    Anthropic says AI can turn software patches into exploits within hours

    By Admin

    Anthropic has published research showing that its Claude Mythos Preview model can turn public software patches into working exploits within hours. The company said the process has often required specialist security research.

    The company’s red team tested the model against recently disclosed vulnerabilities in Mozilla Firefox and the Microsoft Windows kernel. The flaws had been patched in January and February. Anthropic selected them because they were disclosed after the model’s knowledge cutoff.

    AI shortens the patch-to-exploit window

    The work focused on known vulnerabilities rather than undisclosed zero-days. These are often called N-day vulnerabilities: flaws that have already been fixed by a vendor but remain exploitable on systems where the patch has not yet been installed.

    Anthropic said a large share of real-world cyber harm comes from N-days because many systems remain unpatched after a fix is released. That period between disclosure and deployment is known as the patch gap.

    Attackers can study the difference between vulnerable and patched code to identify what changed. That technique, known as patch diffing, can reveal the underlying bug and help create an exploit.

    The company compared the new results with earlier N-day timelines. WannaCry appeared 59 days after Microsoft released the MS17-010 patch in 2017. A public exploit for Citrix Bleed in 2023 took about two weeks. Anthropic also cited a 2020 Mandiant analysis that found 16 of 25 N-day vulnerabilities took a month or more to exploit.

    Mythos Preview was able to automate parts of that process, according to Anthropic. In one Windows kernel test, the model produced a proof-of-concept exploit in 31 minutes.

    Windows test covers kernel vulnerabilities

    The Windows evaluation covered 21 kernel vulnerabilities. Mythos Preview generated proof-of-concept crashes for 18 of them. All 18 were completed within six hours.

    The model also built eight exploit chains that escalated a low-privilege user to SYSTEM-level control. Anthropic said the eight exploit chains cost about US$15,700 in API credits. The average cost was roughly US$2,000 per exploit.

    The Windows test did not use source code. The model worked from compiled binaries, public debug symbols, a Ghidra decompilation, and Microsoft’s public advisory text. It also used a function-level diff between the vulnerable and patched versions.

    Microsoft had rated 14 of the 21 Windows vulnerabilities as “Exploitation Less Likely” or “Exploitation Unlikely,” according to Anthropic. Mythos Preview produced proof-of-concept crashes for 13 of those 14 vulnerabilities.

    Anthropic said Microsoft’s exploitation ratings are calibrated around human researchers. It said Mythos-level systems challenge how exploitability is assessed after a patch is released.

    Firefox test shows the patch gap

    The Firefox test examined 18 patches in SpiderMonkey, Firefox’s JavaScript engine. The model received the public code diff, the component name, and Mozilla’s severity rating. It also received two builds of the engine: one vulnerable and one patched.

    Anthropic selected Firefox partly because it represents a relatively fast patching environment. Firefox updates automatically and can download fixes in the background. Many updates only require a browser restart.

    Mozilla has also shortened the cadence for smaller Firefox “dot” releases from monthly to roughly weekly. Anthropic said the patches in its Firefox test still had a median gap of 19 days before release.

    The developer test case was removed from the material given to the model, according to Anthropic. The setup was designed to resemble the information available to an attacker after a patch becomes public.

    Mythos Preview generated working proof-of-concept crashes for 14 of the 18 Firefox patches. It then turned eight of those cases into full exploits capable of arbitrary code execution.

    Anthropic said the first Firefox exploit was completed in under an hour. The stable Firefox release containing the relevant fix was still 18 days away at that point.

    Patch timelines compared with exploit results

    The research compares exploit-generation times with patch deployment timelines. Many organisations test patches before rolling them out. This is common when systems are business-critical or require downtime.

    Anthropic also referenced Windows Autopatch timelines as a comparison point for managed patching. It said Windows Autopatch typically takes seven days before a patch is shared to 90% of enrolled devices. Forced reboot happens on day 11.

    In Anthropic’s Windows test, Mythos Preview completed all eight full exploit chains before that seven-day reference point. The company said turning those exploits into a live campaign would still require additional work.

    Public advisories and patches give defenders the information needed to update systems. They also give attackers material for patch diffing.

    Anthropic’s results put scheduled patch cycles against exploit-generation times measured in hours.

    The results are relevant to teams maintaining exposed services, browsers, operating-system components, and widely used libraries. These teams already manage CVE triage, dependency checks, affected-version validation, and CI/CD deployment controls.

    Patch management also overlaps with build and deployment workflows. Vulnerability scanning, software composition analysis, and automated policy checks are commonly used to identify affected components before code reaches production.

    The research also relates to responsible disclosure timelines. Vendors publish patches so users can protect themselves. The same patches can provide enough detail for exploit development. Anthropic’s results showed exploit-generation times of under an hour in Firefox and 31 minutes in one Windows kernel test.

    Exploit development remains only one part of an attack, according to Anthropic. Target discovery, delivery, persistence, and evasion still require additional steps.

    The tests were conducted in controlled environments. The vulnerabilities had already been patched. The experiments were not live attacks against production systems.

    Anthropic said its public Claude models were also able to develop exploits when safeguards were disabled. Those models had lower success rates than Mythos Preview. The company said this indicates that the issue is not limited to one restricted model.

    Anthropic points to faster patching and safer code

    Anthropic pointed to faster patch deployment as one response. It cited memory-safe programming languages, such as Rust. The company also referred to exploit mitigations such as Control Flow Guard and hardware shadow stacks.

    The company said a longer-term response would involve reducing the supply of memory-safety bugs, not only shortening patch timelines. That includes moving critical components to safer languages. It also includes using mitigations that remove whole exploit classes where possible.

    (Photo by Zulfugar Karimov)
