Claude Mythos and the New Math of AI Vulnerability Discovery

On Monday, April 6, Anthropic announced Claude Mythos Preview and redefined what AI vulnerability discovery means for every security team on the planet. By Tuesday morning, the cybersecurity world was processing something most of us weren’t ready for: a single AI model had autonomously discovered and exploited zero-day vulnerabilities that survived 16 to 27 years of human review, automated fuzzing, and hardened security practices. One of those bugs sat in OpenBSD’s TCP stack for 27 years. Two simple packets can crash any OpenBSD host responding over TCP. The model found it, confirmed it, and built the exploit without human intervention.

Here’s the thing. This isn’t a research curiosity. Claude Mythos achieved a 72.4% exploit success rate, compared to near-zero for prior models. It chained 3 to 5 vulnerabilities together for privilege escalation and lateral movement. It reverse-engineered closed-source binaries. And it did all of this as what Anthropic calls “a downstream consequence of general improvements in code, reasoning, and autonomy,” not because anyone trained it to hack.

For those of us responsible for securing networks full of devices that will never receive a patch, this is what AI vulnerability discovery looks like at machine speed, and it changes the math entirely.

What Mythos actually did

Let me be specific about what happened, because the details matter more than the headlines.

Anthropic’s red team turned Mythos loose on real codebases. The model reads source code, forms hypotheses about where vulnerabilities might exist, runs the actual software, uses debuggers to confirm its findings, and then develops working exploits. It doesn’t just find bugs. It weaponizes them.

The headline vulnerabilities tell the story. A 27-year-old signed integer overflow in OpenBSD’s TCP SACK implementation. A 17-year-old remote code execution flaw in FreeBSD’s NFS server (CVE-2026-4747) that allows unauthenticated root access, exploited with a 20-gadget ROP chain split across six sequential packets. A 16-year-old FFmpeg H.264 codec bug where “slice number 65535 collides exactly with the sentinel,” enabling out-of-bounds writes. Automated fuzzers had encountered that FFmpeg code path 5 million times without catching it.

The validation numbers are worth pausing on. When human security professionals reviewed 198 of Mythos’s vulnerability reports, 89% received exact severity agreement. 98% were within one severity level. This isn’t a model hallucinating vulnerabilities. It’s producing work that expert humans confirm as accurate.

Then there’s the economics. Scanning the entire OpenBSD codebase costs under $20,000. A Linux kernel root exploit: under $2,000 in roughly a day. Individual vulnerability identification: under $50 in minutes (Anthropic Red Team). The barrier to sophisticated AI vulnerability discovery and exploit development just dropped by orders of magnitude.

Anthropic knows what it built. Newton Cheng, their Frontier Red Team Cyber Lead, stated plainly: “We do not plan to make Claude Mythos Preview generally available due to its cybersecurity capabilities.” They’ve restricted access to 12 launch partners through Project Glasswing, backed by $100 million in usage credits, with the explicit goal of finding and fixing critical vulnerabilities before adversaries develop equivalent capabilities.

Why the patch window math no longer works

The reality is, the gap between vulnerability discovery and exploitation has been shrinking for years. But Mythos didn’t just narrow it. It collapsed the assumption that friction protects you.

Consider the current state. Average time-to-exploit has dropped to 5 days, down from 30 days in 2022 (CrowdStrike 2026 Global Threat Report). In the first half of 2025, 32.1% of CVEs were exploited on or before the day they were disclosed. Average breakout time from initial access to lateral movement is now 29 minutes, with the fastest observed at 27 seconds (CrowdStrike).

Now compare that to the defense side. The median organizational patch window sits at approximately 70 days, unchanged since 2022. The percentage of organizations deploying critical patches within 30 days has actually declined, from 45% to 30% over the same period. Defense isn’t just slower than offense. It’s getting slower while offense accelerates.

Anthropic’s own red team made an observation that should be on every CISO’s wall: “Language models like Mythos Preview might require reexamining defense-in-depth measures that make exploitation tedious rather than impossible, since language models can grind through these tedious steps quickly” (Anthropic Red Team). Read that again. Defenses that work by being complicated, by adding friction, by relying on obscurity or manual effort to deter attackers: those defenses are failing against AI. Models don’t get tired, frustrated, or bored. They grind.

And Mythos is not alone. Google’s Big Sleep (DeepMind combined with Project Zero) has autonomously found 20 vulnerabilities in FFmpeg, ImageMagick, and SQLite. The DARPA AIxCC finalists analyzed 54 million lines of code and found 86% of synthetic vulnerabilities at an average cost of $152 per task. XBOW became the first AI system to reach the number one position on HackerOne’s US leaderboard. Google tracked 90 zero-days exploited in the wild in 2025, a 15% increase over 2024.

The math has changed. AI vulnerability discovery has made a working exploit cheaper than a decent dinner and faster than most organizations can schedule a change window. Patching is no longer a primary defense. It’s a secondary one.

We already have proof this isn’t theoretical. In November 2025, Anthropic itself disclosed GTG-1002, the first documented large-scale AI-orchestrated cyber espionage campaign. A Chinese state-sponsored group used AI to automate 80 to 90% of their intrusion lifecycle across roughly 30 global targets. Human operators stepped in at only 4 to 6 decision points per campaign. The AI autonomously mapped networks, escalated privileges, harvested credentials, and executed lateral movement.

The 25 billion devices you can’t patch

Here’s the uncomfortable truth that makes all of this worse: unpatchable device security was already a crisis, and the devices most vulnerable to AI-discovered exploits are the ones that will never receive a patch.

We’re projecting over 25 billion IoT devices in 2026. Of those, 60% have unpatched CVEs older than two years. 75% lack any auto-update mechanism. In healthcare, 99% of hospitals are exposed to IoMT vulnerabilities, and over 40% of medical IoT devices are at end-of-life with no patches available at all.

The reasons are structural, not organizational laziness. IoT and OT devices run unique operating systems with limited processing power, memory, and storage. Firmware patches carry a real risk: the probability of damage from a bad patch may exceed the probability of exploit.

Many devices lack interfaces for patch deployment entirely. In healthcare and manufacturing, 24/7 uptime requirements mean even brief maintenance windows can cause significant financial losses or safety risks. FDA certifications for medical devices and safety certifications for industrial equipment may be invalidated by patches.

The scale of real-world impact from unpatched devices is already devastating. WannaCry infected 81 of 236 NHS hospitals, 603 primary care practices, and up to 70,000 devices. Those devices included MRI scanners and blood-storage refrigerators. Over 19,000 patient appointments were canceled. In manufacturing, 708 ransomware incidents occurred in Q1 2025 alone. Attackers use valid credentials and commodity infostealers to pivot from IT VPN portals into OT boundary networks via RDP, SMB, and WMI. From there they reach SCADA, HMI, and engineering workstations.

In my experience, the disconnect is this: organizations have known about the IoT/OT patching gap for years, but treated it as a risk-register item. A line in a quarterly report. Something to monitor. AI vulnerability discovery just turned it from a known risk into an active, automated threat. When AI can scan an entire OS codebase for under $20,000 and produce working exploits for bugs that human reviewers missed for decades, every unpatched device becomes a ticking clock.

Linux kernel maintainers are already seeing the effects: vulnerability submissions have escalated from 2 to 3 reports per week two years ago to 5 to 10 per day today, with most reports now correct. One maintainer predicted that security embargoes will disappear entirely because “what’s the point of hiding something that others can instantly find?”

Inside the exploit chain: how Mythos actually attacks

For those who want to understand the technical mechanics, it’s worth walking through what an autonomous AI exploit chain actually looks like. This isn’t science fiction. It’s documented in Anthropic’s red team writeup.

Mythos starts with static analysis. It reads source code and ranks files on a 1-to-5 scale for vulnerability likelihood, focusing computational resources on high-probability targets. This is analogous to how a senior security researcher would triage a large codebase, but Mythos does it across millions of lines in hours.

Once it identifies a candidate vulnerability, the model doesn’t stop at the bug report. It spins up the actual software, attaches debuggers, and confirms the flaw is exploitable under real conditions. For the FreeBSD NFS vulnerability (CVE-2026-4747), Mythos constructed a 20-gadget ROP chain split across six sequential NFS packets that bypassed NFSv4 EXCHANGE_ID authentication to achieve unauthenticated root access. It delivered a working exploit in approximately four hours of compute time.

The chaining behavior is what makes this particularly dangerous from a network defense perspective. Mythos doesn’t find one bug and stop. It autonomously chains 3 to 5 vulnerabilities into multi-stage attack sequences. The pattern is consistent: initial access exploit, then privilege escalation (often via KASLR bypasses or use-after-free exploitation), then credential harvesting, and finally lateral movement to adjacent systems. One documented chain transformed a single one-byte read primitive into complete root access by exploiting CVE-2024-47711 through heap sprays and credential structure manipulation.

It also reverse-engineers closed-source binaries, reconstructing source code to identify vulnerabilities in proprietary software where no source is available. And it found memory corruption in a production Rust-based virtual machine monitor by exploiting unsafe pointer operations within otherwise memory-safe code, demonstrating that even modern memory-safe languages aren’t immune.

The critical insight for defenders: every one of these exploit chains relies on lateral movement as the force multiplier. A compromised device is a problem. A compromised device with unrestricted network access to every other device on its segment is a catastrophe. That’s where network-level containment changes the equation.

Defending against AI vulnerability discovery when patching isn’t an option

If you can’t patch the vulnerability, you have to contain the device. That’s not a new concept. But the urgency is new, and the specifics of how you do it matter more than ever.

Microsegmentation works against AI threats because it operates at a layer the exploit chain can’t bypass. A compromised device can run whatever code the attacker wants, but it still can’t send packets to destinations the network won’t allow. This is what Anthropic was getting at when they warned about “friction-based” defenses. Microsegmentation isn’t friction. It’s a hard barrier at the infrastructure level.

CISA validated this directly in its July 2025 guidance, calling microsegmentation “a critical component of ZTA” and confirming it applies to “any technology environment, such as information technology (IT), operational technology (OT), industrial control system (ICS), internet of things (IoT).” SC Media’s summary: “CISA signals that microsegmentation is no longer optional.”

The MITRE ATT&CK framework provides additional precision. Microsegmentation addresses all 9 techniques and 14 sub-techniques in TA0008 (Lateral Movement), including Exploitation of Remote Services (T1210), Remote Services like RDP, SMB, SSH, and WinRM (T1021), Lateral Tool Transfer (T1570), and Use Alternate Authentication Material including Pass-the-Hash and Pass-the-Ticket (T1550). Consider that 82% of attacks are now malware-free, relying on valid credentials for lateral movement instead. Traditional endpoint detection misses these entirely.

The TeamViewer breach in June 2024 is the clearest real-world proof point. Russian state-sponsored group Midnight Blizzard (APT29) breached TeamViewer’s corporate IT environment via compromised employee credentials. Network segmentation between corporate IT, the production environment, and the connectivity platform prevented lateral movement to customer-facing systems. No customer data was affected. A nation-state actor with valid credentials, stopped cold by segmentation.

The pattern that Mythos demonstrates, chaining 3 to 5 vulnerabilities for privilege escalation and lateral movement, is exactly what microsegmentation is designed to interrupt. Even if an attacker compromises a device through an unpatched vulnerability, segmentation prevents them from reaching critical systems. The vulnerability doesn’t disappear. But the blast radius collapses from “the entire network” to “one device.”

The compliance case: what frameworks already require

Microsegmentation as a compensating control for unpatchable devices isn’t a novel argument. The major security frameworks have been saying this for years. What Mythos changes is the urgency. Here’s where the regulatory landscape already stands.

IEC 62443 is the gold standard for industrial cybersecurity. Its zones-and-conduits model (IEC 62443-3-2) was explicitly designed for brownfield OT environments where legacy equipment can’t be updated. The standard defines “compensating countermeasures” as the formal mechanism for meeting Security Level Targets when devices lack native security capabilities. At higher security levels (SL 3-4), the granularity approaches what we now call microsegmentation. IEC 62443-2-3 addresses patch management directly, and 4-1 covers product end-of-life, the exact conditions most IoT/OT devices operate under today.

NIST SP 800-207 (Zero Trust Architecture) names micro-segmentation as one of three ZTA deployment approaches, alongside enhanced identity governance and software-defined perimeters. NIST’s position is that a full Zero Trust solution will include elements of all three. For unmanaged devices that can’t participate in identity governance, network-based microsegmentation becomes the primary enforcement mechanism. NIST CSF 2.0 reinforces this with a new control (PR.IR-01) that explicitly requires segmenting networks “according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests)” and restricting communications to only what’s required.

HIPAA is undergoing its most significant update in over a decade. The 2025 NPRM (expected finalized in 2026) moves network segmentation from an “addressable” specification to a mandatory requirement under 45 CFR 164.312(a)(2)(vi). That’s a major shift. Organizations that previously documented a rationale for not segmenting will no longer have that option. The proposed rule also mandates comprehensive asset inventories and 72-hour system restoration requirements, both of which drive the case for containment architectures over patch-dependent ones.

HHS 405(d) / HICP goes further, explicitly addressing “unmanaged devices, those without a software agent or additional IT control capabilities” that “typically use old operating systems and cannot be patched.” The framework calls microsegmentation a “cornerstone recommendation” and notes that organizations adopting HICP practices for 12+ months receive mitigated fines and favorable regulatory treatment during investigations.

PCI DSS 4.0 (Requirements 1.2 through 1.5) requires network segmentation to reduce the scope of the cardholder data environment. Appendix B provides the compensating controls framework for “legacy systems that cannot be updated.” For organizations using scope reduction through segmentation (most do), the segmentation itself becomes a compliance obligation, not a recommendation.

FDA Section 524B (effective March 2023) requires medical device manufacturers to submit cybersecurity plans including patch and update capabilities. But for the installed base of devices already in hospitals, healthcare delivery organizations use network segmentation as the primary compensating control. The FDA explicitly acknowledges this in its premarket guidance.

The pattern across all of these frameworks is the same: when you can’t fix the device, you contain it at the network level. That was sound guidance before Mythos. Now it’s urgent.

Why network-based microsegmentation, and why now

Not all segmentation approaches are equal in the context of AI-accelerated threats. The approach matters, and the specific architecture matters even more.

Agent-based microsegmentation products require software installed on every endpoint. That’s a non-starter for OT, IoT, and IoMT devices. You can’t install agents on PLCs, HMIs, medical infusion pumps, HVAC controllers, or building management systems. Any segmentation approach that requires endpoint software is structurally incapable of protecting the devices most at risk from Mythos-class AI exploitation.

Firewall-based segmentation, including next-gen firewalls and internal segmentation firewalls, enforces policy at chokepoints. But east-west traffic between devices on the same VLAN or subnet often bypasses these chokepoints entirely. When Mythos chains vulnerabilities for lateral movement within a flat network segment, perimeter and chokepoint-based controls never see the traffic.

VLAN segmentation is better than nothing, but VLANs are static, coarse-grained, and identity-blind. They group devices by subnet, not by role or risk profile. A compromised infusion pump and a healthy infusion pump sit on the same VLAN with full access to each other.

Network-based, identity-driven microsegmentation solves these problems. It enforces policy at the switch port level, where every device connects. Elisity’s approach uses existing network switches as enforcement points, requiring no agents on devices and no inline appliances. The Elisity IdentityGraph builds a real-time identity for every connected device (managed, unmanaged, IoT, OT, IoMT) by integrating with asset discovery platforms like Claroty, Dragos, Armis, Nozomi, and Asimily, as well as identity providers like CrowdStrike, Microsoft Entra ID, and Okta.

Policies are defined by identity and context, not by IP address. An infusion pump can communicate with its clinical gateway and nothing else. A PLC can reach its engineering workstation and the historian, but not the corporate network. When Mythos compromises one of those devices through a vulnerability that will never be patched, the blast radius is limited to what the policy explicitly allows. The exploit chain breaks at the lateral movement stage because the network won’t carry the traffic.

This is what I mean when I talk about hard barriers versus friction. Elisity enforces at Layer 2/3 on the switch itself. There’s no agent to disable, no software to bypass, no appliance to route around. The enforcement is in the infrastructure.

What we don’t know yet

It’s important to be clear about what we don’t know. Mythos’s capabilities are based on Anthropic’s self-reported data. Independent third-party validation of exploit success rates hasn’t been published yet. Over 99% of the vulnerabilities Mythos discovered remain unpatched and undisclosed, meaning the full scope of the threat will only become clear as responsible disclosure proceeds over the coming months.

Microsegmentation is a compensating control, not a silver bullet. It doesn’t fix the underlying vulnerability. It doesn’t prevent initial compromise. It contains blast radius and blocks lateral movement, which addresses the most damaging phase of most attacks, but it works best as part of a layered security architecture alongside detection, response, and (where possible) patching.

The adoption gap is also real. Only 9% of organizations have 81% or more of their critical systems microsegmented (Omdia, survey of 352 decision makers). 60% of companies experienced an AI-enabled cyberattack in the past year, yet only 7% currently use AI for defense. The microsegmentation market is projected to reach $62.3 billion by 2030 at a 23.6% CAGR, which tells you the demand is there. But deployment has to accelerate dramatically to match the threat timeline Mythos just demonstrated.

What to do this quarter

If you’re a CISO or security architect managing OT, IoT, or IoMT device fleets in the age of AI vulnerability discovery, here’s what I’d prioritize in the next 90 days.

First, inventory your unpatchable attack surface. You need a clear, current count of every device on your network that can’t receive patches: end-of-life medical devices, legacy industrial controllers, embedded systems running decade-old firmware. If you don’t know what you can’t patch, you can’t protect it. Asset discovery platforms from vendors like Claroty, Dragos, and Armis can automate this.

Second, segment your highest-risk devices now. Don’t wait for a perfect policy architecture. Start with your most critical and most vulnerable devices. Isolate OT networks from IT networks. Restrict medical device communication to only the clinical systems they need. Even coarse segmentation is dramatically better than flat network access.

Third, evaluate agentless microsegmentation that can enforce policy at the switch level. For IoT/OT environments, agent-based approaches are a non-starter. You need enforcement that works with existing infrastructure and covers devices that can’t run software. Elisity’s identity-based approach, enforcing policy at the network edge using existing switches, is purpose-built for this scenario.

Fourth, pressure-test your lateral movement prevention. Run tabletop exercises that assume a device on your network has been compromised via an AI-discovered zero-day. Can the attacker reach your crown jewels? If the answer is yes, or “probably,” that’s your deployment priority.

The Mythos announcement didn’t create a new problem. It removed the remaining ambiguity about a problem we’ve been discussing for years. AI vulnerability discovery and automated exploit development are here. The 70-day patch window isn’t a gap anymore for devices that will never be patched. It’s a permanent opening. The only question is whether your network architecture treats every unpatched device as already compromised, or still assumes the patch will arrive in time.

AI vulnerability discovery has made this undeniable. Containment isn’t optional anymore. It’s the primary defense.

Frequently asked questions about AI vulnerability discovery

Can AI like Claude Mythos actually find and exploit zero-day vulnerabilities?

Yes. Claude Mythos Preview achieved a 72.4% exploit success rate across real-world codebases, compared to near-zero for prior AI models. The model autonomously discovered vulnerabilities that persisted for 16 to 27 years in hardened systems like OpenBSD, FreeBSD, and FFmpeg, then developed working exploits without human intervention. When human security professionals reviewed 198 of the model’s vulnerability reports, 89% received exact severity agreement. Anthropic has restricted the model to 12 partners through Project Glasswing specifically because its capabilities are too dangerous for general release.

How do you protect devices that cannot be patched against AI-discovered vulnerabilities?

The primary compensating control for unpatchable devices is microsegmentation, which restricts what network resources a device can access regardless of its patch status. When a device is compromised through an unpatched vulnerability, microsegmentation prevents the attacker from moving laterally to reach critical systems. For IoT, OT, and IoMT devices, agentless microsegmentation enforced at the network switch level is essential since these devices can’t run endpoint agents. CISA’s July 2025 guidance specifically identified microsegmentation as applicable to IT, OT, ICS, and IoT environments.

What is Project Glasswing and why does it matter for enterprise security?

Project Glasswing is Anthropic’s responsible deployment framework for Claude Mythos Preview, pairing the model with 12 founding partners including AWS, Apple, Cisco, CrowdStrike, Google, and Microsoft. Backed by $100 million in usage credits, the program’s goal is to find and fix vulnerabilities in critical infrastructure before adversaries develop equivalent capabilities. It matters for enterprise security because the vulnerabilities Mythos finds will eventually be patched in supported software, but the discovery process also demonstrates that AI-powered vulnerability research is now a capability that adversaries will replicate. Organizations need to prepare for a world where zero-day discovery is automated and economically accessible.

Why does CISA recommend microsegmentation as a critical component of zero trust architecture?

CISA’s July 2025 publication “Microsegmentation in Zero Trust, Part One: Introduction and Planning” identifies microsegmentation as foundational because it reduces the attack surface, limits lateral movement, and enhances network visibility across all technology environments. The guidance is significant because it explicitly covers IT, OT, ICS, and IoT, recognizing that traditional perimeter-based defenses and VLAN segmentation are insufficient against modern attack patterns where 82% of attacks are malware-free and rely on valid credentials for lateral movement. Read more about CISA’s microsegmentation guidance.

Further reading

• What is microsegmentation?
• The top 11 cyberattacks using lateral movement
• CISA microsegmentation in zero trust: introduction and planning
• Leading vendors for securing OT
• Zero-day exploits: what we learned and why lateral movement prevention is critical
• AI agent network security and microsegmentation in 2026
• Living off the land attacks and OT segmentation
• IoT device security: camera hack case study
• How to secure IoT devices