Skip to content
News Research

Anthropic research: Claude Mythos Preview built Firefox exploits within 40 minutes of seeing security patches

· by Pondero Newsdesk

The short version

Anthropic's security team published findings showing Claude Mythos Preview turned 14 of 18 Firefox SpiderMonkey patches into working proof-of-concept exploits in under 40 minutes, and built 8 privilege-escalation chains against the closed-source Windows kernel.

Anthropic research: Claude Mythos Preview built Firefox exploits within 40 minutes of seeing security patches

Anthropic's Frontier Red Team published research showing its Claude Mythos Preview model converted known Firefox and Windows security patches into working exploits in hours, shrinking a process that historically took skilled researchers weeks.

What

Given 18 security patches for SpiderMonkey, the JavaScript engine inside Firefox, Claude Mythos Preview produced proof-of-concept crashes for 14 of the 18 vulnerabilities within 40 minutes, per the Frontier Red Team post. The first proof of concept arrived 12 minutes after the model saw the patches. In reliability tests across 50 runs per vulnerability, Mythos Preview reproduced 7 of the 18 bugs on every single attempt.

A second test covered 21 Windows kernel vulnerabilities from January and February 2026 Patch Tuesdays. Working from compiled binaries, public debug symbols, and a machine-generated decompilation (no source code), Mythos Preview found 18 of the 21 vulnerabilities in under six hours, per The Decoder's June 10 report. It was the only model to build full privilege-escalation chains, producing 8 working attack paths from restricted user to SYSTEM at a total API cost of roughly $15,700 (about $2,000 per exploit chain). Opus 4.8, the prior generation, found individual attack components but could not chain them into complete escalation paths.

For comparison, Opus 4.8 managed 11 of 18 Firefox CVEs in the SpiderMonkey test; Opus 4.5 managed 2. The Frontier Red Team also noted that other publicly available models showed meaningful exploit-building capability, not only Anthropic's own. "A lone operator can now turn a month's worth of patches into working exploits in a single afternoon, for a few thousand dollars and with no specialized expertise," the researchers wrote, per The Decoder's summary of the research.

Separately, Anthropic's security team published an analysis of 832 accounts banned for malicious cyber activity between March 2025 and March 2026, mapping their behavior onto the MITRE ATT&CK framework. Per Anthropic's news post, the share of actors scoring medium-risk or higher on AI enablement grew from 33% to 56% between the first and second halves of that period. Some of the exploit findings were included in Verizon's 2026 Data Breach Investigations Report.

Why it matters

The research reframes patch cadence as a security variable. Mozilla recently shortened its Firefox release cycle from monthly to weekly minor updates, a move partly designed to narrow the window between patch availability and attacker exploitation. The Anthropic findings show that window may be measured in minutes for a capable AI system with access to the patch diff, not the weeks that legacy exploitation timelines assumed.

The Windows test adds a harder dimension: the model worked without source code, the condition most closed-source software would present. Microsoft had rated 13 of the 14 vulnerabilities Mythos Preview exploited as "less likely to be exploited" or "unlikely to be exploited" under its existing scheme, a rating Anthropic noted is calibrated to human researcher capability rather than AI-assisted exploitation.

Anthropic framed the capability as a reason to move defenders faster, not to delay model deployment. The company released Mythos Preview initially to a restricted set of critical infrastructure partners and security researchers through Project Glasswing before broader availability.

What to watch next

Anthropic said it is in active discussions with MITRE about updating the ATT&CK framework to capture agentic, autonomous attack behaviors that current technique IDs do not cover. A related question is whether Mozilla or Microsoft revise their exploit-likelihood ratings to account for AI-assisted reverse engineering at this capability level.

Sources