AI Hacking Steps Out of the Realm of Fiction
Artificial Intelligence has been heavily utilized to write phishing emails or analyze log files, but true autonomous vulnerability discovery has remained a holy grail for security researchers. That threshold has now been crossed. Anthropic’s powerful, unreleased AI model, known as Claude Mythos Preview, has successfully uncovered severe zero-day vulnerabilities within Apple’s macOS kernel.
The discovery was made by researchers at the cybersecurity firm Calif, who utilized Mythos under a controlled initiative called “Project Glasswing.” This event marks a critical inflection point. AI models are no longer just assistants; they are becoming active agents capable of chaining logic flaws to execute privilege escalation exploits on highly secure operating systems.
The Rise of Autonomous Exploitation
According to recent reports, Mythos was able to ingest macOS architecture logic and write exploit code that successfully linked two separate, previously unknown bugs. While human experts from the Calif team provided the strategic framing, the AI executed the heavy lifting of code generation and bug chaining.
This capability is so advanced that the UK’s AI Security Institute (AISI) recently revised its timeline for autonomous cyber capabilities, noting that models like Mythos and OpenAI’s GPT-5.5 have accelerated the threat landscape by years. Mythos has become the first model to clear all of AISI’s complex cyberattack simulations.
“A model is a brain without a body. When paired with human strategic framing, it becomes an unparalleled offensive weapon.”
Why It Matters
The implications for enterprise security and national defense are staggering. If defensive teams have access to tools like Mythos, they can audit source code and discover deeply buried zero-days before they reach production. Microsoft reported similar success this week, using an agentic system to find 16 new critical vulnerabilities in the Windows networking stack in a single day.
However, the democratization of these capabilities presents a terrifying asymmetry. While top-tier tech companies are using models like Mythos for defensive “Red Teaming,” adversarial hackers will eventually gain access to similarly capable open-weight models. The speed at which software must be patched will need to shift from months to hours. Security is moving from a human-driven discipline to an AI-versus-AI arms race, where human engineers simply oversee the automated defense perimeters.
