eBook / Report

Beyond Mythos: A CISO's Guide to Building an Effective Software Security Program for the AI Era

Anthropic's Claude Mythos disclosure has every security leader asking the same question: what now?

Written by Varun Badhwar
Published on April 29, 2026
Updated on May 1, 2026

In April 2026, Firefox shipped version 150 with fixes for 271 vulnerabilities, all found by Anthropic’s Claude Mythos Preview in a single evaluation run. The previous release, evaluated with Opus 4.6, turned up 22. That is twelve times as many vulnerabilities in one of the most hardened codebases on the internet.

Anthropic’s Claude Mythos grabbed the world’s attention when Anthropic disclosed that the model had autonomously discovered thousands of zero-day vulnerabilities across every major operating system and browser, including a 27-year-old flaw in OpenBSD.

Anthropic followed shortly after with the announcement of Project Glasswing, an initiative to harden critical national security infrastructure. Further evidence came from an independent evaluation by the UK AI Security Institute (AISI), which confirmed a real capability step: Mythos was the first model to complete a 32-step corporate network attack simulation end-to-end, and it hit 73% on expert-level capture-the-flag tasks (no model before April 2025 could finish one).

This paper covers:

  • Why Mythos is a signpost, not an inflection point
  • Why "reachable, exploitable, unfixed" is the only risk metric that still works
  • The operating model shift: from AppSec-as-ticketing-function to AppSec-as-product-team
  • A board-ready scorecard for the post-Mythos era