Claude Mythos: AI Vulnerability Hype vs. Evidence

The trend is stable, and the claims are contested. Hedge your bets on any single model's capability claims. Anchor planning to the verified direction of AI-driven vulnerability discovery, and discount the magnitude of the latest announcement.

Several AI security milestones predate Mythos and are already independently confirmed. XBOW became the first autonomous system to top HackerOne's US leaderboard in June 2025. DARPA's AI Cyber Challenge found 54 vulnerabilities in four hours across 54 million lines of code, and Google's Big Sleep found 20 real zero-days in open source projects.

Davi Ottenheimer's teardown of the Mythos system card examines Anthropic's headline 72.4% exploit success rate on Firefox. That figure drops to 4.4% once the top two pre-discovered bugs are removed from the evaluation corpus.

Mean time to exploit for zero-days has dropped to under a day. Organizations still take five or more days to patch critical vulnerabilities, and 94% have not fully automated their endpoint management. Those were calculated risks when time to exploit ran to weeks. At human speed, the math no longer works.

Anthropic's companion guidance points defenders at probabilistic triage over CVSS. You patch the KEV list first, then everything above a chosen EPSS threshold. NIST has acknowledged it cannot keep up with CVSS. EPSS is published through FIRST and already integrated into 120 security products.