Mythos Hunts Vulnerabilities Faster Than Anyone Can Fix Them—Experts Say That’s the Problem

In just seven weeks, the model identified over 2,000 previously unknown software vulnerabilities, flaws that human cybersecurity experts had missed for decades.

When Anthropic introduced its latest AI model, Claude Mythos Preview, the focus was on how powerful the technology had become. But during the introduction, the company also did something unusual — it released a warning. Anthropic itself cautioned that Claude Mythos Preview does not just write better code, it finds the cracks in existing code with a speed and precision that no human security expert can match. And once it finds them, it can exploit them.

That discovery is now worrying cybersecurity experts, banks, regulators and technology companies. The concern is simple. The same AI tools that help developers write software faster may also help attackers break into systems faster.

The implications, security experts say, stretch far beyond Silicon Valley. From India’s banking infrastructure to the safety of the UPI payments platform used by over 800 million people, the arrival of Mythos has set off alarm bells that are growing harder to ignore.

A Machine That Moves Faster Than Any Defence

In just seven weeks of limited testing, Claude Mythos Preview identified over 2,000 previously unknown software vulnerabilities — flaws that human security experts had missed for years or even decades. These included critical weaknesses in widely used operating systems and web browsers.

What makes this significant is not just the number of vulnerabilities found, but the speed. Traditional security audits can take weeks or months. Mythos compressed that timeline to hours. It does not just spot a problem. It works out how to exploit it.

Ashish Tandon, Founder and CEO of Indusface, an application security company, put it plainly: “Mythos doesn’t just find what is broken. It understands how systems fail under pressure. That’s a different class of capability.”

For security teams, this creates a fundamental imbalance. Attackers using tools like Mythos can move at machine speed. Defenders, bound by internal processes, vendor dependencies and regulatory requirements, often cannot.

Why Patching Cannot Keep Up

Finding a vulnerability is only the first step. Fixing it is another challenge entirely, and it is one that organisations are already struggling with.

When a flaw is discovered in third-party software, the organisation using it cannot simply fix it on its own. It must wait for the original vendor to release a patch, test the patch for compatibility, schedule a maintenance window, and then deploy it — often across hundreds or thousands of systems.

Tandon highlighted the specific tension this creates for regulated industries: “The RBI mandates fast patching. It also mandates uptime. Those two requirements are often in direct conflict. A patch deployed too quickly can break a system. A patch deployed too slowly creates a compliance violation.”

This is not a new problem. But Mythos makes it more urgent. If AI can discover and exploit vulnerabilities faster than organisations can respond, the gap between discovery and exploitation — a window that security teams depend on — effectively closes.

“Mythos doesn’t give you more time to fix things. It takes away the time you thought you had,” Tandon said.

The Scale of India’s Exposure

India’s digital financial infrastructure has grown rapidly. UPI now processes over 800 million transactions per month. Aadhaar-based authentication underpins a wide range of services. Core banking systems, many of them built on legacy architecture, connect hundreds of millions of accounts.

This scale creates exposure. Any vulnerability in a widely used component — a database engine, an authentication library, a payment processing middleware — could potentially affect millions of users simultaneously.

Tandon noted that Indian banks face a particular challenge: “Most core banking platforms were built before modern security practices existed. They were not designed with the assumption that an AI system could read every line of their code and find every weakness in hours.”

The Reserve Bank of India and SEBI have both signalled awareness of the risk. The RBI has reportedly held internal discussions on AI-driven threat scenarios. SEBI has begun reviewing cybersecurity requirements for market infrastructure institutions. But regulatory frameworks, by their nature, move more slowly than the technology they are trying to govern.

Business Logic: The Vulnerability Mythos Understands Best

Most traditional security tools focus on known vulnerability types — SQL injection, cross-site scripting, buffer overflows. They look for patterns that match a library of previously identified attacks.

Mythos operates differently. It can understand what a system is supposed to do and identify ways to make it do something else.

“Business logic vulnerabilities are the hardest to catch because they require understanding intent, not just code,” Tandon explained. “A scanner can tell you a field isn’t sanitised. It takes much deeper analysis to recognise that a legitimate transaction flow can be manipulated to authorise something it shouldn’t.”

This matters because business logic flaws are often the most consequential. They are the kind of vulnerability that allows an attacker to transfer funds without triggering fraud alerts, or to escalate privileges inside a system without breaking any technical rules.
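A constructed illustration of the gap Tandon describes (added here; not code from the article, Indusface or Anthropic): every input is a well-typed integer, so a pattern-based scanner finds nothing to flag, yet the flawed execution step trusts the amount re-submitted at execution time instead of the amount a reviewer approved. The hardened form enforces the cross-step invariant. The threshold, function names and workflow are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed toy transfer workflow: initiate -> approve -> execute.
# Amounts above FRAUD_REVIEW_THRESHOLD must go through manual review
# (the "fraud alert" path); the threshold value is an assumption.
FRAUD_REVIEW_THRESHOLD = 50_000


class State(Enum):
    INITIATED = 1
    APPROVED = 2
    EXECUTED = 3


@dataclass
class Transfer:
    transfer_id: str
    requested: int                   # amount the customer asked for
    state: State = State.INITIATED
    approved: Optional[int] = None   # amount a reviewer actually approved


def approve(t: Transfer, amount: int) -> None:
    """Approve a specific amount; large amounts are diverted to manual review."""
    if t.state is not State.INITIATED:
        raise ValueError("transfer already approved or executed")
    if amount > FRAUD_REVIEW_THRESHOLD:
        raise ValueError("amount exceeds threshold: manual review required")
    t.approved, t.state = amount, State.APPROVED


def execute_flawed(t: Transfer, amount: int) -> int:
    """Business logic flaw: checks the state, but trusts the amount
    re-submitted at execution time rather than the approved amount."""
    if t.state is not State.APPROVED:
        raise PermissionError("transfer not approved")
    t.state = State.EXECUTED
    return amount            # may exceed what was approved, no review triggered


def execute_hardened(t: Transfer, amount: int) -> int:
    """Enforces the invariant: the executed amount equals the approved amount."""
    if t.state is not State.APPROVED:
        raise PermissionError("transfer not approved")
    if amount != t.approved:
        raise PermissionError("executed amount differs from approved amount")
    t.state = State.EXECUTED
    return amount
```

Detecting this class of flaw means asserting intent-level invariants (state transitions and amount equality across steps) in tests and audit logic, not scanning fields for unsanitised input.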

The Path Forward

Security experts are broadly aligned on what needs to happen, even if the details remain contested.

Organisations need to move away from periodic security reviews toward continuous monitoring. They need to build and maintain accurate inventories of every software component they depend on — including open-source libraries and third-party services. They need to establish clear processes for prioritising and deploying patches, including the ability to apply temporary mitigations while permanent fixes are prepared.

Tandon framed the challenge in terms of institutional readiness: “The question is not whether Mythos can find vulnerabilities in your systems. It probably can. The question is whether your organisation is structured to respond faster than an attacker can act on what it finds.”

That is, ultimately, a question about governance as much as technology: how decisions are made, how quickly they can be executed, and how well different teams — security, engineering, compliance, operations — can coordinate under pressure.

“AI doesn’t make security harder in theory. It makes slowness fatal in practice,” Tandon said.

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 6,500+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.