working code-execution exploits, according to the company’s report.

The research focused on publicly disclosed vulnerabilities rather than previously unknown software flaws. Security experts have long warned that the period between vulnerability disclosure and patch deployment remains one of the most active windows for cyberattacks.

Data from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) show that many of the most actively exploited vulnerabilities involve flaws that have already been publicly disclosed and patched, but remain unaddressed on affected systems. Federal agencies regularly issue directives requiring government departments to remediate known vulnerabilities because attackers frequently target organizations that have delayed updates.

The challenge is often operational rather than technical. Large organizations typically test software updates before deployment to avoid outages or compatibility problems, while some critical systems require scheduled downtime before patches can be installed.

The findings also come as governments increase scrutiny of advanced computing systems and their cybersecurity implications. The White House earlier this year outlined a new executive order focused on assessing national security risks associated with increasingly capable artificial intelligence systems and strengthening federal oversight of emerging technologies, according to administration documents.

Anthropic estimated that Mythos generated its Windows privilege-escalation exploits using roughly $15,700 worth of API credits, translating to approximately $2,000 for each exploit created during testing, according to the report.

The company’s researchers noted that the issue extends beyond a single system. Open-source models and other commercially available systems have demonstrated growing capabilities in vulnerability research and software analysis, reflecting broader advances across the cybersecurity sector.

Recent reporting from Reuters highlighted increasing concern among cybersecurity researchers about the use of advanced computing systems in offensive security research, even as companies continue to promote their value in identifying and fixing software flaws. Security experts have argued that the same tools used to assist defenders can also accelerate analysis of publicly available vulnerability information.

Separately, a 2025 assessment published by Google’s Project Zero found that attackers continue to rely heavily on exploiting known vulnerabilities, reinforcing long-standing concerns that patch management remains one of the most important defenses against cyber intrusions. The report documented widespread exploitation of previously disclosed software flaws across multiple industries and government targets.