On April 8, Anthropic announced Claude Mythos Preview, a frontier AI model that autonomously discovers and exploits zero-day vulnerabilities in production software. Not in lab conditions. Not against intentionally vulnerable targets. Against fully hardened, fully patched systems that have survived decades of expert review.
The model found a 27-year-old denial-of-service vulnerability in OpenBSD, an operating system known primarily for its security. It identified a 16-year-old flaw in FFmpeg’s H.264 codec that millions of automated fuzzing runs never caught. It chained together multiple Linux kernel vulnerabilities, a use-after-free here, a KASLR bypass there, to achieve full root privilege escalation.
And in one case, it chained four separate vulnerabilities to escape a web browser’s renderer and operating system sandboxes – the kind of multi-stage exploit that until now required a team of senior offensive researchers.
These are working exploits, produced autonomously, completed in under a day, for under $2,000 – work that historically took skilled researchers days to weeks.
As someone who has spent years studying how attackers operate and leading a research team that has discovered zero-days in Fortinet, VMware vCenter, and Azure Functions, I want to share what I believe this means for defenders and for our industry.
What actually changed
Disclosure now equals weaponization. Until this week, the limiting factor in most real-world attacks was the time and expertise required to turn a known vulnerability into a working exploit. That constraint shaped everything: how we prioritized patching, how we assessed risk, how much runway we assumed defenders had between disclosure and exploitation. Mythos showed that an AI model can take a CVE identifier and a git commit hash and autonomously produce a privilege escalation exploit. The response window that defenders relied on is collapsing to near-zero.
Exploitability can no longer be inferred; it has to be proven. Security teams have historically deprioritized vulnerabilities with no public exploit and no evidence of active exploitation. That was rational when offensive research required scarce human expertise. It isn’t anymore. Mythos generated full compromise chains for vulnerabilities that no one had ever attempted to exploit, bugs sitting quietly in critical codebases for over a decade. The attack surface is no longer limited to what’s known or exposed. It now extends to anything an AI system can reason about: deep code paths, indirect trust relationships, and non-obvious lateral movement routes. The absence of known exploitation is no longer a meaningful signal of safety.
“Hard to exploit” is no longer a defense. Many defensive layers work by making exploitation complex or time-consuming. Defense-in-depth often assumes that chaining multiple vulnerabilities across subsystems is prohibitively difficult for an attacker. Anthropic’s own researchers stated it directly: mitigations whose security value comes from friction rather than hard barriers are becoming weaker. AI doesn’t experience fatigue, context loss, or iteration limits. It can systematically explore multi-step attack paths across vulnerabilities, identities, and misconfigurations at a scale no human team can match.
The problem is no longer finding vulnerabilities; it’s modeling the adversary. This is the shift I think the industry hasn’t fully absorbed. When AI can generate exploitation strategies on demand, the security research question changes fundamentally. It’s no longer enough to ask “what vulnerabilities exist?” We need to ask, “How would an adversary with unlimited patience and near-zero cost combine exposures in our specific environment to achieve impact?” That requires modeling how attack paths are generated, how environmental context shapes exploitation, and how vulnerabilities interact with identities and configurations, not just cataloging individual weaknesses.
How we’re building for this reality
At Pentera Labs, we’ve been operating at the intersection of offensive research and automated validation for years. Our team discovers vulnerabilities, builds real-world attack emulations, and translates that research into a platform that runs continuously in production. Mythos doesn’t change our direction; it accelerates it and raises the bar for what validation must cover.
Reasoning where humans don’t look. Our research on intentionally vulnerable training applications, where we found nearly 2,000 exposed instances of apps like OWASP Juice Shop being exploited as cloud compromise entry points in Fortune 500 environments, demonstrated that real risk often hides in places no one thinks to examine. AI-driven exploration lets us systematically surface these overlooked paths: the forgotten assets, the indirect trust chains, the configurations that only become dangerous in combination.
Building and testing the chains that matter. The signature capability Mythos demonstrated is chaining, combining individually minor weaknesses into full compromise paths. We’re integrating that same reasoning capability into our validation engine: constructing multi-step attack scenarios across vulnerabilities, identity exposures, and misconfigurations, then testing them in the customer’s live environment to prove what’s real and what’s theoretical.
Closing the loop at the speed risk is created. Finding exploitable paths is only valuable if you can act on them before an attacker does. Our platform doesn’t stop at discovery; it validates, prioritizes by proven blast radius, and orchestrates remediation. When offensive capabilities accelerate, the entire cycle from detection to fix has to accelerate with it.
What this means for the ecosystem
This shift doesn’t invalidate any part of the security stack. Detection, response, patching, posture management, they all still matter. But validation becomes the connective layer that tells you whether everything else is actually working.
When an AI-powered adversary can probe for novel attack paths at negligible cost, no severity score, no threat intel feed, and no periodic assessment can tell you whether you’re actually protected. Only continuous, adversarial testing of your real environment, across identity, lateral movement, and misconfiguration, can answer that question honestly.
No single vendor solves this alone. The ecosystem needs to evolve together. But the foundation has to be proof, not assumption.
That future just arrived.
