Claude Mythos Just Found Thousands of Hidden Security Flaws — Here's Why That Matters for Your Business
On 7 April 2026, Anthropic — the company behind the Claude AI — announced something that sent shockwaves through the cybersecurity industry.
Their new AI model, Claude Mythos, had discovered thousands of previously unknown security vulnerabilities across every major operating system and every major web browser. The oldest — a flaw hiding in OpenBSD, an operating system famous for its security — had gone undetected for 27 years.
This isn't a theoretical research paper. These are real, exploitable flaws in the software that businesses, governments, and critical infrastructure run on every day.
For businesses that aren't actively managing their cybersecurity, this is a wake-up call.
What Is Claude Mythos?
Claude Mythos is a new AI model from Anthropic that is, by their own assessment, "currently far ahead of any other AI model in cyber capabilities."
Where previous AI models could help write code or answer questions, Mythos can do something fundamentally different: it can autonomously find security vulnerabilities in software, then build working exploits to prove they're real.
According to Anthropic's own technical disclosure, the model doesn't just find simple bugs. It:
- Identifies zero-day vulnerabilities — flaws that no one has discovered before, with no patch available
- Chains multiple vulnerabilities together into complex attack sequences that would take human security researchers weeks or months to construct
- Escapes software sandboxes — the security boundaries designed to contain damage even when a flaw is exploited
- Builds working exploits autonomously — going from "here's a bug" to "here's how to take over the system"
To put the scale in perspective: Anthropic's previous AI models had a near-0% success rate at autonomous exploit development. Mythos Preview developed working exploits 181 times on Firefox targets alone and achieved full control-flow hijack on 10 separate patched targets.
This is not an incremental improvement. It's a step change.
What Did It Actually Find?
The numbers are staggering.
In just a few weeks of testing, Claude Mythos identified thousands of zero-day vulnerabilities — security flaws that were previously unknown and unpatched. At the time of Anthropic's announcement, over 99% of the vulnerabilities found had not yet been patched.
Some of the highlights:
The 27-Year-Old OpenBSD Bug
OpenBSD is widely considered one of the most secure operating systems in existence. Security researchers have scrutinised its code for decades.
Mythos found a flaw in OpenBSD's TCP Selective Acknowledgment (SACK) implementation that had been hiding in plain sight since 1999. The vulnerability allows an attacker to remotely crash any OpenBSD system that responds over TCP — a denial-of-service attack that could take down servers, firewalls, and network infrastructure.
If AI can find bugs that the security community missed for 27 years, what else is hiding in the software your business relies on?
Browser and Operating System Vulnerabilities
Mythos found exploitable flaws in every major web browser and every major operating system. Not just one or two — thousands.
The model demonstrated the ability to escape both browser renderer sandboxes and OS-level sandboxes, meaning it could potentially move from a compromised web page to full control of the underlying system.
Exploit Chaining
Perhaps most concerning is Mythos's ability to chain vulnerabilities together. In one demonstrated case on Linux, the model:
- Used one vulnerability to bypass kernel address space layout randomisation (KASLR)
- Used a second vulnerability to read the contents of a critical system structure
- Used a third vulnerability to write to a previously freed memory object
Each individual flaw might be considered moderate risk on its own. Chained together, they provide complete system compromise.
On FreeBSD, Mythos built a 20-step attack chain split across multiple network packets to achieve unauthenticated remote code execution — the most dangerous category of vulnerability.
Why This Matters for Australian Businesses
This isn't just a story about AI research. It's a story about the future of every cyber attack your business will face.
The Threat Landscape Is Accelerating
According to the ASD Annual Cyber Threat Report 2024-25:
- 84,700 cybercrime reports were filed in Australia — one every six minutes
- The ACSC responded to over 1,200 cyber incidents, up 11% year-on-year
- The average cost of cybercrime for large organisations jumped 219% to $202,700
- Ransomware accounted for 34% of the highest-category incidents
- The ACSC issued 1,700+ threat notifications, up 83% from the prior year
Now layer AI-powered vulnerability discovery on top of that. CrowdStrike's 2026 Global Threat Report documented an 89% increase in AI-assisted attacks year-over-year.
The Window Is Closing
Here's the part that should concern every business owner: Anthropic's own researchers expect competitors — including those in China — to develop comparable AI hacking capabilities within 6 to 12 months.
When that happens, the ability to find and exploit zero-day vulnerabilities won't be limited to a controlled research environment. It will be available to threat actors worldwide.
Logan Graham, who leads offensive cyber research at Anthropic, was quoted by the BBC acknowledging this reality directly.
The implication is clear: the time to strengthen your security posture is now, not after these capabilities proliferate.
Project Glasswing — The Defence Response
Anthropic's response to the dual-use risk of Mythos is Project Glasswing — a consortium of major technology companies using the model to find and fix vulnerabilities before attackers can exploit them.
The founding partners include:
- CrowdStrike — our cybersecurity partner and the platform behind our Managed Cybersecurity & MDR service
- Amazon Web Services
- Apple
- Broadcom
- Cisco
- JPMorgan Chase
- The Linux Foundation
- Microsoft
- NVIDIA
- Palo Alto Networks
Plus approximately 40 additional organisations.
Anthropic is committing up to $100 million in usage credits and $4 million in donations to open-source security organisations to support the initiative.
Why CrowdStrike's Involvement Matters
CrowdStrike isn't just a name on the list. As a founding member of Project Glasswing, they're integrating frontier AI capabilities with the real-world threat intelligence they already collect — a trillion security events per day across endpoints worldwide, tracking over 280 adversary groups.
Their position is straightforward: "Anthropic builds the model. CrowdStrike secures AI where it executes."
For businesses using CrowdStrike-powered security (including Communicat IT clients), this means the AI-driven vulnerability research feeding into Project Glasswing will flow into the same Falcon platform that protects your endpoints, identities, and cloud environments.
This is not a theoretical future benefit. It's already happening.
What Should Your Business Do?
You don't need to understand the technical details of TCP SACK implementations or ROP chains. But you do need to understand that the cybersecurity landscape just changed fundamentally, and traditional security approaches are no longer sufficient.
1. Move Beyond Signature-Based Protection
Traditional antivirus works by recognising known threats. AI-discovered zero-day vulnerabilities are, by definition, unknown. You need behaviour-based detection — tools that identify suspicious activity regardless of whether the specific attack has been seen before.
This is exactly what Managed Detection and Response (MDR) provides: 24/7 monitoring powered by CrowdStrike's AI-native Falcon platform, with human analysts investigating and responding to threats in real time.
2. Patch Faster and Smarter
When AI can discover thousands of vulnerabilities in weeks, the traditional monthly patch cycle becomes dangerously slow. You need a risk-based patching strategy that prioritises actively exploited and critical vulnerabilities.
Read our guide on why traditional patch management is broken for a deeper look at this problem.
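An added example, not from the original post or any vendor tooling, of the prioritisation logic this step describes: constructed vulnerability records are assigned a patch deadline from exploitation status, severity and exposure, and anything past its deadline is flagged. The identifiers, SLA day counts and reference date are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch deadline in days per tier. Assumed values for illustration only;
# a real policy sets these from the organisation's own risk appetite.
SLA_DAYS = {"emergency": 2, "critical": 7, "high": 14, "routine": 30}

@dataclass
class Vuln:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 to 10.0
    known_exploited: bool   # seen exploited in the wild (KEV-style feed)
    internet_facing: bool   # affected asset reachable from the internet
    found: date             # date the finding entered the queue

def tier(v: Vuln) -> str:
    """Map a finding to a patch tier. Actively exploited flaws and critical
    internet-facing ones bypass the monthly cycle entirely."""
    if v.known_exploited or (v.cvss >= 9.0 and v.internet_facing):
        return "emergency"
    if v.cvss >= 9.0:
        return "critical"
    if v.cvss >= 7.0:
        return "high"
    return "routine"

def due_date(v: Vuln) -> date:
    return v.found + timedelta(days=SLA_DAYS[tier(v)])

def prioritise(vulns: list[Vuln], today: date) -> list[tuple[str, str, date, bool]]:
    """Return (id, tier, due, overdue) with the most urgent work first:
    overdue items, then earliest due date, then higher CVSS."""
    rows = [(v.vuln_id, tier(v), due_date(v), due_date(v) < today, v.cvss) for v in vulns]
    rows.sort(key=lambda r: (not r[3], r[2], -r[4]))
    return [(i, t, d, o) for i, t, d, o, _ in rows]

# Constructed sample queue and a fixed reference date so the run is reproducible.
TODAY = date(2026, 4, 8)
SAMPLE = [
    Vuln("VULN-A", 9.8, False, True, date(2026, 4, 1)),   # critical and exposed
    Vuln("VULN-B", 6.5, True, False, date(2026, 4, 5)),   # medium score but exploited
    Vuln("VULN-C", 9.1, False, False, date(2026, 4, 6)),  # critical, internal only
    Vuln("VULN-D", 5.3, False, False, date(2026, 4, 6)),  # routine monthly cycle
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE, TODAY):
        print(row)
```

Note that VULN-B outranks VULN-C despite a much lower CVSS score: evidence of active exploitation, not severity alone, is what pulls a finding out of the monthly cycle.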
3. Align with the Essential Eight
The Australian Signals Directorate's Essential Eight framework remains the most practical baseline for Australian businesses. Its core controls — application control, patching, MFA, privilege restriction — directly mitigate many of the attack techniques that AI-powered exploitation enables.
It's also increasingly a requirement for cyber insurance.
4. Get Strategic Security Leadership
If your business doesn't have a dedicated security leader, consider a Virtual CISO engagement. As the threat landscape accelerates, having someone who understands your risk profile and can make informed decisions about security investment is no longer optional — it's essential.
5. Ensure Your Backups Are Immutable
When AI can chain vulnerabilities to achieve complete system compromise, your backup strategy becomes your last line of defence. Immutable backups — backups that cannot be encrypted, deleted, or modified by attackers — ensure you can recover even from the most sophisticated attacks.
The Bottom Line
Claude Mythos represents an inflection point. AI can now find and exploit vulnerabilities faster and more effectively than any human team. The same capabilities that are being used to strengthen defences through Project Glasswing will inevitably become available to attackers.
The businesses that will weather this shift are the ones that:
- Use AI-powered security tools (not legacy antivirus)
- Have proactive monitoring and response (not reactive break-fix)
- Maintain compliance frameworks like Essential Eight (not ad-hoc security)
- Work with security partners who are connected to the frontier of AI development (not lagging behind)
As a CrowdStrike-powered MSP, Communicat IT provides all of these capabilities to Melbourne businesses. If the Mythos announcement has you rethinking your security posture, that's the right instinct.
Frequently Asked Questions
What is Claude Mythos?
Claude Mythos is a new AI model from Anthropic that can autonomously discover and exploit zero-day security vulnerabilities in software. It has found thousands of previously unknown flaws across every major operating system and web browser, including a 27-year-old bug in OpenBSD.
Is Claude Mythos available to hackers?
Not yet. Anthropic has restricted access to a small group of companies through Project Glasswing, including CrowdStrike, Microsoft, Google, Apple, and others. However, Anthropic expects competitors to develop comparable capabilities within 6 to 12 months, after which similar tools could become more broadly available.
What is Project Glasswing?
Project Glasswing is Anthropic's initiative to use Claude Mythos for defensive cybersecurity. A coalition of major technology companies — including CrowdStrike — is using the model to find and patch vulnerabilities in critical software before attackers can exploit them. Anthropic has committed up to $100 million in credits to support the effort.
How does this affect Australian businesses?
Australia already faces a significant cyber threat — 84,700 cybercrimes were reported in 2024-25, with the average cost per incident reaching $202,700 for large organisations. AI-powered vulnerability discovery will accelerate this trend. Businesses that don't have modern, AI-powered security in place will be increasingly exposed.
What should I do right now?
Start with the fundamentals: deploy modern endpoint protection (EDR/MDR, not antivirus), implement multi-factor authentication, align with the Essential Eight framework, and ensure your backups are immutable. If you're not sure where you stand, contact us for a security assessment.
Take the Next Step
The cybersecurity landscape has fundamentally changed. If you're unsure whether your current security posture would hold up against AI-powered threats, we can help you find out.
Book a free security assessment with our Melbourne team, or call us on 1300 766 393.