Frontier AI models reshape cybersecurity, but access limits create new vulnerabilities

You don't need a zero day. You only need a couple of sixes.
A security expert explains how frontier AI chains low-severity vulnerabilities into critical exploits that bypass traditional patch priorities.

In the spring of 2026, the ancient contest between those who find weaknesses and those who exploit them entered a new phase — not because the nature of vulnerability changed, but because the speed and depth of its discovery did. Anthropic's frontier model, Claude Mythos, surfaced 271 flaws in Firefox in a single month through a restricted program called Project Glasswing, revealing not just more vulnerabilities but a different category of them: the quiet, below-threshold kind that human auditors never reach. Access to this capability has been deliberately rationed to the stewards of foundational infrastructure, creating a deliberate asymmetry — a wager that the defenders of the stack can harden it before the same power reaches those who would unravel it.

  • Mozilla patched 423 Firefox vulnerabilities in April 2026 — a number that would have been unthinkable months earlier, with 271 traced directly to a single frontier AI model in one month.
  • The most unsettling finding isn't the volume but the kind: Mythos surfaces low-severity flaws that no human auditor would prioritize, and then chains them into corridors that lead straight to critical systems.
  • Access to Mythos is locked behind Project Glasswing, a vetted roster of infrastructure giants — AWS, Google, Microsoft, Apple, Cisco — meaning the most powerful defensive tool in existence is also a map of who gets protected first.
  • Beyond code, frontier AI can now generate social engineering campaigns that arrive slowly, across multiple channels, indistinguishable from genuine relationship-building — prompting researchers to call for 'human risk management' as a new discipline.
  • The two-tier system of AI-assisted defense may have a short shelf life: competing models are being distributed more broadly, and the next twelve months will test whether the asymmetry between defenders and adversaries can hold.

In April 2026, Mozilla's security team patched 423 vulnerabilities in Firefox — a figure that would have seemed implausible just months before. Through most of the prior year, monthly counts had stayed between a dozen and twenty-five. In January, Anthropic provided Claude Opus 4.6, which found 22 vulnerabilities in two weeks. Then came access to something far more powerful: Claude Mythos Preview, deployed through a restricted program called Project Glasswing. In April alone, Mythos surfaced 271 of those 423 bugs.

The scale matters less than the composition. Only three vulnerabilities earned CVE entries — the public identifiers that let security teams worldwide discuss the same flaw by name. The rest were lower-severity issues, architectural hardening opportunities, fixes in code paths no human auditor would have examined. Frontier models don't just find more vulnerabilities. They find different ones — the kind that sit below the noise threshold of traditional security work.

Access to Mythos is not open. Anthropic has restricted it through Project Glasswing to a vetted list of infrastructure stewards: AWS, Google, Microsoft, the Linux Foundation, Broadcom, Nvidia, Cisco, Palo Alto Networks, CrowdStrike, Apple, Mozilla. OpenAI is running a parallel program called Trusted Access for Cyber. The roster is, implicitly, a list of which layers of the technology stack will be hardened first — and which will wait.

The deeper danger lies in chaining. A frontier model can scan an organization's external surface, find a medium-severity flaw in a vendor portal, locate a misconfigured system that provides the necessary foothold, and string the two together into a corridor to sensitive data. Neither flaw alone triggers alarm. Together, they are critical. Early testers report that Mythos excels at exactly this — finding the sequence of low-severity exploits that, combined, become devastating.

The vulnerability extends beyond code. Anthropic's own documentation notes that non-experts have used Mythos to produce working exploits overnight. The same capability applies to social engineering: messages that arrive slowly, across email, phone, and LinkedIn, reading like genuine relationship-building rather than urgent scams. One researcher put it plainly — the future requires not just vulnerability management but human risk management.

For now, the restriction holds. But other organizations are developing competing models and distributing them more broadly, to all paying customers, some of whom may be adversaries. The next twelve months will test whether the two-tier system of AI-assisted defense can survive the moment frontier models become commodities.

In April 2026, Mozilla's security team patched 423 vulnerabilities in Firefox. That number would have seemed impossible just months earlier. Through most of the previous year, the monthly count had stayed modest—somewhere between a dozen and twenty-five flaws. Then, in January, Anthropic sent over Claude Opus 4.6, a capable model that found 22 vulnerabilities in a two-week scan. Fourteen of them were serious. But the real shift came when Mozilla gained access to something more powerful: Claude Mythos Preview, Anthropic's frontier model, deployed through a restricted program called Project Glasswing. In April alone, Mythos surfaced 271 of those 423 bugs.

The scale is striking, but the composition matters more. Only three vulnerabilities warranted CVE entries—the public identifiers that let security teams across the world discuss the same flaw by name. The rest were lower-severity issues, architectural hardening opportunities, and fixes in code paths that no human auditor would have bothered to examine. This distinction points to something larger: frontier AI models don't just find more vulnerabilities. They find different kinds of vulnerabilities, the ones that sit below the noise threshold of traditional security work.

But access to Mythos is not open. Anthropic has restricted it to a vetted list of infrastructure giants through Project Glasswing. The roster reads like a map of the technology stack itself. AWS and Google run the cloud platforms where research pipelines execute. Microsoft and the Linux Foundation maintain the operating systems and open-source libraries. Broadcom and Nvidia manufacture the chips. Cisco and Palo Alto Networks build the firewalls. CrowdStrike monitors endpoints. Apple ships devices. Mozilla maintains Firefox. OpenAI is moving along a parallel track with its own restricted program, Trusted Access for Cyber, granting verified defenders access to more capable models. The list of who gets in is, implicitly, a list of which layers of infrastructure will be hardened first—and which will not.

The real danger lies not in individual flaws but in how they chain together. In February 2024, attackers breached Cencora, a pharmaceutical distribution giant, through a single entry point. From there, patient data from 27 drug companies spilled out—Novartis, Bayer, AbbVie, GSK, Bristol Myers Squibb among them. A frontier AI model could automate that entire sequence. It scans a pharma company's external surface and finds a medium-severity flaw in a vendor portal, rated five or six on the CVSS scale. Exploiting it requires local network access, so it sits low on the patch queue. A second scan finds a misconfigured lab information system that provides exactly that foothold. Neither flaw alone triggers alarm. Together, they are a corridor to research data. Early testers report that Mythos and similar models excel at this chaining—finding the sequence of low-severity exploits that, when strung together, become critical.

But the vulnerability extends beyond code. Anthropic's own documentation notes that non-experts with no formal security training have used Mythos to produce complete, working exploits overnight. That same capability applies to social engineering. Frontier AI can generate messages that don't follow the patterns humans have learned to spot. They arrive slowly, strategically, across multiple channels—email, phone calls, text messages, LinkedIn accounts filled with convincing detail. They read like genuine relationship-building, not urgent scams. A security team can harden every system, but how do you harden a CEO against their own psychology? One security researcher framed it plainly: the future requires not just vulnerability management but human risk management.

For now, the restriction holds. Glasswing and Trusted Access for Cyber limit the most capable models to a short list of defenders. But that constraint may not last. Other organizations are developing competing models and distributing them more widely—to all paying customers, some of whom may be adversaries. The next twelve months will test whether the two-tier system of AI-assisted defense can survive the moment when frontier models become commodities.

The time has come to move down to those low-severity vulnerabilities, especially because AI can sit there and chain multiple of those together in a way that escalates the severity.
— Security researcher quoted in the article
How do you secure a CEO from their psychology? You have to have some kind of human vulnerability management.
— Security researcher on social engineering defense
The Hearth Conversation Another angle on the story
Inventor

So Mozilla found 271 vulnerabilities with Mythos that they wouldn't have found otherwise. That sounds like a win for defense.

Model

It is, in the immediate sense. But the real story is what those vulnerabilities represent. Most of them are low-severity, things that would normally sit in a backlog forever because there are always higher-priority flaws to patch.

Inventor

And that matters because?

Model

Because an AI system can see how to chain them together. A flaw that requires local network access, combined with a misconfigured integration—neither one is dangerous alone. But an AI agent can spot that sequence instantly and exploit it at scale. Humans can't work that fast.

Inventor

So the advantage of finding more flaws is offset by the fact that those flaws can be weaponized more easily?

Model

Exactly. And it gets worse when you move beyond code. An AI can generate thousands of personalized social engineering messages across email, phone, text, LinkedIn. Each one looks human, arrives at the right pace, builds a relationship over time. That's much harder to defend against than a phishing email.

Inventor

How do you defend against that?

Model

That's the question nobody has a good answer for yet. You can patch systems. You can't patch people's judgment. That's why some security people are talking about "human risk management" as a discipline.

Inventor

And meanwhile, only a handful of companies have access to the models that can find these chains in the first place?

Model

Right now, yes. But that won't last. Other companies are building competing models and selling them to anyone who can pay. When frontier AI becomes a commodity, the asymmetry disappears.

Contact Us FAQ