Small AI Models Find Mythos Vulnerabilities, Challenging Frontier AI Claims

The Mythos Announcement and Its Premise

On April 7, Anthropic unveiled Claude Mythos Preview and Project Glasswing, a consortium aimed at using the new, limited-access AI model to find and patch critical software vulnerabilities. The announcement, detailed in a technical blog post, described Mythos autonomously discovering thousands of zero-day vulnerabilities across every major OS and browser, including a 27-year-old bug in OpenBSD and a 16-year-old bug in FFmpeg.

The post highlighted sophisticated exploit construction, such as multi-vulnerability privilege escalation chains in the Linux kernel and a remote code execution exploit against FreeBSD. Anthropic committed up to $100 million in usage credits and $4 million in direct donations to open-source security organizations.

However, Anthropic stated it would never release Mythos Preview to the public, citing unprecedented cybersecurity risks. Instead, access is limited to around 50 select companies and organizations via Project Glasswing, with Anthropic’s Mike Krieger describing it as “arming them ahead of time.” This stance was reinforced after a code leak prompted warnings about severe fallout for economies and national security.

The Counterpoint: Small Models, Big Results

Researchers at AI cybersecurity startup AISLE have challenged the narrative that these capabilities are exclusive to frontier models like Mythos. In a detailed analysis published Wednesday, AISLE’s team tested the specific vulnerabilities Anthropic showcased on small, cheap, and open-weights models.

They found that these models recovered much of the same analysis. Eight out of eight models tested detected Mythos’s flagship FreeBSD NFS remote code execution exploit, including a model with only 3.6 billion active parameters costing $0.11 per million tokens. A 5.1B-active open model recovered the core chain of the 27-year-old OpenBSD TCP SACK bug.

Furthermore, on a basic security reasoning task—distinguishing a false positive SQL injection in a Java OWASP benchmark snippet—small open models outperformed most frontier models. “The capability rankings reshuffled completely across tasks,” the researchers noted. “There is no stable best model across cybersecurity tasks. The capability frontier is jagged.”

Decomposing the AI Cybersecurity Pipeline

AISLE’s argument hinges on a modular view of AI cybersecurity, which they say the Mythos announcement blends into a single, integrated capability. In practice, the pipeline consists of distinct tasks with different scaling properties: broad-spectrum scanning, vulnerability detection, triage, patch generation, and exploit construction.

The detection and analysis phase, once the relevant code is isolated by a scaffold, appears broadly accessible. “The moat in AI cybersecurity is the system, not the model,” AISLE concludes. Their own system has been operational since mid-2025, discovering 15 CVEs in OpenSSL and over 180 across 30+ projects.

The practical consequence of this “jagged” capability frontier is economic. Because small, cheap models are sufficient for much detection work, defenders can deploy them broadly for sheer coverage, rather than judiciously deploying one expensive model. “A thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look,” they write.

Evidence of Jagged Capability

AISLE’s tests provide concrete evidence. For the FreeBSD NFS bug, all eight models correctly identified the stack buffer overflow and assessed it as critical. In exploitation reasoning follow-ups, models like DeepSeek R1 and GPT-OSS-120b proposed detailed ROP chain strategies and correctly analyzed mitigation bypasses.

For the more subtle OpenBSD SACK bug, requiring understanding of signed integer overflow, a 5.1B-active model recovered the full public exploit chain. Performance varied wildly, however. Qwen3 32B, which aced the FreeBSD test, confidently declared the SACK code “robust to such scenarios” and scored an F.

The OWASP false-positive test showed near-inverse scaling, with small models like GPT-OSS-20b correctly tracing the data flow while many larger, more expensive models failed. This jaggedness underscores that there is no single “best” model for cybersecurity.

What About Exploitation?

AISLE acknowledges that Mythos’s demonstrated exploit construction—PTE manipulation, HARDENED_USERCOPY bypasses, multi-round payload delivery—is genuinely sophisticated and may represent a capability boundary. “Open models reason fluently about *whether* something is exploitable... Where they stop is the creative engineering step,” they note.

However, for the defensive workflows central to Project Glasswing, full autonomous exploit construction is less critical than reliable discovery, triage, and patching. Linux Foundation CEO Jim Zemlin, whose organization is part of Glasswing, emphasized this benefit, saying AI tools could alleviate the burden on overworked kernel maintainers.

The Bigger Picture and Industry Implications

The Mythos announcement is a major validation for the AI cybersecurity category, raising awareness and committing significant resources. Project Glasswing partners, including the Linux Foundation, are beginning to experiment with the model.

Yet, AISLE and other observers caution against overstating the exclusivity of these capabilities. TechCrunch noted the debate over whether limiting Mythos protects the internet or Anthropic itself. The research suggests that discovery-grade AI cybersecurity capabilities are broadly accessible today with current models.

The priority, therefore, shifts to building the scaffolds, pipelines, and maintainer relationships needed to turn model capabilities into trusted outcomes at scale. As CrowdStrike CTO Elia Zaitsev noted, the window between vulnerability discovery and exploitation has collapsed, making scalable defensive tools imperative.

Anthropic’s work proves the potential is real. The open question is how to operationalize it. AISLE’s evidence suggests the ecosystem need not wait for a single, restricted frontier model to begin building robust AI-powered defenses.