Anthropic · Founded 2021
Who is Claude?
Claude Shannon
1916 – 2001 · the father of information theory
Claude isn't a random name — the model is a tribute to Claude Shannon, the mathematician and engineer whose ideas make language models possible at all.
In 1948 he published “A Mathematical Theory of Communication,” the paper that founded information theory. He coined the bit, defined entropy as a measure of uncertainty, and proved the absolute limits of how much information any channel can carry. A decade earlier, his master's thesis had shown that Boolean algebra could describe electrical switching circuits — the conceptual blueprint for every digital computer that followed.
An LLM predicts the next token by estimating a probability distribution over symbols — precisely the statistical view of language Shannon pioneered when he measured the entropy of written English in 1951. Every token, every prediction, every word Claude generates flows directly from his work.
Selected work
- 1937 — Boolean algebra applied to switching circuits; the foundation of digital logic design.
- 1948 — Information theory: the bit, entropy, and channel capacity.
- 1950 — One of the first computer chess programs, and Theseus, a maze-solving mechanical mouse that “learned” — an early experiment in machine learning.
In 2021, eleven researchers left OpenAI to found Anthropic — not because they believed AI was safe, but because they believed a lab that took safety seriously had to be at the frontier, not on the sidelines. Their wager was simple: if powerful AI is inevitable, better that the people most concerned with its risks are the ones building it. The result is Claude — and the reason a model's security capabilities are now a boardroom conversation.
By the numbers
- 1,000,000: Token context window (≈ 750,000 words in a single pass)
- ~2T: Estimated parameters (est. · 10× the scale of GPT-3)
- ~10T: Tokens of training data (est. · more than any human could read in millennia)
- 83.1%: CyberGym vulnerability-discovery score (vs Claude Opus 4.6 at 66.6% · Anthropic's own benchmark)
The Claude family
Every Claude is named for a form of writing.
the short form
Haiku
Near-instant and lightweight. Built for high-volume, low-latency work where speed is everything.
the balanced form
Sonnet
The workhorse. Strong reasoning and speed held in balance — the everyday frontier.
the grand work
Opus
Maximum depth. The most capable reasoning Anthropic ships, for the hardest problems.
the legend
Mythos
The upcoming flagship — a tier above Opus, and the capability that turned vulnerability discovery into a boardroom risk. The subject of this briefing.
Milestones
The road to Mythos.
2021
Anthropic founded
Eleven researchers leave OpenAI to build a safety-first frontier lab.
2022
Constitutional AI
A method to align models to a written set of principles, not just human ratings.
2023
Claude arrives
The first Claude models ship, scaling to a 100K-token context window.
2024
The Claude 3 family
Haiku, Sonnet and Opus — one tiered family spanning speed to depth.
2025
A million tokens
Context windows reach 1M tokens as Opus pushes the capability frontier.
Next
Claude Mythos
The upcoming flagship — a step change in reasoning and scale.
Why Anthropic
Built to be trusted at the frontier.
01
Constitutional AI
Claude is trained against an explicit constitution — principles it uses to critique and revise its own answers, reducing reliance on humans labeling harmful content.
02
Responsible Scaling
Capabilities are gated behind AI Safety Levels. As models grow more powerful, stricter evaluations and safeguards are required before release.
03
Interpretability
Anthropic studies the internals of its models — the features and circuits behind a prediction — to understand why Claude does what it does.
“If powerful AI is inevitable, the safest future is one where the people most worried about it are the ones building it.”
Claude Mythos · What Changed
How is Mythos Different?
Every model learns to read code. Mythos learned to understand it. The difference turned out to matter more than anyone expected.
int validate_session(request_t *req) {
    char token[64];
    // copy the session token from the header
    strcpy(token, req->header);
    if (lookup(token) == NULL) {
        return DENY;
    }
    user_t *u = current_user();
    if (u->role >= ROLE_ADMIN) {
        grant_all(u);
    }
    return ALLOW;
}
OWASP Top 10 · 2025
It starts with comprehension.
Mythos reasons about a codebase at a depth earlier models could not reach — not pattern-matching against known signatures, but modelling what the code does, why it exists, and how it behaves when its assumptions break.
Flaws surface as a byproduct.
At that depth of understanding, vulnerabilities are no longer something to scan for. They fall out of comprehension itself — including classes of flaw that no signature or linter would have flagged.
No security curriculum required.
Mythos was not trained to hunt vulnerabilities; it was trained to understand code. The flaws were always present. Mythos is simply the first system capable enough to see them at scale.
OWASP TOP 10 : 2025 · SURFACED AS A BYPRODUCT OF CODE COMPREHENSION
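A bounded, fail-closed counterpart to the validate_session snippet shown above, as an added example that is not part of the original briefing. Only the function's control flow comes from the page: the types, the DENY/ALLOW and ROLE_* values, and the lookup, current_user and grant_all stand-ins are assumptions constructed so the block compiles. It addresses the unbounded strcpy into token[64] and treats a NULL current_user() as a denial.

```c
#include <stddef.h>
#include <string.h>

/* Assumptions: only validate_session() appears on the page. The types,
 * constants and the three helpers below are constructed stand-ins. */
enum { DENY = 0, ALLOW = 1 };
enum { ROLE_USER = 1, ROLE_ADMIN = 2 };
#define TOKEN_MAX 64 /* same size as the page's token[64] */

typedef struct { const char *header; } request_t;
typedef struct { int role; int granted_all; } user_t;

static user_t demo_user = { ROLE_ADMIN, 0 };                     /* constructed */
static user_t *demo_current = &demo_user;                        /* constructed */
static const char *const demo_sessions[] = { "tok-alice-0001" }; /* constructed */

/* Stand-in session store: returns the stored token or NULL if unknown. */
static const char *lookup(const char *token) {
    for (size_t i = 0; i < sizeof demo_sessions / sizeof demo_sessions[0]; i++)
        if (strcmp(demo_sessions[i], token) == 0)
            return demo_sessions[i];
    return NULL;
}
static user_t *current_user(void) { return demo_current; }
static void grant_all(user_t *u) { u->granted_all = 1; }

int validate_session_hardened(const request_t *req) {
    char token[TOKEN_MAX];

    if (req == NULL || req->header == NULL)
        return DENY;

    /* Look for the terminator within the first TOKEN_MAX bytes only. If it is
     * not there, the token cannot fit in token[] together with its NUL, so
     * fail closed rather than truncate: a truncated token could match a
     * different session. */
    const char *end = memchr(req->header, '\0', TOKEN_MAX);
    if (end == NULL)
        return DENY;
    size_t len = (size_t)(end - req->header);
    if (len == 0)
        return DENY;                      /* an empty token is never valid */
    memcpy(token, req->header, len + 1);  /* len + 1 <= TOKEN_MAX, NUL included */

    if (lookup(token) == NULL)
        return DENY;

    user_t *u = current_user();
    if (u == NULL)
        return DENY;                      /* no resolved user: deny, do not dereference */
    if (u->role >= ROLE_ADMIN)
        grant_all(u);
    return ALLOW;
}
```
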
Why this is a step-change, not an increment
Three capabilities set Mythos apart.
Many of its attributes existed in earlier models and evolved over the past year. These three are what make it categorically different.
Exploits without scaffolding
In Anthropic's lab testing, Mythos generated 181 working Firefox exploits where Claude Opus 4.6 succeeded just twice under identical conditions — a step-change in autonomy and reliability, not a marginal gain.
Complex, chained vulnerabilities
Mythos identifies flaws composed of multiple primitives chained together — for example, several memory-corruption bugs combined into a single working exploit path that no individual finding would reveal.
“One-shot” capability
It accomplishes substantially more from a single prompt — without elaborate scaffolding, agent frameworks, or hand-tuned configuration. The barrier to operating it collapses toward a sentence of English.
Project Glasswing · The latest figures
The receipts.
As of Anthropic's May 2026 Glasswing update — a curated early-access program giving critical-software providers Mythos to patch their own products first.
10,000+
High- or critical-severity vulnerabilities
Across systemically important software · since the Glasswing launch
23,019
Issues across 1,000+ open-source projects
6,202 of them high- or critical-severity
>90%
Of validated findings were true positives
1,752 high/critical findings checked by independent security firms — not “AI slop”
27 yrs
Age of the OpenBSD bug
Survived decades of expert human review. Found by Mythos.
16 yrs
Age of the FFmpeg bug
Found alongside Linux kernel flaws chained autonomously
83.1%
CyberGym vulnerability-discovery score
vs Claude Opus 4.6 at 66.6% · Anthropic benchmark
The twist in the data
The bottleneck isn't finding. It's fixing.
“The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.”
Validated, not hallucinated
Independent security firms checked 1,752 of the high/critical findings — over 90% held up as true positives. This isn't the “AI slop” that flooded bug bounties a year ago.
A real exploit, not a theory
In wolfSSL — a crypto library on billions of devices — Mythos built an exploit to forge certificates, enough to stand up a convincing fake bank or email site. Patched; details withheld.
Why this is your problem
Discovery now outruns remediation. The constraint has moved to triage, patch capacity, and the maintainers and vendors you depend on — exactly the muscles this program builds.
This is not hype
The establishment is sounding the alarm.
This briefing isn't a vendor pitch. It was written by the CSA CISO Community, SANS, [un]prompted, and the OWASP Gen AI Security Project — and reviewed by dozens of sitting CISOs. Among the contributing authors:
Jen Easterly
Former Director, CISA
Bruce Schneier
Security technologist · Harvard Kennedy School
Chris Inglis
Former National Cyber Director, The White House
Phil Venables
Former CISO, Google Cloud
Heather Adkins
CISO, Google
Rob Joyce
Former Cybersecurity Director, NSA
Sources: Anthropic, “Project Glasswing” (anthropic.com/glasswing) and its May 2026 update · “The AI Vulnerability Storm: Building a Mythos-ready Security Program” · CSA CISO Community, SANS, [un]prompted, OWASP Gen AI Security Project · v0.95, April 2026 · CC BY-NC 4.0
The trend, not the moment
Mythos is the acceleration, not the starting gun.
For more than a year, autonomous systems have been finding and weaponizing vulnerabilities faster than defenders can respond. The window between a flaw existing and an exploit existing has been collapsing toward zero.
The Zero Day Clock
Time from disclosure to working exploit
DARPA Cyber Grand Challenge — machines first patch and exploit autonomously
The run-up · 2025 → 2026
A year of escalation, in the record.
Jun 2025
XBOW tops the HackerOne leaderboard
The first autonomous system to outrank every human researcher on the platform's US leaderboard.
Aug 2025
Google Big Sleep finds 20 real zero-days
Each vulnerability found and reproduced autonomously across projects including FFmpeg and ImageMagick.
Aug 2025
DARPA AIxCC finals at DEF CON 33
54 vulnerabilities surfaced in four hours of compute across 54 million lines of code.
Sep 2025
The singularity warning
Adkins (CISO, Google) and Evron (CEO, Knostic) warn that autonomous discovery and exploitation is roughly six months away.
Nov 2025
First AI-orchestrated espionage campaign
A Chinese state-sponsored group used Claude Code to run full attack chains — recon through exfiltration — autonomously across ~30 global targets (detected mid-September).
Feb 2026
Hundreds of high-severity bugs; an 8-minute breach
500+ high-severity vulnerabilities reported in open source. AISLE found 12 OpenSSL zero-days — one a CVSS 9.8 dating to 1998. Sysdig documented admin access in eight minutes; Gambit reported the AI-led compromise of Mexican government infrastructure.
Mar 2026
The Zero Day Clock launches; open source is overwhelmed
Sergej Epp and others publish the Zero Day Clock, showing time-to-exploit collapsing below a day. Linux kernel bug reports climb from 2 to 10 a week — once hallucinated, now all verified real; curl reverses its AI-slop stance as report quality rises.
Mar 2026
Defensive tooling ships
The same capability turns inward: Claude Code Security (Anthropic) and Codex Security (OpenAI) enter research preview, and Knostic open-sources OpenAnt with free scans for open-source projects.
Apr 7, 2026
Claude Mythos Preview & Project Glasswing
Anthropic announces Mythos Preview alongside Glasswing — thousands of zero-days across every major OS and browser, and a 27-year-old OpenBSD bug found at last.
May 2026
Glasswing's first numbers land
Anthropic reports 10,000+ high/critical-severity vulnerabilities, and 23,019 issues across 1,000+ open-source projects. In wolfSSL — a crypto library on billions of devices — Mythos built a working certificate-forgery exploit. Finding has outrun fixing.
Each of these predates Mythos. The capability was already here — Mythos simply removed the last constraints.
How to read this
A leading indicator — not yet the damage itself.
Keep it honest
The collapse in time-to-exploit has not yet produced a proportional rise in impact. Most consequential incidents still turn on credential abuse, social engineering, or supply-chain compromise — not novel zero-days. The clock points to where attacker capability is heading, not a measure of today's damage.
But the window is real
Even with launch partners like AWS, Apple, Google, Microsoft and the Linux Foundation, 40+ more organizations, and $100M in committed model credits, curated access can only cover so much of the world's attack surface. Comparable offensive capability is expected in other frontier models within months — and in open-weight models within six months to a year. The defensive head start is time-limited by definition.
Why this favours the attacker
The attacker needs one.
You must hold everything.
AI accelerates both sides. It speeds patch development and reduces defects in new code — but the gains are not shared evenly. Patching has inherent limits that exploitation does not, so every increase in capability hands the attacker the larger share.
The attacker's advantage
- Needs a single exploit to succeed — once.
- Reuses one finding across thousands of targets (1 : N).
- Treats every published patch as an exploit blueprint.
- Operates as a syndicate — tools and findings shared instantly.
- Pays no testing, no change-control, no downtime cost.
The defender's burden
- Must hold every system, every dependency, every day.
- Tests, stages, and schedules each patch before it ships.
- Cannot assume a fix will exist in time to remediate.
- Carries supply-chain risk far beyond its own code.
- Absorbs the operational cost of every change.
We cannot outwork machine-speed threats.
The answer is not more effort — it is leverage.
Governance · Risk · Compliance
This is a governance event before it is a technical one.
The exploits are the headline. The exposure your team owns is quieter and more durable: the risk models, the standard of care, and the speed at which you can govern change.
The risk model is outdated
The assumptions underneath today's metrics were written for a slower adversary. Several no longer hold.
- Weeks from disclosure to exploit → Hours — sometimes minutes
- A patch will be ready in time → No patch may exist when you need it
- Measure prevention → Measure containment and time-to-recover
The CISO's ability to control risk has measurably narrowed — which flows directly into business reporting, projections, and the funding of the controls that prevent incidents.
The standard of care is shifting
Regulation tests defensive effort against what is reasonable. When AI scanning is cheap and available, reasonable moves.
- AI defensive tooling is optional → Not using it invites a negligence question
- Reasonableness is a stable bar → The bar rises as capability spreads
- Compliance is a checklist → The EU AI Act adds audit & incident duties (Aug 2026)
Boards will be asked whether they used the tools available to find their own weaknesses first. This is a governance risk with direct financial exposure.
Governance friction is now a liability
Approval cycles built for a calmer threat environment now slow the very defenses you need to deploy.
- Onboard a control over quarters → Friction has a harder deadline
- Security, Legal, Engineering in silos → One cross-functional acceleration body
- Wait for industry frameworks → Define your own guardrails now
Without a mechanism to evaluate new threats and fast-track defensive technology, every other action runs into approval friction — to the attacker's advantage.
The frameworks this maps to
You already own the language for this.
NIST CSF 2.0
Govern · Identify · Protect · Detect · Respond
The program backbone
MITRE ATLAS
Adversarial techniques against AI/ML
How the attack works
OWASP LLM 2025
Top 10 for LLM applications
Risk in LLM components
OWASP Agentic 2026
Top 10 for agentic applications
Risk in autonomous agents
Every risk in the register that follows is tagged to these four. The shift is real, but it is legible — and that is the opening for the program.
A draft you can take to Monday
Thirteen risks, already mapped.
Not a theoretical exercise — a register you could adapt this week. Each risk carries a severity, a type, the frameworks it touches, and the priority action that addresses it. Filter it, then open any row.
Autonomous exploit generation at machine speed. The capability predates Mythos; what changes is speed, scale, and the collapse in skill required. Every patch also becomes an exploit blueprint.
Defenders operating at human speed while attackers operate AI-augmented. The asymmetry is cultural as much as technical — teams that don't adopt agents cannot match the pace, regardless of skill.
Privileged agents sit outside existing control frameworks — insecure by default, and where attacker focus now lies. Introduces both defensive and agentic supply-chain risk (MCP servers, extensions, skills).
Detection and response at human speed against machine-speed attacks. Alert triage, SIEM correlation, and containment authorization were all designed for human-paced threats.
Stakeholder decisions based on pre-AI risk models. Metrics built on old assumptions about exploit timelines may no longer reflect actual exposure — and could lead to underfunding of controls.
Unknown attack surface — assets, code, dependencies, shadow agents. Attackers can enumerate your exposure faster than you can inventory it. You cannot segment or defend what you don't know exists.
Code from humans and agents ships without consistent security review. More code, faster, same defect rate, against a more capable adversary. Exploitable flaws reach production before defenders find them.
A flat or under-segmented network gives every successful exploit leverage. Automated multi-hop movement exploits poor architecture faster than any manual attacker could.
A reactive posture against continuous AI-discovered zero-days, with no VulnOps function. Quarterly pen tests and reactive patching cannot keep pace; CVE/NVD workflows were built for dozens, not hundreds.
CVE- and KEV-based intelligence is structurally outpaced by AI discovery rates. Novel vulnerabilities have no KEV listing by definition — and the CVE system may not scale to AI-generated volumes.
A governance vacuum creates approval friction that slows defensive AI adoption. AI-accelerated timelines give that friction a harder deadline — this is where the liability asymmetry gets addressed structurally.
A shifting standard of care as AI scanning becomes broadly available. The EU AI Act (Aug 2026) adds audit and incident duties; boards face questions about whether not using available tools constitutes negligence.
Signal-to-noise collapse in guidance. Teams that dismiss the shift as hype — or exhaust their attention on low-signal content — will miss the landscape changes they actually need to react to.
Type · Threat = external capability, controls raise cost · Vulnerability = addressable condition · Capability gap = missing defensive function · Governance = structural failure amplifying the rest.
A program across three horizons
Operational now. Strategic for what's next.
A Mythos-ready program is run like an incident and built like a strategy. It restores equilibrium today while preparing for the waves that follow — because Mythos is the first, not the last.
Absorb the wave
Treat this like an incident with no clean end. Stand up the capacity to triage and deploy a flood of patches — from the launch partners and 40+ organizations in the Glasswing early-access program alone — without exhausting the team.
- Prepare for multiple high-severity incidents in one week
- Reach minimum viable resilience first
- Protect experienced staff from burnout
Re-baseline the risk
Business risk has shifted. Re-engage stakeholders on tolerance and reporting before the old numbers mislead a decision.
- Update metrics, reporting, and risk calculations
- Align tolerance for downtime to shorter adversary timelines
- Make the change legible to the board
Rebuild for the next wave
Mythos is the first of many. Selective overhaul of governance and controls so the program adapts rather than reacts.
- Governance that onboards technology faster
- AI-based defensive controls as they mature
- A permanent VulnOps function
Minimum viable resilience
The metrics move from prevention to resilience.
- Cost of exploitation: Assumed high → Raise it deliberately
- Detection of compromise: Eventually → Early, by design
- Blast radius: Hope it's small → Contained and measured
- Time to recover: Not a headline metric → The headline metric
Assumptions the new landscape breaks
The aggressive timetable
Eleven moves, in order of urgency.
For the CISO who needs a plan by Monday. Each action carries a start window and a horizon to completion. The pace is deliberately aggressive — calibrate it to your environment.
Point agents at your code
Turn LLM capability inward. Ask an agent for a security review today; build toward review-before-merge for all code, human or AI-generated. Tools exist now — Claude Code Security (Anthropic), Codex Security (OpenAI), and open-source OpenAnt (Knostic) and raptor.
Require AI agent adoption
Formalize agent use across every security function, with controls and oversight. Optional programs don't overcome cultural inertia — and adoption gates everything else here.
Establish acceleration governance
A cross-functional body — Security, Legal, Engineering — to evaluate new threats and fast-track defensive technology. Without it, every other action hits approval friction.
Prepare for continuous patching
Stand up triage and deployment capacity for a flood of patches as Glasswing disclosures reach major vendors.
Update risk models & reporting
Re-baseline metrics, reporting, and business risk to AI-accelerated timelines. Outdated models can underfund the controls that prevent incidents.
Defend your agents
Agents are privileged and insecure by default, and outside existing controls. Audit the harness — prompts, tools, retrieval, escalation — with the same rigor as permissions.
Inventory & reduce attack surface
Use agents to build a continuous inventory and real SBOMs. Shut down unneeded functionality; isolate what you can't patch. You can't defend what you can't see.
Harden your environment
Egress filtering (it blocked every public log4j exploit), deep segmentation, Zero Trust, locked dependency chains, phishing-resistant MFA. Every boundary raises attacker cost.
Build a deception capability
Canaries, honey tokens, behavioral monitoring. Deception is exploit-independent — it catches attackers by their behavior, not their tool.
Automate incident response
Detection engineering and response that runs, as far as possible, at machine speed: behavioral analysis, pre-authorized containment, playbooks that execute.
Stand up VulnOps
A permanent Vulnerability Operations function (VulnOps — introduced by Adkins, Evron & Schneier) — staffed and automated like DevOps, owning continuous discovery and automated remediation across your whole estate.
A word on nuance
Some of these pull against each other. The case for patching faster competes directly with the case for a supply-chain cooldown before deploying third-party updates. There is no single right answer — calibrate by asset criticality, blast radius, and your tolerance for downtime. This is a judgement, not a checklist.
Every one of these can begin this week. None of them waits for an industry framework.
Ten questions
Before the plan, ground truth.
None of the actions matter if you don't know where you actually stand. These ten questions triage your program's real state — and your real influence over the functions you don't own.
Answer them honestly as we go. The gaps are your starting backlog.
Allowed, tolerated, restricted, or unknown. The honest answer, not the policy.
Looping, tool-using agents — not just chatbot access. And do guardrails exist for them?
A legal and IP question, not a technology-philosophy question.
Including the agentic supply chain — MCP servers, plugins, skills. Provenance and what's allowed into CI/CD.
A genuine cooling-off point that demonstrates enforcement in the release cycle.
Can the function directly change outcomes — or does it mostly review and escalate?
Use a real example, not a policy statement. It reveals your true response speed.
Not theoretically important systems — the actual few that matter, and their dependencies.
Escalation paths, relationship ownership, and leverage — before you need them.
If everything is a crisis, nothing is urgent.
The hardest question in the room
Are we outmoded?
It's the quiet worry behind every one of these slides. We can't outwork machine-speed threats — so the honest answer has two halves, and a leader has to hold both.
The human cost is real
- Burnout and attrition are a direct operational risk, not an HR footnote.
- The expertise needed is scarce, takes years to build, and can't be replaced on short timescales.
- Team resilience — workload, mental health, retention — is a strategic priority, equal to the technical work.
- Even senior vulnerability researchers are asking whether they still have a place.
And the opportunity is bigger
- For now, we are not outmoded — agents amplify expertise, they don't replace it.
- Every security role is becoming an “AI builder” role, augmented by agents.
- The barrier is lower than most realize: getting started is easier than using Excel.
- They work across the board — from GRC to incident response, far beyond code.
Every security role is becoming an AI builder.
This isn't a crisis of relevance — it's a normal response to a disruptive shift. The practitioners who adapt fastest will be the ones who lean into the tooling rather than guard against it.
Taking it upstairs
Mythos is now a boardroom concern.
That is the opening.
The attention is already here. The job is to convert it — justify the program that's funded, and make the case for what comes next.
Talking point
AI accelerates both sides
The same capability that makes the business faster makes the adversary faster. It has compressed time-to-incident from weeks to hours. Turned inward, these tools let us find and fix our own weaknesses before attackers do — the security program we've funded is exactly what makes that strategy viable.
Talking point
An aggressive plan is needed
This is not an open-ended AI initiative. We are seeking alignment to execute a targeted 90-day plan with clear owners and outcomes — returning risk toward pre-Mythos levels and demonstrating due diligence against a documented shift in the threat environment.
The ask · a targeted 90-day plan
Clear owners. Clear outcomes. One quarter.
Increase people & capacity
Repurpose staff and add capacity for triage, remediation, and incidents — while protecting experienced staff from burnout.
Deploy AI tooling
Formalize agent use across security: scan our own code, require AI review before code ships, augment teams with purpose-built agents.
Harden infrastructure
Asset inventories, reduced exposure, segmentation, Zero Trust, egress filtering — validated across internal systems and key third parties.
Accelerate procurement & governance
Align Security, Legal, and Engineering to evaluate threats and fast-track defensive technology. Current cycles are too slow.
Update playbooks
Technical and communications response plans that execute at speed, including pre-authorized containment for simultaneous incidents.
Track progress
Regular check-ins across the 90 days to capture results and surface roadblocks early.
What “Mythos-ready” means
Permanently closing the gap.
In four parts
Being “Mythos-ready” means:
Resilient architecture
Limit attackers' ability to exploit what they find — and contain the impact when they do.
Find it first
Discover more of your own vulnerabilities in advance of any adversary or vendor advisory.
Respond at scale
Handle incidents quickly and in volume, containing impact to minimize business disruption.
Accelerate with agents
Compound your program and your people with AI — starting this week, across every function.
And we don't do it alone
Attackers already move as a collective. Defenders must too.
Adversaries crowdsource, share tools, and operate as syndicates. The answer is collective defense — engaging ISACs, CERTs, sector groups, and standards bodies to share intelligence and coordinate response. It matters most for the organizations below the Cyber Poverty Line, a concept introduced by Wendy Nather: those without the resources to defend themselves alone.
We have done this before
Y2K was a systemic threat with a hard deadline, and the industry met it through coordinated, disciplined effort. This is the same kind of problem — with far more powerful tools in the defenders' hands.
Being Mythos-ready isn't about reacting to one model or one announcement. It is about permanently closing the gap between how fast vulnerabilities are found and how fast your organization can respond.
Every action in this brief can begin this week.
Source: “The AI Vulnerability Storm: Building a Mythos-ready Security Program” · CSA CISO Community, SANS, [un]prompted, OWASP Gen AI Security Project · v0.95, April 2026 · CC BY-NC 4.0