Anthropic's new Claude model just became the world's best security researcher, and nobody trained it to do that.
The Summary
- Anthropic's Claude Mythos Preview found zero-day vulnerabilities in every major OS and browser, including a 28-year-old flaw in OpenBSD and a 16-year-old bug in FFmpeg that survived 5 million rounds of automated testing
- The model was trained for general competency, not security research, and outperforms all but the most skilled human security researchers
- This proves the AGI obsession misses the point: AI doesn't need to be good at everything to reshape entire industries overnight
The Signal
The industry spent years arguing about when we'd hit AGI, the mythical moment when AI matches humans at every task. Meanwhile, Anthropic built a general-purpose model that accidentally became the best security researcher on the planet.
Nobody told Claude Mythos to specialize in finding bugs. Anthropic trained it the same way they trained Sonnet and Opus: broad competency across domains. But when they tested it, Mythos surfaced vulnerabilities that human experts and existing automated tools had missed for decades. A 28-year-old hole in OpenBSD, an operating system built specifically to be secure. A 16-year-old flaw in FFmpeg that had been poked and prodded by automated testing 5 million times without anyone noticing.
This is the pattern that matters. Not "can AI do everything humans do" but "what happens when AI suddenly becomes superhuman at one economically critical task without anyone planning for it." Security research is a $200 billion market built on scarce human expertise. Companies pay six figures for people who can find these bugs. Nation states recruit them. Now there's a model that does it better, and it showed up as a side effect of general training.
The implications run in two directions. First, defenders just got a massive advantage. Every software company can now scan their codebase with Mythos-level capability. Bugs that would have stayed hidden for years get found in days. Second, the same capability is available to attackers. The window between "vulnerability exists" and "vulnerability is exploited" just got a lot shorter. Whoever moves fastest wins.
The Implication
If you're running security for anything that matters, you need to assume every zero-day in your stack will be found within months, not years. The old model where critical bugs hide in plain sight for decades just ended. More broadly, this is how Web4 arrives: not with AGI fanfare, but with AI agents that suddenly become the best in the world at narrow, high-value tasks nobody explicitly trained them for. Watch for this pattern in legal research, drug discovery, and financial analysis next.