Anthropic’s advanced artificial intelligence tools for finding software vulnerabilities have drawn significant media attention. In March, Mozilla researchers reported that Anthropic’s Claude Opus 4.6 identified 14 high-severity bugs and 22 CVEs in two weeks, surpassing the performance of human researchers at Mozilla.
Using a trial version of Anthropic’s Mythos model, security researchers from Calif, a Palo Alto-based cybersecurity firm, claimed to have bypassed security measures of Apple’s macOS. They stated that a “privilege escalation exploit,” combined with another attack vector, could enable malicious actors to gain control of a target device.
The researchers explained they developed software linking two separate bugs and employed various techniques to “corrupt the Mac’s memory” to access restricted components. Discovery of the exploit took five days, requiring collaborative effort from human hackers and the Mythos model.
Apple is currently reviewing the researchers’ report to verify its findings. “Security is our top priority, and we take reports of potential vulnerabilities very seriously,” an Apple spokesperson told The Wall Street Journal.
Anthropic launched Mythos, initially known as Project Glasswing, in April with access limited to around 40 selected tech companies. The company reported that Mythos has identified thousands of high-severity vulnerabilities across various operating systems and web browsers, warning of severe consequences if such capabilities fall into the hands of malicious individuals.
Michał Zalewski, a Google security researcher, evaluated the findings from Calif, albeit without direct involvement in the research. He noted that while some hype surrounding Mythos may be “overblown,” it still offers potential for significant vulnerability research and code auditing.
Amid the discussions of Mythos’s capabilities, concerns have emerged about the model’s potential dangers if made publicly available. Gary McGraw, a former cybersecurity executive at Synopsys, entered the conversation, asserting that the technology is not inherently too dangerous to release. He emphasized the necessity of addressing the actual cybersecurity challenges rather than restricting access to useful tools.
