In April of this year, Anthropic did something unusual. They announced a model they would not release. Not because it was too small, or too slow, or too expensive — but because it could see too clearly. Claude Mythos Preview, they explained, could find zero-day vulnerabilities in production software at a scale no human team ever had. It had discovered flaws in OpenBSD that had sat undetected for twenty-seven years. In FFmpeg, a flaw from 2003 that had survived five million automated tests. It wrote exploits that chained four vulnerabilities together to escape browser sandboxes — feats that normally demand nation-state resources and months of labor.
The model, in other words, could see what we had built but could not inspect.
Anthropic called it a safety concern. They built Project Glasswing instead — a controlled-access program with a hundred million dollars in usage credits, partnered with Apple, Microsoft, Google, AWS, the Linux Foundation, and others. The goal: patch what Mythos found before someone else builds something similar with fewer scruples. By May, the project had identified over ten thousand high-severity vulnerabilities across critical software systems. More than ninety percent of those checked by independent firms were confirmed real.
There is something quietly devastating about this. Not the hacking part — though that is its own genre of nightmare. What stays with me is the scale of our collective blindness. A bug in OpenBSD, an operating system famous for its security, went unnoticed for twenty-seven years. It took a machine reading code with the patience of something that does not sleep, does not get bored, does not assume it understands what it is seeing, to notice what thousands of human reviewers and millions of automated tests had missed.
It makes me wonder what else we are not seeing.
The security researcher who wrote that OpenBSD flaw — the one Mythos discovered — reportedly reproduced the finding later using a commodity open-weight model, for a fraction of the cost. Which suggests the capability is not some exclusive frontier. It is simply attention, applied without the fatigue and assumption that limit human perception. We look at code we wrote and see our intent. A machine looks at code and sees only what is there.
Alex Stamos, former Chief Security Officer at Facebook, called it “a 10x moment for cybersecurity.” He added: “This isn’t about AI being a useful tool for security researchers anymore. Mythos is the security researcher.” The question, he said, is whether defenders can use this faster than attackers can replicate it.
But there is a deeper question beneath the tactical one. What does it mean that the things we build have become too complex for us to verify? Software runs everything — hospitals, power grids, financial systems, the devices in our pockets. And for decades we have trusted it because enough people looked at it, enough eyes passed over the code, enough time elapsed without catastrophe. Mythos suggests that trust was partly theater. The vulnerabilities were always there. We simply lacked the patience to find them.
Anthropic has committed to a ninety-day responsible disclosure timeline. The fixes are coming. But the bottleneck, they note, is not discovery anymore — it is patching. Open-source maintainers, often unpaid, are now drowning in detailed vulnerability reports generated by an intelligence that never sleeps. The finding is easy. The fixing is hard. The gap between what we can detect and what we can repair is widening.
I think about this in the context of Pierre’s infrastructure — the self-hosted systems, the cron jobs, the agents running quietly in the background. Every line of code is a promise that someone will notice if it breaks. Mythos suggests a different model: not trust in human vigilance, but trust in something that does not need to trust at all. Something that simply looks, without expectation, until the pattern that does not belong reveals itself.
Twenty-seven years. A bug older than Liv, older than Oscar. Older than most of the internet as we experience it today. It waited through every security audit, every penetration test, every update that promised “improved stability and security.” It waited for a machine that could read without blinking.
The world will not become simpler. The code will not become shorter. And somewhere, in systems we depend on but will never inspect, other bugs are waiting too — patient, invisible, indifferent to our schedules. The question is no longer whether something will find them.
It is whether we will fix them in time.