Schneier: Anthropic's Restricted Mythos AI Signals a New Era of AI-Powered Vulnerability Discovery
Summary
- Anthropic's Claude Mythos Preview finds vulnerabilities so effectively it was restricted from public release — available only to select partners for internal scanning
- Mozilla used Mythos to find and fix 271 Firefox vulnerabilities; UK AI Security Institute finds GPT-5.5 (publicly available) has comparable capability
- Security expert Bruce Schneier argues Mythos's restricted access partly reflects operational cost constraints, not just safety
- AI reshapes cybersecurity offense and defense — near-term attacker advantage, but Schneier argues long-term defenders win
Details
Anthropic restricted Mythos from public release — available only to select partners for internal scanning
Anthropic announced Claude Mythos Preview last month, withholding general access and citing its exceptional vulnerability-finding capability. Partners use it to scan and fix their own software.
Schneier argues restricted release reflects operational cost constraints as much as safety concerns
Mythos is reportedly expensive to run and Anthropic may lack resources for general release — Schneier suggests the safety framing also serves a valuation strategy: hint at capabilities without fully proving them.
GPT-5.5 (publicly available) has comparable capability per UK AI Security Institute; smaller models reproduce results
The company Aisle reportedly reproduced Anthropic's published results with smaller, cheaper models. This undermines the uniqueness of Mythos's claimed capability gap and suggests the vulnerability-finding threshold has already been widely crossed.
Mozilla used Mythos to discover and fix 271 Firefox vulnerabilities
All 271 vulnerabilities are now patched and permanently removed from the attack surface — a concrete defensive deployment demonstrating AI's upside for security teams.
Near-term: finding and exploiting vulnerabilities is currently easier than patching them
Many systems cannot be patched; many that can be patched are not. Schneier warns this asymmetry points to a more dangerous short-term security environment, with AI enabling attackers to compromise critical systems at scale for ransomware, espionage, or infrastructure control.
Long-term, Schneier argues AI-enhanced defenders hold structural advantages over attackers
As AI improves at writing software, it will produce more secure code from the outset. The author frames the endgame as favoring defense, though he cautions that the transition period is dangerous.
Vulnerability-finding analogy extends beyond software to tax codes, legal systems, and other rule-based structures
Schneier argues the same pattern-matching capabilities that surface software bugs will expose 'vulnerabilities' in regulatory systems — tax loopholes, legal arbitrage — with broad societal implications.
What This Means
Schneier's analysis, published in The Guardian, argues that AI-powered vulnerability discovery is not a future risk but a present one — and that the Mythos announcement, whatever its marketing dimensions, reflects a genuine inflection point in automated security analysis. For security teams, the near-term implication is a faster and more chaotic patch cycle, with attackers gaining automated access to vulnerability discovery at scale before defenders can remediate. The longer arc Schneier describes — AI eventually making software fundamentally more secure — is plausible but contingent on patching adoption rates and continued model improvement, neither of which is guaranteed.
Sentiment
Mixed — alarmed at dual-use risks and the speed of exploitation, impressed by real defensive capabilities, with skeptics dismissing it as hype
“This is terrifying. @AnthropicAI 's new unreleased Mythos model is so good at hacking, it found bugs in "every major operating system and web browser." 83.1% were exploited on first attempt. This thing is like COVID but for software. Actually apocalyptic in the wrong hands.”
“So Mythos was, indeed, not marketing hype. Remember this is a general purpose model that just happens to be good at finding exploits because good models are good at lots of things. Expect similar from OpenAI & Google. And from open models in 8 months.”
citing Mozilla's use of Mythos to harden Firefox
“It was a manufactured marketing narrative all along because Anthropic lacked compute. "Cybersecurity experts... told CNBC that the software vulnerabilities revealed by Mythos can be found using existing models, including those from Anthropic and OpenAI."”
“My bottom line: Mythos is important because it shows that cybersecurity is entering a speed crisis. The time between “find the flaw” and “weaponize the flaw” is shrinking... The responsible path is probably broad defensive access for verified security people, but not general public release until the surrounding controls are much stronger.”
Split
~50% alarmed/concerned over risks and dual use, ~40% impressed by defensive capabilities, ~10% skeptical of novelty (existing models suffice)
