What happened
On June 8, 2026, Anthropic's red team published 'Measuring LLMs' impact on N-day exploits' at red.anthropic.com, evaluating Claude Mythos Preview against known (but recently disclosed) vulnerabilities in Mozilla Firefox and the Microsoft Windows kernel. Across 21 Windows kernel bugs, Mythos caused a 'blue screen of death' in 18 cases and generated 8 distinct exploits; the fastest exploit was complete within 31 minutes, and the slowest took 5.7 hours. Cost per Windows privilege-escalation exploit: approximately $2,000 in API credits. Researchers evaluated only bugs disclosed after the models' knowledge cutoff to isolate AI uplift from memorisation.
Why it matters
This is the first Tier-2 empirical study to quantify the collapse of the N-day exploit development timeline for enterprise-grade vulnerabilities. Previously, security teams assumed weeks of attacker dwell time after a patch release; Mythos data suggests skilled adversaries with advanced model access can weaponise disclosed flaws in hours. The finding applies equally to open-source models, which the paper notes are reaching similar capability levels. Organisations whose patching cycles run weekly or longer are now operationally exposed from the moment of public CVE disclosure.
Applicability
Any organisation with a patch-gap longer than 24–48 hours for critical or high CVEs should revisit SLA targets immediately. Vulnerability management teams should prioritise CISA KEV and EPSS-scored items over age-based queues. CISOs should brief boards on the new threat model where 'patch window' ≠ 'safe window'.
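The following sketch is an added example, not taken from the Anthropic paper or from this page's source. It contrasts an age-based queue with a KEV/EPSS-first ordering and flags critical or high items open longer than 48 hours since disclosure. The CVE ids are placeholders, the EPSS scores and KEV flags are constructed, and the 48-hour SLA is taken from the upper end of the range above.

```python
from datetime import datetime, timezone

SLA_HOURS = 48  # upper end of the 24-48 hour patch gap discussed above

# Constructed backlog: placeholder CVE ids, made-up EPSS scores and KEV flags.
BACKLOG = [
    {"cve": "CVE-0000-0001", "severity": "high", "disclosed": "2026-05-01T00:00:00+00:00", "epss": 0.01, "kev": False},
    {"cve": "CVE-0000-0002", "severity": "critical", "disclosed": "2026-06-07T12:00:00+00:00", "epss": 0.05, "kev": True},
    {"cve": "CVE-0000-0003", "severity": "high", "disclosed": "2026-06-05T00:00:00+00:00", "epss": 0.92, "kev": False},
    {"cve": "CVE-0000-0004", "severity": "medium", "disclosed": "2026-05-20T00:00:00+00:00", "epss": 0.30, "kev": False},
]

def disclosed_at(item):
    """Parse the public disclosure timestamp (ISO 8601 with offset)."""
    return datetime.fromisoformat(item["disclosed"])

def age_queue(backlog):
    """Age-based queue: oldest disclosure first, regardless of exploit likelihood."""
    return [i["cve"] for i in sorted(backlog, key=disclosed_at)]

def risk_queue(backlog):
    """KEV entries first, then descending EPSS, with age only as a tie-breaker."""
    key = lambda i: (not i["kev"], -i["epss"], disclosed_at(i))
    return [i["cve"] for i in sorted(backlog, key=key)]

def sla_breaches(backlog, now):
    """Critical/high items still open past SLA_HOURS since public disclosure,
    returned in risk_queue order as (cve, hours_open) pairs."""
    order = risk_queue(backlog)
    out = []
    for item in sorted(backlog, key=lambda i: order.index(i["cve"])):
        hours = (now - disclosed_at(item)).total_seconds() / 3600
        if item["severity"] in ("critical", "high") and hours > SLA_HOURS:
            out.append((item["cve"], round(hours)))
    return out

if __name__ == "__main__":
    now = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)
    print("age-based :", age_queue(BACKLOG))
    print("KEV/EPSS  :", risk_queue(BACKLOG))
    print("SLA breach:", sla_breaches(BACKLOG, now))
```

In the constructed data the KEV-listed item is the newest and sits last in the age-based queue, which is the ordering problem the recommendation addresses.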