The latest generation of AI models has fundamentally changed how quickly security vulnerabilities can be found in software, for both defenders and attackers. Understanding what’s happening helps explain why we keep emphasizing the importance of keeping your devices updated.
In April 2026, AI company Anthropic announced Mythos Preview, an AI model with unprecedented capabilities for finding security flaws in software. Unlike previous AI-assisted security tools that often produced false positives and created more work for human evaluators, Mythos proved that it can discover true vulnerabilities that have evaded detection for decades—including a 27-year-old bug in OpenBSD, an operating system famous for its security.
Alongside Mythos, Anthropic launched Project Glasswing, a collaborative effort with approximately 50 partners—including Apple, Microsoft, Google, Amazon, and numerous financial institutions—to identify and fix vulnerabilities in critical software before similar AI-powered capabilities fall into the hands of malicious actors. As Firefox engineers said when reporting on their use of Mythos, “The current moment is a perilous one, but also full of opportunity. Let’s work together to secure the internet.”
Why This Matters
The security implications are significant. Within a month of Project Glasswing’s launch, Anthropic reported that partners collectively found more than 10,000 high- or critical-severity vulnerabilities in their software. Several partners reported that their bug-finding rate increased by more than tenfold.
Firefox developer Mozilla published compelling evidence of Mythos’s capabilities, reporting that its engineers identified and fixed 271 vulnerabilities in Firefox 150 using Mythos—over 10 times as many as they found in Firefox 148 with the previous-generation Claude Opus 4.6. Of those 271 bugs, 180 were rated high-severity, meaning they could be exploited through normal user behavior, such as browsing a Web page. (The chart below shows higher numbers because it includes bugs from other sources and other versions.)

Mozilla’s results are remarkable for both their volume and their quality. Firefox engineers reported finding bugs that had remained undiscovered through many years of traditional security testing.
How Apple Fits In
Apple is a founding partner in Project Glasswing, yet another signal that the company takes security seriously. Apple’s vertical integration—controlling everything from chip design to the operating system to the App Store—gives it a structural advantage in secure design. For instance, Apple’s newest M5 Mac chips and A19 iPhone and iPad chips include Memory Integrity Enforcement (MIE), a hardware-level protection designed specifically to stop memory corruption exploits.
However, even these cutting-edge protections aren’t invulnerable. Security researchers at Calif.io demonstrated the first public macOS kernel memory corruption exploit on M5 silicon in May 2026. Working with Mythos Preview, they built a working privilege escalation exploit in just five days—targeting hardware protections that Apple spent five years developing.
An Arms Race Against Time
The uncomfortable reality is that while Anthropic currently controls access to Mythos, equivalent capabilities will inevitably become more widely available. OpenAI and Google probably already have similarly capable models in development, as do other AI model developers, some of whom may be accessible to or even beholden to hostile entities.
The security dynamics differ depending on whether we’re talking about existing software or new code that hasn’t shipped yet. For new code, defenders have a clear advantage—they can scan for vulnerabilities before release and catch bugs that would never have been found manually.
For existing software already running on billions of devices, the picture is darker. Attackers only need to find one exploitable bug to get in; defenders need to find and fix all of them. Worse, attackers don’t have to test their code to avoid breaking features, schedule a release, or get approval from other departments—they can exploit a vulnerability the moment they find it. As the Zero Day Clock site shows, the window between a vulnerability being discovered and being exploited has dropped precipitously—what once took months now happens in days and is expected to happen in minutes in a year or two.

This transition period—while AI rapidly discovers vulnerabilities in existing code that takes time to patch—is where we’re most at risk. The Zero Day Clock site features a call to action offering 10 suggestions for how the industry—and society—should rethink cybersecurity to stave off this threat.
Keep Installing Updates
For most users, the best defense against AI-powered exploits is nothing new—keep your devices updated—but it’s more important than ever. The fixes in Apple’s updates increasingly include patches for AI-discovered vulnerabilities. Practically speaking, you should:
- Enable automatic updates: Don’t allow yourself to forget to install updates. On iPhones and iPads, go to Settings > General > Software Update > Automatic Updates. On Macs, go to System Settings > General > Software Update, click the ⓘ button, and turn on all the switches. (If you’re working in an organization with an update policy, check with IT first.)
- Consider security in hardware upgrades: Although the main reason to upgrade hardware should be functional, keep in mind that a newer device will likely be more secure thanks to improved hardware protections.
- Replace unsupported devices: Hardware that no longer receives security updates is increasingly risky. This applies not just to your Apple devices but to every piece of gear that can be updated, including network hardware, printers, and smart home devices like cameras and doorbells.
In the long run, the emergence of AI-powered security tools favors defenders—developers will be able to catch many more bugs before shipping. For the near future, however, it’s essential that we keep our devices running the latest and most secure software.
(Featured image by iStock.com/Thinkhubstudio)