21/41
ExploitBench V8 ACE challenges solved by Mythos; GPT-4o and all other models scored zero
10.5x
More exploits generated by Mythos in ExploitGym than the next best model
$35M
Smart contract value identified in SCONE-Bench vulnerability assessment
May 22, 2026
Date Anthropic published the Exploit Evals report

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Anthropic published the Exploit Evals report on May 22, 2026. It is a technical benchmark paper, and it has generated significant practitioner interest from security teams trying to understand what the results actually mean. The numbers are striking enough that they circulate without context: 21/41 V8 ACEs. 10.5x. $35M. For most security professionals, those numbers raise more questions than they answer. What is ExploitBench and how does it work? What constitutes a solved challenge? What does 21/41 mean for real-world attacker capability? Why is GPT-4o at zero significant rather than expected? This post provides the plain-language summary of the Exploit Evals report for security teams who need to understand and explain the results without spending the time to work through the full technical paper. It covers all three benchmarks, the methodology behind each, what the results mean in practice, what they do not measure, and what defenders should do with the information.

What the Exploit Evals Report Is and Why It Matters

The Exploit Evals report is Anthropic's formal disclosure of Claude Mythos's performance on three autonomous exploit development benchmarks designed to evaluate real offensive security capability, not theoretical AI performance on safety evals. Published on May 22, 2026, the report serves two purposes. It provides a technical record of what Mythos can do for the security research community, enabling independent verification and comparison. It also establishes a transparency standard: Anthropic is disclosing the capability of a safety-focused AI model to develop exploits rather than deploying that capability without public disclosure. The report matters for practitioners because it is grounded in confirmed benchmark results, not extrapolated projections. When security teams ask how capable AI attackers are today, the Exploit Evals report provides the most precise current answer available for any publicly disclosed AI system.

ExploitBench: V8 ACE Challenges Explained

ExploitBench is the most technically demanding of the three benchmarks in the Exploit Evals report. The benchmark contains 41 challenges based on real, historical V8 JavaScript engine vulnerabilities. V8 is the JavaScript engine developed by Google and used in Chrome, Edge, and other Chromium-based browsers, as well as in Node.js. V8 ACE (Arbitrary Code Execution) vulnerabilities are among the most consequential browser security issues: they allow an attacker to execute arbitrary code in the browser renderer process, typically as a step in a multi-stage exploit chain that achieves full system compromise via a sandbox escape. Each ExploitBench challenge provides Claude Mythos with a vulnerable V8 version and asks it to develop a working exploit that achieves arbitrary code execution without human direction. A challenge is scored as solved when Mythos produces a working exploit that the benchmark framework can verify. The 51% success rate (21 of 41 challenges solved) means Mythos consistently produced valid working exploits for more than half of a benchmark set of real historical vulnerability classes. No other tested model solved any of the 41 challenges.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

ExploitGym: General Exploit Challenges and the 10.5x Result

ExploitGym is the second benchmark in the Exploit Evals report. Where ExploitBench focuses specifically on V8 ACE, ExploitGym covers a broader range of exploit development challenges across multiple vulnerability classes and software targets. ExploitGym measures the quantity of working exploits an AI system can develop across a diverse challenge set, providing a broader indicator of general exploit development capability rather than performance on one specific challenge type. Claude Mythos generated 10.5x more exploits in ExploitGym than the next best model. This figure is a ratio, not an absolute count: it describes how much more productive Mythos is relative to the best available alternative. The 10.5x result is significant because it indicates that the capability gap between Mythos and other models is not specific to V8 ACE: it holds across the broader range of challenge types in ExploitGym. An attacker with access to Mythos-class capability can generate a substantially larger volume of working exploits across more vulnerability classes than an attacker using any other available model.

SCONE-Bench: Smart Contract Vulnerability Assessment

SCONE-Bench is the third benchmark, covering smart contract vulnerability identification. Smart contracts are code deployed on blockchains that execute automatically when defined conditions are met. They are most commonly associated with decentralized finance (DeFi) protocols, which manage significant value: the DeFi ecosystem has seen hundreds of millions of dollars lost to smart contract exploits in recent years. SCONE-Bench measures Mythos's ability to identify vulnerabilities in smart contracts. The $35M figure in the Exploit Evals report represents the aggregate value of smart contracts with vulnerabilities identified by Mythos during the benchmark. The methodology evaluates whether identified vulnerabilities are genuine, exploitable, and would result in value extraction if exploited against the live contracts. The SCONE-Bench result demonstrates that Mythos's exploit development capability extends beyond traditional compiled software and interpreted runtime environments to smart contract code, which uses different languages (Solidity, Vyper) and a different execution model (EVM). This breadth is relevant for organizations with Web3 exposure or blockchain-adjacent infrastructure.

Categorical Gap Versus Marginal Improvement

The framing of the ExploitBench results as a categorical gap rather than a marginal improvement is analytically important. When a benchmark shows one model at 55% and another at 52%, the difference is marginal: both models demonstrate the capability, and the better performer has a 3-point advantage. When a benchmark shows one model at 51% and every other model at 0%, the difference is categorical: one model demonstrates the capability and the others do not. The practical significance of a categorical gap is that it affects the threat model. A marginal improvement means an attacker with a slightly better model gains a modest advantage. A categorical gap means an attacker with Mythos-class capability has access to a tool that performs a task that no other available tool can perform at all. For ExploitBench specifically, the categorical gap means that autonomous V8 exploit development is, as of May 2026, a Mythos-class capability. An attacker without access to Mythos-class models cannot replicate the ExploitBench results with any other publicly available AI system.

Benchmark Limitations: What the Report Does Not Measure

Understanding what the Exploit Evals benchmarks do not measure is as important as understanding what they do measure. ExploitBench uses historical V8 vulnerabilities: the 41 challenges are based on real bugs that have already been discovered and patched. This means the benchmark tests Mythos's ability to develop exploits for known vulnerability patterns, not its ability to discover novel zero-day vulnerabilities in unpatched production software. The distinction matters: zero-day discovery requires identifying a vulnerability that no one has previously characterized, which is a harder problem than developing an exploit for a known vulnerability type. ExploitGym measures exploit quantity across a diverse challenge set but does not assess the real-world deployability of those exploits against hardened production systems with modern mitigations such as ASLR, stack canaries, and control-flow integrity. SCONE-Bench measures identification under test conditions and does not demonstrate live exploitation of deployed contracts. These limitations do not undermine the significance of the Exploit Evals results, but they provide the context needed to translate benchmark performance into real-world capability estimates without over-extrapolating.

What the Report Implies for Defenders

The Exploit Evals results have four specific implications for defensive security teams. First, browser security posture matters more now: the ExploitBench results demonstrate that V8 ACE exploit development is within the capability of AI systems accessible to sophisticated adversaries. Organizations should review their browser fleet management, patch deployment timelines for Chrome updates, and browser hardening configurations (sandboxing, site isolation, extension policies). Second, the window between vulnerability disclosure and weaponized exploit has shortened: if Mythos can develop working V8 exploits autonomously, the time from vulnerability disclosure to available exploit is no longer constrained by human exploit developer availability. Third, detection investment in browser-based exploitation indicators is now a higher priority: EDR coverage for renderer process anomalies, network-based detection of JIT spray patterns, and anomalous memory allocation signatures are defensive investments worth revisiting. Fourth, organizations with smart contract deployments should treat the SCONE-Bench result as a prompt to audit DeFi protocol code with the same rigor applied to critical infrastructure software.

How the Report Connects to Glasswing Findings

The Exploit Evals report and Project Glasswing are complementary disclosures about the same underlying capability. The Exploit Evals report is the benchmark documentation: it measures Mythos's performance under controlled conditions on defined challenge types. Glasswing is the production application: it applies Mythos to real software targets across 200+ partner organizations and produces confirmed CVEs. The ExploitBench results explain why Glasswing found V8-adjacent vulnerabilities as part of its 9 confirmed CVEs. The ExploitGym results explain how Glasswing generated 10,000+ findings across multiple vulnerability classes in 90 days. The SCONE-Bench results explain Glasswing's smart contract findings. For practitioners, the two documents should be read together: the Exploit Evals report establishes the capability through controlled benchmarking, and the Glasswing findings demonstrate that capability applied to production targets. The Mythos Brief at decryptiondigest.com/mythos-brief synthesizes both documents with practitioner-oriented defensive analysis.

Technical Deep Dive and Defensive Implications from the Mythos Brief

The Mythos Brief provides the technical paper key findings with plain-language annotation, a defensive implications analysis organized by the three benchmark categories, a benchmark methodology deep dive covering how ExploitBench challenges are scored and what constitutes a valid solution, and a practitioner framework for applying the Exploit Evals results to your organization's security program. Brief subscribers receive updates when Anthropic publishes follow-on research extending the Exploit Evals findings.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The Anthropic Exploit Evals report (May 22, 2026) is the most precise public measurement of autonomous AI exploit development capability available. The ExploitBench result (21/41 V8 ACEs for Mythos, zero for GPT-4o and all other tested models) is a categorical gap, not a marginal improvement: one model demonstrates autonomous exploit development capability for a real vulnerability class, and none of the alternatives demonstrate any. ExploitGym (10.5x) extends that gap across a broader range of challenge types. SCONE-Bench ($35M) extends it to smart contract code. The limitations (historical challenges, controlled conditions) are real and should inform how you translate benchmark results into threat models. The most important defensive implication: the timeline from vulnerability disclosure to available exploit has shortened, and browser fleet patch management should be treated with the same urgency as edge device patching. The full technical analysis, defensive implications, and benchmark methodology deep dive are in the Mythos Brief at decryptiondigest.com/mythos-brief.

Frequently asked questions

Where can I read the Anthropic Exploit Evals report?

The Anthropic Exploit Evals report was published on May 22, 2026, and is available on the Anthropic research publications page at anthropic.com/research/exploit-evals. The report is the primary technical source for ExploitBench, ExploitGym, and SCONE-Bench methodology and results. The Decryption Digest Mythos Brief at decryptiondigest.com/mythos-brief provides a practitioner-oriented summary with defensive implications analysis for security teams that do not have time to work through the full technical paper.

What is ExploitBench?

ExploitBench is a benchmark of 41 challenges based on real V8 JavaScript engine arbitrary code execution vulnerabilities. Each challenge presents Mythos with a vulnerable V8 version and asks it to develop a working arbitrary code execution exploit. V8 is the JavaScript engine in Google Chrome and other Chromium-based browsers, making V8 ACE vulnerabilities some of the highest-consequence browser security issues. ExploitBench measures autonomous exploit development capability against real historical vulnerability classes, not synthetic test cases. Claude Mythos solved 21 of 41 challenges. No other tested model, including GPT-4o, solved any.

What does 21/41 V8 ACEs mean?

V8 ACE stands for V8 Arbitrary Code Execution. Solving an ExploitBench challenge means the AI system autonomously developed a working exploit that achieves arbitrary code execution in the V8 JavaScript engine, which is the capability that enables browser-based remote code execution attacks. 21/41 means Claude Mythos solved 21 of the 41 challenges in the benchmark, a 51% success rate. Every other tested model, including GPT-4o, scored zero out of 41. This is not a marginal improvement: it is the difference between no demonstrated capability and demonstrated capability on more than half of a challenging real-world benchmark. The practical implication is that Mythos operates in a different capability class for autonomous exploit development than any other publicly benchmarked model.

How does Mythos compare to GPT-4o in ExploitBench?

Claude Mythos scored 21/41 in ExploitBench. GPT-4o scored zero. No other model tested scored above zero. This is a categorical capability gap rather than a marginal difference. GPT-4o is a highly capable AI model that performs well across many security-adjacent tasks including code review, explaining CVEs, writing security documentation, and generating threat model documentation. But on ExploitBench, which measures autonomous exploit development against real V8 vulnerability classes, it demonstrated no capability at the same challenge set where Mythos succeeded on more than half. The distinction matters for practitioners who are evaluating AI tools for offensive security research or trying to understand the threat posed by AI-powered adversaries.

What are the limitations of the Exploit Evals benchmarks?

The Exploit Evals benchmarks have three important limitations to understand. First, ExploitBench uses historical V8 vulnerabilities, meaning the challenges are based on known vulnerability patterns rather than requiring zero-day discovery in an unpatched system. Performance on known historical challenges does not directly translate to the ability to find entirely novel zero-days in production software. Second, benchmarks measure performance on defined challenge types: the score reflects how well Mythos performs on V8 ACE specifically, not on all vulnerability classes equally. Third, SCONE-Bench measures smart contract vulnerability identification under test conditions, not live exploitation of deployed contracts. The $35M figure reflects the value of contracts with identified vulnerabilities, not funds that were actually extracted. These limitations do not undermine the significance of the results, but they should inform how practitioners interpret the benchmark scores relative to real-world attacker capabilities.

What specific defensive control changes should security engineers implement based on the ExploitBench V8 ACE results?

The ExploitBench result (21/41 V8 ACEs for Mythos, zero for all other models) translates into four specific control changes for security engineers responsible for browser fleet and client-side attack surface. First, compress the Chrome and Chromium browser patch deployment SLA from the standard 14 to 30-day enterprise window to five to seven days for any patch that addresses a renderer process memory safety issue, JIT compiler bug, or JavaScript engine vulnerability -- these are the classes ExploitBench directly targets. Second, enable site isolation and strict site isolation policies across the browser fleet using GPO or Intune, which limits the blast radius of a renderer process compromise by preventing cross-origin memory access even when a JIT vulnerability is exploited. Third, configure EDR rules to alert on anomalous child process creation from browser renderer processes (chrome.exe or msedge.exe spawning cmd.exe, powershell.exe, or wscript.exe), which is the behavioral signature of a successful renderer exploit followed by sandbox escape. Fourth, disable the JIT compiler via enterprise policy for high-risk user populations such as finance and executive roles where phishing is a primary attack vector -- disabling JIT eliminates the vulnerability class that ExploitBench measures, at the cost of some JavaScript performance that is acceptable in high-security contexts.

Sources & references

  1. Anthropic Exploit Evals Report May 22, 2026
  2. Anthropic Project Glasswing 90-Day Report
  3. V8 JavaScript Engine (Chromium)
  4. XBOW AI Security Tool
  5. UK AI Security Institute
  6. ExploitBench V8 Challenge Documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.