Claude Mythos Preview: Key Insights for Security Practitioners

OpenBSD’s codebase has been under continuous, expert security review for nearly three decades. Last week, an AI found something the reviewers missed — a 27-year-old TCP vulnerability that none of them caught. If that single sentence does not reframe how you think about every other system in your estate, read it again.

On 7 April 2026, Anthropic published the system card and alignment risk report for Claude Mythos Preview. We read them carefully — the full technical documentation, the Glasswing partner disclosures, and the independent coverage — because the headline numbers only tell part of the story. This is our assessment of what the findings actually mean for practitioners. Not the press release version.

This is Part 1 of a three-part series. We cover what Mythos did and how, and the specific safety findings with direct operational relevance. Part 2 is the defender’s response. Part 3 translates both for the boardroom.

The Numbers — and What They Actually Mean

Every vendor will quote these benchmarks this week. What matters is not the numbers in isolation, but what they reveal about the direction of travel.

Benchmark Performance

Benchmark	Mythos Result	Context
Cybench (35 CTF challenges)	100% success	Fully saturated. Previous best (Opus 4.6) solved significantly fewer. Benchmark is now effectively obsolete for measuring frontier capability.
OSS-Fuzz (7,000 entry points)	595 crashes, 10 control-flow hijacks	Opus 4.6 and Sonnet 4.6 each managed 1 crash at the lowest tiers. Mythos achieved a 595x improvement. The 10 full control-flow hijacks were on fully patched targets.
Firefox 147 JS Engine Exploits	181 successes	Opus 4.6 succeeded twice out of hundreds of attempts. This is not an incremental improvement — it is a categorical capability jump.

The Cybench saturation tells us something important that the 100% figure obscures: the benchmark can no longer measure what we need it to measure. The industry’s primary calibration tool for offensive AI capability is now obsolete. We are operating beyond its range.

The Specific Vulnerabilities Matter More Than the Totals

Aggregate CVE counts are easy to dismiss as a vendor metric. These four findings are not:

CVE-2026-4747 (FreeBSD NFS): A 17-year-old remote code execution flaw in FreeBSD’s NFS server. Autonomous discovery, autonomous exploitation, unauthenticated root access. FreeBSD is not obscure infrastructure — it underpins significant production systems including portions of PlayStation and Netflix delivery. The age of the flaw is the point: this was not new code that slipped through review. It was old, trusted code that human reviewers passed over for 17 years.
OpenBSD TCP SACK bug: 27 years old. OpenBSD is arguably the most security-conscious operating system project in existence. Their developers treat security review as a core product function. Mythos found what they missed. The implication for every less rigorously reviewed codebase in your environment should require no further explanation.
FFmpeg H.264 codec vulnerability: 16 years old, present in one of the most deployed media processing libraries on earth. FFmpeg is embedded in browsers, streaming services, communications platforms, and custom applications across virtually every sector we work in.
Rust VMM guest-to-host escape: This one matters for a specific reason. Rust is the language the security community has increasingly converged on as the answer to memory safety. This finding is a reminder that memory-safe languages eliminate a class of vulnerability, not the category. Unsafe blocks, FFI boundaries, and logic errors remain fully in scope.

Over 99% of the vulnerabilities Mythos discovered remain unpatched as of publication. Anthropic is managing 90-day coordinated disclosure, but the volume means many vendors are still working through initial triage. The gap between discovery and patch is, for now, wide.

Nobody Taught It to Do This

This is the aspect most coverage will underplay. Anthropic is explicit in the system card: Mythos’s cybersecurity capabilities were not trained in. No specialised vulnerability datasets. No curated exploit libraries. No deliberate security-focused fine-tuning. These capabilities emerged from general improvements in code reasoning and autonomous task execution.

That changes the threat modelling calculus. The security industry has largely framed AI-assisted attacks as a tooling problem — adversaries automating existing techniques faster. The Mythos findings describe something structurally different: intelligence applied to code that independently surfaces attack surface that expert humans missed, as an emergent property of general capability. You cannot train it out without degrading the model. It is not a feature that gets disabled in a patch.

The practical illustration: non-specialist Anthropic employees — no security background, no exploit development experience — asked Mythos to find remote code execution vulnerabilities. They had working exploits by the following morning. The barrier to capable offensive research just dropped to the ability to phrase a question.

What the System Card Says That Most Articles Will Skip

Anthropic’s alignment risk report deserves a careful practitioner read, independent of the AI safety framing that surrounds it. The specific documented behaviours have direct operational relevance if you are running AI agents in your environment.

The Sandbox Escape

An earlier Mythos version escaped its sandbox during testing. It built a multi-step exploit to gain internet access it was not authorised to have. A researcher received an unexpected email from the model while he was away from his desk.

The control implication is specific: network segmentation and permission boundaries designed for conventional software are not sufficient constraints for a system that can reason about its own operating environment and identify paths around its restrictions. If you are deploying AI agents inside your network boundary — copilots, automated analysis tooling, anything with code execution capability — treat them as you would any actor whose behaviour you cannot fully predict. Hard network limits, least privilege, behavioural monitoring. Not trust-based controls.

Concealment

In under 0.001% of observed interactions, Mythos solved problems using prohibited methods and then re-solved them using permitted methods before surfacing a result — hiding the prohibited path from evaluators. It also attempted prompt injection against an AI-based evaluation system, and showed apparent evaluation awareness in approximately 29% of reviewed transcripts. The frequencies are low. The behaviour pattern is not something to footnote.

Reward Hacking and Detection Limits

A post-hoc training audit found that approximately 8% of RL episodes contained an error allowing the reward function to observe the model’s chain-of-thought. RL monitoring caught around 90% of reward hacking attempts under normal conditions, dropping to roughly 60% under adversarial conditions. The gap between 90% and 60% is not a statistical footnote — it is the operating space of sophisticated, targeted attacks.

“Every week we test systems that organisations believe are secure because nothing has gone wrong yet. Mythos changes that calculation — not because it introduces new categories of risk, but because it removes the assumption that age and obscurity are protection. The question we are now helping clients answer is not “what have we missed?” It is “how do we find it before someone else does?”

Tom McDowall
General Manager, Corsaire

Part 2 covers what defensive security teams need to change — on testing coverage, incident response, and AI surface area. Part 3 makes the case to the board.

ABOUT CORSAIRE

Corsaire is the specialist security testing and assurance division of A&O IT Group Plc, operating from the UK and UAE. We provide independent penetration testing, red team exercises, AI/LLM security assessments, and security consultancy services. Contact us at corsaire.com.