Mythos undoubtedly represents an advancement in the capability of frontier models. It’s also not the apocalypse.
April 13, 2026

Last week, Anthropic made big news with the announcement of Claude Mythos Preview. This new model purports to be so much more capable at coding and reasoning that it is dangerous to put into public hands. So Anthropic has partnered with large enterprises and the Linux Foundation to create Project Glasswing — a cooperative effort to analyze and secure critical open source projects before bad actors can use Mythos to attack. This, of course, caused a lot of excitement. Even the U.S. Secretary of the Treasury and the Chair of the U.S. Federal Reserve are paying attention to this story.
Everyone should stop and catch their breath for a moment. Mythos undoubtedly represents an advancement in the capability of frontier models. It’s also not the apocalypse.
Why would attackers spend thousands of dollars in tokens to figure out a potential zero-day exploit when they could spend less bribing someone or attack the known exploitable vulnerabilities that already exist in an organization's outdated software? The economics of attacks hasn’t changed. Attackers will use the cheapest route available: social engineering, compromising upstream packages, and credential theft. Mythos just changes the volume of known vulnerabilities.
But not every vulnerability is created equal. Just because a vulnerability is found, that doesn’t mean it’s trivially exploitable. Many vulnerabilities require just the right combination of factors to line up before they can be exploited. Vulnerabilities that aren’t reachable, that can’t connect to sensitive resources, or that can’t be exploited in your running configuration aren’t game changers. Mythos doesn’t change the nature of vulnerabilities, just the volume.
Everything we know about Mythos comes from Anthropic. We’re sure they’re truthful in what they’ve said about Mythos’s capabilities. At the same time, it’s in Anthropic’s interests to make Mythos sound as powerful as the truth will allow. “Our product is so incredibly capable that we’re not sure it can be unleashed on the public” is a powerful marketing message.
This isn’t to say that Mythos is irrelevant. It will find a lot of long-hidden vulnerabilities, especially those that require a chain of events to exploit. There will be a lot of new vulnerabilities to respond to in the coming months. In fact, the bigger concern may not be the newly discovered severe vulnerabilities but rather the deluge of low-importance ones. Software maintainers will need to triage every report, and a sudden influx of new vulnerabilities will increase the workload on an already over-burdened community.
For a while, it will be hard to keep up with the rate of vulnerabilities in the news. Some of them will be of the “drop everything and fix this right now” variety. Most of them won’t. Eventually, we’ll reach an equilibrium of sorts.
Security researcher Katie Moussouris said “the repo man for technical debt is coming when it comes to all these new AI-generated vuln reports.” That’s a great analogy. Anthropic is giving organizations and foundations a head start by making Mythos available to them ahead of public availability. This means the critical open source software that we all depend on every day has a chance to be analyzed by maintainers before attackers.
If you’re not in the group that gets early Mythos access, the best thing you can do is to start paying down your security technical debt. The same advice that has always applied still applies. Pin your dependencies to a specific, verified hash. Automatically update dependencies with a cooldown period. Adopt frameworks like the Open Source Project Security Baseline. Use Kusari Inspector to evaluate the safety of each change. Use Kusari Platform to get visibility into your dependency graph so that you can respond quickly to new vulnerabilities.
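As an added example (not Kusari’s code, and not how Kusari Inspector or Kusari Platform are implemented), the following Python script shows the two mechanical practices just recommended: checking that each dependency is pinned to an exact version with a verified SHA-256 hash, and choosing an update only after a cooldown period has passed since release. The pip-style `name==version --hash=sha256:...` line format is real; the package names, artifact bytes, pinned hashes and release dates are constructed for the example rather than fetched from an index.

```python
"""Hash-pinned dependency verification plus update cooldown (added example)."""
import hashlib
import re
from datetime import date, timedelta

# One pip-style requirement line: exact version, zero or more sha256 pins.
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_pins(text):
    """Parse pinned requirement lines into {(name, version): {sha256 hex, ...}}.

    A line that is not an exact '==' pin is rejected outright; a line with no
    --hash is accepted but yields an empty hash set so it can be flagged.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exactly pinned requirement: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        pins[(m.group("name").lower(), m.group("version"))] = hashes
    return pins


def verify_artifact(data, allowed_hashes):
    """True only if the downloaded bytes hash to one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in allowed_hashes


def check_requirements(text, artifacts):
    """Classify each requirement as ok, unpinned, missing or hash-mismatch.

    `artifacts` maps (name, version) to the bytes that were fetched for it.
    """
    results = {}
    for (name, version), hashes in parse_pins(text).items():
        data = artifacts.get((name, version))
        if not hashes:
            results[name] = "unpinned"        # version pinned, integrity not
        elif data is None:
            results[name] = "missing"
        elif verify_artifact(data, hashes):
            results[name] = "ok"
        else:
            results[name] = "hash-mismatch"   # artifact differs from what was reviewed
    return results


def _version_key(version):
    return tuple(int(part) for part in version.split("."))


def select_update(current, candidates, today, cooldown_days=7):
    """Return the newest candidate that is newer than `current` and has been
    public for at least `cooldown_days`; return `current` if none qualifies.

    `candidates` is a list of (version, release_date) pairs.
    """
    cutoff = today - timedelta(days=cooldown_days)
    eligible = [v for v, released in candidates
                if released <= cutoff and _version_key(v) > _version_key(current)]
    return max(eligible, key=_version_key, default=current)


# Constructed sample data: the pin for otherlib was computed from the bytes
# that were reviewed, but the artifact served later has been replaced.
_GOOD = b"examplelib-1.4.2 wheel bytes"
_REVIEWED = b"otherlib-0.9.0 wheel bytes"
SAMPLE_REQUIREMENTS = (
    f"examplelib==1.4.2 --hash=sha256:{hashlib.sha256(_GOOD).hexdigest()}\n"
    f"otherlib==0.9.0 --hash=sha256:{hashlib.sha256(_REVIEWED).hexdigest()}\n"
    "thirdlib==2.0.0\n"
)
SAMPLE_ARTIFACTS = {
    ("examplelib", "1.4.2"): _GOOD,
    ("otherlib", "0.9.0"): b"otherlib-0.9.0 wheel bytes (replaced upstream)",
}
SAMPLE_CANDIDATES = [
    ("1.5.0", date(2026, 4, 1)),
    ("1.6.0", date(2026, 4, 10)),   # inside the 7-day cooldown on 2026-04-13
]

if __name__ == "__main__":
    for name, status in check_requirements(SAMPLE_REQUIREMENTS, SAMPLE_ARTIFACTS).items():
        print(f"{name}: {status}")
    print("update examplelib to:", select_update("1.4.2", SAMPLE_CANDIDATES, date(2026, 4, 13)))
```

Run as a script, this reports `examplelib: ok`, `otherlib: hash-mismatch`, `thirdlib: unpinned`, and selects `1.5.0` rather than the three-day-old `1.6.0`. The cooldown is what buys time for a malicious or broken release to be noticed and pulled before it lands in your build; the hash check is what catches an artifact that changed after it was reviewed.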
Application security can’t be focused on fixing everything. There’s too much out there and it’s only getting worse. Instead, application security is about fixing what matters. That’s where Kusari’s approach comes in. We eliminate the noise so that you can focus on the vulnerabilities that matter to your specific applications. Start evaluating your dependencies’ security today: sign up for Kusari Inspector for free, or book a demo to see the full platform in action.