Source: flyingpenguin.com

Still No Evidence Mythos Better at Security Than Self-hosted LLMs

Anthropic's Mythos AI security tool, touted as too dangerous to release, found only one low-severity vulnerability in the heavily audited curl codebase after a privileged deployment. The curl project lead dismissed the hype as marketing, while a separate AI tool, AISLE, discovered 18 vulnerabilities in the same codebase, including the oldest issue ever reported, at a fraction of the cost.

Published Jun 25, 2026

Anthropic allegedly built Mythos so good at finding vulnerabilities that it was too dangerous to release. Then it was handed to only a few dozen very wealthy organizations under Project Glasswing. One of them ran it against curl and sent the project a report claiming five confirmed security vulnerabilities. The curl security team dug in. Three were false positives flagging behavior already documented in the API docs. The fourth was just a bug. One survived: a low-severity CVE shipping with 8.21.0. The most dangerous code-analysis model in the world, pointed at one of the most audited C codebases in existence, found… a single low.

Whomp whomp, sad trombone for Mythos.

The project lead publicly wrote that the Mythos hype was primarily marketing, given no evidence Mythos finds issues to a higher or more advanced degree than tools that came before it. He also said he is not anti-AI-SAST. He reiterated that AI-powered code analyzers are significantly better at finding flaws than traditional analyzers ever were.

I agree with all of that 100%.

curl is one of the most fuzzed and audited C codebases in existence (OSS-Fuzz, Coverity, CodeQL, multiple paid audits), and finding anything is a good challenge. That’s why what happened next is so interesting.

The curl blog post about Mythos unleashed a wave of non-Mythos AI hunting as researchers piled onto curl with their own tooling. AISLE was hunting curl in fall 2025, before Mythos. When the blog post stirred the field, they were already deep in the codebase and just claimed 6 of 18 discovered. Compare those 18 to the single low-severity one that Mythos was credited with. The AISLE blog post makes it clear their AI method has been the most successful, and yet it is the lowest-cost model, the opposite of the Mythos marketing.
