Anthropic finds 10,000 vulnerabilities

- Anthropic said on May 23 that Claude Mythos Preview helped partners identify more than 10,000 major software vulnerabilities in one month.
- Mozilla said Firefox 150 shipped fixes for 271 vulnerabilities found during an early Mythos Preview evaluation, after Firefox 148 fixed 22 advisories.
- Anthropic’s evidence is laid out in its Mythos materials, Mozilla posts, and UK AI Security Institute cyber-capability evaluations.

Anthropic said on May 23 that its Claude Mythos Preview model helped partners identify more than 10,000 major software vulnerabilities in one month, a pace the company said is beginning to outrun the ability of security teams to verify and patch findings. The company’s recent materials describe the model as a step up in offensive cyber capability and say external users are already applying it to browsers, cloud systems and fraud controls. Mozilla, one of the named partners, said Firefox 150 included fixes for 271 vulnerabilities found during an early Mythos Preview evaluation. The UK AI Security Institute, which tested the model in April, said Mythos Preview was the first model it had seen solve both of its in-house multi-stage cyber ranges end-to-end.

### Where does the 10,000-vulnerability figure come from?

Anthropic’s partner-facing security reporting, cited by The Indian Express and The Decoder on May 23, said Claude Mythos Preview helped around 50 partners identify more than 10,000 major vulnerabilities in a month. The same reporting said Cloudflare found 2,000 bugs, including 400 rated high or critical, across critical-path systems while using the model. (the-decoder.com)

Anthropic’s own public security pages do not present that exact 10,000 total in the snippets surfaced here, but they do describe Mythos Preview as capable of identifying and exploiting zero-day vulnerabilities across major operating systems and browsers, and say the model marks a sharp increase over Claude Opus 4.6 on cyber tasks. (indianexpress.com)

### What did Mozilla actually find in Firefox?

Mozilla said in May that Firefox 150 included fixes for 271 vulnerabilities identified during an initial evaluation with Claude Mythos Preview.
In a separate engineering post, Mozilla said the release included three internal rollups — CVE-2026-6784, CVE-2026-6785 and CVE-2026-6786 — covering 154, 55 and 107 bugs respectively, while noting that the rollup totals exceed 271 because some bugs were counted in more than one grouping. (red.anthropic.com)

March 6 marked an earlier stage of the Mozilla-Anthropic work. Anthropic said Claude Opus 4.6 had discovered 22 Firefox vulnerabilities over two weeks, and Mozilla said Firefox 148 shipped fixes after Anthropic’s red team surfaced more than a dozen verifiable bugs with reproducible tests. Anthropic also said that earlier Firefox 147 JavaScript-engine findings were patched in Firefox 148. (blog.mozilla.org)

### What did the UK AI Security Institute say about Mythos?

The UK AI Security Institute said on April 13 that Claude Mythos Preview represented a step up over previous frontier models in a cyber landscape that was already improving quickly. The institute said Mythos Preview was the first model to solve both of its in-house multi-stage cyber ranges end-to-end. (anthropic.com)

A UK government open letter published later said testing by the institute found Mythos to be “substantially more capable at cyber offence” than any model it had previously assessed. A separate AISI evaluation of OpenAI’s GPT-5.5 said that model was the second one to solve one of the institute’s multi-step cyber-attack simulations end-to-end, reinforcing AISI’s account that Mythos had set the earlier benchmark. (aisi.gov.uk)

### What is the bank and wire-transfer example?

The Indian Express reported on May 23 that one partner bank used Mythos to avert a fraudulent $1.5 million wire transfer in real time. The article did not identify the bank in the material surfaced here, and Anthropic’s public pages in these results did not independently name the institution.
(assets.publishing.service.gov.uk)

That example matters because Anthropic’s recent security messaging is not limited to code scanning. The company’s public materials and partner examples place Mythos in settings where the model is being used to inspect live systems, triage findings and support defensive action before losses occur. (indianexpress.com)

### Why are security teams focusing on containment and traceability?

Mozilla’s May posts show one immediate answer: the company built an agentic pipeline in which the model writes and runs test cases to filter findings, and Mozilla said it plans to check new code automatically before commit. That shifts work from simply detecting bugs to validating, prioritizing and routing them into engineering workflows. (the-decoder.com)

Anthropic and UK officials have framed the same issue in different terms. Anthropic said the rate of discovery is already outpacing teams’ ability to verify and fix flaws, while the UK government told business leaders in April to strengthen cyber hygiene as AI-driven threats accelerate. The operational problem described by those sources is not only finding vulnerabilities, but controlling what happens after they are found. (the-decoder.com)

May 23 is the date of the latest public reporting, but the next milestones are already visible in source documents: Mozilla has tied the Firefox findings to its Firefox 150 release, and Anthropic’s Mythos system card and red-team materials remain the main public record for additional partner disclosures. (blog.mozilla.org) (the-decoder.com)
