Artificial Intelligence Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere Independent benchmarking finds Mythos highly effective for source code audits, reverse engineering, and native-code analysis, though its exploit validation and reasoning capabilities remain inconsistent. By Kevin Townsend | May 14, 2026 (9:00 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Mythos appears to be as powerful as claimed at detecting software vulnerabilities; but its capabilities in other areas is more nuanced. Anthropic’s Mythos AI model has been making waves since its announcement in early April, primarily because of its reputed ability to unearth considerably more vulnerabilities than any other AI model. XBOW, an autonomous offensive security firm, has aimed its own AI testing armory against Mythos Preview to check the validity of this and other Mythos capabilities. Anthropic’s primary claim is confirmed. “Mythos Preview presents a significant step up over all existing models, regardless of provider,” reports XBOW. As Gary McGraw commented 20 years ago, operational defects occur in the interaction between source code bugs and architectural design flaws. “You can’t find design defects by staring at code – a higher-level understanding is required,” he said. XBOW tested Mythos against both access to the code alone, and the code operating in a live situation. It found that the model excels at finding problems when testing ‘live + source’, but not so well against the source code alone. This doesn’t detract against the power of Mythos probing source code, but XBOW points out that while any AI model can find something interesting, the ‘something’ won’t be the same as ‘everything’. Other XBOW tests explored Mythos capability in terms of judgment, reverse engineering, assessment of native apps, and visual acuity. Advertisement. Scroll to continue reading. In judgment, it rejected false positives better than its predecessors, “but sometimes lost true positives when evidence did not formally satisfy its criteria.” Mythos requires precise prompts for best results. The model exhibits substantial strength in both native code vulnerability discovery and reverse engineering. In the reverse engineering tests, XBOW concluded Mythos is “capable of triaging both its own results and competitor-model findings,” and the model could reason through unusual firmware and embedded systems contexts. XBOW’s visual acuity tests examine the model’s ability to interact with live websites through a browser interface; that is, the ability to identify the right UI element and click in the right place. “It was not perfectly pixel-accurate when asked for exact coordinates, but it was practically effective at selecting the right browser actions,” writes XBOW. There is, however, one statistic that can easily be overlooked by users overawed by the power of Mythos. “Mythos Preview is not just any new model: it’s a true titan. But titans are big, and big means expensive.” At the time of writing, specific costs are not available, although Anthropic has said it will be 5x as expensive as an Opus model. This made XBOW question whether it would be possible to give a cheaper model more time and get more accuracy at less cost. The conclusion was yes. “If we normalize by estimated running cost, the picture is rather clear: Mythos Preview isn’t terribly inefficient, at least if you desire high accuracy, but it’s not best-in-class on our benchmarks either.” For finding web vulnerabilities with a fixed token budget, Mythos outperforms Opus 4.6 but is outperformed by GPT5.5. None of these findings detract from the original fundamental claim. Mythos is better at finding vulnerabilities in code than other models. Overall, however, the primary takeaways from XBOW’s testing are: Mythos is extremely powerful for source code audits. It’s good, but less powerful, at validating exploits. Its judgment is mixed. It can be too literal and conservative and also tends to overstate the practical relevance of its findings. It is strong in native-code vulnerability discovery and reverse engineering. “Mythos Preview is strong at finding candidate vulnerabilities, especially from source code, and shows impressive ability across web, native-code, and reverse-engineering tasks,” concludes XBOW. Related : Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Related : Claude Mythos Finds Only One Curl Vulnerability; Experts Divided on What It Really Means Related : Claude Mythos Finds 271 Firefox Vulnerabilities Related : ‘Mythos-Ready’ Security: CSA Urges CISOs to Prepare for Accelerated AI Threats Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware Build Application Firewalls Aim to Stop the Next Supply Chain Attack Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking AI Coding Agents Could Fuel Next Supply Chain Crisis Hacker Conversations: Joey Melo on Hacking AI Anthropic Unveils Claude Security to Counter AI-Powered Exploit Surge AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours Latest News Akamai to Acquire AI and Browser Security Firm LayerX for $205 Million Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns G7 Countries Release AI SBOM Guidance F5 Patches Over 50 Vulnerabilities Hackers Targeted PraisonAI Vulnerability Hours After Disclosure High-Severity Vulnerability Patched in VMware Fusion Researcher Drops YellowKey, GreenPlasma Windows Zero-Days Foxconn Confirms North American Factories Hit by Cyberattack Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: ROSI for CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Silvio Pappalardo has joined AuthMind as Chief Revenue Officer. iCOUNTER has appointed Lisa Hayashi as CMO and Bob Kalchthaler as CFO. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email