Anthropic updated the public status of Mythos, its AI model built to automatically find security vulnerabilities in software. The short version: the model is capable, and no one outside Anthropic is getting access to it yet.
Mythos is designed to do what security researchers and penetration testers do manually - scan code and systems for exploitable weaknesses before attackers find them. A reliable AI that can do this would compress security audits that currently take teams of experts days or weeks into a fraction of that time. That would be a meaningful shift in how organizations approach software defense.
The reason Anthropic is holding back is not hard to follow. A model that finds security flaws is also a model that helps someone exploit them. This is the defining tension in cybersecurity AI, and Anthropic's internal responsible scaling policy - which requires safety evaluations before releasing models with dangerous capabilities - puts automated vulnerability discovery firmly in the hold-for-now category.
Who Loses While the Research Sits
The delay creates a real gap for the people who would benefit most: security teams trying to find their own weaknesses before attackers do. Those teams currently rely on expensive manual audits, bug bounty programs, and static analysis tools that miss a meaningful share of real vulnerabilities. The tools they can actually buy today are nowhere near as capable as what Mythos is reported to do.
The groups best positioned to develop similar capabilities without waiting - nation-state hacking units, well-funded criminal organizations - are not submitting safety evaluations before deploying their research. Anthropic's caution is defensible. Releasing a powerful vulnerability-finding model too early carries real risks, and the company has more reason than most to think carefully about it. But the calculus cuts both ways: every month Mythos stays in the lab is another month defenders work at a disadvantage that attackers don't share.