Anthropic says Mythos turned patches into exploits in minutes

Anthropic’s Mythos Preview Turns Software Patches Into Working Exploits in Hours

Anthropic’s Mythos Preview AI model can transform newly disclosed software vulnerabilities into functional exploits in hours rather than weeks, according to new research the company shared exclusively with Axios on Sunday. The findings underscore how advanced AI is compressing the window between the public disclosure of a security flaw and the appearance of weaponized code targeting it.axios

From Patch to Exploit in Minutes

Anthropic’s frontier red team evaluated Mythos Preview against vulnerabilities in Mozilla Firefox and the Microsoft Windows kernel that were disclosed in January and February — after the model’s knowledge cutoff — to gauge how quickly AI could reverse-engineer public patches into working attacks.yahoo

The results were stark. Mythos produced its first proof-of-concept exploit for a Windows kernel vulnerability in just 31 minutes. Across 21 kernel vulnerabilities tested, the model triggered a “blue screen of death” in 18 cases and developed eight unique privilege-escalation exploits, the most complex of which took approximately 5.7 hours. On the Firefox side, it generated eight operational code-execution exploits from 18 security patches.axios

Anthropic estimates the Windows exploit campaign cost roughly $15,700 in API credits — about $2,000 per working exploit.yahoo

A Shrinking Patch Window

The research carries direct implications for defenders. Most real-world cyberattacks exploit known but unpatched vulnerabilities, and organizations often need days or weeks to validate and deploy fixes without disrupting operations. Anthropic’s findings suggest that the so-called “N-day” window — the time attackers have to weaponize a disclosed flaw before patches are broadly applied — is collapsing.axios

“N-day has become dangerously misleading — N-hour is closer to the reality we now operate in,” Anthropic researchers wrote. The concern extends beyond Mythos: some open-source models are already identifying vulnerabilities at comparable levels, and OpenAI’s GPT-5.5-Cyber shows similar capabilities, according to Axios.yahoo

Broader Context

Mythos Preview was first announced on April 7, 2026, when Anthropic disclosed that the model had autonomously discovered thousands of zero-day vulnerabilities across every major operating system and browser. Anthropic withheld the model from public release, instead granting access to 12 major technology companies — including Amazon, Apple, and Cisco — exclusively for defensive security work. The Trump administration is now beginning to roll out a new executive order evaluating national security threats from increasingly capable AI.helpnetsecurity