Anthropic’s Mythos Found 500 Zero-Days. The Vulnerability Discovery Arms Race Is Here.

Anthropic’s Mythos project found more than 500 zero-day vulnerabilities in Q1 2026. For context: a zero-day is a previously unknown security flaw. Finding one is typically the result of weeks or months of expert research. Mythos found hundreds in three months.

Simultaneously: the cURL maintainer reported that AI-assisted researchers found more bugs in his codebase in Q1 2026 than in all of 2025 combined. The acceleration is not a projection. It’s already happening.

The Dual-Use Problem

Every capability that makes AI useful for finding vulnerabilities makes it equally useful for exploiting them. The same model that scans your codebase for security flaws can be deployed by a threat actor to find entry points in your infrastructure. This is not a theoretical future concern — ransomware groups are already using agentic AI for autonomous reconnaissance and vulnerability scanning.

The asymmetry is brutal: defenders need to find and patch every vulnerability. Attackers only need to find one.

What the Security Industry Needs to Do

The organizations winning the next phase of cybersecurity will be the ones that deploy AI for defense faster than adversaries deploy it for offense. That means automated vulnerability scanning on your own systems before someone else runs it on you. It means AI-assisted patch prioritization. It means treating security as a continuous automated process rather than a periodic audit.

The Buccaneer Take

The vulnerability discovery arms race has started. The window where human-speed security research is competitive with AI-speed threat actors is closing. Six months, maybe twelve. After that, manual security processes are structurally inadequate. The question isn’t whether to use AI for security — it’s whether you deploy it before or after your first breach. 🏴‍☠️