Claude Mythos Signals Transitional Decade: AI Exposes Legacy Code Flaws, Sparing Cybersecurity Vendors

Alexander Gostev, Chief Technology Expert at Kaspersky, argues in a recent analysis that advanced AI like Anthropic's Claude Mythos poses a greater threat to outdated software than to security firms.

Drawing a historical parallel to the 1851 Great Lock Controversy, where locksmith Alfred Hobbs exposed flaws in vaunted British locks, Gostev warns of a similar disorienting period in cybersecurity.

The Power of Project Glasswing

Unveiled on April 7, 2026, Project Glasswing provides select partners including AWS and JPMorgan Chase with Claude Mythos Preview access, backed by $100 million in credits.

This frontier model has discovered thousands of zero-day vulnerabilities, many critical and decades old, chaining them into full exploits with ruthless efficiency.

Notably, Mythos uncovered a 27-year-old bug in the rigorously audited OpenBSD codebase from 1996, remaining unpatched in over 99% of instances.

Achieving a perfect 100% score on the Cybench benchmark underscores its superior vulnerability-hunting prowess over prior models like GPT-2.

Legacy Code's Vulnerability Crisis

Systems built on 1980s-1990s languages like COBOL in banking, payment rails, and grid controllers relied on obscurity, now eroded by cheap AI discovery tools.

Unlike patchable flaws in modern audited code, legacy bugs often defy fixes due to lost institutional knowledge.

Cybersecurity Vendors' Evolving Role

Vendors face no existential threat but a workflow shift toward "security left" in development, risking complacency as AI checks seem sufficient—yet models generate secure code only 56% of the time.

Frontier AIs falter on binary analysis, real-time threat intelligence, and attribution, preserving value in human expertise and proprietary data.

A Secure Future Post-Transition

This "transitional decade" demands adaptation, much like the lock industry innovated post-1851, potentially yielding far fewer vulnerabilities by 2035.

Critical infrastructure must seize the grace period to upgrade, averting cascading failures and emerging stronger.