Anthropic Mythos just broke the four-minute mile in cyber offense

Keypoints

• Anthropic’s Claude Mythos autonomously discovered and produced large numbers of working exploits (e.g., 181 working Firefox JS engine exploits versus two from a prior model) and found long-standing bugs in OpenBSD and FFmpeg.
• Advances in general reasoning and code generation have emergent offensive capabilities, with experts estimating 9–12 months until advanced cyber-reasoning is widely distributed.
• Anthropic restricted Mythos via Project Glasswing, but frontier and open-weight models already demonstrate autonomous vulnerability research, and tools like the Zero Day Clock show time-to-exploitation collapsing.
• The Cloud Security Alliance, SANS, OWASP Gen AI Security Project and 250 security leaders produced the expedited “AI Vulnerability Storm” briefing mapping 13 risks to NIST CSF 2.0 and MITRE ATLAS and prescribing 11 priority actions, six rated critical with immediate deadlines.
• Practical defensive steps recommended: integrate AI agents into code review and CI/CD, create joint governance for innovation, prepare for continuous patching, build automated response capabilities, and establish measurement frameworks for agents.
• The window to build AI-driven defensive resilience is limited—teams that act now can close the gap between vulnerability discovery and response, while those that delay will face greater exposure.