A small team with AI broke in five days what took Apple five years to build
In five days, a small team of researchers demonstrated what years of adversarial testing had not: that Apple's most sophisticated memory defense, five years in the making, could be unraveled with the help of an AI model. The event is less a story about a single vulnerability than about a threshold being crossed — the moment when the asymmetry between building defenses and breaking them shifted in ways the industry had not yet fully reckoned with. What was designed for an era before advanced AI now must answer to it.
- A five-year, hardware-level security system Apple deployed across its newest iPhones and MacBooks was bypassed in less than a week by a three-person team.
- The exploit required no special privileges — any local user could have triggered it — yet it delivered root access, the highest level of system control, on live M5 hardware.
- AI didn't work alone: Mythos Preview excelled at pattern-matching known vulnerability classes, but human researchers had to guide it through the novel terrain of a defense mechanism no AI had encountered before.
- Apple's MIE had already neutralized every known public exploit chain against modern iOS, making this breach a signal flare for the entire security industry, not just Apple.
- The team withheld their 55-page technical report and visited Apple Park directly, framing the disclosure as a warning about what small, AI-assisted teams can now accomplish at scale.
A three-person security team at Calif spent five days dismantling one of Apple's most ambitious defenses. Using Anthropic's Mythos Preview AI, they found two unknown bugs in macOS on M5 silicon, chained them together, and achieved root access on a machine protected by Memory Integrity Enforcement — a system Apple had spent five years building.
MIE works by tagging every region of memory with a secret code. Hardware checks each access against that tag; a mismatch crashes the offending process before any damage is done. Built on Arm's Memory Tagging Extension, it had already neutralized every known public exploit chain against modern iOS, including sophisticated kits like Coruna and Darksword. Apple had extended it to M5 MacBooks as a flagship security guarantee.
The timeline was striking. Bruce Dang found the initial bugs on April 25th. Dion Blazakis joined two days later. Josh Maine built the tooling. By May 1st, they had a working exploit requiring only standard system calls available to any unprivileged user — demonstrated on video in twenty seconds on bare-metal hardware.
What made it possible was the combination of AI pattern recognition and human architectural knowledge. Mythos Preview was effective at surfacing bugs within known vulnerability classes, but MIE was new territory. The researchers used their understanding of kernel internals to direct the AI's exploration and validate what it surfaced — a collaboration that compressed years of potential research into days.
The team produced a 55-page report they have withheld pending Apple's fix, and presented their findings in person at Apple Park. Their broader point was pointed: MIE, like most industry defenses, was designed before models like Mythos Preview existed. The question of how security infrastructure holds up against AI-assisted discovery is no longer hypothetical — it is already being answered.
A team of security researchers at Calif spent five days building a working exploit against one of Apple's most ambitious security systems. Using Anthropic's Mythos Preview AI model, they discovered two previously unknown bugs in macOS running on M5 silicon, chained them together, and gained unauthorized root access to a machine that was supposed to be protected by Memory Integrity Enforcement—a hardware-assisted defense system Apple had spent five years developing.
Memory Integrity Enforcement, or MIE, is Apple's answer to a fundamental computer security problem: memory corruption. The system works by tagging every piece of memory with a secret code. When software tries to access that memory, the hardware checks whether the request includes the correct tag. If the tags don't match, the access is blocked and the application crashes. This approach, built on an Arm specification called Memory Tagging Extension, was designed to catch memory corruption bugs before they could be weaponized into exploits. Apple had integrated MIE into all iPhone 17 and iPhone Air models, and more recently brought it to MacBooks with the M5 chip.
The Calif team's breakthrough began almost by accident. On April 25th, researcher Bruce Dang found the initial bugs. Dion Blazakis joined the effort two days later. Josh Maine built the necessary tools. By May 1st, they had a complete, functional exploit. The attack chain required only normal system calls available to any unprivileged local user, yet it culminated in a root shell—the highest level of system access. A 20-second video demonstrated the exploit working on bare-metal M5 hardware with MIE fully enabled.
What made this possible was the pairing of human expertise with Mythos Preview. The AI model proved particularly effective at identifying bugs that belonged to known vulnerability classes. But MIE was different—a new, state-of-the-art defense mechanism that required novel approaches to bypass. This is where the human researchers came in, using their deep knowledge of kernel internals and security architecture to guide the AI's exploration and validate its discoveries. The team produced a 55-page technical report documenting their work, which they have withheld from public release pending Apple's development of a fix.
The researchers emphasized the significance of what they had accomplished. Apple's MIE, despite billions of dollars in development and five years of engineering effort, had disrupted every known public exploit chain against modern iOS—including sophisticated attack kits like Coruna and Darksword that had been leaked to the security community. Yet in just five days, a small team with AI assistance had found a way through. They visited Apple Park to present their findings directly to Apple's security team.
The implications extend beyond this single vulnerability. The Calif team framed their work as a test case for what becomes possible when cutting-edge AI models are paired with expert human researchers. They noted that MIE, like most security mitigations currently deployed across the industry, was designed and built in an era before Mythos Preview existed. As AI capabilities continue to advance, the question facing the security community is no longer theoretical: how will the best defensive technologies hold up when even small teams, armed with powerful AI tools, can discover sophisticated vulnerabilities in days rather than years? The answer, they suggested, is about to be tested at scale.
Citas Notables
Apple spent five years building MIE. Probably billions of dollars too. According to their research, MIE disrupts every public exploit chain against modern iOS.— Calif team
Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing of AI and human expertise.— Calif team
La Conversación del Hearth Otra perspectiva de la historia
Why does it matter that this took five days instead of five years?
Because it shows the leverage point has shifted. Apple spent billions and five years building something that was supposed to be unbreakable. A small team with an AI model broke it in a week. That's not just a faster timeline—it's a different order of magnitude.
But Apple's MIE still stopped all the known exploits, right?
Yes, it did. That's what makes this unsettling. MIE was working exactly as designed against everything in the historical record. The problem is that Mythos Preview doesn't think like previous attackers. It explores the problem space differently.
So the AI found something humans hadn't thought to look for?
More precisely, it found it faster because it could test hypotheses at a scale humans can't. The researchers then validated and weaponized those findings. Neither piece works alone.
What does this mean for the next generation of defenses?
It means security architects have to assume that adversaries will have access to these same AI tools. You can't design a system that's only secure against human-speed attacks anymore.
Did Apple know this was coming?
They knew AI was advancing. But MIE was built before Mythos Preview existed. That's the real gap—the defense was designed for a threat model that's already obsolete.
Is macOS now unsafe to use?
Not yet. Apple will patch this. But the pattern is clear: the time between discovery and exploitation is collapsing. That changes everything about how we think about security updates and disclosure.