<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Software on tomgromak.com</title><link>https://tomgromak.com/tags/software/</link><description>Recent content in Software on tomgromak.com</description><generator>Hugo -- 0.150.0</generator><language>en-us</language><lastBuildDate>Sat, 18 Apr 2026 05:00:00 -0500</lastBuildDate><atom:link href="https://tomgromak.com/tags/software/index.xml" rel="self" type="application/rss+xml"/><item><title>Update Your Software</title><link>https://tomgromak.com/posts/articles/2026/update-your-software/</link><pubDate>Sat, 18 Apr 2026 05:00:00 -0500</pubDate><guid>https://tomgromak.com/posts/articles/2026/update-your-software/</guid><description>&lt;p&gt;Anthropic (the company behind &lt;a href="https://claude.ai"&gt;Claude&lt;/a&gt;, the AI assistant I use daily) recently released a new model called &lt;a href="https://red.anthropic.com/2026/mythos-preview/"&gt;Claude Mythos Preview&lt;/a&gt;. If you&amp;rsquo;ve heard of it, you&amp;rsquo;ve probably noticed that it&amp;rsquo;s not available to us. That&amp;rsquo;s intentional, and the reason why has me all fired up.&lt;/p&gt;</description><content:encoded><![CDATA[<p>Anthropic (the company behind <a href="https://claude.ai">Claude</a>, the AI assistant I use daily) recently released a new model called <a href="https://red.anthropic.com/2026/mythos-preview/">Claude Mythos Preview</a>. If you&rsquo;ve heard of it, you&rsquo;ve probably noticed that it&rsquo;s not available to us. That&rsquo;s intentional, and the reason why has me all fired up.</p>
<p>Mythos Preview turns out to be extraordinarily capable at finding security vulnerabilities in software, in a way nothing before it has been. Anthropic&rsquo;s own testing found that it could identify zero-day vulnerabilities (bugs that nobody had previously found) in every major operating system and every major web browser. It found a 27-year-old bug in OpenBSD, an operating system known specifically for its security rigor. It found a 16-year-old vulnerability in FFmpeg, a media library that&rsquo;s been pored over by security researchers for years (and one that I use regularly). It did things that expert human security researchers said would have taken them weeks, in a matter of hours.</p>
<p>Because of this, Anthropic isn&rsquo;t releasing it to the general public. Instead, through something they&rsquo;re calling Project Glasswing, they&rsquo;re giving software companies and open source developers a window to use Mythos Preview to find and fix vulnerabilities before those same capabilities fall into other hands. I believe that&rsquo;s a genuinely responsible decision, and it&rsquo;s consistent with what I&rsquo;ve come to expect from them. Anthropic is more transparent than other major AI labs about the concerns they have with the technology they&rsquo;re building. They&rsquo;re promotional too, and I have significant concerns about their business model, but there&rsquo;s a philosophy behind their public-facing work that I find credible.</p>
<p>There&rsquo;s a catch, though: Anthropic isn&rsquo;t the only one building these tools.</p>
<p>They may be the first to reach this level of capability, or among the first. Leads in this industry are typically measured in months before others catch up. The same tools that allow Anthropic to hand Mythos Preview to software companies for defensive purposes will eventually be available to people with less responsible intentions. That&rsquo;s not speculation. It&rsquo;s the history of this field.</p>
<p>To understand why this matters, it helps to understand how exploit-finding has worked historically. Finding serious vulnerabilities in software has been genuinely difficult, labor-intensive work. It required deep expertise, time, and patience. Skilled attackers could do it, but the difficulty acted as a natural throttle on how often it happened. Major vulnerabilities surfaced a handful of times a year. Lately that cadence has been accelerating; significant vulnerabilities feel like a weekly occurrence now. What Anthropic found with Mythos Preview suggests we&rsquo;re about to see another jump in that pace. Finding and exploiting vulnerabilities that used to take skilled researchers weeks is now something that can happen in hours, at low cost, without human intervention after the initial prompt.</p>
<p>The deeper problem is that the software ecosystem they&rsquo;re trying to help isn&rsquo;t in great shape.</p>
<p>For a lot of software, especially from large companies with substantial resources, quality and security have been treated as secondary concerns. What matters is shipping, gaining market share, and getting to the next version. Microsoft&rsquo;s Windows releases are the perennial example: despite the resources available to them, new versions arrive with known problems that feel less like oversight and more like a business decision about acceptable quality thresholds. We, the users, end up as the final test environment. That&rsquo;s negligence, and I think it&rsquo;s worth naming it as such.</p>
<p>I want to be careful here, though, because not all software is like this. A lot of the software I rely on and love most was built by independent developers or small teams, often as a craft project or an open source effort run by volunteers. For those developers, finding and fixing every vulnerability isn&rsquo;t a matter of will. It&rsquo;s a matter of bandwidth. When a security bug surfaces in software built by someone genuinely trying to do right by their users, I extend real grace. It&rsquo;s the corporations with dedicated security teams that have less excuse.</p>
<p>Regardless of the reason, the result is the same: a lot of software running on a lot of computers has vulnerabilities in it. Those vulnerabilities have historically been protected, to some degree, by the sheer difficulty of finding them. That protection is diminishing.</p>
<p>So what does this actually mean for the rest of us?</p>
<p>I&rsquo;ve been someone who&rsquo;s cautious about software updates. New versions often introduce their own problems. Sometimes there&rsquo;s no going back once you&rsquo;ve updated. I&rsquo;ve watched people get burned by rushing to the latest version. When I help friends or family with their computers, I&rsquo;ll check whether their browser or operating system needs updating (browser updates in particular are usually just a restart away), but I&rsquo;ve held back from being too insistent about it.</p>
<p>I&rsquo;m changing my approach.</p>
<p>The calculus has shifted. The risk of keeping software with a known vulnerability, especially when that vulnerability can now be found and exploited faster and more cheaply than ever, outweighs the risk of dealing with whatever minor annoyances a new version might introduce. The downside of a buggy update is inconvenience. The downside of an unpatched vulnerability, in a world where exploit-finding is becoming increasingly accessible, is something much worse: potential access to your files, your accounts, your financial information, and your medical records. Think about how much of your life your software touches. Even if you wanted to opt out of all of it, you couldn&rsquo;t.</p>
<p>My advice is simple, and this applies to your operating system, your web browser, your apps, everything:</p>
<ul>
<li>When a software update includes security fixes, update promptly.</li>
<li>If you&rsquo;re not sure whether a given update includes security fixes, seriously consider updating anyway.</li>
<li>Enable automatic updates where you&rsquo;re comfortable doing so.</li>
</ul>
<p>If you help anyone else with their devices, this is worth a gentle push. Every time I sit down with someone to help them with something and I notice Chrome is running three versions behind, I ask if I can update it right then. I used to see it as a nice-to-do. Now it feels more urgent than that.</p>
<p>Where this goes from here is uncertain. We&rsquo;re in a period where the tools to find and exploit vulnerabilities are advancing faster than most software can be patched. Anthropic&rsquo;s Project Glasswing is an acknowledgment of that gap, and a genuine effort to use the same capability defensively before the offensive version spreads further. Whether the rest of the industry coordinates around this responsibly is an open question. Right now, the competitive dynamics of the AI space don&rsquo;t exactly reward slowdowns for collective safety.</p>
<p>What makes me cautiously hopeful, however, is that the capability cuts both ways. If AI tools for finding and fixing vulnerabilities become accessible to developers at every scale, the long-term outcome could actually be more secure software than we&rsquo;ve ever had. The care that independent developers bring to their work, combined with tools that can help them find what they&rsquo;d otherwise miss, is a genuinely promising combination. Anthropic&rsquo;s own write-up on this ends with a call to action for the security community, framing it as a moment like the launch of post-quantum cryptography work in 2016 (preparing for the day quantum computers could break today&rsquo;s encryption, years before that was an immediate threat): a time to prepare for what&rsquo;s coming rather than react to it.</p>
<p>We just need to get there first. In the meantime: update your damn software.</p>]]></content:encoded></item></channel></rss>