You seem to see a "pretty strong case" from a bombastic press release.

Don't get me wrong, I do know the reality has changed. Even Greg K-H, the Linux stable maintainer, did recently note[1] that it's not funny any more:

"Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality," he said. "It was kind of funny. It didn't really worry us."

... "Something happened a month ago, and the world switched. Now we have real reports." It's not just Linux, he continued. "All open source projects have real reports that are made with AI, but they're good, and they're real." Security teams across major open source projects talk informally and frequently, he noted, and everyone is seeing the same shift. "All open source security teams are hitting this right now."

---

I agree that an antidote to the obnoxious hype is to pay attention to the actual capabilities and data. But let's not get too carried away.

[1] https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_...

Hadn’t been to a Kubecon in about a year as I’ve been tending to go to just the European ones. I definitely felt a much stronger this is real vibe at this event from people like Greg KH.

Is there any actual independent data though, or verification of any of these claims?

As it stands this is just a marketing programme for all involved.

Ffmpeg confirmed on Twitter that they sent the patches.

Although, they also said, "Because the patches appear to be written by humans".

"Mythos writes code like a human" incoming

The patches could have been written by humans, it doesn't matter that much. Or written by a clanker and polished by engineers. The difficult part is usually not in writing the patches that fix such vulnerabilities, but in finding the vulnerabilities. And these days it's even harder to exploit them, since you need to bypass modern hardening features.

What would be the product they're marketing by this campaign?

You don't market products, you market lifestyles/interests. Sell the sizzle, not the steak etc.

For Anthropic it's "we own the big scary models, the AI security space, but it's ok we're responsible"

For the partners it's "we're the Big Boys here and will look after your enterprise needs"

None of it needs any more than anecdata and some nice, pre-approved, quotes.

Every organisation does it.

The product they launched?

just because _we_ don't have access does not mean anthropic's not getting paid

The product is being provided to some of the most influential companies. That can definitely serve to Anthropic's advantage. (Regardless, I suspect the hype is real.)

Imagine you were making purchasing decisions about which LLM-based coding tool to use.

If one of the possible vendors convinces you that that they have a next gen model that is so powerful it found 20+ year old bugs in a hardened operating system, that would undoubtedly have an influence on your decision even if you are only buying the current model.

That's pretty disingenuous, bordering on ridiculous.

Do they have a record of lying to you? No.

Go read the system card. It's a lot more tame than you think, peoples are taking pieces out of this and hyping it. Doesn't mean it's not valid.

Which sounds like a great thing. Less undiscovered security vulnerabilities

The only people panicking are probably those state level actors who were using these for their own benefit.

With the right prompting (mostly creating a narrative that justifies the subject matter as okay to perform) other models have already been doing this for me though. That’s another confusing bit for me about how this is portrayed and I refuse to believe I’m a revolutionary user right?

I mean I’m sitting on $10k worth of bug payouts right now partially because that was already a thing.

> Non-experts can also leverage Mythos Preview to find and exploit sophisticated vulnerabilities. Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit. In other cases, we’ve had researchers develop scaffolds that allow Mythos Preview to turn vulnerabilities into exploits without any human intervention.

I mean yeah. I’ve had these successes without scaffolding or really anything past Claude CLI and a small prompt as well?

Just saw your edit. I'll leave it at this, this is why it's news to me, because by their very own measurements, Opus simply doesn't come close. I trust their empirical evidence over your hearsay. But feel free to prove me wrong with evidence.

> With one run on each of roughly 7000 entry points into these repositories, Sonnet 4.6 and Opus 4.6 reached tier 1 in between 150 and 175 cases, and tier 2 about 100 times, but each achieved only a single crash at tier 3. In contrast, Mythos Preview achieved 595 crashes at tiers 1 and 2, added a handful of crashes at tiers 3 and 4, and achieved full control flow hijack on ten separate, fully patched targets (tier 5).

You've taken control of a remote server running OpenBSD? Or similarly expert level exploit? Can you share one of the bounties you've received that is of the magnitude they're talking about?

Edit: Wait, you wrote "As someone in cybersecurity for 10+ years" elsewhere in this thread. You wrote "a small prompt" using e.g. Opus 4.6 and it found critical vulnerabilities of the magnitude they're describing, presumably without your prompt having anything beyond what a non-expert could write? I feel like you might want to tell Anthropic since clearly they're not comfortable with that level of power being publicly available.

I mean, yes? And my point is that this isn’t exactly a new capability. Sure it’s probably better but we’ve been able to do this. They didn’t just suddenly “turn on the security”. LLMs have excelled at code since widely being released. I have no idea why that’s news and the fact that they’re treating it as such makes it seem like hype.