The AI That Found Thousands of Zero-Day Vulnerabilities — And Why Anthropic Refuses to Let Anyone Use It

Anthropic built an AI so capable at finding security vulnerabilities that the company concluded the greatest immediate threat was not the vulnerabilities themselves , it was the tool they used to find them. The result is a launch announcement that is simultaneously one of the most significant AI security stories of 2026 and a deliberate exercise in strategic opacity: Anthropic is telling the world what its AI can do while ensuring that almost nobody can use it.

What Actually Happened

In April 2026, Anthropic announced Claude Mythos Preview alongside Project Glasswing , a selective access program that uses Mythos Preview specifically to find and fix critical vulnerabilities in the world's most important software infrastructure. Claude Mythos Preview is a frontier model with capabilities that substantially exceed prior Claude releases across most domains. In the security domain, the results it produced were alarming in scale.

Claude Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and every major web browser , in a matter of weeks, not years. Among the most striking discoveries: the model fully autonomously identified and exploited a 17-year-old remote code execution vulnerability in FreeBSD, catalogued as CVE-2026-4747, that allows an attacker to obtain complete control over the affected server with no user interaction required. This vulnerability had survived nearly two decades of human security review, academic research programs, professional penetration testing, and bug bounty programs before an AI found it in automated testing cycles. Project Glasswing partners , a curated group of critical infrastructure operators and open source maintainers , receive access to Claude Mythos Preview to find and fix vulnerabilities in their systems before models with similar capabilities become more broadly available.

Why This Matters More Than People Think

Zero-day vulnerabilities represent the most dangerous class of software flaw: unknown to developers, unpatched, exploitable silently. Historically, finding them required years of specialization, focused human effort, and significant luck. Top-tier security researchers , with PhDs, decade-long careers, and access to the best available tools , might discover a handful of significant zero-days per year. The fact that Claude Mythos Preview found thousands across all major platforms in weeks of testing represents a step-change so large it strains credibility , until you consider the FreeBSD finding, which is independently verifiable.

CVE-2026-4747 is not a subtle bug. A 17-year-old remote code execution vulnerability in a widely deployed operating system that allows complete server takeover with no user interaction is exactly the class of vulnerability that top security researchers specifically hunt for. The fact that it remained undiscovered for 17 years despite substantial human security review suggests two things: first, the vulnerability was genuinely subtle and difficult to find by conventional means; second, if Claude Mythos Preview found it autonomously in weeks, the model's security reasoning capability is fundamentally different in kind from anything that has existed before.

The Competitive Landscape

The AI security space has been building toward this moment for years. Startups including Vicarius, Vulcan Cyber, Protect AI, and Semgrep have deployed smaller models to assist vulnerability research , automating static analysis, triaging CVE reports, and flagging code patterns associated with common vulnerability classes. Google Project Zero has been exploring AI assistance for vulnerability research internally. Microsoft's Security Copilot integrates AI into security operations workflows. None of these approaches have produced results at the scale Anthropic is describing.

The key difference is not just capability , it is autonomy. Claude Mythos Preview did not assist a human researcher in finding CVE-2026-4747. It found and exploited the vulnerability fully autonomously. That distinction matters enormously. A tool that helps a human researcher find more vulnerabilities scales linearly with the number of human researchers. A tool that autonomously discovers vulnerabilities at thousands-per-platform scale with no human in the loop does not scale with human effort at all. It scales with compute. And compute is something the AI industry has in historically unprecedented supply.

Hidden Insight: The Glasswing Paradox That Nobody Is Addressing

Here is the uncomfortable truth at the center of this story: Anthropic has disclosed that Claude Mythos Preview can find thousands of zero-day vulnerabilities across all major platforms, but has not disclosed which specific vulnerabilities were found, in which specific versions of which specific systems, or how many have been patched. That means the global security community is simultaneously being told that the threat is vast and being denied the specific information needed to assess their own exposure.

This is the Glasswing Paradox. The more capable the defensive AI becomes, the more dangerous the information about its capabilities becomes. Anthropic's decision to restrict disclosure is rational , publishing a detailed list of discovered zero-days before they are patched would hand attackers a roadmap. But it also means that every organization running software covered by Mythos Preview's scan , which appears to include every major OS and browser , cannot make fully informed decisions about their own security posture based on public information. They must either join Project Glasswing (if they qualify) or trust that Anthropic's coordination with their software vendors is proceeding faster than adversarial AI development.

The 17-year-old FreeBSD vulnerability is a perfect illustration of the paradox's stakes. CVE-2026-4747 survived countless security audits precisely because it was subtle enough to evade the pattern-matching that humans and conventional tools perform. If Claude Mythos Preview found it by reasoning about code in a fundamentally different way , by exploring behavioral paths rather than matching patterns , then the implication is that every major software project likely contains comparable hidden flaws that have survived all previous human-led review. The global software security infrastructure has been operating with a false sense of assurance, and an AI just proved it.

The second-order implication that the security industry is not yet fully reckoning with: if Claude Mythos Preview can find these vulnerabilities, then any AI model of comparable capability , deployed by a sophisticated attacker, a nation-state, or a criminal organization , can find them too. The capability race between defensive AI and offensive AI is not symmetric: defenders must patch every vulnerability before attackers exploit it, while attackers need only exploit one. Anthropic's restricted disclosure approach is designed to give defenders a head start. But the size of that head start , and whether it is sufficient , depends entirely on how quickly comparable capabilities emerge elsewhere. The history of dual-use technology suggests that window may be measured in months.

What to Watch Next

Track Project Glasswing's public patch announcements over the next 90 days. If major software vendors , Microsoft, Apple, Google, the FreeBSD Foundation, the Linux kernel team , release coordinated CVE disclosures in batches that reference AI-assisted discovery, it will confirm the scale of what Mythos Preview found and provide the first independent validation of Anthropic's claims. Watch for the rate of disclosure: a sudden wave of high-severity CVEs from multiple major vendors simultaneously would suggest that Glasswing's coordination timeline is compressing as patch work completes.

Watch also for regulatory response in both the US and EU. The EU AI Act's provisions on high-risk AI systems and dual-use capabilities may require Anthropic to disclose Mythos Preview's security capabilities to European AI regulators under the Act's conformity assessment requirements. In the US, CISA's AI security framework is directly relevant , the agency has been developing guidance on AI systems used for vulnerability research, and a model that autonomously discovers thousands of zero-days at national infrastructure scale may trigger new regulatory requirements. The deeper governance question that no framework currently answers: if a private company now controls the most capable autonomous vulnerability discovery system in history, who decides how that capability is deployed, at what targets, and with what oversight? Today the answer is Anthropic. Whether governments, critical infrastructure operators, and the open source community find that answer acceptable over the next 12 months is the story to watch.

The most powerful security tool ever built is not a weapon , it is an AI that Anthropic decided was too dangerous to release, and that may already be outmatched by what adversaries are building in private.