10APR

Tom's Hardware challenges Mythos zero-day claims

2 min read

16:54UTC

A technical review found Anthropic's marketing relied on 198 manual reviews to support claims of thousands of severe vulnerabilities.

← Back to The model they won't release Jump to analysis ↓

EconomicDeveloping

Key takeaway

Only 198 manual reviews support Anthropic's claim of thousands of zero-day discoveries.

Tom's Hardware published a critical review of Anthropic's Mythos claims on 9 April, noting that the "thousands of zero-days" assertion rested on only 198 manual reviews ¹. Many of the flagged vulnerabilities were in outdated software no longer in active use. The gap between Anthropic's marketing language and the verified sample is wide enough to warrant caution.

The Bessent-Powell emergency meeting at Treasury headquarters proceeded regardless of this scrutiny. Challenger data confirmed AI-attributed cuts crossed 107,094 the same month , suggesting federal regulators assessed the systemic risk of AI broadly, beyond Mythos's specific claims. Whether Mythos found hundreds or thousands of exploitable flaws, the CyberGym benchmark score of 83.1% versus 66.6% for its predecessor represents a measurable capability jump that the twelve Glasswing partners will deploy in production environments.

Deep Analysis

In plain English

When Anthropic announced that Claude Mythos had found 'thousands' of serious security flaws in software, it was a dramatic claim. Tom's Hardware, a technology publication, looked at how Anthropic had actually counted those flaws. The answer was: 198 human reviewers manually checked the model's outputs. Many of the flaws it identified were in old software that organisations had already stopped using. The gap between 'thousands of vulnerabilities' and 198 verified reviews is significant. The US Treasury and Federal Reserve held their emergency meeting with bank CEOs regardless of this critique, which suggests the regulators assessed the risk from the model's overall capability trajectory, not just the specific zero-day count.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2016 controversy over DeepMind's AlphaGo claims, in which Google's marketing described the system as defeating the world champion 'under official match conditions' when several conditions differed from tournament rules. Independent verification eventually confirmed the underlying capability while correcting specific claim framing. The Mythos methodology question follows the same pattern: contested marketing language around a genuine capability advance.

Counter-parallel: IBM's 1997 Deep Blue versus Kasparov match produced verified, independently adjudicated results that settled the capability claim definitively. Cybersecurity benchmarks lack equivalent independent adjudication, making the gap between Anthropic's 198-review sample and its 'thousands' headline durable in ways that chess results were not.

Consensus view: Trail of Bits co-founder Dan Guido and Veracode's Chris Wysopal assess the 198-review gap as a credibility problem for Anthropic's marketing rather than a refutation of the underlying capability: the CyberGym benchmark improvement from 66.6% to 83.1% is independently verifiable, and that gap is operationally significant regardless of zero-day count methodology.

Counter-view: Recorded Future's intelligence analysts note that threat actors routinely inflate capability claims to generate deterrence value, and that AI vendors have structural incentives to do the same. Overstated AI security capabilities may cause organisations to misallocate defensive resources toward theoretical AI attack vectors while under-investing in conventional vulnerability management.

Key tension: Whether the verified CyberGym benchmark gain represents a genuine operational security threat or a marketing projection requiring independent validation before driving regulatory and corporate resource allocation.

Sources:Tom's Hardware

Mentions:Google →US Treasury →CyberGym →Federal Reserve →Prima →Anthropic →Claude Mythos Preview →

First Reported In

Update #5 · The model they won't release

Tom's Hardware· 10 Apr 2026

Read original →

Causes and effects

This Event

Tom's Hardware challenges Mythos zero-day claims

Independent scrutiny of Mythos's capability claims introduces uncertainty about the model's actual security impact, even as regulators acted on the headline numbers.

Led to

AISI confirms Mythos 20-hour attack chain

AISI partly vindicates Tom's Hardware's critique of single-task superiority claims while confirming a distinct attack-chaining capability the Hardware review did not assess.

Occurred 15 Apr 2026

Read story →

Different Perspectives

Directors Guild of America

The DGA opened AMPTP talks on 12 May seeking AI training-use royalties that SAG-AFTRA and the WGA both settled without winning. France's SACD and European creative unions watch the DGA outcome as the US template for their own pending AI-training royalty negotiations with streaming platforms.

German IG Metall and European trade unions

German unions led by IG Metall have pushed for binding co-determination rights on AI deployment since 2024; the Digital Omnibus literacy-duty weakening directly undercuts their model, which depends on a statutory information floor before works councils can challenge AI systems affecting members.

Chinese Ministry of Human Resources (MOHRSS)

China's MOHRSS recognised 42 new AI occupations in April 2026 while Hangzhou courts upheld bans on AI-driven dismissal without retraining under the Labour Contract Law. Beijing's regulatory posture contrasts directly with Colorado's retreat: Chinese courts are adding employment liability for AI-driven redundancy while US courts remove state-level AI worker protection.

UK workers and Bank of England

The ONS May 2026 bulletin showed payrolled employment down 210,000 year on year with no AI-specific breakdown, while the Bank of England's stress scenario used 500,000 additional unemployed as its AI-displacement worst case. UK workers are approaching that threshold through a dataset that cannot name its own cause.

India's IT sector workforce and NASSCOM

NASSCOM's FY2026 data shows India's sector at 5.9 million while entry-level hiring fell 20 to 25%. GCC expansion by JPMorgan, Goldman Sachs and Apple benefits mid-career workers while closing the graduate entry pathway, replicating the under-25 displacement the NY Fed documented in US AI-exposed occupations.

European Parliament and Council (Digital Omnibus)

The Digital Omnibus trilogue concession on AI-literacy duties reflects the Draghi report's argument that compliance overhead suppresses EU AI adoption. The Council traded the binding literacy mechanism for employer flexibility, leaving the December 2027 high-risk employment deadline without the worker-facing transparency layer Parliament had built around it.