An AI Just Found Security Bugs That Hid for 27 Years
Anthropic's new Mythos model has uncovered thousands of unknown software vulnerabilities, including one that lived quietly in OpenBSD for 27 years. Here is what the story means for small businesses and anyone who depends on software that should not break.
By Troy Brown
Anthropic published something this week that has shaken the cybersecurity world. Its newest AI model, Claude Mythos, found thousands of previously unknown security bugs in the software that runs most of the internet. One of them had been hiding in OpenBSD for twenty-seven years.
OpenBSD is software that security professionals have reviewed with a magnifying glass for almost three decades. Mythos found the bug in a matter of weeks.
If you run a small business, make content, or just use a laptop, the knee-jerk move is to tune this out as another inside-baseball AI story. Don't. What happened this week has practical knock-on effects for everyone who depends on software, which is basically everyone.
Here is the short version. Anthropic unveiled a research preview of Mythos and said plainly that it was too powerful to release publicly. In testing, the model found thousands of zero-day vulnerabilities — bugs nobody had publicly reported — in every major operating system, every major web browser, and a long list of critical software.
The list includes that 27-year-old flaw in OpenBSD and a 16-year-old flaw in FFmpeg, the video tool quietly running inside almost every app that handles audio or video. These are not obscure libraries. They are the plumbing of modern software.
Over 99% of the bugs Mythos found have not been patched yet. Anthropic is keeping the details private and disclosing them quietly to the companies that can fix them. Publishing a live list would be like handing burglars a master key ring.
Instead, Anthropic launched something called Project Glasswing. It is a coalition that loans Mythos out, under strict rules, to Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. They use the model to find and fix holes in their own software before attackers do.
Anthropic is putting up $100 million in model credits for partners to run Mythos against their systems, plus another $4 million in donations to open-source security organizations. More than forty additional groups have quietly been added to the program.
Jamie Dimon, the CEO of JPMorgan, said this week that Mythos reveals a lot more vulnerabilities than the industry had assumed were there. He was not being dramatic. The core insight of the research is that defenders have been underestimating how many old, quiet bugs still live in widely used code.
Here is the part that is easy to miss. For most of computing history, finding a serious security hole has been slow, expensive work that required an elite specialist. That is why so many bugs hide for decades. There are not enough eyes.
Mythos changes the math. It can reason about huge codebases at a speed no human team can match. When Anthropic's own researchers say the real bottleneck is no longer finding bugs but fixing them, that is a shift worth taking seriously.
So what does this mean for a small business or a solo operator who will never touch Mythos directly? A few concrete things.
First, the next few months will be patch-heavy. The big vendors you already use — Apple, Microsoft, Google, Cisco, and the rest — are about to ship an unusual number of security updates as Glasswing findings work through coordinated disclosure. Do not fight those updates. If you have been putting off that Mac restart, don't.
Second, what software you run matters more than it used to. End-of-life gear — the old laptop still humming in a back office, the WordPress plugin no one maintains, the router the vendor stopped supporting — becomes a much bigger risk in a world where AI-driven bug hunting is cheap. Unsupported software cannot be patched against flaws that attackers will eventually get their own AI to find.
Third, inventory beats gadgets. Know what software is connected to what, who owns it, and what touches customer or financial data. You cannot patch what you cannot see. A simple spreadsheet of your devices, apps, and vendors puts you ahead of most small operators.
Fourth, you probably do not need to buy a new security product this quarter. You do need to make sure the ones you already have — password manager, multi-factor authentication on email, automatic updates, endpoint protection — are actually on and current. Most small businesses lose to attackers not because of exotic zero-days but because the boring controls slipped.
The honest caution is the same as with every AI milestone. There is some hype in the coverage, and nobody yet knows how this plays out once similar capability lands in less friendly hands. The optimistic read is that defenders are sprinting ahead of attackers. The worried read is that the gap is closing faster than patch cycles were built to handle.
The grounded takeaway is simple. Security has always been a race between people who find flaws and people who fix them. This week, AI became fast enough to change that race. You do not need to panic. You do need to take the ordinary habits seriously.
Update promptly. Retire the old stuff. Keep a short list of what you run. Turn on the basics you already pay for. The businesses that quietly get their house in order over the next few months will barely feel this story. The ones that keep ignoring the boring stuff will find out the hard way.