The Vulnerability Timeline Just Collapsed

Anthropic has identified thousands of zero-day vulnerabilities across every major operating system and web browser using its Claude Mythos Preview model—some of which have survived decades of human review and millions of automated security tests. More critically: the time required to discover, develop, and exploit these vulnerabilities has compressed dramatically.

Firefox’s rapid deployment of 271 fixes identified during initial Claude Mythos evaluation demonstrates the new reality: what took human researchers months or years to uncover now takes AI systems hours.

Why This Changes Everything

Vulnerability discovery has always been a race between defenders and attackers. Defenders relied on time—the assumption that vulnerability research would take long enough for patches to be developed, tested, and deployed. That assumption is now broken.

The cost, effort, and expertise barriers that once protected enterprises have all collapsed simultaneously. An attacker no longer needs a team of PhD-level security researchers. They need access to a frontier AI model and patience measured in hours, not months.

China, Russia, and organised cybercriminal groups aren’t waiting for ethical guidelines. They’re weaponising these tools right now.

The Dual-Edged Problem

There’s a genuine defensive benefit: Firefox fixed 271 vulnerabilities before they could be weaponised. Other browsers and OS vendors are likely doing the same. But this creates a false sense of control.

The asymmetry is brutal: vendors discover vulnerabilities faster, yes—but so do adversaries. And adversaries don’t publish patches; they exploit the vulnerabilities. The window where only defenders know about a vulnerability has shrunk to hours or days.

The broader concern is that infrastructure powering LLM systems has “abandoned decades of hard-won security best practices in favour of shipping fast.” AI security infrastructure itself is becoming a vulnerability vector.

What This Means for Security Teams

Patch cycles are now existential. The 90-day vulnerability disclosure timeline is already outdated. Organisations need to move toward 24-48 hour patch deployment for critical zero-days identified by AI systems.

Assume compromise. With zero-days being discovered and exploited in parallel timelines, defenders must shift from “prevent all breaches” to “detect and contain rapidly.”

AI-driven threat modelling is no longer optional. Security teams need their own Claude Mythos-equivalent access to identify vulnerabilities before attackers do. This is becoming a defensive necessity, not a luxury.

Supply chain risk has exploded. Every dependency, library, and third-party component is now a potential zero-day vector. Enterprises need real-time SCA (Software Composition Analysis) with AI-powered vulnerability detection.

Open Questions

How will vendors coordinate zero-day disclosure and patching at scale? Will we see coordinated “N-day” release schedules? Can patch management tools keep pace with vulnerability discovery rates measured in hours?

And perhaps most critically: if frontier AI can find vulnerabilities in operating systems that have had millions of eyes on them, what’s the actual security ceiling for enterprise applications?

The vulnerability discovery arms race just accelerated. Defenders who don’t move fast will lose.


Source: Anthropic Project Glasswing