Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere

Mythos appears to be as powerful as claimed at detecting software vulnerabilities; but its capabilities in other areas is more nuanced. Anthropic’s Mythos AI model has been making waves since its announcement in early April, primarily because of its reputed ability to unearth considerably more vulnerabilities than any other AI model. XBOW, an autonomous offensive security firm, has aimed its own AI testing armory against Mythos Preview to check the validity of this and other Mythos capabilities. Anthropic’s primary claim is confirmed. “Mythos Preview presents a significant step up over all existing models, regardless of provider,” reports XBOW.  As Gary McGraw commented 20 years ago, operational defects occur in the interaction between source code bugs and architectural design flaws. “You can’t find design defects by staring at code – a higher-level understanding is required,” he said. XBOW tested Mythos against both access to the code alone, and the code operating in a live situation. It found that the model excels at finding problems when testing ‘live + source’, but not so well against the source code alone. This doesn’t detract against the power of Mythos probing source code, but XBOW points out that while any AI model can find something interesting, the ‘something’ won’t be the same as ‘everything’. Other XBOW tests explored Mythos capability in terms of judgment, reverse engineering, assessment of native apps, and visual acuity.  In judgment, it rejected false positives better than its predecessors, “but sometimes lost true positives when evidence did not formally satisfy its criteria.” Mythos requires precise prompts for best results.  The model exhibits substantial strength in both native code vulnerability discovery and reverse engineering. In the reverse engineering tests, XBOW concluded Mythos is “capable of triaging both its own results and competitor-model findings,” and the model could reason through unusual firmware and embedded systems contexts. XBOW’s visual acuity tests examine the model’s ability to interact with live websites through a browser interface; that is, the ability to identify the right UI element and click in the right place. “It was not perfectly pixel-accurate when asked for exact coordinates, but it was practically effective at selecting the right browser actions,” writes XBOW. There is, however, one statistic that can easily be overlooked by users overawed by the power of Mythos. “Mythos Preview is not just any new model: it’s a true titan. But titans are big, and big means expensive.”  At the time of writing, specific costs are not available, although Anthropic has said it will be 5x as expensive as an Opus model. This made XBOW question whether it would be possible to give a cheaper model more time and get more accuracy at less cost. The conclusion was yes. “If we normalize by estimated running cost, the picture is rather clear: Mythos Preview isn’t terribly inefficient, at least if you desire high accuracy, but it’s not best-in-class on our benchmarks either.” For finding web vulnerabilities with a fixed token budget, Mythos outperforms Opus 4.6 but is outperformed by GPT5.5. None of these findings detract from the original fundamental claim. Mythos is better at finding vulnerabilities in code than other models. Overall, however, the primary takeaways from XBOW’s testing are: Mythos is extremely powerful for source code audits.  It’s good, but less powerful, at validating exploits.  Its judgment is mixed. It can be too literal and conservative and also tends to overstate the practical relevance of its findings.  It is strong in native-code vulnerability discovery and reverse engineering.  “Mythos Preview is strong at finding candidate vulnerabilities, especially from source code, and shows impressive ability across web, native-code, and reverse-engineering tasks,” concludes XBOW. Related: Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Related: Claude Mythos Finds Only One Curl Vulnerability; Experts Divided on What It Really Means Related: Claude Mythos Finds 271 Firefox Vulnerabilities Related: ‘Mythos-Ready’ Security: CSA Urges CISOs to Prepare for Accelerated AI Threats WRITTEN BY Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware Build Application Firewalls Aim to Stop the Next Supply Chain Attack Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking AI Coding Agents Could Fuel Next Supply Chain Crisis Hacker Conversations: Joey Melo on Hacking AI Anthropic Unveils Claude Security to Counter AI-Powered Exploit Surge AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours Latest News Enhancing Data Center Security Without Sacrificing Performance New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation Akamai to Acquire AI and Browser Security Firm LayerX for $205 Million Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns G7 Countries Release AI SBOM Guidance F5 Patches Over 50 Vulnerabilities Hackers Targeted PraisonAI Vulnerability Hours After Disclosure High-Severity Vulnerability Patched in VMware Fusion Trending Webinar: Third-Party Risk In Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Silvio Pappalardo has joined AuthMind as Chief Revenue Officer. iCOUNTER has appointed Lisa Hayashi as CMO and Bob Kalchthaler as CFO. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is The SOC Obsolete, And We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) Flipboard Reddit Whatsapp Email