Small Open Models Reproduce Key Mythos Vulnerability Analysis
Original: Small models also found the vulnerabilities that Mythos found View original →
What the post argues
AISLE’s April 7, 2026 post became one of the largest Hacker News discussions of the cycle, reaching 802 points and 218 comments by April 12, 2026. The article responds directly to Anthropic’s Mythos Preview and Project Glasswing launch, which framed limited-access AI systems as capable of finding and exploiting serious vulnerabilities in critical software. AISLE agrees that the category is real, but argues that the public evidence says less about one unbeatable model than about the surrounding security system.
The strongest part of the write-up is its insistence that AI security is not one monolithic skill. AISLE separates broad scanning, vulnerability detection, false-positive discrimination, patch generation, and exploit construction into different tasks with different scaling behavior. Once the relevant code path was isolated, the company says, small and cheap models could still recover surprisingly large parts of the analysis used to showcase Mythos.
Evidence AISLE highlights
- Eight out of eight tested models detected the flagship FreeBSD NFS issue that Anthropic highlighted.
- That list included a 3.6B-active model priced at $0.11 per million tokens.
- A 5.1B-active open model recovered the core chain of the older OpenBSD SACK bug.
- On a basic security-reasoning task, small open models outperformed several frontier models, reinforcing AISLE’s claim that capability rankings reshuffle from task to task.
Why it matters
AISLE is explicit that these were narrower probes, not full autonomous repository-scale hunts. That caveat matters. Even so, the post pushes the conversation in a useful direction: if cybersecurity capability is jagged rather than smooth, then orchestration, validation, throughput, and maintainer trust matter as much as raw frontier intelligence. For defenders, that implies a different economic model. Instead of relying on one expensive system to look in the right places, teams may be able to deploy cheaper models broadly, then use expert scaffolding to turn wide coverage into actionable findings.
Related Articles
A high-scoring LocalLLaMA thread amplified AISLE's claim that smaller open or low-cost models reproduced much of the vulnerability analysis Anthropic highlighted for Mythos. The central Reddit pushback was that reasoning over an isolated vulnerable function is very different from autonomously finding that bug inside a large codebase.
Anthropic says Project Glasswing used Claude Mythos Preview to surface more than 10,000 high- or critical-severity vulnerabilities. The sharper signal is operational: verification, disclosure, and patching may now lag behind AI-assisted discovery.
Anthropic unveiled Project Glasswing on April 7, 2026, giving major tech and security partners access to Claude Mythos Preview for defensive vulnerability discovery. The company says the model has already found thousands of high-severity flaws and is backing the effort with up to $100 million in usage credits and $4 million in open-source donations.
Comments (0)
No comments yet. Be the first to comment!