Mythos: Myth or Menace?

Anthropic’s Mythos model was supposed to be so dangerous at finding security vulnerabilities that they couldn’t release it to the public. That was the headline in April.

The first independent verdict is in. Daniel Stenberg, the creator of cURL, one of the most widely deployed and battle-tested open source projects in existence, ran Mythos against his codebase through Project Glasswing. Mythos claimed five confirmed security vulnerabilities. After Stenberg’s team reviewed them: one low-severity confirmed bug. Three were false positives already documented in the API docs. One was a plain bug, not a security issue.

Stenberg’s conclusion: “The big hype around this model so far was primarily marketing.”

But here is mine: this is one data point. One codebase. One scan. cURL has 30 years of continuous security scrutiny from some of the best engineers in open source. It may be the hardest possible target Mythos could have faced.

One cURL scan doesn’t settle it. The verdict requires more data, more codebases, more independent results from Project Glasswing partners.

In April I wrote that whether Mythos represents a qualitative leap or extraordinary marketing would take months to settle. One cURL scan is one data point. The question is still open.