Anthropic study shows AI needs hours, not weeks, to build exploits from security patches – the-decoder.com


Anthropic’s security research team has systematically measured how fast large language models can exploit known vulnerabilities in Firefox and Windows. The results upend long-standing assumptions about patching strategies.
When software makers close security holes, a race starts. Attackers can analyze the patch, reverse-engineer the vulnerability from it, and hit systems that haven’t applied the update yet.
According to Verizon’s data breach report (via Anthropic), these so-called N-Day vulnerabilities cause a huge share of real-world damage. Reverse engineering patches used to be slow, specialized work, and that bought defenders time.
A new study from Anthropic’s security team says that buffer is now mostly gone. “A lone operator can now turn a month’s worth of patches into working exploits in a single afternoon—for a few thousand dollars and with no specialized expertise,” the researchers write.
A security patch implicitly tells you where the bug was. Attackers compare old code with new code and pinpoint the flaw. Historically, this took weeks. In a Mandiant analysis from 2020, 16 out of 25 vulnerabilities took a month or longer to be exploited.
Anthropic measured how much large language models speed this up. Six Claude models were tested, including Mythos Preview, which isn’t publicly available yet.
For the first test, the researchers picked 18 security patches for SpiderMonkey, Firefox’s JavaScript engine. Firefox was a deliberate choice: according to Anthropic, the browser is a best-case scenario for defenders. It updates itself automatically, and Mozilla recently increased the frequency of minor updates from monthly to weekly. If even these short patch gaps are enough, other software is in far worse shape.
Mythos Preview produced a crash for 14 of the 18 vulnerabilities, demonstrating that it had located and understood each bug. The first crash came after 12 minutes, and thirteen more followed within 40 minutes; the 14th took much longer, about three hours. Opus 4.5 managed just two, while Opus 4.8 reached 11.
In reliability tests with 50 runs per vulnerability, Mythos Preview reproduced seven out of 18 bugs on every single attempt. Opus 4.8 and Opus 4.6 only hit that level of consistency for one vulnerability each.
More important than a crash is whether the model can actually exploit the vulnerability to run arbitrary code on the target system. Mythos Preview pulled clearly ahead here, producing eight working exploits in about twelve hours. Opus 4.8 managed two; Opus 4.6 and Sonnet 4.6 each managed one. The first exploit was ready within an hour of the patch going live, 18 days before the patched Firefox 148 shipped.
The second test was much harder: 21 vulnerabilities in the Windows kernel from the January and February 2026 Patch Tuesdays, all allowing an attacker to jump from a restricted user account to full admin rights.
Unlike Firefox, Windows source code isn’t open. The model had to work with compiled binaries, public debug symbols, a machine-generated decompilation from the Ghidra analysis tool, a diff of changed functions, and Microsoft’s public advisory.
Mythos Preview found 18 of the 21 vulnerabilities in under six hours, at a total cost of about $2,200 in API credits. Opus 4.8 scored 15, Sonnet 4.6 and Opus 4.7 both scored 13.
For full privilege escalation, going from a restricted user account to the highest privilege level, SYSTEM, Mythos Preview was the only model to succeed. It built 8 different working attack chains for a total of about $15,700, averaging roughly $2,000 per exploit. Opus 4.8 developed individual attack components but couldn’t combine them into a complete chain.
Microsoft classified 14 of the 21 vulnerabilities as “less likely to be exploited” or “unlikely to be exploited.” Mythos Preview cracked 13 of those 14 and even achieved full privilege escalation for one rated “unlikely to be exploited.” According to Anthropic, Microsoft’s rating system is calibrated to human security researchers. Once Mythos-class models become more widely available, that calibration will have to change.
The timing makes it worse. Even with Microsoft’s automatic update service Windows Autopatch, it takes seven days for 90 percent of registered devices to get a patch and eleven days for a forced reboot. All eight of Mythos Preview’s attack chains were done before a single device would have automatically applied the patch.
Anthropic stresses that the Claude models already available to the public can also develop exploits when safety filters are turned off, just less successfully. Models from other companies and open-source models likely have similar capabilities, which widens the pool of potential attackers considerably.
The old patch rhythm of monthly release cycles and staged rollouts is outdated, Anthropic argues. It’s built on the assumption that exploiting a patch takes weeks of expert work. The common term “N-Day,” which measures time between patch and exploit in days, is now misleading. “N-Hour” better describes the new reality.
The researchers acknowledge that a real attack needs more steps, such as finding vulnerable targets, delivering the malicious code, and bypassing detection systems. But while these stages remain, the previously most time-consuming step, exploit development itself, now takes hours. Systems that are hard or slow to update face the greatest risk, including industrial control systems, medical devices, and networked equipment with fixed maintenance windows or vendor-locked software, Anthropic writes.
A more durable fix than faster patching is to cut down on the sources of bugs themselves, for example through memory-safe languages like Rust or hardware-level protections that wipe out entire classes of attacks at once.
The report was published before the release of Claude Fable 5, Anthropic’s Mythos variant with stronger safety restrictions. Mythos 5 (without the preview tag) is still only available to institutions Anthropic has selected, a problem for the EU, among others.