AI for Automation
2026-05-05
Tags: AI cybersecurity, Anthropic Mythos, zero-day exploit, AI-powered attacks, cyberattacks 2025, cybersecurity threats, vulnerability patching, Project Glasswing

AI Exploit Window Collapses to 4 Hours: Anthropic Mythos

AI cyberattacks surged 89% in 2025. Anthropic's Mythos finds critical flaws in every major OS with an 83% success rate — but only 40 companies have access.


In 2018, the average time between a software vulnerability being disclosed and an attacker weaponizing it was 771 days. By 2024, that window had collapsed to 4 hours. That single statistic — tracked by Zero Day Clock, a real-time vulnerability-monitoring website — signals that the security model the world relied on for decades is no longer viable against AI-powered cyberattacks.

Anthropic's Mythos Preview, a restricted-access AI cybersecurity model (an AI system trained specifically to find and exploit software weaknesses), has put concrete numbers on the threat: it discovered critical vulnerabilities in every major operating system and browser, achieves an 83% first-attempt success rate when creating exploits, and can scan at a rate no human team can match. The catch? Only 40 organizations worldwide have access. Everyone else is defending against AI-powered attackers with tools built for a slower era.

From 771 Days to 4 Hours: How AI Cybersecurity Broke the Patch Window

For decades, the standard cybersecurity playbook assumed a predictable sequence: a researcher finds a flaw, a vendor releases a patch (a code fix for a security weakness), and organizations apply the update before attackers can exploit it. That timeline assumed a human-speed adversary. That assumption is gone.

AI can now reverse-engineer a software patch and generate a working exploit (actual attack code that takes advantage of a flaw to breach a system) in minutes. According to Zero Day Clock, founded by security researcher Sergej Epp, most major vulnerabilities in 2025 were weaponized before the public was even notified they existed. Nation-state-backed groups operating out of Russia, North Korea, Iran, and China are using AI coding tools to compress what once required weeks of skilled labor into automated pipelines running overnight.

Alex Stamos, co-founder of AI security firm Corridor and former director of the Stanford Internet Observatory, put it plainly: "Lots of companies are going to have to deal with new bugs. It's an AI bugocalypse."

  • 89% increase in AI-enabled cyberattacks globally in 2025 versus 2024
  • Median exploit window: 771 days (2018) → 4 hours (2024)
  • North Korean hackers using AI tools stole $12 million in recent months alone
  • Southeast Asian AI-powered scam networks cost Americans more than $10 billion in 2024
  • Over 99% of vulnerabilities discovered by Mythos remain unpatched, even among Glasswing partner firms

What Anthropic's Mythos Actually Does — and Why 83% Is Alarming

Mythos Preview is not a general-purpose chatbot or coding assistant. It is a cybersecurity-specific model trained to perform offensive security research (simulating real attacks to expose real weaknesses before attackers do). This dual capability — identifying vulnerabilities and validating whether they can be exploited — is what separates it from every AI tool previously available at scale.

The preview results are stark. Mythos found high-severity vulnerabilities (flaws that allow unauthorized system access or data theft) across every major operating system — Windows, macOS, Linux — and every major browser. It achieves an 83% success rate on its first exploit attempt, creating attack code that would work against real systems. Shane Fry, CTO at RunSafe Security, a firm specializing in memory-safe software design, summarized the dilemma: "Vulnerability discovery is outpacing patching."

Tal Kollender, founder of Remedio, a security remediation company, reported that her clients reacted to the Mythos announcement with immediate alarm — "They were panicking" — and offered a warning that applies to every organization relying on standard patch cycles: "Finding risk faster than you can fix it does not make companies more secure. At least for the next year, defenders are finding themselves in a race they're not yet equipped to win."

Anthropic's answer is Project Glasswing, an industry consortium (a group of companies pooling resources toward a shared mission) designed to use Mythos proactively to find and fix flaws in foundational systems — the core software infrastructure underpinning banking, healthcare, and global communications. The initial 40 members include major U.S. technology companies alongside firms like Stryker (medical devices) and CrowdStrike (enterprise cybersecurity).

AI Cybersecurity Divide: Forty Companies, and the Global South Gets Nothing

Restricting Mythos to 40 partners is a defensible safety decision. A model capable of autonomously hacking nearly any system cannot be released openly without arming attackers as much as defenders. But the structural consequence is a two-tier global security landscape that will take years to close.

Large Western tech firms, financial institutions, and government-connected agencies gain early access to AI-powered defenses that identify and patch vulnerabilities at machine speed. The thousands of smaller organizations that cannot — hospitals in Lagos, municipal governments in Manila, universities in Colombo, banks in Lima — face the same AI-accelerated attackers with no equivalent defensive tools.

Nick Srnicek, a technology researcher at King's College London, notes that "widely used — often American — software is likely to be patched quickly." The implication is pointed: companies running mainstream U.S. enterprise software benefit indirectly because Glasswing partners prioritize widely deployed platforms. Organizations running regional or custom stacks are on their own.

Chandramouli Dorai, CTO of Zoho Corporation — a software company serving millions of businesses across the developing world — was direct: "Security should not be a luxury. If the technology giants treat it as one, everyone will pay the price."

The Regions Absorbing the Worst of the AI Cyberattack Surge

The 89% increase in AI-enabled attacks is not distributed evenly. Rest of World's reporting by Rina Chandran maps how the damage concentrates in regions least equipped to respond:

  • Southeast Asia — Myanmar and Cambodia have become operational bases for AI-powered fraud infrastructure, generating losses exceeding $10 billion for American victims in 2024
  • West Africa — Nigeria faces a surge in business email compromise (AI-crafted fraudulent emails that trick finance teams into transferring money), amplified by AI language generation tools that eliminated the spelling errors that once revealed scam attempts
  • Taiwan and the Philippines — Facing targeted AI reconnaissance operations (AI-powered intelligence gathering run before a breach) from China-linked state actors
  • India and South Asia broadly — Structural disadvantage as attacker AI tools scale faster than local security investment and capacity

The workforce gap amplifies the crisis at every level. There are currently 5 million unfilled cybersecurity positions worldwide. That number is projected to reach 85 million by 2030 — a shortage so severe that even if AI defensive tools were freely distributed, there would not be enough professionals to operate them effectively.

Before Your Vendor's Patch Arrives: What You Can Do Now

The 4-hour exploit window means the old advice — keep your software updated — is necessary but no longer sufficient. If AI is generating weaponized exploits before patches exist, a layered defensive approach is the only realistic response for anyone outside a Glasswing-tier organization.

  • Enable automatic updates everywhere — manual update schedules are operationally dangerous in a sub-4-hour window environment; apply this to phones, routers, and cloud services, not just laptops
  • Ask your software vendors directly whether they participate in Project Glasswing or an equivalent AI-assisted patching consortium — products from Glasswing members may receive AI-prioritized patches sooner
  • Shift from prevention to detection — assume breaches will occur and invest in endpoint detection and response (EDR) tools, software that monitors devices for suspicious behavior after a breach begins, rather than only trying to block entry
  • Track the Zero Day Clock at zerodayclock.com for near-real-time visibility into how fast current vulnerabilities are being exploited in the wild

For teams looking to automate security monitoring without enterprise budgets or Mythos access, our AI automation guides cover accessible tools that don't require security clearances or six-figure contracts to deploy.

The reality Mythos has made visible is not new — security researchers have warned for years that AI would compress the attacker's advantage to near-zero. What is new is the scale of confirmation: 83% first-attempt success across every major OS, measured in minutes, held by 40 companies and no one else. As Tal Kollender put it: defenders are in a race they're not yet equipped to win. The harder question the rest of the world now faces is whether Anthropic's gatekeeping decision — however responsible it may be — leaves 8 billion people waiting for an answer that arrives too late.
