THREAT INTELLIGENCE | AI SECURITY
10 min read

How AI Discovers Zero-Day Vulnerabilities: A Plain-Language Explainer for Security Leaders

What CISOs and board members need to understand about AI vulnerability discovery before the next briefing

Sources:Anthropic Project Glasswing Announcement|Anthropic Exploit Evals Benchmark Report (May 22, 2026)|Anthropic 90-Day Glasswing Progress Report (July 5, 2026)|UK AI Security Institute Cyber Range Assessment|CISA Known Exploited Vulnerabilities Catalog
21/41
V8 ACE challenges solved by Mythos vs. zero for every other model
10,000+
High/critical severity findings across Glasswing partners
200+
Partner organizations in the Glasswing program

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A zero-day vulnerability is a security flaw that no one has officially discovered and patched yet. For decades, finding them required rare combinations of expertise, time, and sometimes luck. That constraint shaped the entire structure of the cybersecurity industry: patch windows were measured in months, not hours, because attackers with zero-days were rare and sophisticated. That constraint is ending. Anthropic's Claude Mythos, the AI system powering Project Glasswing, solved 21 of 41 expert-level hacking challenges on a standardized benchmark. Every other AI model scored zero. This explainer is for security leaders who need to understand what that means for their organizations without wading through exploit code.

What Is a Zero-Day, in Plain Terms

Software is built by humans, which means it contains mistakes. Most software mistakes are harmless: a button that does not display correctly, a calculation that rounds the wrong way. Some mistakes are security vulnerabilities: flaws that an attacker can exploit to make software do something it was not supposed to do, such as giving an attacker control of a server or access to data it should not reveal.

A zero-day is a vulnerability that the software vendor does not yet know about. The name comes from the fact that there have been zero days for the vendor to issue a patch. If an attacker finds a zero-day before the vendor does, they can use it freely until someone else discovers it and forces a patch to be released. The window between discovery and patch is the period of maximum exposure.

Historically, zero-days were found by sophisticated human researchers: government intelligence agencies, specialized security firms, and highly skilled independent researchers. Finding a zero-day in a mature, well-audited piece of software typically required weeks or months of dedicated effort by someone with deep expertise in that specific software stack. That scarcity made zero-days rare and expensive.

Why Humans Miss Vulnerabilities: The Cognitive Limits of Manual Review

The modern software stack is too large for any human to fully comprehend. A single enterprise application may contain millions of lines of code, hundreds of third-party libraries, and thousands of configuration options that interact in complex ways. Security researchers reviewing this code face a fundamental cognitive limitation: they can only examine one part of the codebase at a time, and they bring their own blind spots and assumptions about where vulnerabilities are likely to hide.

Human researchers also self-select. Given a target with millions of lines of code, a skilled researcher will focus on the components that historically produce vulnerabilities: parsing code, cryptographic implementations, memory management routines. This is rational, but it means that vulnerabilities hiding in less-examined corners of a codebase may go undiscovered for years. The FreeBSD network file system vulnerability that Glasswing surfaced (CVE-2026-4747) had been present in the codebase for 17 years before Mythos found it.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

How AI Changes the Discovery Equation

AI systems like Claude Mythos approach vulnerability discovery without the cognitive constraints that limit human researchers. Mythos can analyze entire codebases simultaneously, maintaining awareness of interactions between components that human researchers would need to context-switch between. It operates continuously, without the fatigue that degrades human analytical performance over long research sessions. And it does not carry the same set of assumptions about where vulnerabilities are likely to be found.

The result is a different kind of coverage. Human researchers go deep into high-probability areas. Mythos goes broad and deep simultaneously, generating and evaluating thousands of vulnerability hypotheses in parallel. The findings that result are not just more numerous. They are different in character: deeper, more complex, and drawn from parts of codebases that had not been systematically examined before.

How Mythos Works at a High Level

Project Glasswing, Anthropic's coordinated vulnerability disclosure program, uses Claude Mythos to analyze the attack surface of partner organizations. Mythos examines source code, compiled software, running systems, and the interfaces between them. It does not just look for known vulnerability patterns. It reasons about what an attacker might try, develops hypotheses about how software might fail, and then attempts to construct working exploits to prove or disprove those hypotheses.

Critically, Mythos does not stop at finding a crash or an error condition. It develops full exploit chains that demonstrate what an attacker could actually accomplish. This is the difference between a theoretical vulnerability and a confirmed security exposure. When Mythos reports a finding, it comes with evidence of exploitability, not just evidence of a flaw.

What the Benchmarks Mean for Your Organization

The ExploitBench result (21 out of 41 V8 arbitrary code execution challenges, with every other model scoring zero) is a capability threshold, not a performance metric. It means that Mythos has crossed from academic capability into demonstrated offensive effectiveness on the kinds of challenges that have historically required elite human expertise.

The SCONE-Bench result identifies $35 million in smart contract vulnerability value, demonstrating that the capability extends beyond traditional systems software into financial and blockchain infrastructure. The ExploitGym result (10.5 times more working exploits than Claude Opus 4.6, the next most capable model) shows that the capability gap between Mythos and the previous generation of AI security tools is not incremental. It is categorical.

For your organization, these benchmarks mean that the assumption underlying most patch prioritization frameworks is no longer valid: the assumption that sophisticated, targeted exploitation of complex zero-days requires rare human expertise and significant time investment. Both constraints are dissolving.

The Defender's Dilemma: AI Finds Vulns Faster Than Organizations Patch

The cybersecurity industry has spent two decades building patch management processes calibrated to a world where new critical vulnerabilities emerge slowly and exploitation follows discovery by weeks or months. Glasswing has issued 1,596 coordinated disclosure notifications in 90 days. The vendor ecosystem receiving those notifications was not built to absorb that volume.

The defender's dilemma is not primarily about AI attackers using these vulnerabilities before defenders can patch. It is about the disclosure volume overwhelming the patch prioritization, testing, and deployment pipelines that organizations rely on. An organization that receives ten Glasswing disclosure notifications simultaneously faces triage decisions that its current processes were not designed to handle.

Patch velocity is the metric that matters most right now: how quickly can your organization move from a validated critical finding to a deployed patch in production? For most organizations, the honest answer is measured in weeks. That window is too long when the disclosure volume is this high.

Board-Level Questions and Answers

Security leaders briefing boards on this topic will encounter a consistent set of questions. Here are direct answers.

'Are we at risk from Glasswing findings?' If your organization runs any of the nine publicly confirmed CVE-affected software components (FreeBSD, wolfSSL, FFmpeg, Linux kernel, VMM software, browser-based applications, V8-dependent systems, OpenBSD, or smart contract infrastructure), you should assume exposure and verify patch status immediately.

'Is Anthropic sharing these vulnerabilities with attackers?' No. Glasswing follows coordinated disclosure principles: vendors receive private notification and a 90-day patch window before public disclosure.

'Is our security team equipped to handle this?' Probably not at current staffing and tooling levels. The volume and sophistication of AI-discovered findings requires AI-assisted triage and patch prioritization on the defensive side.

'What should we spend money on first?' Patch velocity infrastructure, CVD intake processes, and AI-assisted vulnerability management tooling, in that order.

What Leaders Should Do Right Now

Three immediate priorities emerge from the Glasswing 90-day results.

First, verify patch status for the nine confirmed Glasswing CVEs in your environment today. These are not theoretical exposures. They are confirmed, exploitable vulnerabilities in widely deployed software. FreeBSD NFS (CVE-2026-4747), wolfSSL (CVE-2026-5194), and the Linux LPE are the highest-priority for most enterprise environments.

Second, establish a CVD intake process if you do not have one. When Glasswing (or any future AI vulnerability discovery program) contacts your organization with a finding, you need a documented process for receiving, triaging, and escalating the notification. The process should include a designated technical contact, a severity assessment framework, and a patch deployment SLA.

Third, brief your board with the correct threat model. AI vulnerability discovery is not a future risk. It is producing confirmed CVEs today. The board discussion should frame this as a patch velocity and disclosure management challenge, not an abstract AI risk scenario.

Practitioner-Level Defensive Framework: Mythos Brief

The high-level guidance above addresses the most immediate priorities. The Mythos Brief provides a practitioner-level defensive framework built around the Glasswing finding distribution.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

AI has crossed the threshold from research curiosity to active vulnerability discovery at scale. Project Glasswing is not a pilot program or a proof of concept: it is producing confirmed CVEs in production software today. Security leaders who frame this as a future concern are already behind. The Mythos Brief at decryptiondigest.com/mythos-brief provides the practitioner-level detail your team needs to build a defensive posture calibrated to this reality, starting with the nine confirmed CVEs your environment may be running right now.

Frequently asked questions

Should my board be briefed on this?

Yes. The shift to AI-powered vulnerability discovery changes the threat model in two ways that board members need to understand: the speed at which vulnerabilities can be discovered and weaponized is accelerating, and the organizations that previously had security through obscurity (legacy systems, niche software) are no longer protected by that obscurity. This is a material risk question, not just a technical one.

Is AI vulnerability discovery legal?

Yes, when conducted under proper authorization. Project Glasswing operates under explicit agreements with partner organizations. Unauthorized AI-powered vulnerability scanning of systems you do not own would face the same legal exposure as unauthorized human penetration testing, including potential Computer Fraud and Abuse Act liability in the US.

How fast can AI find zero-days?

Anthropic has not published per-finding discovery timelines, but the Glasswing program surfaced more than 10,000 high- and critical-severity findings across 200+ organizations in approximately 90 days of operation. That volume represents more vulnerability discovery in a single quarter than most organizations see from all sources in a decade.

What is our biggest exposure?

Based on the Glasswing CVE distribution, the highest-risk categories are: legacy C and C++ codebases in network-exposed services, cryptographic library implementations, virtualization and container escape paths, and software components with long periods between security audits. If your organization runs FreeBSD, wolfSSL, FFmpeg, or similar foundational open-source software in production, those components warrant immediate audit attention.

Do we need to buy AI security tools now?

The more immediate priority is ensuring your vulnerability management program can handle the incoming volume of AI-discovered CVD notifications. Organizations should have a documented CVD intake process and a patch deployment SLA before they invest in offensive AI tooling. The defensive infrastructure is the bottleneck, not the discovery capability.

What technical evidence should a CISO present to the board to demonstrate that AI vulnerability discovery represents a material change to the organization's threat model, not just incremental risk?

The most compelling technical evidence is the ExploitBench capability gap: Mythos solved 21 of 41 V8 arbitrary code execution challenges while every other evaluated AI model scored zero, which demonstrates a categorical capability threshold rather than an incremental improvement. Pair that with the discovery velocity data -- 10,000-plus high- and critical-severity findings across 200-plus organizations in 90 days -- to show that the rate of vulnerability discovery has increased by an order of magnitude compared to what human research programs produce. The third evidence point is the 17-year-old FreeBSD NFS RCE (CVE-2026-4747): a vulnerability that existed undetected through decades of human security audits and was found within 90 days of AI-assisted review. That single data point demonstrates that the assumption underlying most security posture assessments -- that mature, widely audited codebases have been adequately reviewed -- is demonstrably false. Together, these three points make the case that AI vulnerability discovery changes mean time to exploit, changes the coverage of previously trusted codebases, and changes the volume of disclosures organizations must operationally absorb, all of which are material to the risk model the board uses to set security investment levels.

Sources & references

  1. Anthropic Project Glasswing Announcement
  2. Anthropic Exploit Evals Benchmark Report (May 22, 2026)
  3. Anthropic 90-Day Glasswing Progress Report (July 5, 2026)
  4. UK AI Security Institute Cyber Range Assessment
  5. CISA Known Exploited Vulnerabilities Catalog

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.