
73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation


By Sila Ozeren Hacioglu, Security Research Engineer at Picus Security.

In April 2026, Anthropic released its newest frontier model, codename Mythos, to twelve partners under a gated preview. Not general availability; the company explicitly held it back as it was (correctly) deemed too dangerous for open release.

In its first 14 days inside that sandbox, it wrote 181 working Firefox exploits. The previous state-of-the-art model managed two. Uh oh.

It surfaced thousands of zero-days across every major OS and browser, including a 27-year-old bug in OpenBSD, an operating system whose entire reputation is built on not having bugs like this.

Over 99% of what Mythos found is still unpatched in production today.

That's not a forecast. That happened.

Now pair it with what's already in the wild.

Let’s back up a bit. In February, AWS Threat Intelligence published a postmortem on a FortiGate campaign run by a single operator. One person, low skill, no hands on keyboard.

The AI did the work, and it hit 2,516 devices across 106 countries in parallel, taking just minutes per target. Zero days weren't required. Known CVEs and misconfigurations were enough; the AI simply operated faster than anyone could respond.

Figure 1. AWS Threat Intelligence FortiGate campaign hits 2,516 devices in 106 countries
