Anthropic's Mythos and the Shifting Baseline of AI-Driven Vuln Hunting
Original source: What Anthropic’s Mythos Means for the Future of Cybersecurity (Schneier on Security)
Anthropic’s Claude Mythos Preview can reportedly find vulnerabilities in operating systems and internet infrastructure and turn them into working exploits without human guidance. The company has restricted access to a small set of partners rather than releasing it broadly, citing safety. Schneier and Barath Raghavan frame this not as a sudden break but as another incremental step in a trajectory that has been visible for years — one easy to underestimate thanks to shifting baseline syndrome.
The more interesting question is how the offense/defense balance shifts. The authors argue it will be uneven rather than universally bad. Vulnerabilities split along two axes: easy versus hard to verify, and easy versus hard to patch. Cloud apps and browsers sit in the favorable quadrant where defenders can auto-patch quickly. IoT, industrial control systems, cars, transformers, and legacy banking and airline stacks sit in the worst quadrant — easy to find bugs, impossible to fix at speed. Those systems need to be wrapped in tighter network controls and least-privilege boundaries, not exposed to the open internet.
For software teams, the practical implication is what the authors call VulnOps: defensive AI agents running continuous exploit testing against real stacks to weed out false positives and confirm fixes. Documentation, standard libraries, and conventional patterns become more valuable because both AI agents and humans rely on them to reason about code. The authors expect defenders to win eventually on patchable systems, after a rough few years where unpatchable infrastructure absorbs most of the damage.
This is an AI-generated summary. Read the original for the full story.