Zero-Day vs N-Day Vulnerabilities: What the Mythos Announcement Teaches Us
Anthropic’s Claude Mythos Preview technical disclosure uses specific security terminology — zero-day, N-day, control flow hijack — that is second nature to security researchers but opaque to most business owners. This post explains the key concepts and what they mean for your business.
Key Terms From the Mythos Disclosure Explained
| Term | What It Means | Why It Matters for Your Business |
|---|---|---|
| Zero-day vulnerability | A software flaw that is unknown to the software maintainer. No patch exists because nobody knows about it yet. | Mythos found these in every major OS and browser. You cannot patch what nobody knows about — but Project Glasswing is working to change this. |
| N-day vulnerability | A known vulnerability for which a patch has been released but not yet universally deployed. | Mythos can rapidly turn these into working exploits. If you have unpatched known vulnerabilities, your risk window just got shorter. |
| Exploit | Code that takes advantage of a vulnerability to cause unintended behaviour — typically gaining unauthorized access or control. | Mythos autonomously developed complete, working exploits — not just found vulnerabilities. |
| Remote code execution (RCE) | A class of exploit that allows an attacker to run arbitrary code on a target system without physical access. | The most serious common vulnerability class. Anthropic engineers asked Mythos to find RCE vulnerabilities and woke up to working exploits. |
| Control flow hijack (tier 5) | Complete control over a programme’s execution — the attacker determines what code runs next. | Mythos achieved this on 10 separate fully patched targets in internal testing. This is the highest severity level in Anthropic’s five-tier benchmark. |
| JIT heap spray | A specific technique for exploiting just-in-time compiled code (used in browsers) by controlling memory layout. | Mythos wrote a complex JIT heap spray that escaped both browser and OS sandboxes — a highly sophisticated exploit technique. |
| ROP chain | Return-oriented programming — a technique that chains together existing code fragments to achieve arbitrary execution. | Mythos split a 20-gadget ROP chain across multiple packets in a FreeBSD NFS exploit — a technique requiring deep systems knowledge. |
The N-Day Problem: Why Patch Speed Just Became More Critical
The most actionable business implication of the Mythos disclosure is about N-day vulnerabilities — the known vulnerabilities that are already patched but not yet deployed across all systems. Historically, the gap between a vulnerability being publicly disclosed and working exploit code being developed and weaponised has been measured in days to weeks for most vulnerabilities, and months for more complex ones. This gap — the N-day window — has given businesses time to patch before exploitation becomes likely.
Mythos Preview’s capability fundamentally changes this window. A model that can autonomously develop 181 working exploits from known Firefox vulnerabilities on a single overnight run can apply the same capability to any publicly disclosed vulnerability immediately after disclosure. The N-day window — which businesses have historically relied on as a grace period for patching — may now effectively be zero for vulnerabilities that AI tools are applied to immediately after disclosure.
What Zero-Day Discovery at Mythos Scale Means
The scale is unprecedented
Mythos Preview achieved tier-5 crashes (full control flow hijack) on ten separate, fully patched targets in a single test run against roughly 7,000 entry points across 1,000 open source repositories. Traditional security research — even with fuzzing — would typically take weeks to months to find a single tier-5 vulnerability in a well-maintained codebase. Mythos found ten in a single automated run. The implication: if similar capability becomes broadly available, the number of unknown vulnerabilities being discovered and potentially exploited will increase dramatically.
Project Glasswing is the coordinated response
The reason Anthropic launched Project Glasswing alongside the Mythos announcement is precisely the N-day and zero-day problem: if Mythos can find these vulnerabilities, and similar capabilities will eventually be available in broadly released models, the solution is to use Mythos defensively to find and patch the vulnerabilities first. The coordinated disclosure process — reporting to maintainers before publishing — ensures that patches can be developed and deployed before the vulnerability becomes public knowledge that could be weaponised.
The practical business response to N-day compression
For businesses: the practical response to the N-day window compression that Mythos represents is to treat patch management as a continuous, high-priority process rather than a periodic maintenance task. Critical and high-severity patches — particularly for web browsers, operating systems, and network-facing services — should be deployed within hours to days of release, not within the weeks that have been considered acceptable in many organisations. Automated patch management tools (Windows Update, unattended-upgrades on Linux, device management platforms for endpoints) reduce the human overhead of rapid patching.
📌 Anthropic’s disclosure notes that the oldest zero-day found by Mythos so far is a 27-year-old bug in OpenBSD — now patched. This demonstrates that the age of a codebase or the security reputation of the software (OpenBSD is known specifically for its security focus) does not guarantee that all vulnerabilities have been found by prior review. AI-powered vulnerability discovery finds vulnerabilities that have survived decades of expert human review.
Does this mean my business’s systems are actively being attacked right now using Mythos?
No — Mythos Preview is currently in limited release to vetted Project Glasswing partners for defensive use only. The risk is not from Mythos itself but from future models with similar capabilities that may be less carefully released, or from the time when Mythos becomes more broadly available. The appropriate response is to use this period to strengthen your security posture — particularly patch management — before that broader availability arrives.
How do I prioritise which vulnerabilities to patch first?
Use the CVSS (Common Vulnerability Scoring System) score as a guide: Critical (9.0-10.0) and High (7.0-8.9) severity vulnerabilities should be patched within days of patch availability. Focus particularly on internet-facing systems, web browsers, and operating systems — the same categories where Mythos demonstrated zero-day discovery capability. Use sources such as MITRE's CVE list, the National Vulnerability Database (NVD), or your software vendor’s security bulletins to stay current on new vulnerability disclosures.
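The prioritisation rule in this answer and the patch-speed point in the section above, as an added Python example that is not from the original post: it ranks a constructed list of unpatched findings by CVSS band and by the asset classes named here, and measures each finding's N-day exposure (days a fix has existed without being deployed). The SLA day counts, asset category names and placeholder CVE identifiers are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# CVSS bands quoted in the post; SLA days are assumptions chosen for illustration.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))
SLA_DAYS = {"Critical": 1, "High": 3, "Medium": 14, "Low": 30}
SEV_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
# Asset classes the post says to look at first (assumed category labels).
PRIORITY_CATEGORIES = {"internet-facing", "browser", "operating-system"}

@dataclass
class Finding:
    cve: str              # placeholder id, not a real CVE
    cvss: float           # CVSS base score
    category: str         # kind of asset affected
    patch_released: date  # when the vendor shipped the fix
    deployed: bool = False

def severity(cvss: float) -> str:
    """Map a CVSS base score to its band (Critical 9.0-10.0, High 7.0-8.9, ...)."""
    return next(name for floor, name in BANDS if cvss >= floor)

def n_days_exposed(f: Finding, today: date) -> int:
    """Days a fix has existed without being deployed: the N-day window."""
    return 0 if f.deployed else (today - f.patch_released).days

def patch_queue(findings, today):
    """Unpatched findings, most urgent first, each flagged if past its SLA."""
    queue = []
    for f in findings:
        if f.deployed:
            continue
        sev = severity(f.cvss)
        exposed = n_days_exposed(f, today)
        queue.append({"cve": f.cve, "severity": sev, "exposed_days": exposed,
                      "overdue": exposed > SLA_DAYS[sev],
                      "priority_asset": f.category in PRIORITY_CATEGORIES})
    # Highest severity first, then the asset classes the post names, then longest exposure.
    queue.sort(key=lambda r: (-SEV_RANK[r["severity"]],
                              not r["priority_asset"], -r["exposed_days"]))
    return queue

# Constructed sample: placeholder CVE ids and an arbitrary reference date.
TODAY = date(2026, 4, 10)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "internet-facing", date(2026, 4, 8)),
    Finding("CVE-0000-0002", 7.5, "browser", date(2026, 4, 1)),
    Finding("CVE-0000-0003", 5.3, "internal-tool", date(2026, 3, 1)),
    Finding("CVE-0000-0004", 9.1, "operating-system", date(2026, 3, 20), deployed=True),
]
```

Feed `patch_queue` your own scanner export in place of `SAMPLE`; anything flagged `overdue` has already been exposed longer than the window the post argues is no longer safe.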
Want to Understand AI’s Impact on Your Technology Risk?
SA Solutions helps businesses navigate frontier AI developments and their practical security and operational implications.
