Small models also found the vulnerabilities that Mythos found

Cheap AIs crash the Mythos party, but skeptics cry cherry-pick

TLDR: Small, cheap open models reportedly reproduced many of Anthropic's Mythos showcase vulnerabilities, hinting that size isn't everything. The crowd is split: skeptics call the test cherry-picked snippets, while supporters say Mythos stands out by autonomously building exploits—shifting the debate to systems, methods, and real-world proof.

Anthropic’s big splash with its new security-focused AI, Mythos, came with bold claims—thousands of hidden bugs found across everything from OpenBSD to FFmpeg and even a dramatic FreeBSD hack—plus a $100M credit pledge and a coalition called Project Glasswing. But then a rival team said the quiet part out loud: small, cheap, open models could recreate much of the same analysis. Cue comment-section fireworks. One camp says the test was a cheat code: they “isolated the relevant code,” basically pointing the models at the problem area. “That’s not the same as letting an AI roam free and find it,” argue skeptics, who demand a transparent, repeatable method. Another camp claps back: Anthropic’s brag isn’t about spotting the hole—it’s about autonomously building the exploit, which older models supposedly failed at. The vibe? “Size doesn’t matter” jokes everywhere (someone dropped “Honey, I shrunk the hacker”), while others insist the real moat isn’t the model—it’s the full system and process behind it. The community mood is spicy but pragmatic: prove it works outside curated snippets, show end-to-end wins, and let maintainers vouch for it. Until then, Mythos vs. Mini-Mythos is the hottest reality show in AI security.

Key Points

  • Anthropic announced Claude Mythos Preview and Project Glasswing, committing up to $100M in usage credits and $4M in donations to open source security groups.
  • Anthropic reported Mythos autonomously found thousands of zero-days and built advanced exploits, including cases in OpenBSD, FFmpeg, the Linux kernel, and an RCE on FreeBSD.
  • AISLE tested Mythos’s showcased vulnerabilities with small open-weights models and reproduced much of the analysis, including detecting the FreeBSD exploit across eight models.
  • A 3.6B-parameter model (at $0.11 per million tokens) and a 5.1B-parameter model recovered key elements of Mythos’s examples, indicating jagged capability scaling and no single best model across tasks.
  • AISLE reports extensive prior results (200+ CVEs across projects) via a model-agnostic, modular pipeline focused on maintainer-accepted patches and pre-merge analysis on projects like OpenSSL and curl.

Hottest takes

“Important research but I don’t think it dispels anything about Mythos” — MaxLeiter
“It's a whole other ballgame to ask me with no context to come up with an exploit.” — JackYoustra
“not necessarily that Mythos found vulnerabilities that other models couldn't but that it could easily exploit them” — dist-epoch