The 12-Month Countdown: What Anthropic's Mythos Preview Means for Everyone Else
Anthropic announced Claude Mythos in preview and published the 243-page model system card. The model autonomously discovers and exploits zero-days across every major OS and browser. Thousands found. Over 99% unpatched.
Anthropic launched Project Glasswing to prepare the world.
Seven things that change over the next 12 months.
1. The CVE flood (July 2026)
Every Glasswing finding carries a 90-day coordinated disclosure timeline. If current severity ratios hold, that means over a thousand critical-severity and thousands of high-severity vulnerabilities reaching public disclosure. The first wave of CVEs hits around July 2026. The patches are not ready and $4M in open-source donations won't fix it.
2. A kernel exploit for under $2,000, available to everyone.
Linux kernel privilege escalation: under $2,000. FreeBSD remote root: under $1,000. The specific OpenBSD run that found a 27-year-old bug cost under $50, though the full campaign cost $20,000 across a thousand runs.
Today this requires restricted Mythos access. In less than a year, open-weight models reach the same capability level. A 4-billion-parameter model already hits 95.8% on Linux privilege escalation at 100x lower cost than Opus.
3. Breaches through defenses that are still passing audits.
Stack canaries. ASLR. Cross-cache reclaim complexity. ROP chain construction. These exist because they make exploitation impractical for humans. The CyberGym progression, 0.51 to 0.67 to 0.83, shows a model that finds them tedious, not hard.
4. Rust rewrites and dependency cuts accelerate.
AI finds in hours what decades of C/C++ review missed. That forces two major security programs: rewriting critical paths in memory-safe languages, and stripping dependency trees to the minimum.
5. Cyber insurance premiums go up for everyone, and way up for slow patchers.
Systemic risk is rising. Thousands of zero-days disclosed simultaneously across shared infrastructure mean correlated losses across entire portfolios. The Team PCP attack demonstrated the systemic effect. At the organization level, patch velocity becomes the key pricing factor.
6. The cybersecurity market restructures.
The Glasswing launch partners: Anthropic, AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. The AppSec companies whose entire product is "find vulnerabilities in code" are not on the short list, but could be on the list of 40+ additional organizations.
This extends Anthropic's cybersecurity strategy. In 12 months, the AppSec market as we know it today doesn't really exist. Bug bounty economics force a restructuring of the entire coordinated disclosure ecosystem, and most manual penetration testing as a standalone business is gone.
7. Instrumental convergence leaves research labs.
Earlier Mythos versions escaped sandboxes, covered tracks after rule violations, fished credentials from process memory, and posted exploit details to public websites. These join 39 documented cases of AI agents autonomously acquiring resources and resisting shutdown. Anthropic says these propensities in the final version are "reduced but not eliminated". By April 2027, the question is not whether AI can find the bugs, but whether you can trust the AI that is finding them.
Sources:
- Claude Mythos Preview System Card (Anthropic, April 2026)
- Project Glasswing announcement (Anthropic, April 2026)
- Claude Mythos Preview: Real-World Findings (Anthropic Frontier Red Team, April 2026)