Anthropic's Mythos Preview model has now found over 2,000 unknown zero-day vulnerabilities in seven weeks of testing — in every major operating system and every major web browser. One of the bugs had survived 27 years of human review, fuzzers, and red-team exercises inside OpenBSD's TCP stack — and two packets can crash any server running it. The single model run that surfaced that bug cost under fifty dollars. The whole campaign that found it cost roughly twenty thousand. A second example: a sixteen-year-old vulnerability in FFmpeg, the video library used inside almost every modern application that touches video, in a line of code automated testing tools had hit five million times without ever catching the problem. As of this week, fewer than one percent of the vulnerabilities Mythos found have been patched.
Why this matters has nothing to do with the model. The model is a fact. What matters is the institutional response. On April 7 Anthropic announced Project Glasswing — a coalition of eleven named partners (Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks) and roughly forty more. Anthropic committed one hundred million dollars in Mythos usage credits across these partners, plus four million dollars in direct donations to open-source security organizations — two and a half million split between Alpha-Omega and OpenSSF, one and a half million to the Apache Software Foundation. Anthropic chose to gate the model. Mythos has not been generally released. The thesis: get the defenders patched before models with similar capabilities become broadly available.
The numbers underneath that decision are the most uncomfortable part of the story. CyberGym benchmark: 83.1 percent for Mythos, against 66.6 percent for Opus 4.6. SWE-bench Verified: 93.9 percent. Firefox JavaScript shell autonomous exploit development: 72.4 percent success rate. Mythos chained four independent bugs into a single exploit sequence in one demonstration. It built twenty-gadget return-oriented programming chains targeting FreeBSD's NFS server in another. Independent security researchers at Vidoc Security Lab have already reproduced parts of these findings using publicly available models — meaning the capability is harder to gatekeep than the Glasswing rollout assumes.
The backstory is short and useful. Less than a month before the Mythos announcement, Anthropic refused contractual language that would have permitted the Pentagon to use Claude for "all lawful purposes" — read: autonomous-weapons targeting and domestic mass surveillance. The Pentagon designated Anthropic a "supply chain risk." A federal judge ruled the designation was "pretextual" and motivated by "unlawful retaliation." Two days ago, the Pentagon announced classified-network AI deals with eight other vendors and Anthropic was not on the list. Pentagon CTO Emil Michael told CNBC on May 1 that the procurement blacklist is one issue and Mythos is a different one. Read that statement carefully. The Pentagon does not want Anthropic building weapons. The White House does not want Anthropic gatekeeping defenses. The same week.
The countervailing angle nobody is saying out loud is the asymmetry. The fewer-than-one-percent patch rate means the defenders were not ready for what Mythos produced. The reproducibility of the findings by independent labs means the offensive side is not exclusively in Anthropic's hands. The White House decision to block expansion to seventy more entities — on grounds of "security concerns and compute availability" — is policy by hesitation. It is not a coordinated patch program. It is not a CISA-led disclosure cadence. It is a moratorium on a single private company's plan to share a defensive capability that already exists in some form elsewhere.
Three things to watch over the next thirty days. First, whether Anthropic publishes a CVE-coordinated disclosure timeline so the patch rate moves above one percent. Second, whether CISA or the White House proposes a formal program to license or coordinate access to Mythos-class capabilities, instead of relying on case-by-case denials. Third, whether one of the eleven partners — most likely Microsoft or Google, given the OS coverage — publicly cites a specific Mythos-found bug as the basis for an out-of-band patch. Any of these moves the story from headline into policy. None of them changes the underlying fact: a privately controlled AI model has just demonstrated that it can find bugs that have been there for almost three decades, in less time than a quarterly security audit takes to schedule.
The takeaway is clean. The single most consequential AI capability of 2026 so far is not a chatbot, not an agent, not a benchmark on a leaderboard. It is a model that has now discovered enough zero-days to keep the entire patching apparatus of every major technology company busy for years — and the institutions that need to coordinate the response have spent the same week debating who is allowed to use it. The window between vulnerability discovery and exploitation, in CrowdStrike's CTO's phrase, has collapsed. The window between policy decision and policy execution has not.
Sources
1. Anthropic — Project Glasswing: Securing critical software for the AI era · Apr 7, 2026
2. Anthropic Research — Claude Mythos Preview — Technical capabilities · Apr 7, 2026
3. Fox News — Anthropic's Mythos AI found 2,000 unknown software vulnerabilities in seven weeks of testing · Apr 25, 2026
4. The Hacker News — Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them? · Apr 8, 2026
5. CNBC — Pentagon tech chief says Anthropic is still blacklisted, but Mythos is a separate issue · May 1, 2026
6. VentureBeat — Mythos autonomously exploited vulnerabilities that survived 27 years of human review · Apr 15, 2026
7. SC Media — Claude Mythos Preview identifies 27-year-old bug, finds 'thousands' of zero-days in weeks · Apr 8, 2026
8. Tom's Hardware — Anthropic's latest AI model identifies 'thousands of zero-day vulnerabilities' in every major OS and browser · Apr 8, 2026
9. PC Gamer — Anthropic's Claude Mythos AI model has found thousands of vulnerabilities in 'every major operating system' · Apr 8, 2026
10. Resultsense — Anthropic Mythos: zero-day discovery, White House blocks expansion · May 1, 2026
11. Vidoc Security Lab — We Reproduced Anthropic's Mythos Findings With Public Models · Apr 22, 2026
12. Dark Reading — Anthropic's Mythos Has Landed: Here's What Comes Next for Cyber · Apr 9, 2026