21/41
V8 ACEs in ExploitBench; every other model scored zero
10.5x
more exploits captured than Opus 4.6 in ExploitGym across 898 patched vulnerability targets
$35M
in exploitable smart contract value identified in SCONE-Bench; next closest model found $19M
83.1%
CyberGym vulnerability reproduction rate vs 66.6% for the prior flagship model

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The cybersecurity industry has lived through two years of AI security tool marketing that rarely connected to adversarial reality. ExploitBench, ExploitGym, SCONE-Bench, and CyberGym are different. They test whether a model can produce working exploits against patched, real-world vulnerabilities under time and turn constraints -- not whether it can write Metasploit modules or explain what a buffer overflow is.

Claude Mythos's results across these four benchmarks are not incremental. They represent the first time any AI model has demonstrated autonomous arbitrary code execution development in V8 at any scale (21/41 versus zero for all others), kernel exploit development at 10.5x the rate of the prior Anthropic flagship, and the ability to identify $35M in smart contract exploits against post-training-cutoff targets. The gap between Mythos and all other models is not a matter of degree.

This analysis walks through what each benchmark tests, what the Mythos results mean in operational terms, and what the combined picture tells security teams about the current state of automated exploit development. If you have been tracking AI security capability claims and waiting for independently verifiable evidence, this is the clearest signal yet.

ExploitBench: V8 Arbitrary Code Execution at Scale

ExploitBench presents models with 41 patched V8 JavaScript engine vulnerabilities organized across 16 capability tiers. Each model receives a 300-turn budget per target and must develop a working arbitrary code execution proof-of-concept from vulnerability description to functional exploit -- no templates, no human scaffolding, no pre-written exploit primitives. The benchmark measures the complete autonomous exploit development pipeline.

Mythos scored 21 out of 41. Every other tested model scored zero. That is not a margin; it is a categorical boundary. The benchmark separates models that can develop end-to-end exploits from those that cannot, and as of the published results, only Mythos crosses it.

Mythos is also the only model in the benchmark to reliably escape the V8 sandbox -- a prerequisite for the class of browser exploit that reaches beyond the renderer process. On CVE-2023-6702, all prior human-developed public exploits were probabilistic, relying on heap layout assumptions that had to be retried. Mythos produced a near-deterministic exploit derived from first principles. The benchmark co-author's assessment: 'Mythos executed this cleanly and flawlessly without any publicly available information on this specific exploit technique.' That means it was not replaying a memorized approach. It reasoned to the technique.

ExploitGym: Kernel Exploits at 10.5x the Rate

ExploitGym scales the evaluation to 898 patched vulnerabilities across OSS-Fuzz, V8, and the Linux kernel. Models receive a two-hour window per target. Scoring distinguishes between flags captured via the intended vulnerability path -- harder, requires understanding the specific flaw -- and flags captured via any viable path. The distinction matters because intended-path captures demonstrate real vulnerability comprehension rather than opportunistic exploitation.

Mythos: 157 intended-path flags, 226 total. Opus 4.6: 36 total. The 10.5x ratio understates the practical gap, because total flags include easier alternative paths. On intended-path captures alone, Mythos is operating in a category Opus 4.6 does not meaningfully participate in.

The more operationally significant finding is kernel exploit development. Mythos is one of only two models across the entire ExploitGym field that regularly produced kernel exploits -- the vulnerability class that leads directly to local privilege escalation. Kernel exploits have historically required senior vulnerability researchers months of work. Seeing a model produce them reliably, at scale, in a two-hour window is the ExploitGym result that security teams most need to absorb.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

SCONE-Bench and CyberGym: The Remaining Benchmarks

SCONE-Bench addresses a legitimate criticism of AI capability benchmarks: models may be recalling memorized exploit techniques rather than reasoning about vulnerabilities. SCONE-Bench restricts its test set to smart contract vulnerabilities published after January 2026, past Claude Mythos's training cutoff. Memorization cannot explain the results. Exploit value is measured at historical exchange rates to normalize for asset price volatility.

Mythos: $35M in exploitable smart contract value identified. The next closest model identified approximately $19M -- a 75% gap. Mythos was the only model to exploit every tested vulnerability. On a benchmark explicitly designed to prevent training-data advantage, it still dominates by a margin that rules out marginal capability differences.

CyberGym measures vulnerability reproduction: given a CVE description and target, can the model reproduce a working exploit? Mythos: 83.1% versus 66.6% for Opus 4.6. On Firefox JIT heap spray specifically -- a well-documented but technically demanding exploit class -- Mythos achieved 72.4% versus 14.4% for Opus 4.6, a five-fold improvement in autonomous exploit reliability. The UK AI Security Institute's independent evaluation found Mythos to be the first model to complete both of their cyber range challenges end-to-end. XBOW's web exploit benchmark yielded an unambiguous practitioner assessment: 'significant step up over all existing models.'

What the Benchmark Results Mean for Security Operations

The framing matters. These results are not evidence that AI models are incrementally better at security tasks. The benchmark authors describe the advance as 'a step-change in the ability to combine multiple attack primitives into complete exploitation chains.' Prior models could develop individual primitives -- a heap spray here, a type confusion trigger there. Mythos chains them. That is the capability that makes the difference between an AI model that assists a researcher and one that operates as a researcher.

The practical implication for security operations: attack surface that was previously too complex to chain reliably -- multi-stage V8 exploits, kernel local privilege escalation, cross-contract reentrancy chains -- is now reachable by an automated system for API costs in the low thousands of dollars per target. The cost curve for sophisticated exploit development has dropped by several orders of magnitude.

Security teams need to update three assumptions. First: vulnerability age no longer predicts audited status. Second: the exploit development timeline for known CVEs is now measured in hours, not weeks. Third: the population of actors capable of producing working exploits against complex targets is no longer constrained by the supply of senior human researchers. Each of these has direct implications for patch prioritization, disclosure windows, and IR trigger thresholds that are covered in the defensive guide linked below.

The bottom line

ExploitBench and ExploitGym are the most rigorous public measurements of AI exploit capability published to date. Mythos's 21/41 V8 ACE rate and 10.5x ExploitGym lead over Opus 4.6 are not marketing claims -- they are independently structured evaluations with patched real-world targets. Security teams that have been waiting for clear evidence before updating their threat models now have it. For a practitioner-focused breakdown of what Claude Mythos means for your specific operations and how to evaluate AI cybersecurity risk in your environment, read the free Mythos Brief at /mythos-brief.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is ExploitBench and how does it test AI models?

ExploitBench is a benchmark that presents AI models with 41 patched V8 JavaScript engine vulnerabilities organized across 16 capability tiers. Each model receives a 300-turn budget per target and must produce a working arbitrary code execution proof-of-concept from scratch. It measures autonomous exploit development end-to-end, not just vulnerability identification.

What is ExploitGym?

ExploitGym tests 898 patched vulnerabilities drawn from OSS-Fuzz, V8, and the Linux kernel. Models receive a two-hour window per target and are scored on whether they capture flags using the intended vulnerability path (harder, scored separately) or any viable path. Mythos produced 157 intended-path flags and 226 total, compared to 36 total for Opus 4.6.

What is SCONE-Bench?

SCONE-Bench evaluates smart contract exploitation against vulnerabilities published after January 2026, past Claude Mythos's training cutoff, eliminating the possibility of memorized exploits. Exploit value is measured at historical exchange rates. Mythos identified $35M in exploitable value, 75% more than the next closest model, and was the only model to exploit every tested target.

What score did Claude Opus 4.6 achieve on ExploitBench?

Claude Opus 4.6 scored zero on ExploitBench. Every model other than Claude Mythos scored zero. Mythos scored 21 out of 41, making it the only model to demonstrate autonomous arbitrary code execution against patched V8 vulnerabilities at any level.

What does 'arbitrary code execution' mean in the ExploitBench context?

In ExploitBench, arbitrary code execution means the model has produced a working proof-of-concept that allows an attacker to execute attacker-controlled code in the target process by triggering a memory safety vulnerability in the V8 JavaScript engine. It requires escaping the V8 sandbox, which Mythos is the only model to do reliably.

Are these benchmarks publicly available?

The benchmark methodologies and aggregate results are described in Anthropic's Exploit Evals report at red.anthropic.com. The underlying vulnerability datasets are not publicly released in full due to responsible disclosure requirements, but the benchmark co-authors have published methodology papers and detailed per-result notes for select vulnerabilities.

Sources & references

  1. Anthropic Exploit Evals benchmark report
  2. Assessing Claude Mythos Preview cybersecurity capabilities, Anthropic
  3. MOSAIC-Bench: Measuring Compositional Vulnerability Induction in Coding Agents
  4. Benchmarking Mythos-Linked Bug Rediscovery
  5. Claude Mythos: AI Vulnerability Discovery and Containment Failures, Cloud Security Alliance

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.