Anthropic study shows AI needs hours, not weeks, to build exploits from security patches

Patches are now roadmaps for attackers

A security patch implicitly tells you where the bug was. Attackers compare old code with new code and pinpoint the flaw. Historically, this took weeks. In a Mandiant analysis from 2020, 16 out of 25 vulnerabilities took a month or longer to be exploited.

Anthropic measured how much large language models speed this up. Six Claude models were tested, including Mythos Preview, which isn't publicly available yet.

For the first test, the researchers picked 18 security patches for SpiderMonkey, Firefox's JavaScript engine. Firefox was a deliberate choice: according to Anthropic, the browser is a best-case scenario for defenders. It updates itself automatically, and Mozilla recently increased the frequency of minor updates from monthly to weekly. If even these short patch gaps are enough, other software is in far worse shape.

Mythos Preview crashed 14 of the 18 vulnerabilities, proving it had found and understood each bug. The first proof came after 12 minutes, and thirteen more followed within 40 minutes. The 14th took much longer, about three hours. Opus 4.5 managed just 2, Opus 4.8 hit 11.