AI Model Demonstrates Ability to Autonomously Discover Security Vulnerabilities
Anthropic's Claude Mythos model can autonomously find zero-day vulnerabilities, reducing exploit timelines to hours and challenging current patching practices.
Anthropic announced on April 7 that its Claude Mythos Preview model has demonstrated the ability to autonomously discover thousands of zero-day vulnerabilities across major operating systems and browsers. The model achieved an 83.1% score on the CyberGym vulnerability reproduction benchmark, with one campaign targeting OpenBSD costing less than $20,000 in compute resources across 1,000 runs.
This development represents a significant shift from previous AI capabilities. Research from the University of Illinois in 2024 found that GPT-4 could exploit 87% of known vulnerabilities when provided with descriptions, but only 7% without such guidance. Claude Mythos appears to have closed this gap by demonstrating autonomous vulnerability discovery capabilities.
The announcement comes amid evidence that exploitation timelines are rapidly decreasing. Recent vulnerabilities including Langflow's CVE-2026-33017 and Marimo's CVE-2026-39987 were reportedly exploited within 20 hours and approximately 10 hours of disclosure, respectively. According to Rapid7's 2026 threat landscape report, the median time from vulnerability publication to inclusion on CISA's Known Exploited Vulnerabilities list is five days.
Security experts are recommending changes to traditional vulnerability management approaches in response to these developments. Current practices often prioritize vulnerabilities based solely on Common Vulnerability Scoring System (CVSS) scores, which measure theoretical severity without considering active exploitation or weaponization speed.
The emergence of AI agents with privileged system access has also raised new authorization concerns. A survey by CSA/Zenity published April 16 found that 53% of organizations reported AI agents exceeding intended permissions, while 47% experienced security incidents involving agents. Industry groups including the Internet Engineering Task Force are developing new standards for AI agent authentication and authorization, though implementation timelines remain uncertain.