Cloudflare Says Anthropic’s ‘Mythos Preview’ Marks Major Leap in AI-Driven Vulnerability Research
Security researchers say advanced cyber-focused LLM can independently chain exploits, validate vulnerabilities and generate working proofs-of-concept

Bengaluru: Global connectivity cloud provider Cloudflare has revealed new insights into the growing capabilities of advanced security-focused AI models, describing Anthropic’s experimental “Mythos Preview” model as a significant breakthrough in automated vulnerability research and exploit development.
In a detailed technical analysis shared under “Project Glasswing,” Cloudflare researchers explained how they tested Mythos Preview across more than 50 internal repositories to evaluate its ability to discover, validate and chain software vulnerabilities.
According to the researchers, the model demonstrated capabilities far beyond conventional coding assistants or automated vulnerability scanners, particularly in two areas — exploit chain construction and autonomous proof generation.
The report said Mythos Preview was capable of taking multiple low-severity vulnerabilities and combining them into a functional exploit chain, reasoning through the attack path in a way that resembled the workflow of an experienced security researcher.
Researchers also observed that the model could independently generate proof-of-concept exploit code, compile and execute it in isolated environments, analyse failures and iteratively refine its attack strategy until successful.
Cloudflare noted that earlier frontier AI models were often capable of identifying potential vulnerabilities but typically failed to complete the exploit chain or confirm real-world exploitability. Mythos Preview, however, could bridge that gap autonomously.
The company also highlighted inconsistencies in the model’s built-in safety behaviours. Although Mythos Preview occasionally refused certain offensive security tasks, the refusals were described as “organic” and unreliable, with semantically similar prompts sometimes producing entirely different outcomes.
Cloudflare warned that future cyber-capable frontier AI systems made available publicly would require stronger safeguards and governance mechanisms beyond emergent model behaviour alone.
The report further described the growing “signal-to-noise” problem in AI-assisted vulnerability discovery, especially in memory-unsafe languages such as C and C++, where speculative or false-positive findings can overwhelm security teams.
To address these limitations, Cloudflare developed a specialised vulnerability discovery “harness” built around multiple coordinated AI agents instead of relying on a single coding assistant. The framework divides tasks into stages including reconnaissance, vulnerability hunting, validation, gap-filling, deduplication, exploit tracing and structured reporting.
The company said narrower, highly focused AI tasks produced substantially better security findings than broad prompts asking a model to analyse an entire repository at once. Independent validation agents using different prompts also helped reduce false positives.
Cloudflare cautioned that faster vulnerability discovery alone would not be enough to defend modern software systems, especially as AI capabilities increasingly compress attacker timelines. The company argued that organisations would need stronger architectural security measures, layered defences and deployment mechanisms capable of rolling out fixes instantly across large-scale environments.
The research was conducted in a controlled environment on Cloudflare’s own codebases, with all identified vulnerabilities reportedly triaged and remediated under the company’s formal vulnerability management process.