Anthropic's Mythos Discovers Critical macOS Vulnerabilities, Raising Questions About AI in Cybersecurity
Key Takeaways
- ▸Mythos discovered critical macOS vulnerabilities capable of bypassing Apple's memory integrity enforcement—core security protections designed to prevent unauthorized access
- ▸Anthropic deliberately restricts Mythos access through Project Glasswing (40 organizations) because the model is consistently effective at finding production security flaws in heavily audited systems
- ▸Mythos has uncovered multiple decades-old vulnerabilities (27-year OpenBSD bug, Linux exploits) that human security researchers had missed, demonstrating a pattern of exceptional vulnerability discovery
Summary
Anthropic's Mythos AI model has demonstrated its remarkable capability to uncover deeply hidden security vulnerabilities by helping identify two previously undocumented macOS flaws that bypass Apple's memory integrity enforcement. Working through Project Glasswing, Anthropic's controlled-access initiative, researchers at Palo Alto cybersecurity firm Calif used techniques derived from Mythos to discover the vulnerabilities and chain them into a privilege escalation exploit, then delivered a 55-page technical report to Apple in person.
The discovery adds to Mythos's already impressive track record: the model has previously surfaced a 27-year-old vulnerability in OpenBSD that evaded detection for decades and identified exploitable weaknesses in Linux that human researchers had overlooked for years. However, Anthropic has deliberately kept Mythos private, recognizing the model is too effective at finding critical flaws to safely release to the public. To extract defensive value from this capability, Anthropic committed $100 million in usage credits to Project Glasswing, providing around 40 organizations—including Apple, Google, and Microsoft—with controlled access.
California CEO Thai Dong emphasized that while Mythos was crucial to the discovery, the exploit required serious human cybersecurity expertise layered on top of what the model produced. The combination succeeded where Apple's extensive engineering resources had failed, highlighting both the collaborative potential of AI-assisted security research and the ongoing human element that remains essential.
- The macOS exploit required human expertise combined with Mythos insights—the model narrowed the search space and surfaced vulnerabilities, but could not replace the specialized knowledge of professional security researchers
- The research raises critical questions about the security landscape if similar AI capabilities become more widely available beyond the current controlled access model
Editorial Opinion
Mythos represents a genuine inflection point in cybersecurity: an AI model so effective at finding critical vulnerabilities that its creators consider public release genuinely dangerous. The Calif-Apple discovery validates this concern while also revealing the partnership potential when AI and human expertise work together. As similar capabilities inevitably proliferate—whether through Anthropic loosening controls, competitors building comparable models, or less scrupulous actors pursuing the same technology—the security industry faces a fundamental transition. The question isn't whether AI will transform vulnerability discovery; it's how quickly defenders can adapt when offense becomes democratized.
