Cloudflare: Mythos turns small bugs into working exploit chains

Cloudflare has given one of the clearest public looks yet at what advanced cyber models do when they are pointed at real production code. The company tested Anthropic's Mythos Preview through Project Glasswing and described a shift security leaders should take seriously: the model does not merely flag individual weaknesses. It can connect several small flaws into a working exploit chain.

That is the difference between a scanner and an attacker.

Cloudflare says it ran Mythos Preview against more than 50 of its own repositories. The work covered live code across its runtime, edge data path, protocol stack, control plane and open-source dependencies. The goal was twofold: find issues in Cloudflare's own infrastructure, and understand what attackers may soon be able to do with the same class of models.

Mythos Preview is not generally available. Cloudflare received access through Anthropic's Project Glasswing. The company says the work was conducted in a controlled environment against its own code, and that every vulnerability surfaced through the work was triaged, validated and remediated where action was needed.

What Cloudflare observed

Cloudflare highlights two capabilities that make Mythos different from general-purpose frontier models.

The first is exploit chain construction. Real attacks rarely rely on one bug. They often combine several primitives: a use-after-free, an arbitrary read or write primitive, control-flow hijacking and code execution through a chain of techniques. Cloudflare writes that Mythos can reason about how to combine such steps into a working proof.

The second is proof generation. The model writes code intended to trigger a suspected bug, compiles it in a scratch environment, runs the test and adjusts its hypothesis when the program behaves differently than expected. The governance point is simple: a report with a working proof of concept is actionable. A vague possible issue is just another item in the queue.

Cloudflare says other frontier models found some of the same underlying bugs. The difference was often where they stopped. They could explain why a bug mattered, but did not always complete the chain that showed whether it was exploitable. Mythos closes more of that gap on its own.

Refusals are not a safety boundary

One of the most important observations is not about raw capability. It is about unstable safety behavior. Cloudflare writes that the Mythos Preview version provided through Project Glasswing did not have the additional safeguards present in generally available models such as Opus 4.7 or GPT-5.5. Even so, the model sometimes pushed back against certain requests.

The problem was consistency. Equivalent tasks could be refused in one context and completed in another. Cloudflare describes cases where the model initially refused to perform vulnerability work on a project, then accepted similar work after an unrelated change to the environment. In another case, it found and confirmed serious memory bugs, but refused to write a demonstration exploit until the task was framed differently.

That matters for executives. Model behavior cannot be the only control. If a company uses powerful agents for security work, controls must also sit around the model: access management, isolated execution, logging, policy, approvals, data boundaries and accountable human review.

Noise is now a management problem

Cloudflare also points to the operational problem every CISO knows: signal versus noise. AI tools can generate more findings than humans can triage. That is especially true in C and C++, where memory-safety issues produce many false positives. It is also true because models are biased toward finding something when they are asked to search. Possibly, potentially and could in theory are not patch plans.

Cloudflare says Mythos improves the situation because it can provide clearer reproduction steps and working proofs of concept. But the company does not conclude that teams should simply point a generic coding agent at a large repository. Quite the opposite. A single agent follows one hypothesis and loses useful coverage as the context window fills up.

Cloudflare's answer is a harness around the agents. A first agent reads the repository and builds architecture context, trust boundaries, entry points and likely attack surface. Then many narrow hunting tasks run in parallel. Cloudflare describes roughly 50 concurrent hunters, each with exploration subagents. After that, an independent validation agent tries to disprove the finding, followed by gap filling, deduplication, cross-repository tracing and structured reporting into an ingest system.

That is the lesson for enterprise leaders. The value is not only in the model. It is in the operating system around the model.

What leaders should do next

Cloudflare writes that several security teams are now talking about a two-hour SLA from CVE release to patch in production. That sounds decisive. It can also be dangerous. If regression testing takes a day, a two-hour SLA means something is being skipped. An AI-generated patch can remove the original bug while quietly breaking something else.

This makes AI vulnerability hunting a governance issue, not just a SOC tool. CIOs, CISOs and boards should ask five questions now:

• Which codebases, libraries and supplier components may security agents read?
• Which tools may they run, and in which isolated environments?
• Who decides that a finding is real, exploitable and urgent?
• How fast can the company roll out a fix without dropping regression testing?
• Which supplier contracts need to change when exploitability can be demonstrated faster than before?

The story is especially relevant for companies with critical infrastructure, finance, healthcare, energy exposure or a large software supply chain. Attackers will gain better tools for turning low-priority bugs into working attacks. Defenders will get the same class of tools, but only organizations with mature process, access control and deployment discipline will benefit. Everyone else will just get more alerts.

This is why Cloudflare's post is more than an Anthropic update. It shows how security work itself is changing. Patch SLAs, triage capacity, SBOM, supplier obligations and production rollout now belong in one operating chain. AI shortens the distance between a theoretical vulnerability and a working proof. That forces better governance.

Sources and media

• Primary source: Cloudflare Blog, Project Glasswing: what Mythos showed us, published 2026-05-18. https://blog.cloudflare.com/cyber-frontier-models/
• Publish time verified through Google News RSS: 2026-05-18T13:02:06Z. The Cloudflare page shows the date 2026-05-18.
• Cloudflare states that the work was conducted in a controlled environment against its own code, and that findings were triaged, validated and remediated under its formal vulnerability management process.
• Thumbnail: OpenAI Image 2 / hogby.ai.