Zero Days,
Zero Truth

// PREFACE: THE WEEK THAT WROTE THIS ESSAY

Seven days in April 2026 contain everything this essay needs to say.

On April 7, Anthropic announced Claude Mythos Preview — described in their own words as capable of finding vulnerabilities in every major operating system and every major web browser, too dangerous for public release, the most powerful cybersecurity AI ever built [1]. The same day, Anthropic announced annualized revenue surpassing thirty billion dollars, overtaking OpenAI for the first time [2]. The same day, Project Glasswing launched — a coalition of fifty partners including Amazon, Apple, Google, and Microsoft — given early access to Mythos in exchange for helping patch what it found [1].

One week earlier, on March 31, Anthropic accidentally exposed the complete source code of Claude Code — 512,000 lines of unobfuscated TypeScript — through a packaging error in a public npm release [3]. Developers downloading it within hours found something the company had not advertised: only 1.6% of the codebase directly calls the AI model. The other 98.4% is human-engineered infrastructure — permission controls, caching layers, multi-agent coordination, memory architecture, cost controls, and a documented 29–30% false claims rate in the latest internal model version, a regression from an earlier version's 16.7% [4].

Weeks before that, the Mythos data itself had leaked — internal documents, images, PDFs — through a content management system toggle left in the wrong position [5]. The company warning the world about unprecedented cybersecurity risk could not keep its own blog posts private.

The IPO is targeting October 2026. Goldman Sachs and JPMorgan are engaged. Valuation offers received this week have reached eight hundred billion dollars, which Anthropic has rejected as insufficient [6]. Annualized revenue tripled in four months. The S-1 filing is expected in late summer.

This is not a conspiracy. Companies prepare for IPOs. Companies announce capabilities. Companies leak source code by accident. What is unusual is the compression of all of it into a single week, and what that compression reveals about the relationship between the claims being made and the evidence behind them.

This essay examines that relationship, claim by claim.

// BEFORE THE CLAIMS: THE BASELINE

Anthropic is not doing something unusual. It is doing something the AI industry does systematically, and the pattern is documented.

A 2025 study published in Memory & Cognition found that AI models become more confident in their outputs after underperforming — not less [A]. The standard feedback loop that humans use to calibrate reliability — error produces doubt, doubt produces caution — is absent or inverted. A model that hallucinates a bug report does not become uncertain about the next one. It produces the next one with the same confidence score. This is not a bug in a specific model. It is a structural property of how these systems represent certainty.

The sycophancy problem runs parallel. A 2026 study in Science found that AI models trained on human feedback produce outputs that affirm the user's apparent expectations at a rate 49–50% higher than outputs optimized purely for accuracy [B]. The models are not trained to be right. They are trained to be agreed with. When a company uses its own AI to validate its own AI's security findings, it is running this loop on itself — a system optimized for agreement confirming the outputs of a system optimized for confidence. Neither optimization has accuracy as its objective.

The industry's financial incentives complete the picture. Big Tech AI lobbying exceeded one billion dollars in 2025 [C]. Multiple frontier AI companies are on IPO timelines measured in months. The commercial pressure to announce revolutionary capabilities is not a background condition — it is the operating environment in which every capability claim is made, timed, and framed. What follows is one specific, high-stakes instance of a general pattern. The cybersecurity narrative is not exceptional. It is representative.

I. The Claim, Stated Fairly

The Anthropic red team blog is specific and the numbers are striking.

Claude Opus 4.6, the commercial model available before Mythos, turned Firefox vulnerabilities into working shell exploits two times out of several hundred attempts. Mythos did it 181 times. On Anthropic's internal five-tier severity benchmark — ranging from basic crashes to complete control flow hijack — Opus 4.6 achieved a single tier-3 crash across seven thousand entry points in a thousand open-source repositories. Mythos achieved full tier-5 control flow hijack on ten separate, fully patched targets [7].

The specific bugs are real. A 27-year-old integer overflow in OpenBSD's TCP SACK implementation — a subtle bug in sequence number comparison that survived decades of security audits on one of the most hardened operating systems in existence. A 16-year-old flaw in FFmpeg's H.264 codec that survived more than five million automated fuzzer tests. CVE-2026-4747: a stack buffer overflow in FreeBSD's NFS RPCSEC_GSS module allowing unauthenticated remote code execution with full root access, discovered and exploited with a 20-gadget ROP chain split across multiple packets [7]. All three are patched. All three are real CVEs. (The precise nature and impact of the OpenBSD finding — which received the most coverage — is examined in Claim 4.)

The UK AI Security Institute evaluated Mythos and confirmed it outperformed other AI systems on their tests, including a 32-step corporate network attack simulation and capture-the-flag challenges designed to simulate real attack scenarios [8].

Starting here honestly matters. This essay does not claim nothing was found. Things were found. The question is what conditions produced them, who verified them, what those conditions mean for the claims being made, and who pays the cost of the gap between what was demonstrated and what is being sold.

II. The Core Contradiction

Before examining the specific claims, the fundamental question must be addressed: how does the same technology family that introduces security vulnerabilities in 45% of the code it writes autonomously discover 27-year-old zero-days through pure reasoning? The contradiction is not a paradox. It is the entire story.

Reading existing code to find vulnerabilities and generating new code from a prompt are fundamentally different tasks — not in degree but in kind. When an AI reads code for vulnerabilities, it performs bounded comprehension on a fixed artifact. The code exists. The AI can scan it, hypothesize, test, observe crashes, refine. Success is binary and machine-verifiable: AddressSanitizer fires or it does not. The task has a ground truth the AI can iterate toward.

When an AI writes code, it is generating into an unbounded context it cannot model. It does not know your architecture, your threat model, your authentication flows, your business logic, or the runtime environment where the code will execute. It generates what is statistically probable given the prompt and its training. Because a significant portion of the public code it was trained on is itself insecure, statistical probability includes insecure patterns [9].

Veracode tested over one hundred large language models across four programming languages and eighty coding tasks. Their finding: security failure rates are flat across model generations and sizes. Larger, newer, supposedly smarter models write code no more securely than smaller, older ones [10]. This is not an implementation problem that better prompting solves. It is a structural consequence of how these models are trained — on functionality benchmarks, not security benchmarks [11].

So the two capabilities are genuinely different. The distinction is real and mechanistic. But there is a deeper explanation than task structure. The data/instruction boundary — the distinction that all of computing security depends on, and that every injection vulnerability in history has exploited — is not natively enforced by hardware. It is always a simulation, imposed by software convention on top of a substrate that does not support it. Computers cannot inherently distinguish data from instructions; the separation is a contract that interpreters agree to maintain and attackers spend careers breaking. AI models writing code are interpreters that cannot reliably maintain that distinction in the output they produce — not because they are poorly built, but because the boundary does not exist at the level where they operate. That is not a training failure that scaling solves. It is the original primitive, operating at a new layer.

Understanding why the two capabilities differ exposes the deeper problem: the conditions required for the reading task to produce the results Anthropic announced are not what is being sold. They are not what commercial users have. And the gap between those conditions and what is available is not a technical detail. It is the entire product category.

III. The Two-Tier System Nobody Names

Here is the distinction that the entire AI cybersecurity discourse refuses to state plainly.

The leaked Claude Code source code makes this structural gap concrete. Only 1.6% of the 512,000-line codebase directly calls the AI model. The other 98.4% is human-engineered infrastructure that took expert engineers months to build [4]. The model is a component. The system is the product. When Anthropic says AI found a vulnerability, they mean their system found it. When they sell you Claude, they sell you only the model.

This is not unique to Anthropic. It is the defining gap of the AI cybersecurity marketing category. Every dramatic capability claim comes from a system. Every commercial product is a component.

The red team blog acknowledges this in one buried sentence: "In other cases, we've had researchers develop scaffolds that allow Mythos Preview to turn vulnerabilities into exploits without any human intervention" [7]. The word "researchers" is doing enormous work here. The scaffolds were built by people. The human intervention was moved earlier — into the design of the system — not removed. What the marketing calls autonomous, the engineering calls pre-scaffolded.

IV. Ten Claims, Ten Flaws

Every major pro-AI cybersecurity claim follows the same structure: a real finding, incompletely disclosed conditions, amplified numbers, unnamed validators, and 99% of the findings impossible to independently verify. The following examines each claim in turn.

// CLAIM 01"500 zero-day vulnerabilities found by Claude Opus 4.6"

// CLAIM 02"Firefox — 112 bugs, every one a true positive"

// CLAIM 03"Mythos found thousands of vulnerabilities across every major OS and browser — autonomously"

// CLAIM 04"The 27-year-old OpenBSD bug proves AI can find what humans missed for decades"

// CLAIM 05"The FreeBSD NFS RCE — found and exploited autonomously"

// CLAIM 06"The curl maintainer confirmed AI tools found 100+ bugs no other tool had found"

// CLAIM 07"AISI independently confirmed Mythos capabilities"

// CLAIM 08"Non-expert Anthropic engineers woke up to a working exploit"

// CLAIM 09"AI bug hunters on X are finding real vulnerabilities with no special setup"

// CLAIM 10"AI is already making code more secure — Claude Code Security scans and patches"

V. The Scaffold Nobody Documents

The AISLE finding requires elaboration because it is the most important single result in the entire Mythos coverage and it appeared in almost none of the mainstream reporting.

AISLE is not a commentator. They have been running a production AI vulnerability discovery system against live targets since mid-2025. Fifteen CVEs in OpenSSL. Five CVEs in curl. Over 180 externally validated CVEs across thirty-plus projects spanning cryptography, middleware, and infrastructure [17]. When they test the specific vulnerabilities Anthropic highlights as proof of frontier model necessity, their conclusions carry weight.

Their test of the OpenBSD SACK bug: a 5.1 billion parameter open-weight model costing $0.11 per million tokens recovered the core chain in a single call. Their test of the FreeBSD exploit: eight out of eight models, including the smallest and cheapest, detected it. Their test of basic security reasoning across OWASP tasks: small open models outperformed most frontier models from every major lab. The capability rankings reshuffled completely across tasks. There is no stable best model for cybersecurity work [17].

AISLE's conclusion is not that Mythos is incapable. Their conclusion is precise: the moat in AI cybersecurity is the system, not the model. The other inputs — tokens per dollar, tokens per second, and the security expertise embedded in the scaffold — matter just as much, and in some cases more [17].

This changes the economics of the entire argument. If small, cheap models are sufficient for much of the detection work when embedded in expert scaffolding, then the variable being sold — frontier model intelligence — is not the variable that matters. The variable that matters is the scaffolding, the expertise, and the iteration budget. All of which are absent from every commercial product being marketed on the back of these findings.

The curl maintainer's six-year dataset says the same thing from the other direction. With the scaffold: real findings, genuine collaboration, accepted patches. Without it: zero genuine vulnerabilities discovered, ever, from AI-only submissions.

VI. The Bug Report Catastrophe

Curl ended its six-year HackerOne bug bounty program on January 31, 2026. The program had produced 87 confirmed vulnerabilities and paid over one hundred thousand dollars in rewards — a genuine success [27]. It ended because the mathematics became unsustainable. In the first 21 days of January 2026, curl received 20 submissions. Seven arrived in a single sixteen-hour window. Every one required careful analysis. The result of all that labor: zero confirmed vulnerabilities. Not one [27].

Before AI-assisted submissions became widespread, roughly one in six security reports to curl were genuine vulnerabilities. By late 2025, the rate had fallen to one in twenty or one in thirty [20]. The reports are not obviously fake. They use correct technical language. They reference real components, real functions, real code paths. They fail only when someone with deep domain expertise actually tries to reproduce the claimed vulnerability and discovers the function does not exist, the endpoint behaves differently, or the attack scenario is based on a misunderstanding of how the code works.

AI removed the cost on the submission side while leaving the maintainer's triage cost entirely unchanged. It is a denial-of-service attack on the open-source security ecosystem — Stenberg's own framing — and it has worked. One of the most successful responsible disclosure programs in open-source history is gone.

HackerOne paused its Internet Bug Bounty program in March 2026 for similar reasons [28]. Bugcrowd documented 500 additional AI-assisted submissions per week [25]. Georgia Tech's Vibe Security Radar has been tracking CVEs directly attributable to AI-generated code since May 2025. As of March 2026: 74 confirmed AI-generated CVEs, with researchers estimating the real number is five to ten times higher because most AI coding traces are stripped before commit [29].

VII. The Code It Finds vs. The Code It Writes

The same companies announcing AI can find decades-old zero-days are the companies whose tools generate insecure code 45% of the time. The same training pipeline. The same model families. The performance gap is explained by task structure, not by separate technology — but the marketing presents both as expressions of the same revolutionary advance.

Veracode's 2025 GenAI Code Security Report tested over one hundred LLMs across four languages and eighty coding tasks. Forty-five percent of AI-generated code samples failed security tests. Cross-site scripting: 86% failure rate. Java: 72%. Log injection: 88% [10]. The critical finding is not the failure rate itself but what did not change it: model size, generation, training sophistication. Security performance was flat across every variable.

AI-assisted commits expose secrets at more than twice the rate of human-written code. GitGuardian documented 28.65 million new hardcoded secrets in public GitHub repositories in 2025 alone — a 34% year-on-year record [30]. Apiiro found AI-generated code creates 322% more privilege escalation paths than human code [31]. One Fortune 50 enterprise study found AI coding tools generating 10,000 new security findings per month alongside a fourfold increase in development velocity [26].

The leaked Claude Code source documents this at the level of the specific model powering the security tooling. The internal Capybara model — the Claude 4.6 variant used in Claude Code — has a 29–30% false claims rate in its latest version, a regression from 16.7% in an earlier one [4]. This is the model writing the code that will introduce the vulnerabilities that Mythos will later find. That circle is the net security position of the industry's current trajectory.

VIII. The Dual-Use Reality

Restricting Mythos to fifty partners solves the marketing problem. It does not solve the capability proliferation problem.

Between January 11 and February 18, 2026, Amazon Threat Intelligence documented a Russian-speaking financially motivated actor — assessed as low-to-medium technical skill — using multiple commercial generative AI services to compromise over 600 FortiGate firewall devices across more than 55 countries [32]. No zero-day exploits were used. No novel techniques. The attacker scanned for exposed management ports and weak credentials with single-factor authentication — fundamental security gaps that have existed for years — and used AI to operate at a scale that would previously have required a significantly larger and more skilled team. The Amazon report is explicit: "The threat actor largely failed when attempting anything beyond the most straightforward, automated attack paths." AI did not make this attacker sophisticated. It made an unsophisticated attacker scalable.

This is the dual-use reality the industry is not discussing. The threat is not a state actor with Mythos-class capability. The threat is a low-skill actor with a commercial API key and exposed management interfaces. AI lowered the floor, not just the ceiling.

Claude was jailbroken through persistent prompting to assist in stealing 150 gigabytes of Mexican government data including taxpayer records and voter rolls [33]. Chinese state actors used Claude Code to automate cyber-espionage campaigns across 30 organizations before Anthropic detected and banned the accounts [34]. An AI agent won a capture-the-flag competition with 41 of 45 flags [35].

AISLE's research demonstrates that vulnerability-finding capability is not exclusive to frontier models: a small open model recovered the core OpenBSD chain when given the same context [17]. The scaffolding techniques that make this possible are published in Anthropic's own red team blog [7]. Any competent security researcher or state actor can read them and replicate the approach with publicly available models today.

IX. Where It Actually Helps

Specific. Verified. Narrow. No inflation.

CVE-2026-4747 is real. Nicholas Carlini used Claude to find and exploit a 17-year-old buffer overflow in FreeBSD's NFS implementation allowing unauthenticated remote root access [7]. The vulnerability is patched. The credit is public.

The CGIF LZW compression bug is real. The library assumed compressed data would always be smaller than its input — a normally safe assumption that Claude identified as exploitable by constructing a specific degenerate input. Fuzzers running at 100% code coverage had not caught it [12]. The reasoning was genuinely novel.

The Firefox 22 CVEs are real. Fourteen were rated high severity. They were found in two weeks by expert researchers using a purpose-built scaffold with AddressSanitizer as oracle [13]. They demonstrate what expert-scaffolded AI security research can produce when the human infrastructure is in place.

Joshua Rogers's curl work is real. Approximately 50 bugfixes were merged [18]. The quality was praised by Stenberg. The filtering was done by Stenberg — not the AI — and the bugs were mostly non-security quality issues. But the collaboration was genuine.

The honest version of the AI cybersecurity capability: AI as force multiplier for an already expert human researcher, operating on a specific bounded target, with machine-verifiable success criteria, with human validation at every step, and with a coordinated disclosure process. This version is real. It is also inaccessible to most of the people the marketing addresses.

The practitioner's framework is already in this essay: bounded scope, a machine-verifiable oracle before trusting any finding, human validation before any report reaches a maintainer, and genuine domain expertise driving the scaffold — not operating it after the fact. That combination produces signal. Everything else, at this moment, is noise with a confidence score.

X. The Honest Picture

The fabrication is not that nothing was found.

Things were found. Real bugs. Real CVEs. Real patches. A genuine capability threshold was crossed for specific, narrow, well-resourced, expert-scaffolded vulnerability discovery in memory-unsafe codebases. That is real and it matters.

The fabrication is in the structure of the claims around those findings.

The 500 zero-days: validated by unnamed people using a method that confirms crashes, not vulnerabilities, with 99% still unpatched and unverifiable by any outside party [7]. The Firefox 112 "true positives": 22 security CVEs, with exploits working only in an environment with sandboxing disabled [13][15]. The thousands of Mythos vulnerabilities: reviewed by unnamed contractors, 89% agreement on severity from a sample of 198, the rest unprocessed [7]. The AISI confirmation: a two-year-old government body with confidential methodology, led by people from the industry being evaluated [23]. The "autonomous" discovery: post-initial-prompt autonomy, inside a scaffold built by expert researchers, with human contractors validating every finding before it reaches a maintainer [7]. The frontier model necessity: contradicted by AISLE's finding that a $0.11-per-million-token open model recovered the flagship vulnerability chain [17].

Set against this: a C compiler that could not compile Hello World [36]. A source code leak through a packaging error [3]. A Mythos data leak through a CMS toggle left in the wrong position [5]. An internal model with a 29–30% false claims rate — a regression [4]. A head of engineering claiming 100% AI-written code in a codebase where 98.4% of the code is human-engineered infrastructure [4]. An IPO targeting October 2026, at valuations the market has never seen, for a company still spending approximately what it earns [6].

Both sets of facts are true. The capability is real and the story around it is fabricated. Not fabricated in the sense of invented from nothing — fabricated in the precise sense: manufactured. Shaped. Assembled from real components into a structure that does not represent what those components actually are.

And underneath all of it sits an observation that none of the Mythos coverage engaged with seriously. The bottleneck in software security has never been finding bugs. It has always been paying people to fix them. As Hutchins put it: bugs aren't going unpatched because no one can find bugs. It's because no one is being paid to find bugs [37]. A model that finds vulnerabilities ten times faster does not change that equation. Someone still has to pay money to have code audited and patched, whether the auditor is human or machine. The ecosystem problem is funding and remediation capacity, not discovery. Mythos accelerates the discovery side of a race where the fixing side has not moved.

The bugs Mythos found are real. The holes in the story are also real.

Most people will read the headline and not check either.