소규모 오픈소스 LLM, 앤스로픽 신형 보안 모델과 동일한 취약점 발견

AI Cybersecurity After Mythos: The Jagged Frontier Author Stanislav Fort Date Published April 7, 2026 Why the moat is the system, not the model TL;DR: We tested Anthropic Mythos's showcase vulnerabilities on small, cheap, open-weights models. They recovered much of the same analysis. AI cybersecurity capability is very jagged : it doesn't scale smoothly with model size, and the moat is the system into which deep security expertise is built, not the model itself. Mythos validates the approach but it does not settle it yet. The announcement On April 7, Anthropic announced Claude Mythos Preview and Project Glasswing , a consortium of technology companies formed to use their new, limited-access AI model called Mythos , to find and patch security vulnerabilities in critical software. Anthropic committed up to 100M USD in usage credits and 4M USD in direct donations to open source security organizations. The accompanying technical blog post from Anthropic's red team refers to Mythos autonomously finding thousands of zero-day vulnerabilities across every major operating system and web browser, with details including a 27-year-old bug in OpenBSD and a 16-year-old bug in FFmpeg. Beyond discovery, the post detailed exploit construction of high sophistication: multi-vulnerability privilege escalation chains in the Linux kernel, JIT heap sprays escaping browser sandboxes, and a remote code execution exploit against FreeBSD that Mythos wrote autonomously. This is important work and the mission is one we share. We've spent the past year building and operating an AI system that discovers, validates, and patches zero-day vulnerabilities in critical open source software. The kind of results Anthropic describes are real. But here is what we found when we tested: We took the specific vulnerabilities Anthropic showcases in their announcement, isolated the relevant code, and ran them through small, cheap, open-weights models. Those models recovered much of the same analysis. Eight out of eight models detected Mythos's flagship FreeBSD exploit, including one with only 3.6 billion active parameters costing $0.11 per million tokens. A 5.1B-active open model recovered the core chain of the 27-year-old OpenBSD bug. And on a basic security reasoning task, small open models outperformed most frontier models from every major lab. The capability rankings reshuffled completely across tasks. There is no stable best model across cybersecurity tasks. The capability frontier is jagged. This points to a more nuanced picture than "one model changed everything." The rest of this post presents the evidence in detail. Context: where AI cybersecurity already stands At AISLE , we've been running a discovery and remediation system against live targets since mid-2025: 15 CVEs in OpenSSL (including 12 out of 12 in a single security release , with bugs dating back 25+ years and a CVSS 9.8 Critical), 5 CVEs in curl, over 180 externally validated CVEs across 30+ projects spanning deep infrastructure, cryptography, middleware, and the application layer. Our security analyzer now runs on OpenSSL, curl and OpenClaw pull requests, catching vulnerabilities before they ship. We used a range of models throughout this work. Anthropic's were among them, but they did not consistently outperform alternatives on the cybersecurity tasks most relevant to our pipeline. The strongest performer varies widely by task, which is precisely the point. We are model-agnostic by design. The metric that matters to us is maintainer acceptance. When the OpenSSL CTO says "We appreciate the high quality of the reports and their constructive collaboration throughout the remediation," that's the signal: closing the full loop from discovery through accepted patch in a way that earns trust. The mission that Project Glasswing announced in April 2026 is one we've been executing since mid-2025. Decomposing the pipeline The Mythos announcement presents AI cybersecurity as a single, integrated capability: “point” Mythos at a codebase and it finds and exploits vulnerabilities. In practice, however, AI cybersecurity is a modular pipeline of very different tasks, each with vastly different scaling properties: Broad-spectrum scanning : navigating a large codebase (often hundreds of thousands of files) to identify which functions are worth examining Vulnerability detection : given the right code, spotting what's wrong Triage and verification : distinguishing true positives from false positives, assessing severity and exploitability Patch generation : fixing the vulnerability correctly (and potentially also) Exploit construction : turning a vulnerability into a working attack (ROP chains, privilege escalation, sandbox escapes) The Anthropic announcement blends these into a single narrative, which can create the impression that all of them require frontier-scale intelligence. Our practical experience on the frontier of AI security suggests that the reality is very uneven. We view the production function for AI cybersecurity as having multiple inputs: intelligence per token, tokens per dollar, tokens per second, and the security expertise embedded in the scaffold and organization that orchestrates all of it. Anthropic is undoubtedly maximizing the first input with Mythos. AISLE's experience building and operating a production system suggests the others matter just as much, and in some cases more. The bottom line, before the evidence We'll present the detailed experiments below, but let us state the conclusion upfront so the evidence has a frame: the moat in AI cybersecurity is the system, not the model. Anthropic's own scaffold is described in their technical post: launch a container, prompt the model to scan files, let it hypothesize and test, use ASan as a crash oracle, rank files by attack surface, run validation. That is very close to the kind of system we and others in the field have built, and we've demonstrated it with multiple model families, achieving our best results with models that are not Anthropic's. The value lies in the targeting, the iterative deepening, the validation, the triage, the maintainer trust. The public evidence so far does not suggest that these workflows must be coupled to one specific frontier model. There is a practical consequence of jaggedness. Because small, cheap, fast models are sufficient for much of the detection work, you don't need to judiciously deploy one expensive model and hope it looks in the right places. You can deploy cheap models broadly , scanning everything, and compensate for lower per-token intelligence with sheer coverage and lower cost-per-token. A thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look. The small models already provide sufficient uplift that, wrapped in expert orchestration, they produce results that the ecosystem takes seriously. This changes the economics of the entire defensive pipeline. Anthropic is proving that the category is real. The open question is what it takes to make it work in production, at scale, with maintainer trust. That's the problem we and others in the field are solving. The evidence: cybersecurity capability is surprisingly jagged To probe where capability actually resides, we ran a series of experiments using small, cheap, and in some cases open-weights models on tasks directly relevant to the Mythos announcement. These are not end-to-end autonomous repo-scale discovery tests. They are narrower probes: once the relevant code path and snippet are isolated, as a well-designed discovery scaffold would do, how much of the public Mythos showcase analysis can current cheap or open models recover? The results suggest that cybersecurity capability is jagged : it doesn't scale smoothly with model size, model generation, or price. We've published the full transcripts so others can inspect