Anthropic Claude weaponizes vulnerabilities

Anthropic’s April 7 disclosure about Claude Mythos Preview landed because it described more than faster bug-hunting. In a technical post, the company said the model could identify and exploit zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. (red.anthropic.com) Anthropic also said Mythos had shown it could reverse-engineer exploits on closed-source software and turn N-day vulnerabilities — known flaws that are not yet widely patched — into exploits. That matters because the step from finding a flaw to producing exploit steps is where offensive capability becomes operational. Anthropic said more than 99% of the vulnerabilities it found had not yet been patched, which is why it withheld technical detail under a coordinated disclosure process. (money.usnews.com) The company paired the release with Project Glasswing, a restricted program meant to put the model in the hands of selected defenders rather than release it broadly. ### How far did Anthropic say the model could go? Anthropic said Mythos Preview was “strikingly capable” at computer security tasks and described it as capable of both finding and exploiting zero-days. The company’s research post said the oldest patched bug it had found so far was a 27-year-old flaw in OpenBSD. (red.anthropic.com) It also said the model could write privilege-escalation exploits for vulnerabilities it identified during testing. The company’s own framing was unusually direct for a model launch. Anthropic wrote that the disclosed results showed “a substantial leap” in cybersecurity capability and said the industry should take “urgent action” in response. That language came in the same document that outlined why the company was limiting disclosure of specific bugs. (red.anthropic.com) ### Did anyone outside Anthropic test the cyber claims? The U.K. AI Security Institute said on April 13 that it had evaluated Claude Mythos Preview and found “significant improvement” on multi-step cyber-attack simulations. In its write-up, the institute said the model could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously when explicitly directed and given network access in controlled tests. (red.anthropic.com) The institute also gave a benchmark that helps explain the concern. It said Mythos succeeded 73% of the time on expert-level capture-the-flag tasks and tested the model on a 32-step corporate network attack simulation that it estimated would take humans about 20 hours to complete. (red.anthropic.com) ### Why are security teams focused on “weaponization”? The distinction is that vulnerability discovery alone does not automatically produce an attack path. Anthropic’s post said Mythos could chain vulnerabilities, write privilege-escalation exploits, and convert known-but-unpatched bugs into usable exploits. Those are the steps that security practitioners usually associate with turning research into offensive tradecraft. (aisi.gov.uk) Industry reaction has centered on speed. Anthropic’s launch of Project Glasswing said it was giving defenders “a head start” with the model, and Reuters reported on May 18 that the company changed its policy to let Mythos users share cyber threat information with others exposed to similar vulnerabilities. (aisi.gov.uk) That shift suggested Anthropic wanted defensive findings to move faster beyond the initial partner group. ### Who has access, and what happens next? Project Glasswing launched with named partners including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, according to Anthropic’s project page. Anthropic said the initiative was aimed at securing critical software for the AI era. (red.anthropic.com) On May 18, Reuters reported that Anthropic was revising its earlier position so Mythos users could share threat information with other organizations facing similar risks. That means the next phase is likely to involve broader disclosure of defensive findings to vendors, operators and other exposed parties, even while access to the model itself remains restricted. (anthropic.com) (money.usnews.com)