- Anthropic’s Mythos AI found a 27-year-old undetected vulnerability in the OpenBSD operating system — along with thousands of other bugs — spending just $20,000 of compute over two days
- Bug submissions to HackerOne are up 76% year-over-year; the average time to fix a bug has ballooned from 160 days to 230 days as AI-generated reports overwhelm patching teams
- The window between bug disclosure and active exploitation has collapsed from 847 days (eight years ago) to 23 days last year — and in 2026, most bugs are being weaponized within 24 hours
- The White House, OpenAI, and Google are all racing to build coordinated responses; Anthropic is working with ~50 companies to find and fix bugs before Mythos is released publicly

What Happened?
Anthropic’s Mythos — the AI model that alarmed White House officials and bank CEOs last month — has demonstrated a new and alarming capability: finding software vulnerabilities at machine speed and scale. In two days, burning roughly $20,000 of compute, Mythos uncovered thousands of bugs including a flaw in the OpenBSD operating system that had gone undetected for 27 years. Earlier this year, Anthropic’s software found more than 100 bugs in the Firefox browser and wrote working exploit code for one of them. Anthropic is currently working with approximately 50 technology companies to find and fix vulnerabilities before the model is released publicly — and has no firm timeline for that release. OpenAI and Google are developing similar restricted-access security programs.
Why It Matters?
AI has fundamentally broken the economics of cybersecurity in favor of attackers. For decades, finding a deeply buried software vulnerability required rare expertise and hundreds of hours of work — a natural bottleneck that constrained the hacker population. Mythos eliminates that bottleneck. The average time between a bug’s public disclosure and its first exploitation in the wild has fallen from 847 days eight years ago, to 23 days last year, to under one day in 2026. Bug submission volumes are up 76%, but patching speeds have gotten slower, not faster — the average fix now takes 230 days, up from 160. The result is an expanding universe of known, unfixed vulnerabilities being weaponized faster than ever. Critically, the greatest risk may be in obscure open-source infrastructure that undergirds the modern internet — maintained by volunteers with no capacity to absorb an AI-generated deluge of bug reports.
What’s Next?
The White House’s National Cyber Director is coordinating a government-wide response, and comparisons to Y2K are circulating among cybersecurity professionals — a massive, coordinated global patching effort may be the only path through. But unlike Y2K, where the threat was known and the deadline was fixed, the AI bug armageddon is open-ended and accelerating. Companies face a stark choice: invest now in dramatically faster patching pipelines and AI-assisted remediation, or accept that their legacy code is permanently exposed. The cybersecurity software industry — whose stocks fell sharply last week on Mythos fears — faces both an existential threat and its greatest-ever commercial opportunity, depending on how quickly it adapts.
Source: The Wall Street Journal