Claude Mythos hype is sales pitch on thin bug-review evidence
Source: tomshardware.com
TL;DR
- A Tom's Hardware article argues that Anthropic's Claude Mythos claims of thousands of severe zero-days are overhyped for sales, not proof of sentient hacking.
- The claims extrapolate from 198 manual reviews showing 90% agreement on severity, plus 10 severe bugs and 600 crashable exploits from 7,000 open-source stacks tested.
- It positions Anthropic for government and enterprise contracts amid a history of AI fear-mongering, while real risks remain manageable.
The story at a glance
Tom's Hardware analysis calls out Anthropic's Claude Mythos, an internal AI model for finding vulnerabilities, as more sales pitch than breakthrough after its recent blog and 250-page report. The piece critiques claims of "thousands" of high-severity zero-days in major OSes and browsers from Anthropic, CEO Dario Amodei, and partners like Nvidia's Jensen Huang. This comes days after Anthropic's April 7 announcement limiting Mythos to select partners over dual-use risks.[[1]](https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews)
Key points
- Mythos found crashable exploits in about 600 of more than 7,000 open-source stacks, and just 10 severe vulnerabilities, via OSS-Fuzz-style tests.
- The claim of "thousands" of severe zero-days relies on extrapolation from 198 manually reviewed reports, in which expert contractors matched Claude's severity rating in 90% of cases.
- Many bugs are in legacy software, such as a 16-year-old FFmpeg issue that Anthropic deemed non-critical and hard to exploit.
- Linux kernel findings couldn't be exploited due to defense-in-depth protections; some were already patched recently.
- Anthropic withholds full details for security reasons and restricts Mythos to partnerships with big tech and governments.
- Red Hat noted that many reports flag functionality flaws rather than true security holes.
- The article ties this to Anthropic's pattern of alarming AI papers, foiled hack claims, and job loss warnings to pitch "responsible" AI.
Details and context
Anthropic's Project Glasswing report details Mythos as a leap in autonomous bug hunting across OSes, browsers, and legacy code, but keeps it internal after U.S. government trials with Claude—later pulled over ethical lines like mass surveillance. The model succeeded in 181 of 250 unsandboxed Firefox JavaScript exploits, yet broader claims lean on automation plus slim human validation.[[1]](https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews)
This fits AI firms racing in cybersecurity: OpenAI announced a similar tool right after. Critics like Nvidia's Huang accused Anthropic of fear-mongering to corner the market, echoing OpenAI's pre-ChatGPT tactics.
There is no evidence of AI sentience: the model is pattern-matching, not understanding, and bug-finding aids defense if shared responsibly.
Key quotes
- "This bug ultimately is not a critical severity vulnerability" and "would be challenging to turn this vulnerability into a functioning exploit." (Anthropic's analysis of FFmpeg bug)[[1]](https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews)
- Anthropic on extrapolation: In 90% of the "198 manually reviewed vulnerability reports, [our] expert contractors agreed with Claude’s severity assessment exactly."[[1]](https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews)
Why it matters
Overstated AI threat claims shape policy, funding, and public fear around tools that mostly automate existing security work. Companies and governments may chase limited-access deals, while actual exploit risks stay low due to mitigations like patching. Watch Anthropic's partnerships and OpenAI's rival tool for real-world patches versus more hype.[[1]](https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews)