Small models also found the vulnerabilities that Mythos found

What happened
Anthropic reportedly unveiled Claude Mythos Preview and Project Glasswing, a push to use a limited-access model to find and patch critical vulnerabilities, and reportedly claimed that the model autonomously discovered, and even wrote exploits for, long-standing bugs across major OSes and browsers. The company also pledged substantial resources (reportedly up to $100M in usage credits and $4M in donations) to open-source security work. Bold claims. Big dollar signs. Skepticism followed, naturally.
The new test
AISLE says it took Anthropic’s showcased bugs, isolated the code, and ran the cases through small, inexpensive open-weight models — and recovered much of the same analysis. According to their report, eight out of eight models flagged Mythos’s FreeBSD exploit; one model with just 3.6 billion active parameters (costing about $0.11 per million tokens) reproduced the core reasoning, and a 5.1B-active open model recovered the central chain in the 27-year-old OpenBSD bug. On basic security-reasoning tasks, AISLE reports small models even outperformed many frontier models from major labs. Surprise? A little. Comforting? Not quite.
Why it matters
The takeaway: capability is jagged, not smooth. The moat may be the system that embeds deep security expertise, not a single giant model. No single model wins every task; rankings reshuffle by problem. That undercuts a simple narrative — “bigger = better” — and points to a more complex, arms-race-like landscape where tooling, data, pipelines, and red-team know-how matter as much as raw scale. Where do we go from here? Patch the code, yes. But also build the processes that make those patches real and reliable.
This isn’t settled. AISLE has its own track record — they report running a live discovery-and-remediation system since mid‑2025 with dozens of validated CVEs — but independent verification and replication will be key. For defenders and policymakers, the emotional punch is clear: technology can surprise you, but so can hubris. Want a safer future? Don’t bet everything on a single model. Build the system.
Sources: aisle.com, Hacker News