
SANS Critical Advisory: BugBusters - AI Vulnerability Discovery Hype vs. Reality

Authored by Ed Skoudis

Anthropic announced Claude Mythos last week. According to Anthropic, the model found thousands of zero-day exploits across every major operating system and web browser. Anthropic considers it too powerful to release publicly and has instead launched Project Glasswing, a coordinated vulnerability disclosure initiative with AWS, Apple, Microsoft, Linux kernel maintainers, Cisco, and others.

The reaction since the announcement has split into two camps, and both miss the mark.

Some are dismissing Mythos as an Anthropic marketing moment. That misreads what is happening. The capability of frontier AI models to discover vulnerabilities has been accelerating for over a year. SANS faculty and staff have been using current AI models for vulnerability discovery in penetration tests for 15 months and have found critical vulnerabilities in production code that had already been tested thoroughly by humans. Anthropic’s Nicholas Carlini delivered a presentation at last month’s unprompted con in San Francisco about Anthropic’s progress in vulnerability discovery, without naming the model, and said that the capabilities he was seeing inside Anthropic’s labs were about to get exponentially better. Mythos is the confirmation.

Others are treating this as a catastrophe. That also misreads the situation. Long-term, Glasswing and projects like it have the potential to dramatically improve the security posture of the software that runs the world.

The real story sits in the middle, and it matters for every security team.

Short-term: The near future could see the release of enormous numbers of critical patches for a large variety of software platforms, which organizations will need to deploy quickly and efficiently. Furthermore, nation-state actors and cybercriminal groups holding stockpiled zero-days are on a clock: Glasswing could render those vulnerabilities worthless in months. The rational move for attackers is to accelerate, so defenders should prepare for a surge in zero-day exploitation over the next 6 to 12 months.

Long-term: Once the patching wave settles, baseline software security improves at a scale we have never seen. The applications, custom code, and internal tools built on top of those platforms still need attention, and that is where the real work begins for security teams.

What you can do right now: This Thursday, SANS is hosting a critical livestream to help the community cut through the noise. Ed Skoudis, Chris Elgee, and Joshua Wright will break down what Mythos and similar models mean, demonstrate AI-assisted vulnerability discovery live using a current model, and lay out what every cybersecurity practitioner needs to know about the months ahead.

SANS Critical Advisory: BugBusters - AI Vulnerability Discovery Hype vs. Reality | Thursday, April 16, 2026 | 12:00 PM Noon ET

Watch live here: No registration required.

The SANS AI Cybersecurity Summit kicks off April 20 with keynotes from Bruce Schneier (Fellow and Lecturer, University of Toronto), Jacob Klein (Head of Threat Intelligence, Anthropic), Anne Neuberger (Senior Advisor, a16z), Sounil Yu (Co-Founder and Chief AI Safety Officer, Knostic), Diana Kelley (CISO, Noma Security), Julie Davila (VP of Product Security, GitLab), Pliny the Liberator (AI Red Teamer and Jailbreak Researcher, BT6 Collective), and more. Free online registration.

The Find Evil SANS AI Hackathon challenges teams to build autonomous AI defenders on the SANS SIFT Workstation. AI threats strike in minutes. Build the defender that responds in seconds. $22,000+ in prizes, April 15 to June 15. https://findevil.devpost.com/
