Cloudflare found that Anthropic’s Claude Mythos Preview could chain multiple low‑severity software bugs into full exploit paths and automatically generate proof‑of‑concept exploit code when tested across more than 50... Unlike typical vulnerability scanners that flag isolated issues, Mythos could connect weaknesses...

Create a landscape editorial hero image for this Studio Global article: What did Cloudflare find when testing Anthropic’s Claude Mythos Preview on more than 50 internal and open-source code repositories, specific. Article summary: Cloudflare tested Mythos Preview as part of Project Glasswing against more than 50 of its own internal and open-source code repositories.. Topic tags: general, general web, user generated. Reference image context from search candidates: Reference image 1: visual subject "# Claude Mythos: Benchmark-Dominating AI with Real Risks. Claude Mythos Preview is Anthropic’s most powerful AI yet, outperforming benchmarks and uncovering critical vulnerabilitie" source context "Claude Mythos: Benchmark-Dominating AI with Real Risks" Reference image 2: visual subject "Artificial Intelligence (AI) company Anthropic announced a new cybersecurity initiative called **Project Gla
Cloudflare’s security team recently tested Anthropic’s Claude Mythos Preview, a specialized AI model designed for cybersecurity research. The evaluation ran the model against more than 50 internal and open‑source code repositories as part of Anthropic’s restricted Project Glasswing program. What researchers found was notable: the model didn’t just identify vulnerabilities—it could connect them into working exploit chains and generate proof‑of‑concept code automatically. At the same time, it showed important reliability and safety limitations that highlight the challenges of deploying AI for security work.
Most automated security tools focus on detecting individual vulnerabilities. Cloudflare observed that Mythos went a step further.
When analyzing real codebases, the model could:
In other words, instead of treating vulnerabilities as isolated findings, the model could reason about how attackers might link multiple flaws together into a functional exploit scenario. This capability was observed across Cloudflare’s runtime systems, protocol code, control‑plane components, and open‑source projects.
That type of reasoning—connecting attack primitives into a full chain—is usually the work of experienced human security researchers.
Another key finding was Mythos’s ability to create proof‑of‑concept (PoC) exploits automatically.
According to Cloudflare’s observations, the model could:
This iterative process allowed the model to move from vulnerability discovery to practical exploitation validation with minimal human intervention.
For security teams, generating PoC code is often the step that proves whether a bug is actually exploitable. Automating that stage significantly reduces the manual effort required to confirm and prioritize vulnerabilities.
Anthropic’s own documentation about Mythos Preview also describes broader capabilities demonstrated during internal testing. These include:
These claims reinforce the model’s focus on structured vulnerability analysis and exploit reasoning rather than general coding tasks.
Despite its advanced capabilities, Cloudflare’s testing also revealed important weaknesses.
The model sometimes reported vulnerabilities that were not actually exploitable or were incorrectly classified. Projects written in memory‑unsafe languages, such as C or C++, tended to produce more of these false alarms, meaning human validation remains necessary.
Cloudflare also observed inconsistent safety behavior. In some cases, the model would identify an exploit path but then refuse to demonstrate or complete it due to built‑in safety controls. In other cases, it proceeded further before stopping.
These inconsistencies highlight how difficult it is to balance useful security research capabilities with safeguards against misuse.
The experiment underscores a broader shift in how AI may reshape vulnerability research.
For defenders, systems like Mythos could:
However, the same capabilities create risks if they fall into the wrong hands. If models can automatically move from bug discovery to working exploit code, the barrier to launching sophisticated attacks could fall dramatically.
Cloudflare’s takeaway was that simply patching faster may not be enough in an AI‑accelerated security landscape. Organizations may need new approaches to vulnerability management that assume attackers will eventually have similar automated capabilities.
Claude Mythos Preview illustrates a classic dual‑use technology challenge.
Because of these concerns, Mythos Preview is currently not publicly released and is instead being shared with selected organizations for defensive testing through Project Glasswing.
The Cloudflare tests show why: AI models are beginning to move beyond simple code assistance toward full‑stack vulnerability discovery and exploitation reasoning—a capability that could transform both cyber defense and cyber offense in the years ahead.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
Cloudflare found that Anthropic’s Claude Mythos Preview could chain multiple low‑severity software bugs into full exploit paths and automatically generate proof‑of‑concept exploit code when tested across more than 50...
Cloudflare found that Anthropic’s Claude Mythos Preview could chain multiple low‑severity software bugs into full exploit paths and automatically generate proof‑of‑concept exploit code when tested across more than 50... Unlike typical vulnerability scanners that flag isolated issues, Mythos could connect weaknesses across a codebase into a working attack chain and iteratively test exploit code in a sandbox environment.
The results highlight a dual‑use risk: the same AI capabilities that help defenders discover and fix vulnerabilities faster could also make it easier for attackers to turn bugs into real exploits.