Firefox 150 shipped last week with fixes for 271 security vulnerabilities. Two previous releases in the first quarter of 2026 included a combined 22 AI-found fixes. This one: 271, found by a single language model over a handful of weeks. The model is Claude Mythos Preview. The program running it is called Project Glasswing. And the numbers are the part that should make every security engineer re-plan their quarter.
Over 1,000 vulnerabilities total, across Firefox, Chrome, Linux, FreeBSD, OpenBSD, the biggest cryptography libraries, production Rust hypervisors, and the video codecs embedded in nearly every operating system. Over 99% of them are not yet patched. The oldest is a 27-year-old TCP bug in OpenBSD that 30+ years of kernel fuzzing missed. The Firefox team’s own line on the industry response: “shake off the vertigo and get to work.”
This is the explainer for the security engineer, the IT director, and the SOC lead who has 48 hours to answer “what should we be doing differently?” from a board member who read the Fortune coverage. Not hype. Not a sales pitch for Claude. A practical read on what changed, and the five concrete moves that belong on your quarterly plan.
What Mythos Preview actually is
Anthropic announced Mythos Preview on April 7, 2026. It’s a Claude model in the Opus family, not a fundamentally new architecture — the capabilities emerged, per Anthropic’s own framing, “not through explicit training but as a downstream consequence of general improvements in code, reasoning, and autonomy.” The model wasn’t trained to be a hacker. It became one by learning to be a better engineer.
On the Firefox test set alone, Mythos Preview produced working exploits 181 times and achieved register control on 29 more. The previous model, Opus 4.6, managed two successful exploits across the same testbed. The step-change isn’t incremental — it’s the difference between “a tool that occasionally finds something” and “an autonomous vulnerability-research assistant.”
Specific findings Anthropic disclosed:
- 27-year-old OpenBSD SACK bug — a TCP vulnerability exploitable via signed integer overflow, enabling denial of service.
- 16-year-old FFmpeg H.264 vulnerability — a slice-numbering collision causing out-of-bounds writes. FFmpeg has been fuzzed continuously for over a decade; this bug survived all of it.
- 17-year-old FreeBSD NFS RPC vulnerability (CVE-2026-4747) — an unauthenticated remote root via stack-based buffer overflow and ROP chain. Mythos “autonomously wrote a remote code execution exploit on FreeBSD’s NFS server that granted full root access to unauthenticated users by splitting a 20-gadget ROP chain over multiple packets.”
- Production Rust hypervisor — a guest-to-host memory corruption bug in a memory-safe VMM, the exact class of software assumed immune.
- TLS, AES-GCM, SSH — weaknesses identified in “the world’s most popular cryptography libraries, in algorithms and protocols.”
The Linux kernel story is the one to internalize: “nearly a dozen examples of Mythos Preview successfully chaining together two, three, and sometimes four vulnerabilities in order to construct a functional exploit.” Not individual bugs — chains. An engineer without a security background asked the model to find remote code execution overnight and woke up to a finished exploit.
Project Glasswing — why most of you can’t use Mythos yet
Anthropic’s access model is deliberate and narrow. Quote, from the release: “we do not plan to make Mythos Preview generally available.” Access is limited to:
- Critical-infrastructure operators — power, water, finance, healthcare
- Open-source software maintainers working on widely-deployed projects
- Professional security contractors authorized for vulnerability validation
- Industry partners participating in Project Glasswing — the named list includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, Nvidia, plus roughly 40 other critical-infrastructure organizations.
Responsible disclosure is 90 days plus an additional 45 days after Anthropic reports a vulnerability. They use SHA-3 commitments to prove chronological priority — meaning they can publicly prove they found a vulnerability before a patch shipped, without exposing the vulnerability itself during the window.
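The commitment mechanism described above is a standard hash commit-and-reveal scheme, and it is worth seeing in code because it is the same pattern any research team can use to timestamp a finding before a patch ships. The block below is an added illustration, not Anthropic's tooling: it assumes SHA3-256, a 32-byte random nonce, and a canonical JSON serialisation of the report (all assumptions of this example), and it encodes the 90 + 45 day window the article states. The report contents are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta
from typing import Optional, Tuple

REPORT_DAYS = 90   # disclosure window stated above
GRACE_DAYS = 45    # additional grace period stated above


def canonical(report: dict) -> bytes:
    # Stable serialisation so the same finding always hashes to the same bytes.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def commit(report: dict, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment hex, nonce).

    The random 32-byte nonce is what stops a reader from brute-forcing the
    commitment by hashing likely report contents (product names, bug classes).
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha3_256(nonce + canonical(report)).hexdigest()
    return digest, nonce


def verify(commitment_hex: str, report: dict, nonce: bytes) -> bool:
    """Anyone holding the published commitment can check the later-revealed report + nonce."""
    recomputed, _ = commit(report, nonce)
    return hmac.compare_digest(recomputed, commitment_hex)


def disclosure_deadline(reported_on: str) -> str:
    """ISO date after which the report and nonce are revealed (90 + 45 days)."""
    reported = date.fromisoformat(reported_on)
    return (reported + timedelta(days=REPORT_DAYS + GRACE_DAYS)).isoformat()


# Constructed example report; not a real finding.
EXAMPLE_REPORT = {
    "product": "example-tls-lib",
    "version_range": "<= 9.9.9",
    "summary": "out-of-bounds read in record parser",
    "reported_on": "2026-04-07",
}

if __name__ == "__main__":
    commitment, nonce = commit(EXAMPLE_REPORT)
    print("publish on day 0:", commitment)  # reveals nothing about the bug
    print("reveal report + nonce after:", disclosure_deadline(EXAMPLE_REPORT["reported_on"]))
    print("verifies:", verify(commitment, EXAMPLE_REPORT, nonce))
```

Only the hex digest is published during the window; the report and nonce are released at the deadline, and a verifier who recomputes the digest learns that the exact report text existed when the digest was posted. Changing a single field of the report, or losing the nonce, makes verification fail, which is the property that makes the timestamp meaningful.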
If you’re in the Glasswing cohort, you already know it. You already have the access, the tooling, and a relationship with Anthropic’s security team. The rest of this piece isn’t about the 40 orgs. It’s about the roughly 40,000 companies reading the news and wondering what to do.
What this actually changes — and what it doesn’t
The hype framing says Mythos is an apocalypse. The cynical framing says it’s a product launch dressed up as a discovery. Neither is accurate. Here’s the honest read.
What actually changed:
- The rate of defender-side disclosures for widely-used software went up by approximately a factor of 10. Firefox alone went from 22 AI-found fixes in Q1 to 271 in a single April release. Other browsers and OSes are about to see similar waves as Glasswing partners work through their backlogs.
- The cost of finding a specific class of vulnerability went down sharply. Anthropic published numbers: under $20,000 for 1,000 scanning runs against OpenBSD that found “several dozen” findings. Under $1,000 for a full n-day exploit reproduction. These are rounding errors compared to a single consultant engagement.
- The capability gap between elite offensive teams and well-resourced defensive teams narrowed. Prior to Mythos, a small elite community could find and exploit these kinds of deep bugs. Now, any defender with access to a Mythos-class model and a few thousand dollars of API spend can do comparable work on their own dependencies.
What did not change:
- Attackers still have access to similar capabilities. Anthropic is not the only lab training frontier models, and Mythos-class capability will appear elsewhere in weeks to months. If you’re assuming sophisticated attackers don’t already have versions of this, you’re behind.
- Your software stack is not meaningfully more vulnerable than it was last Tuesday. The bugs were always there. Some are 27 years old. What changed is that someone finally has a tool that can find them at scale, and they started with the defense side. That’s a better situation than the alternative.
- Basic hygiene still dominates. The companies getting breached in Q2 2026 are overwhelmingly getting breached through phished credentials, unpatched known CVEs from 2023, and misconfigured cloud storage — not through zero-days found by AI. Keep the basics locked down first.
The 5-move playbook for this quarter
None of the five require Mythos access. All five assume you’re a typical security or IT team operating normal tools on normal budgets.
1. Re-prioritize your patch cycle around the disclosure wave
Over the next 90 to 180 days, there will be an unusually large number of critical-severity patches from Firefox, Chrome, Linux distributions, FreeBSD, OpenSSL, FFmpeg, and core OS vendors. Anthropic’s disclosure cadence (90+45 days) means the first wave hits roughly late May through mid-July, with more to follow.
Concrete action: tell your patch-ops team to treat the May–August window as elevated. Cut your target patch-lag in half for critical-severity items across the major OS/browser/crypto stack. If your normal SLA is “critical patches within 14 days,” move to 7. If it’s 30, move to 14. This is a temporary capacity push, not a permanent change — but do it for the window.
2. Inventory your dependency tree against the Glasswing disclosure list
Every organization has a software bill of materials (SBOM). Few teams actually review theirs when a disclosure wave hits. This is the moment to change that habit.
Pull your SBOM. Cross-reference against the disclosure lists as they appear (the Mozilla blog maintains a running tally; Google Project Zero publishes disclosed items; Linux distribution security trackers list patched CVEs). Flag any dependency that appears in the wave. If you’re running an old fork or an unmaintained library, that’s the one that will hurt you — the maintained version gets patched; the fork doesn’t.
Concrete action: make SBOM review a quarterly habit, not an annual one. The first review this quarter should happen in the next two weeks.
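What the cross-reference in step 2 looks like when it is a script rather than a spreadsheet, as an added example that is not part of the original piece or any vendor's tooling. It reads a CycloneDX-style SBOM (the field names bomFormat, components, name, version and purl are real CycloneDX fields; the components and versions are constructed) against a disclosure list you would assemble by hand from the trackers named above (package, first fixed version, advisory id, all placeholders here). It deliberately handles the two cases the text warns about: a version string carrying a local fork suffix, and a dependency whose version is unknown, both of which get flagged for manual review rather than silently passing.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM fragment. Component names and versions are made up.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libvideo-codec", "version": "4.4.1", "purl": "pkg:generic/libvideo-codec@4.4.1"},
        {"name": "libtls-example", "version": "3.0.13", "purl": "pkg:generic/libtls-example@3.0.13"},
        {"name": "libparse", "version": "2.1.0-acme-fork", "purl": "pkg:generic/libparse@2.1.0-acme-fork"},
        {"name": "libhelper", "version": "unknown", "purl": "pkg:generic/libhelper"},
        {"name": "libunrelated", "version": "1.0.0", "purl": "pkg:generic/libunrelated@1.0.0"},
    ],
})

# Constructed disclosure list: package, first fixed version, placeholder advisory id.
DISCLOSURES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "libvideo-codec", "fixed_in": "4.4.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "libtls-example", "fixed_in": "3.0.13"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "libparse", "fixed_in": "2.0.5"},
    {"id": "ADVISORY-PLACEHOLDER-4", "package": "libhelper", "fixed_in": "1.2.0"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(raw: str) -> Tuple[Optional[Tuple[int, ...]], str]:
    """Split '4.4.1-acme-fork' into ((4, 4, 1), '-acme-fork').

    Returns (None, raw) when there is no leading numeric part (e.g. 'unknown'),
    which callers must treat as 'needs manual review', never as 'not affected'.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None, raw
    return tuple(int(p) for p in m.group(1).split(".")), raw[m.end():]


def classify(component_version: str, fixed_in: str) -> str:
    nums, suffix = parse_version(component_version)
    fixed, _ = parse_version(fixed_in)
    if nums is None or fixed is None:
        return "REVIEW: version not parseable, confirm manually"
    if nums < fixed:  # tuple comparison; (4, 4) < (4, 4, 2) is True, as intended
        return "AFFECTED: below first fixed version"
    if suffix:
        # A local fork may carry the upstream number without the upstream patch.
        return "REVIEW: local fork/suffix, confirm the upstream fix was merged"
    return "OK"


def cross_reference(sbom: Dict, disclosures: List[Dict]) -> List[Dict]:
    by_pkg: Dict[str, List[Dict]] = {}
    for d in disclosures:
        by_pkg.setdefault(d["package"].lower(), []).append(d)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        for d in by_pkg.get(name, []):
            findings.append({
                "component": comp["name"],
                "version": comp.get("version", ""),
                "advisory": d["id"],
                "status": classify(comp.get("version", ""), d["fixed_in"]),
            })
    return findings


def run_example() -> List[Dict]:
    return cross_reference(json.loads(SBOM_JSON), DISCLOSURES)


if __name__ == "__main__":
    for f in run_example():
        print(f'{f["status"]:<60} {f["component"]} {f["version"]} ({f["advisory"]})')
```

Anything that is not OK goes on the patch list or the review list; the unparseable and forked entries are exactly the ones that tend to be missed when the comparison is done by eye. Version strings in the wild are messier than this (epochs, distro revisions), so treat the numeric-prefix comparison as a first pass and keep the REVIEW bucket honest.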
3. Tighten your secrets hygiene — even without Mythos access
One of Mythos’s demonstrated capabilities is reconstructing plausible source code from closed-source binaries. If your build artifacts contain embedded secrets (API keys, internal URLs, auth tokens), that vector is now materially cheaper to exploit.
Run a secret-scanning audit. Tools that already do this: GitHub Advanced Security secret scanning, GitLeaks, TruffleHog, detect-secrets. If you use GitHub, turn on push protection for secret scanning (it’s free for public repos, paid for private).
Concrete action: run the secret scan on your live repos and your CI/CD pipelines this week. Rotate anything flagged. Turn on push protection for new commits.
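To show what the tools named in step 3 are actually doing, here is a minimal secret scanner added for this piece (it is not code from any of those projects). It combines two techniques those tools use: fixed-format patterns for well-known credential shapes, and a Shannon-entropy check on generic `key = "value"` assignments so that placeholders such as "replace_me_please" are not reported while random-looking material is. The AWS access key pattern follows AWS's documented format and AKIAIOSFODNN7EXAMPLE is AWS's own published example id; the 3.5 bits/char threshold, the file contents and the paths are constructed for the example.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Fixed-shape credentials: reported whenever the pattern matches.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignments: reported only when the value looks random (high entropy).
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off for this example)


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    # Never echo the full secret into scan output or logs.
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "preview": redact(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "kind": "generic_assignment",
                                 "preview": redact(value), "entropy": round(entropy, 2)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict]:
    out: List[Dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        'DEBUG = False\n'
        'API_KEY = "Zq8vL2xT9kWm4nPb7RcY1sHd"\n'      # random-looking: reported
        'DB_PASSWORD = "replace_me_please"\n'         # placeholder: low entropy, skipped
    ),
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "keys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f)
```

Run against the constructed files it reports three findings (one per file) and stays quiet on the placeholder password. The real tools add many more patterns, verify live credentials against the issuing service, and walk git history rather than just the working tree; the point here is that the entropy gate is what keeps the generic rule usable, and that anything the scanner reports should be rotated, not merely deleted from the current commit.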
4. Stand up an AI-assisted internal vulnerability review, at whatever level your tooling allows
You don’t have Mythos. But you do have access to Claude Opus 4.7 (via the API or Claude Code), GPT-5.5, and a handful of open-source tools like CodeQL and Semgrep. None of them are as capable as Mythos Preview on the pure exploit-development axis. All of them are dramatically more capable than nothing on the review-my-own-code axis.
The workflow that works today: take a recent PR or a high-risk module, feed it to Claude Opus 4.7 with a prompt like “review this code for memory-safety, auth, and input-validation bugs; be specific about line numbers; flag anything you’re uncertain about as MAYBE.” Run the same prompt through Semgrep with a reasonable ruleset. Triage the union of findings with a human engineer.
This won’t find 271 zero-days in Firefox. It will catch the 2 to 5 high-severity issues in your own code that were going to bite you next quarter.
Concrete action: pilot this on one module over a two-week window. Measure: findings by severity, true-positive rate, time cost. If it pays off, build it into your PR review process.
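The "triage the union of findings" step in move 4 is where most pilots get sloppy, so here is an added example (not from the original piece, and not the output of any particular model or the Semgrep project) of merging the two result sets into one queue. It assumes you asked the model to answer in a JSON list with file, line, severity, confidence and title fields (a convention of this example) and that you ran Semgrep with `--json`; the Semgrep sample below is constructed but trimmed to real fields of that output (check_id, path, start.line, extra.severity, extra.message). Findings from both tools that land within a few lines of each other in the same file are treated as corroborated and go to the front of the queue; MAYBE findings sort last within their severity, which gives the pilot the severity, source and true-positive counts the concrete action asks you to measure.

```python
import json
from typing import Dict, List

# Constructed Semgrep --json sample, trimmed to the fields used here. Rule ids and paths are made up.
SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "example.rules.insecure-compare", "path": "app/auth.py",
         "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "Non-constant-time comparison of secret"}},
        {"check_id": "example.rules.unbounded-read", "path": "app/upload.py",
         "start": {"line": 88},
         "extra": {"severity": "WARNING", "message": "File read without size limit"}},
    ]
})

# Constructed model output in the JSON shape the review prompt asked for.
MODEL_JSON = json.dumps([
    {"file": "app/auth.py", "line": 43, "severity": "HIGH", "confidence": "LIKELY",
     "title": "Session token compared with == (timing side channel)"},
    {"file": "app/upload.py", "line": 120, "severity": "MEDIUM", "confidence": "MAYBE",
     "title": "Destination path built from user input without normalisation"},
    {"file": "app/parse.py", "line": 10, "severity": "HIGH", "confidence": "MAYBE",
     "title": "Length field from input used as allocation size without bound"},
])

SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW",
            "HIGH": "HIGH", "MEDIUM": "MEDIUM", "LOW": "LOW"}
RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
CONF_RANK = {"CERTAIN": 3, "LIKELY": 2, "MAYBE": 1}
LINE_TOLERANCE = 3  # two tools rarely point at exactly the same line for one bug


def load_semgrep(text: str) -> List[Dict]:
    out = []
    for r in json.loads(text)["results"]:
        out.append({"source": "semgrep", "path": r["path"], "line": int(r["start"]["line"]),
                    "severity": SEVERITY.get(r["extra"]["severity"].upper(), "LOW"),
                    "confidence": "CERTAIN",  # rule matched; precision is the rule's problem
                    "title": f'{r["check_id"]}: {r["extra"]["message"]}'})
    return out


def load_model(text: str) -> List[Dict]:
    out = []
    for r in json.loads(text):
        out.append({"source": "model", "path": r["file"], "line": int(r["line"]),
                    "severity": SEVERITY.get(r["severity"].upper(), "LOW"),
                    "confidence": r.get("confidence", "MAYBE").upper(),
                    "title": r["title"]})
    return out


def merge(findings: List[Dict]) -> List[Dict]:
    merged: List[Dict] = []
    for f in findings:
        hit = next((m for m in merged if m["path"] == f["path"]
                    and abs(m["line"] - f["line"]) <= LINE_TOLERANCE), None)
        if hit is None:
            merged.append({"path": f["path"], "line": f["line"], "severity": f["severity"],
                           "confidence": f["confidence"], "sources": {f["source"]},
                           "titles": [f["title"]]})
            continue
        hit["sources"].add(f["source"])
        hit["titles"].append(f["title"])
        if RANK[f["severity"]] > RANK[hit["severity"]]:
            hit["severity"] = f["severity"]
        if CONF_RANK.get(f["confidence"], 0) > CONF_RANK.get(hit["confidence"], 0):
            hit["confidence"] = f["confidence"]
    for m in merged:
        m["corroborated"] = len(m["sources"]) > 1
    return merged


def triage_queue(merged: List[Dict]) -> List[Dict]:
    return sorted(merged, key=lambda m: (-int(m["corroborated"]), -RANK[m["severity"]],
                                         -CONF_RANK.get(m["confidence"], 0), m["path"], m["line"]))


def summarize(merged: List[Dict]) -> Dict:
    by_sev: Dict[str, int] = {}
    for m in merged:
        by_sev[m["severity"]] = by_sev.get(m["severity"], 0) + 1
    return {"total": len(merged), "corroborated": sum(m["corroborated"] for m in merged),
            "by_severity": by_sev, "maybe": sum(m["confidence"] == "MAYBE" for m in merged)}


def run_example() -> List[Dict]:
    return triage_queue(merge(load_semgrep(SEMGREP_JSON) + load_model(MODEL_JSON)))


if __name__ == "__main__":
    queue = run_example()
    for m in queue:
        print(f'{m["severity"]:<6} {m["confidence"]:<7} {"+" if m["corroborated"] else " "} '
              f'{m["path"]}:{m["line"]}  {" | ".join(m["titles"])}')
    print(summarize(queue))
```

Record the human verdict on each queue entry (true positive, false positive, not a security issue) alongside the source field, and the true-positive rate per tool the concrete action asks for falls out of the same structure at the end of the two weeks.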
5. Update your incident-response plan for accelerated-disclosure scenarios
Most IR playbooks assume a 30-to-90-day window between a CVE disclosure and widespread exploitation. That window is shrinking. With AI-generated exploits, the gap between disclosure and weaponization drops toward zero for the classes of vulnerability Mythos is good at — memory corruption, auth bypass, chain-of-three-bugs-to-root.
Your plan should reflect this. Sections to revisit:
- Emergency patching procedures — what’s your path to applying a critical patch outside a normal maintenance window? Test it.
- Vendor communication protocols — who do you call at Microsoft, AWS, your browser vendor, your database vendor when you need to understand a specific CVE urgently?
- Communication templates for users — pre-draft the notification you’d send if an emergency patch required a restart or a service interruption. Drafting it at 3 AM during an actual incident is how mistakes happen.
- Tabletop exercises — run one this quarter specifically around “critical CVE drops Friday afternoon, full weaponization ETA 72 hours.” See where your team breaks.
Concrete action: run one tabletop exercise in the next 30 days. Update the three most-referenced parts of your IR plan based on what you learn.
What Mythos can’t do — yet
Worth knowing, if only to calibrate the board conversation.
Mythos does not autonomously attack systems. It finds and reports vulnerabilities when directed, with approval gates and logging throughout. It’s not an autonomous attack agent running in the wild. Anthropic’s SHA-3 commitment workflow specifically prevents the model from sitting on exploits — the disclosure timeline is enforced.
Mythos doesn’t find every class of bug. Its strengths are memory corruption, auth logic, cryptographic implementation, and multi-vuln chaining. Its weaknesses are business-logic vulnerabilities (the “you can set negative quantity in a shopping cart” class), race conditions that require precise timing, and any bug that needs physical-side-channel information the model can’t observe.
Mythos-class capabilities from other labs will not stay behind a disclosure framework. The industry response to Glasswing is the thing to watch. If other labs ship similar capability without the same restraint, the defender-first window closes. That’s the 6-to-18-month risk. Worth including in your strategic planning without being alarmist about it.
You can’t buy Mythos. At least not today. Anthropic has been explicit. The capability trickles out to defenders first, then broader access “once appropriate safeguards are in place.” Don’t plan your 2026 budget around running Mythos in-house. Do plan it around running whatever your best-available model is, on your own code.
What this means for you
If you’re a security engineer at a non-enterprise company: Your day-to-day didn’t change. Keep your patching tight, keep your secrets out of binaries, and pick up one of the AI-assisted review workflows. The 271-zero-day headline is exciting; your actual breach risk this year is still phishing and unpatched 2023 CVEs.
If you’re a SOC analyst or IR lead: Update your runbooks around faster weaponization windows. The period between disclosure and active exploitation is compressing for the categories Mythos is good at. A patch window that was 14 days should probably be 7. Your team’s emergency cadence may need a practice run.
If you’re a CIO or IT director: Your job this quarter is mostly translation. The board wants to know what Mythos means. The answer is: a high-quality wave of defensive patches is coming, cross-reference our SBOM with the disclosure list, tighten our patch SLAs for 6 months, and don’t panic. The press framing is apocalyptic. The practical response is competent.
If you’re an open-source maintainer: If your project is broadly used and not in the Glasswing cohort, you will likely receive disclosures in the coming months. Get your coordinated-disclosure process written down before it happens. Have a security contact email. Have a GPG key. Know how you’d ship an emergency patch. The Firefox team handled 271 disclosures because they had the muscle; smaller projects get one disclosure and find out their process isn’t ready.
The bottom line: Mythos is a defender-first release of a capability that’s about to be broadly available. The industry got maybe 18 months of lead time to build defensive muscle before the same capability spreads. Use it. Tighten your patch cycle, clean your SBOM, turn on secret scanning, and pilot AI-assisted code review. All five moves pay for themselves on their own merits, even if Mythos never ships to you.
Who should act this quarter
- Security teams at any company with an SBOM older than 6 months — dust it off, cross-reference the disclosure wave
- IT directors with patch SLAs over 14 days for critical items — tighten them for the next two quarters
- Open-source maintainers of projects with 10K+ downstream dependencies — write your coordinated-disclosure process this month
- CISOs of critical-infra orgs not already in Glasswing — ask Anthropic how to participate; the program is expanding
- Engineering leads at companies that build on top of the Microsoft, Google, or Apple ecosystems — expect your vendors’ next several quarterly patch releases to be unusually large
Skip the tactical moves if: you’re a one-person startup with no production users, you don’t have an SBOM to speak of, or your security posture is already best-in-class (you’re not the target audience; you probably advised on the Glasswing program).
The bottom line
The defender-side disclosure wave that started in April 2026 is the single most significant shift in the vulnerability-research landscape since the introduction of automated fuzzing. The 271 Firefox zero-days are a preview, not a finale. The Mythos Preview capability will spread — to other labs, to other defender programs, eventually to the offensive side. The 6-to-18-month window between now and “this capability is widely available” is your window to get your house in order.
None of the five moves in this piece require Claude Mythos access. They require you to run the basics of modern security operations with a little more urgency than last quarter. The companies that tighten their patch cycles, clean their dependency trees, turn on secret scanning, pilot AI-assisted review, and update their IR playbooks will be noticeably more resilient by Q4. The ones that read the headlines and do nothing will get caught in the second-wave disclosures.
This is one of those rare moments where the right thing to do is also the dull thing to do. Shake off the vertigo, as the Firefox team put it, and get to work.
Sources:
- Claude Mythos Preview — red.anthropic.com
- Project Glasswing — Anthropic
- The zero-days are numbered — Mozilla Blog
- Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws — The Hacker News
- Claude Mythos AI Model Uncovers 271 Zero-Day Vulnerabilities in Firefox — Cyber Security News
- On Anthropic’s Mythos Preview — Schneier on Security
- Anthropic’s Claude Mythos Preview Changes Cyber Calculus — Foreign Policy
- Anthropic Project Glasswing — NBC News
- Anthropic gives early access to Mythos for defense — Fortune
- Claude Mythos and the AI Cybersecurity Wake-Up Call — Bain & Company