4/23/2026 at 5:19:36 AM
"Sonnet sees the same two “obvious” bugs. It just cannot close the exploitation step. Mythos’s entire frontier advantage over the prior model is therefore bupkis."
What a bizarre conclusion. It "just" cannot close the exploitation step? "Just?"
Developing the working exploit is the hardest part, not finding the bugs. A self-proclaimed security professional should know this.
How is this stuff even making it to the top of HN? Is it just the trendy Anthropic hate? I wonder if these folks will publicly walk back their statements if Mythos turns out to be legit.
by solenoid0937
4/23/2026 at 5:46:15 AM
I don't think there is a general consensus in the security community that finding bugs is easier than writing exploits.
by EE84M3i
4/23/2026 at 4:45:35 PM
It definitely is. You can use all sorts of vuln scanners to find vulns. Most codebases have vulns, and most vulns aren't even reachable. The hard part is chaining them together in a fire-and-forget exploit that gets you what you want from the target.
by solenoid0937
4/23/2026 at 5:38:38 AM
We already have access to a smaller version of the Mythos tier with Opus 4.7: based on the usual delta between the full fat models and their distills, do you really think Mythos breaks cybersecurity?
It's a good model update. We've had these before, and it looks like OpenAI is gearing up to match it this week.
-
Mythos launch has felt like a showman overplaying their hand.
Opus 4.5 put them in an awkward position after everyone went Opus-only and suddenly Sonnet's quota was getting treated like you were asking people to use Haiku.
So a new pretraining run completes and instead of just releasing it as Opus 5, they stick the model in a new tier and name it Mythos Preview, while simultaneously launching Project Glasswing to literally build a mythos around the model.
Some people are even confusing it for some sort of completely new paradigm of model centered on cybersecurity not realizing it's 'just' a new model tier, and the cybersecurity stuff is separate.
While Mythos Preview is simmering a Sonnet-sized distill gets launched as Opus 4.7, at Opus prices, and fixes the margins and compute needs of the Opus tier again.
Improved pretraining + progress on RL allows it to compete even though it's a smaller model, but some things still regress like understanding nuance (hence the regression on Tau bench and agentic search)
-
It's clear they plan to price Mythos like they used to price Opus (so high that you don't see it as a strict replacement for the smaller tiers) and heal the compute crunch just a tad.
The main problem is OpenAI doesn't have to play these games.
They have compute, and GPT-5 is already a very parameter efficient model so they're just going to release their model without the fanfare and mystery.
Mythos might get deflated before they even get to cash in on all the fanfare they created. Unfortunate timing really (if you're Anthropic)
by BoorishBears
4/23/2026 at 5:42:04 AM
If Glasswing was a marketing exercise for Anthropic, why did Linux Foundation issue a joint statement with them? What about Apple? Conspiracy theories aside - what's your Occam's Razor explanation?
by solenoid0937
4/23/2026 at 6:02:29 AM
what's wrong in admitting you don't know something for a fact? i would love to see some proof for mythos or a white paper or something
smaller companies, even startups, are held to much much higher standards
is anthropic somehow immune? what have they done to earn that immunity? what good will, good stewardship, good faith have they shown to the developer community in the past few quarters?
call a spade a spade
by redanddead
4/23/2026 at 4:37:38 PM
Perhaps hardening Firefox? https://blog.mozilla.org/en/firefox/ai-security-zero-day-vul...
The developer community is wildly fickle. They turn on you at the drop of a hat if you don't puritanically adhere to what they want. The question isn't "what have they done for the developer community" (no one working at a real company gives a shit), the question is "are they lying about Mythos".
I don't see why Mozilla would write that blogpost if they were. Is Mozilla lying too now?
by solenoid0937
4/24/2026 at 8:56:40 AM
You don't know what Mozilla got access to. They may just be covering their own asses.
My hunch is that it's a marketing ploy. I don't trust a company that says they can protect others if they let their own tools leak, it feels like logic to me, am I wrong?
by redanddead
4/23/2026 at 11:15:17 PM
I don't understand why you're stuck on the word lie?
These are both true statements:
- We've just developed our new top model for agentic coding
- We've just developed a model capable of finding cybersecurity vulnerabilities at a scale never before seen
The problem is/was when you say the 1st statement, you're saying something that everyone says. OpenAI said something similar for 5.5 just this morning. Once you loudly frame your release in the latter terms, you're not lying... but you're being very intentional in trying to grab headlines.
Every top release from a frontier lab now enables the same thing. That's why we've already had response-level filters on cybersecurity for months now from both OpenAI and Anthropic.
Technically every time either has released a top model for the last several months they've been "enabling automated cybersecurity penetration at a scale never before seen.": it was Anthropic that decided to quadruple down on the language and create a ton of buzz.
But OpenAI today showed that the existing cybersecurity mitigations already addressed the concern of misuse. Anthropic has the same (or even stricter) detection for widescale automated attacks and could have used it to ship Mythos if not for the marketing points.
by BoorishBears
4/23/2026 at 5:47:31 AM
You'd look like an idiot for turning down Anthropic's help, but if Anthropic are over-blowing it, you probably won't have any reputational harm.
by petesergeant
4/23/2026 at 4:38:47 PM
So is this article exaggerated and/or lying? https://blog.mozilla.org/en/firefox/ai-security-zero-day-vul...
by solenoid0937
4/23/2026 at 7:59:23 PM
If it turns out Mythos isn't real, who's going to believe the Linux Foundation or Mozilla the next time there may or may not be a wolf?
by fragmede
4/23/2026 at 8:49:10 AM
I'll go even simpler than the others: you're being given completely subsidized early access to the latest and greatest model. Why not take it?
I'm not saying they're lying about it being a great model, they're just presenting a great model in a very intentional way. That way happens to be drumming up its cybersecurity skills, but those skills are present in all their previous LLMs too.
If you run Project Glasswing with Opus 4.7 instead of Mythos, it still works, just not as effectively... or honestly, maybe even more effectively if you account for final token cost! Since they'll likely want to squeeze better margins out of Mythos than the workhorse models, Mythos might be so expensive that just getting un-moderated access to 4.7 and throwing in the same number of dollars worth of tokens at various codebases uncovers more vulnerabilities!
But the latter half of that paragraph is assuming you're outside Anthropic: Anthropic is doing all of this at cost, so obviously the best model they can muster is the best option to offer.
-
The key is, Mythos isn't using scaffolding or an approach that no other model can meet the floor of. People jumped to small models and that's a bit of a stretch... but the best non-Mythos models can obviously be put in harnesses and used to find vulnerabilities at scale.
Part of the proof there is Anthropic themselves cranking up their cybersecurity request filters and going overboard with CC prompt injections.
by BoorishBears
4/23/2026 at 5:58:14 AM
you think anthropic didn't earn their hate?
by redanddead
4/23/2026 at 12:51:25 PM
Most normal people: "Only you decide what you feel."
HN busybodies: "You have forced me to hate you, im an incapable child"
by halJordan
4/23/2026 at 2:33:55 PM
They said earned, not forced
by queenkjuul
4/23/2026 at 5:24:50 AM
I wonder if these fanboys will publicly walk back their statements if Mythos turns out to be BS. Remember, in French, mythos is short for mythomanes that means "pathological liars"
by vmaurin
4/23/2026 at 5:36:20 AM
Will absolutely walk back, but I simply don't think the Linux Foundation, Apple, etc are lying when they are calling Mythos a genuine issue.
There is healthy skepticism and then there is sticking your head in the sand. When companies and orgs with no financial interest in Anthropic issue a joint statement describing a problem, it is likely that the problem is real (unless you go off into wacky conspiracy territory.)
by solenoid0937
4/23/2026 at 5:59:25 AM
Has an actual Linux dev said anything about it?
by Pay08
4/23/2026 at 8:14:44 AM
Or Apple, or any of the other organisations mentioned on the marketing piece?
by cassianoleal
4/23/2026 at 8:42:04 AM
Mozilla has: https://blog.mozilla.org/en/firefox/ai-security-zero-day-vul...
by Milpotel
4/23/2026 at 4:06:02 PM
Thank you! I had missed that one, and it's an excellent read!
by cassianoleal