https://mhicks.me/categories/software-security/Recent content in Software-Security onHugoenTue, 05 May 2026 07:54:48 -0400https://mhicks.me/blog/beyond-penetrate-and-patch/Tue, 05 May 2026 00:00:00 +0000https://mhicks.me/blog/beyond-penetrate-and-patch/<p>In April, Anthropic announced Claude Mythos Preview alongside Project Glasswing, reporting that the model had identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old bug in OpenBSD.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> Days later, Mozilla announced patches for 271 vulnerabilities Mythos had surfaced in Firefox — a roughly twelve-fold leap over the 22 bugs Opus 4.6 had found only weeks earlier. Mozilla&rsquo;s CTO declared, in a blog post titled &ldquo;The zero-days are numbered,&rdquo; that defenders finally had a chance to win decisively.<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> Anthropic, in its own announcement, argued that once the security landscape reaches a new equilibrium, powerful language models will benefit defenders more than attackers.</p>