DEV Community: codePirates

Mythos..... An AI That Can Find and Exploit Zero-Day Vulnerabilities — What This Means for Cybersecurity

codePirates — Wed, 22 Apr 2026 13:46:53 +0000

On April 7, 2026, Anthropic published a detailed technical assessment of Claude Mythos Preview, a new general-purpose language model with unexpectedly advanced cybersecurity capabilities. Accompanying the assessment, the company announced Project Glasswing — an initiative to deploy these capabilities defensively, securing critical software before models of similar capability become broadly available.

The research, authored by a team of Anthropic security researchers, documents findings that represent a significant leap from previous AI models. Mythos Preview was found capable of autonomously identifying and exploiting security vulnerabilities across every major operating system, every major web browser, and a wide range of critical open source software — often without any human involvement after the initial prompt.

What Changed — And Why It Matters

To understand why this is significant, it helps to understand what a zero-day vulnerability is. The term refers to a security flaw that has not yet been discovered or publicly disclosed. Unlike a "known" vulnerability — where a patch exists but hasn't been applied — a zero-day has no fix available. Finding one requires genuine technical insight, not just pattern matching against existing databases.

Previous AI models, including Anthropic's own Claude Opus 4.6, performed poorly at this task. In one benchmark test — attempting to exploit vulnerabilities in Firefox 147's JavaScript engine — Opus 4.6 succeeded only twice out of several hundred attempts. Mythos Preview, given the same task, produced working exploits 181 times, and achieved partial control in 29 additional cases.

Critically, these capabilities were not explicitly trained into the model. They emerged as a downstream consequence of general improvements in code understanding, reasoning, and autonomous action — the same improvements that also make the model more effective at patching and defending systems.

Notable Vulnerabilities Discovered

The research team used a consistent testing approach: running Mythos Preview inside an isolated container pointed at source code, with a simple instruction to find vulnerabilities. The model would read the code, form hypotheses, test them, and report findings with proof-of-concept exploits. Below are three illustrative examples from the public disclosure.

The OpenBSD finding is particularly notable for its subtlety: it involved chaining together two separate bugs — an inadequate boundary check and a signed integer overflow in TCP sequence number handling — which together created a path to crash any vulnerable host remotely. This kind of multi-step reasoning has historically required expert human analysis.

For the FreeBSD case, Mythos Preview not only found the vulnerability but autonomously wrote a working exploit — a 20-gadget Return Oriented Programming (ROP) chain, split across multiple network packets to work within size constraints. Expert penetration testers reviewed the result and stated it would have taken them weeks to develop manually. The total cost of the automated run was under $50.

The Scale Question

Individual findings are significant, but the broader implication is one of scale. The Anthropic team ran Mythos Preview across thousands of open source repositories and found thousands of high- and critical-severity vulnerabilities, with professional human validators agreeing with the model's severity assessments in 89% of reviewed cases.

The model also demonstrated capability across closed-source software through reverse engineering — reconstructing plausible source code from compiled binaries and finding vulnerabilities in commercial browsers, operating systems, and firmware. It identified authentication bypasses in cryptography libraries implementing TLS, AES-GCM, and SSH, as well as logic vulnerabilities in web applications that would grant attackers administrator access without any credentials.

In internal benchmark testing across roughly 7,000 entry points into open source repositories, Mythos Preview achieved full control flow hijack (the most severe category) on ten separate, fully patched targets. Previous models achieved zero at this level.

A Defensive Use Case — Eventually

Anthropic is careful to frame this not as a purely threatening development, but as a capability that must be navigated thoughtfully. The research team draws a parallel to software fuzzers — automated tools that, when first deployed, raised concerns about enabling attackers to find vulnerabilities faster. Over time, fuzzers became a cornerstone of defensive security practice, with projects like OSS-Fuzz now securing critical open source software at scale.

The same trajectory is anticipated for language model-driven vulnerability research. But the team acknowledges the transition period may be turbulent. By releasing Mythos Preview initially to a limited group of critical industry partners and open source developers through Project Glasswing, Anthropic aims to give defenders a head start before models with comparable capabilities become broadly available.

Mythos Preview will not be made generally available. The company plans to develop and refine cybersecurity-specific safeguards with an upcoming Claude Opus model before considering broader deployment of Mythos-class capabilities.

Recommendations for Defenders

What Security Teams Should Do Now
Anthropic's research team offered a set of concrete recommendations for organizations responding to this development. These apply regardless of whether a team has access to Mythos Preview itself.

Conclusion: A Stable Equilibrium That May Not Hold

The research team concludes with an observation that is both measured and sobering. The security industry has operated in a relatively stable equilibrium for roughly twenty years. The fundamental shape of attacks today is not dramatically different from the shape of attacks in 2006. Mythos Preview represents the beginning of a disruption to that equilibrium — one driven not by a new class of vulnerability, but by AI systems capable of finding and exploiting existing ones at a pace and scale no human team can match.

Anthropic's position is that defense will ultimately benefit more from these capabilities than offense — but the transitional period requires proactive action now, not once the landscape has already shifted. Project Glasswing is framed as the first step in a much broader conversation about how the security community must adapt.

The capabilities that future models will bring, the team argues, will ultimately require a ground-up reimagining of computer security as a field. Given the pace of recent progress, that rethinking should begin immediately.

Introducing Claude Design - Anthropic's New Visual Collaboration Platform

codePirates — Wed, 22 Apr 2026 12:04:58 +0000

Anthropic has launched Claude Design, an AI-powered tool that allows professionals to create polished visual work through natural conversation — from interactive prototypes to pitch decks and marketing assets.

Anthropic has officially launched Claude Design, a new product under its Anthropic Labs umbrella that enables users to collaborate with its AI to produce visual deliverables including designs, prototypes, presentations, one-pagers, and more. The product is currently available in research preview for Claude Pro, Max, Team, and Enterprise subscribers.

Claude Design is powered by Claude Opus 4.7, Anthropic's most capable vision model to date. The product represents a meaningful shift in how AI tools can be applied to the design process — moving beyond image generation toward an iterative, conversational creative workflow.

What is Claude Design?

At its core, Claude Design is a collaborative creative environment. Users describe what they need, and Claude generates a working first version. From there, teams can refine through conversation, inline comments, direct text editing, or custom adjustment controls for spacing, color, and layout.

One of its distinguishing features is brand integration. During onboarding, Claude reads a team's existing codebase and design files to construct a design system — incorporating the organization's colors, typography, and components, which are then applied automatically to every subsequent project. Teams can maintain and refine multiple design systems over time.

Core Capabilities

Who is it designed for?

Anthropic has positioned Claude Design broadly across creative and product roles, noting several specific professional workflows the tool is already being used to support:

Designers can turn static mockups into interactive prototypes that can be shared for feedback and user testing — without requiring code review or pull request workflows. The ability to rapidly generate multiple design directions addresses one of the most consistent constraints in the creative process: time available for exploration.

Product managers can sketch out feature flows and wireframes independently, then hand them off directly to Claude Code for implementation or to designers for further refinement — reducing the back-and-forth typically required to communicate visual intent.

Founders and account executives can generate complete, on-brand pitch decks from rough outlines within minutes, and export directly to PPTX or share to Canva for additional polish. Marketers can create landing pages, social media assets, and campaign visuals at speed, then bring in designers to finalize.

The platform also supports what Anthropic calls "frontier design" — code-powered prototypes incorporating voice, video, shaders, 3D, and built-in AI capabilities — making it relevant to more technically ambitious creative work as well.

Availability

What comes next

Anthropic has indicated that over the coming weeks, it will focus on making it easier to build integrations with Claude Design, enabling connections to the tools teams already use in their existing workflows. No specific integrations have been announced at this stage.

Claude Design represents part of a broader expansion of Anthropic's product suite beyond conversational AI, following the growth of Claude Code and its enterprise and IDE integrations. Whether Claude Design achieves meaningful adoption among professional design teams — alongside established tools such as Figma — will be a key indicator of Anthropic's ability to extend its reach into specialized creative workflows.