Frontier AI for Vulnerability Discovery
On this page
- Question
- Current position
- Supporting evidence
- Counter-evidence
- Open evidence gaps
- How this position has evolved
- Open sub-questions
Question
How are frontier AI models being used in 2026 to discover vulnerabilities in production code, and what is the gap between demonstrated capability (research demos, isolated audits) and operational practice (continuous adoption in enterprise AppSec, dedicated tooling, vendor consolidation)? Where do Claude, GPT-class, and Mythos-class models sit on the spectrum from supervised reverse-engineering assistant to autonomous zero-day finder, and what procurement, IP, and disclosure constraints shape adoption?
Current position
Three sourced anchors landed within 36 hours (May 12-13 2026): XBOW’s offensive Mythos evaluation, Microsoft’s defensive MDASH announcement, and Anthropic’s Project Glasswing announcement. They differ in orientation but converge on one argument: the model is one input, the harness around it is the durable engineering, and the gap between a candidate finding and a validated one is the load-bearing observation. The timing reflects a coordinated launch, not three independent results.
The harness, not the model, is the durable surface. The cleanest measurement is the MDASH-versus-raw-Mythos delta on CyberGym: the harness scores 88.45% against the raw model’s 83.1%, roughly five points from orchestration alone.1 A model produces candidates; a harness validates them, and validation is where the engineering accrues.
The convergent argument
| Observation | Evidence | Source |
|---|---|---|
| Frontier models materially advance vuln discovery | Mythos 83.1% on CyberGym vs Opus 4.6’s 66.6% (raw); 42-55% FN reduction in XBOW harness12 | Glasswing / XBOW |
| Harness over model is the load-bearing surface | MDASH 88.45% vs raw Mythos 83.1% on CyberGym, +5pp from the harness1 | MDASH vs Glasswing |
| Validation separates a finding from a fix | XBOW’s live-site wedge; MDASH’s automated PoC construction; Glasswing’s 27-year-old OpenBSD example3 | All three |
| Capability is coalition-distributable | 12 named Glasswing partners plus 40+ extended organizations3 | Glasswing |
| Defender-side adoption is industrial-scale | $100M credit commitment; Microsoft, Google, AWS, and financial-sector adoption3 | Glasswing |
The three anchors
Anthropic’s Project Glasswing announcement is the organizing anchor. Anthropic announced a 12-partner coalition (AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks) plus more than 40 additional organizations, with up to $100M in usage credits and $4M in open-source-security donations, applying Claude Mythos Preview to defensive vulnerability discovery on critical software.3 Anthropic states that AI models “can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”3 Mythos is not planned for general availability; it is preview-only at $25/$125 per million tokens for Glasswing participants, on a 90-day public report cadence.
XBOW’s Mythos evaluation is an independent offensive test by a non-partner. XBOW reports a 42% reduction in false negatives versus Opus 4.6 on its web-exploit benchmark without source access, and 55% with source access, framing the model as “a brain without a body” because live-site validation is the hard part.2
Microsoft’s MDASH announcement is defensive in orientation and a Glasswing-partner artifact. MDASH orchestrates more than 100 specialized agents — auditors, debaters, dedup agents, provers — and scores 88.45% on CyberGym against raw Mythos’s 83.1%.1 Internal results report 96% recall on the clfs.sys five-year MSRC retrospective, 100% on tcpip.sys, and 16 new CVEs in the May 2026 Patch Tuesday. Microsoft’s framing matches the others: the harness does the work, and the model is one input.
Production paths
- Coalition-distributed defensive deployment (Glasswing). The 12 named partners and 40+ extended organizations apply Mythos to defensive vulnerability discovery on critical infrastructure, backed by $100M in usage credits and $4M in OSS-security donations on a 90-day report cadence.3 This is the dominant production mode on the axis.
- Glasswing-partner harness products. Microsoft MDASH is one sourced example: defender-side, multi-model orchestration across more than 100 specialized agents. Google operates a two-agent stack that predates the May 2026 convergence — Big Sleep (Project Zero and DeepMind) for variant-analysis discovery and CodeMender (DeepMind) for reactive and proactive patching. AWS applies Mythos internally; CrowdStrike runs it through Falcon AIDR. The shared pattern — multi-agent specialization, LLM-judge validation, automated regression checks — converges with the MDASH design.
- Independent offensive deployment. XBOW orchestrates Mythos against live web targets through a harness that adds tooling, browser interaction, and validation logic. XBOW is not a Glasswing partner, so its evaluation is an independent check on Anthropic’s own claims.
- Open-source maintainer-side tooling. OpenAnt, from Knostic, is an open-source entry with an auditable pipeline and published per-stage costs.4 Its six stages (parse, reachability, classification, discovery, verification, dynamic) use Adversarial Reflexion — constrained-attacker-persona verification with an explicit trace — as the false-positive control. On OpenSSL it narrowed 15,232 candidate units to 3 confirmed exploitable, a 99.98% reduction, for about $443 in tokens against $329K for a naive per-unit Opus pass.4 RedAI (Kyle Polley, MIT-licensed) is a second open-source entry in this slot with a distinct architectural commitment: validator agents run inside a live target — a Chrome instance or an iOS Simulator out of the box, any plugin a user implements beyond that — and produce confirmed/disproved/unable-to-test verdicts with reproducible artifacts before any finding reaches the report. The two together establish open-source coverage on both sides of the validation discipline: OpenAnt at the static-pipeline-with-Docker-sandbox layer, RedAI at the live-environment-as-plugin layer.
- Commercial research-preview tooling. Codex Security (formerly Aardvark, from OpenAI) and Claude Code Security (Anthropic) are closed-source previews integrated with each vendor’s developer product. Both reject the rule-based SAST framing and adopt the human-security-researcher metaphor. Aardvark uses a four-stage pipeline (analysis, commit scanning, sandboxed validation, Codex-generated patching) and reports 92% recall on internal golden repositories with 10 CVE IDs assigned from OSS work.5 Claude Code Security uses multi-stage self-critique (“Claude attempts to prove or disprove its own findings”) with severity and confidence ratings and human-approval-gated patches; the underlying Anthropic Frontier Red Team capability, using Claude Opus 4.6, found more than 500 vulnerabilities in production open-source code that had gone undetected for years.6
- Adjacent research-stage approaches. Glass-box security (Carl Hurd, Starseer) and mechanistic interpretability for defense establish an inverse capability. Agent Commander earlier placed autonomous vulnerability discovery “maybe in a year or so” beyond prompt-C2; the May 2026 evaluations suggest the timeline compressed faster than predicted.
- Technology- and services-partner productization (the Opus partner roundup). Seven firms ship Opus-powered defense across three jobs.7 Offensive testing at scale: Wiz Red Agent at 150,000+ assets per week with a zero-false-positive claim, Palo Alto Unit 42 compressing a year of pentesting into under three weeks, and CrowdStrike Frontier AI Readiness. Closing the find-to-fix gap: Accenture Cyber.AI moving coverage from 10% to 80%, Trend Micro virtual patching up to 96 days before a vendor patch, and Deloitte CTEM. Governed production: PwC Claude Native Cybersecurity. The throughline — the gap between finding and fixing — is VulnOps productized, and confirms the bottleneck inversion from the services side.
The CMM L5+ Leading-Edge tier references research-stage primitives that overlap this axis but stops short of treating frontier-AI-for-vuln-discovery as a distinct capability. D7 (Observability and Detection), D3 (Supply Chain), and the L5+ tier are the natural homes for Glasswing, MDASH, and XBOW evidence.
Supporting evidence
Primary sources
- Glasswing announcement — coalition anchor: 12 partners, $100M credits, $4M OSS donations, 90-day cadence.3
- Microsoft MDASH — defender-side artifact: 88.45% on CyberGym, 16-CVE Patch Tuesday cohort, 100+ agents.1
- XBOW evaluation — independent offensive check: 42-55% false-negative reduction versus Opus 4.6.2
- Claude Mythos Preview — Anthropic frontier model; not planned for GA; $25/$125 per M tokens for participants.
- OpenAnt (Knostic) — open-source pipeline with published per-stage costs and the Adversarial Reflexion FP control.4
- Codex Security (OpenAI) — 92% recall on golden repos; 10 CVE IDs assigned.5
- Claude Code Security (Anthropic) — self-critique verification; FRT found 500+ OSS vulnerabilities.6
The validation discipline
Across a three-month window, five vendors — Anthropic, OpenAI, Knostic, Microsoft, and Google — framed their tools in convergent language: not rule-based pattern matching, but reading code, tracing data flow, and writing tests the way a human researcher would, with validation as the primary architectural stage. Adversarial Reflexion is the shared false-positive-control discipline. Sourced mechanism instances span AgentShield (provenance-aware weighting), OpenAnt (constrained-attacker-persona), Aardvark (sandboxed exploit-trigger validation), Claude Code Security (self-critique), MDASH (ensemble and prover), and AISLE (false-positive discrimination with PoC validation). The framing positions SAST as the prior generation and now holds across the vendor side of the axis.
Vendor-strategic context
Anthropic’s 2026 Agentic Coding Trends report, published before Glasswing, names “agentic coding improves security defenses, but also offensive uses” as a top trend and embedding security architecture from the earliest stages as a priority. The same report’s collaboration paradox — high AI usage, little fully delegated work — establishes human-in-the-loop as the default for all agentic coding, including defensive deployments. That is the candidate-versus-validation asymmetry this axis tracks.
Quantitative anchors
The capability-versus-operational-cost gap the thesis once argued qualitatively now has concrete data points:
- MDASH: 88.45% on CyberGym; 96-100% recall on the clfs.sys and tcpip.sys MSRC retrospectives; 16 CVEs in the May 2026 Patch Tuesday.1
- AISLE: 12 of 12 CVEs in the January 2026 OpenSSL coordinated release, including CVE-2025-15467 (CVSS 9.8, vulnerable code dating to 1998); 5 of the 12 fixes were authored by AISLE.
- Aardvark / Codex Security: 92% recall on internal golden repos; 10 CVE IDs from OSS disclosure.5
- Claude Code Security (FRT capability): 500+ vulnerabilities in production OSS using Claude Opus 4.6.6
- OpenAnt: 15,232 to 3 verified units on OpenSSL, a 99.98% reduction, for about $443 against roughly $329K for a naive per-unit pass.4
- XBOW with Mythos: 42-55% false-negative reduction versus Opus 4.6.2
- Glasswing: a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg bug, and an autonomous Linux kernel privilege-escalation chain.3
These figures are not directly comparable: CyberGym, internal golden repos, web-exploit benchmarks, and filter-ratio reporting measure different things. Benchmark comparability is the largest measurement gap on the axis, qualified below.
Counter-evidence
The strongest counter-evidence anchor is METR’s 2025 RCT, a randomized controlled trial with 16 experienced open-source maintainers working on their own repositories. Enabling early-2025 AI tools made them roughly 19% slower on real tasks; the forecast was that AI access would be faster.8 The study selects for the worst case for AI benefit — in-domain expert humans — so it bounds rather than refutes the productivity claims. It is the most rigorous counter-evidence cited across PwC’s 2026 Agentic SDLC report and the Anthropic Trends report.
The implication for this axis: capability gains for vulnerability discovery are real but situation-specific, and verification cost is non-trivial. The XBOW, MDASH, and Big Sleep numbers each reflect their own benchmark methodology and are not cross-comparable; the METR finding shows that even when raw capability rises, end-to-end productivity still carries verification overhead.
Open evidence gaps
Benchmark comparability
The benchmarks now form a cross-vendor stack mapped in the benchmark landscape: CyberGym for reproduction, ExploitBench and ExploitGym for exploit development, SCONE-bench for smart contracts, and CTI-REALM for defender-side detection. Each ranks multiple labs’ models, and Mythos leads every public surface. The residual gap is narrower: no shared scale exists across benchmarks, and independent verification is weak. CyberGym’s leaderboard is self-reported, ExploitBench and ExploitGym numbers come from the authors and Anthropic, and no neutral party has reproduced the Mythos figures. Contamination risk grows as public corpora become training targets.
IP and disclosure constraints
Even when frontier models find real vulnerabilities, the disclosure pipeline — coordinated-disclosure timelines, CVE assignment, vendor patch latency — is calibrated for human-paced research. Discovery rates that outpace this pipeline are themselves a vulnerability-discovery problem, which the Glasswing one-month update confirms from the supply side.9
How this position has evolved
- 2026-05-13. Seeded as part of the wiki scope expansion; position provisional, the thinnest of the new scope axes. Over the day, four developments moved it to
developing. XBOW’s Mythos evaluation supplied quantitative third-party evidence and made the candidate-versus-validation asymmetry the load-bearing observation. Microsoft’s MDASH (same day, opposite orientation) made architectural convergence the strongest signal. Anthropic’s Glasswing revealed the three artifacts as coordinated launches. Earlier pricing and GA claims (5× Opus at GA, per XBOW’s blog) were corrected against Anthropic’s authoritative numbers ($25/$125 per M tokens, no GA planned), and the MDASH-versus-raw-Mythos +5pp delta on CyberGym became the clean quantitative anchor for the harness-over-model argument. - 2026-05-13. Big Sleep and CodeMender established that the May 2026 convergence is not the start of productionized agentic vuln-discovery. The lineage runs OSS-Fuzz to AI-powered fuzzing to Project Naptime to Big Sleep to CodeMender to the tri-vendor May 2026 convergence.
- 2026-05-15. OpenAnt (Knostic) added a second distinct FP-control mechanism, Adversarial Reflexion, alongside MDASH’s ensemble-and-debate. Two unrelated mechanisms reaching the same architectural conclusion is stronger evidence than two implementations of one mechanism. Its cross-project filter ratios put concrete numbers on the capability-versus-operational-cost gap.
- 2026-05-15. Codex Security (OpenAI) and Claude Code Security (Anthropic) added two commercial private-preview paths, both implementing validation as the architectural primary stage. The FP-control-as-primary discipline is now sourced widely enough — five vendors, four mechanism instances, two domains — to treat as established rather than one-vendor positioning, and the convergent rejection of rule-based SAST is itself load-bearing.
- 2026-05-15. AISLE supplied primary-source detail on 12 OpenSSL zero-days, including CVE-2025-15467 (CVSS 9.8) whose vulnerable code dates to 1998. This adds a separate vendor lineage to the decade-class latent-bug anchor previously held by Glasswing.
- 2026-05-15. The SANS Mythos-ready briefing added the first community-consensus strategic source, with quantitative anchors on Mythos exploit-generation rates and DARPA AIxCC results documented on its own page. It introduced two durable concepts: VulnOps, a permanent function for autonomous vulnerability research and remediation, and Zero Day Clock, the anchor for the window-of-exposure-collapse claim.
- 2026-05-22. Anthropic’s one-month Glasswing update gave the strongest primary-source confirmation of two thesis claims. The bottleneck has inverted: ~50 partners found 10,000+ high/critical vulnerabilities in a month, and Anthropic states the constraint is now verification, disclosure, and patching, not discovery.9 Maintainers asked Anthropic to slow down; the supply-side limit is the volunteer-maintainer commons. New neutral benchmarks ExploitBench and ExploitGym measure exploit development and rank Mythos first, narrowing the common-third-party-benchmark gap.
- 2026-05-23. The Anthropic Frontier Red Team series supplied the primary sources under the 500+ figure, the reasoning-over-code mechanism, and the discovery-versus-exploitation asymmetry; its CVD dashboard quantifies the find-to-fix funnel from the discovering side, with human triage named as the rate-limiting step.6 AISLE closed its mechanism gap: the Jagged Frontier post discloses a five-stage hybrid AI-plus-symbolic system whose make-or-break stage is false-positive discrimination with PoC validation. AISLE’s framing (“the moat is the system, not the model”; capability is jagged) is the strongest external statement of the harness-over-model argument, from a vendor outside the frontier-lab set.
Open sub-questions
- What is the right relationship between this axis and MITRE ATLAS? ATLAS is calibrated for adversarial ML (attacks against models), not for models used to find attacks in non-ML systems. Is the answer a new taxonomy, an ATLAS extension, or patient ingestion?
- Does “Mythos” refer to a specific tracked product or a class of internal-tooling capability? Ingest priorities depend on the answer.
- At what point should this thesis page be retired or merged? If the field consolidates around a small vendor set, the right move may be vendor pages plus an
aspectssection on CMM D6/D8, not a freestanding thesis. - See Gaps Index for related open questions.
Footnotes
-
Microsoft Security Blog, Defense at AI speed: Microsoft’s new multi-model agentic security system tops a leading industry benchmark (2026-05-12). See the page summary. ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
XBOW, Mythos for Offensive Security: XBOW’s Evaluation (2026-05-12). See the page summary. ↩ ↩2 ↩3 ↩4
-
Anthropic, Project Glasswing (2026-05-12). See the page summary. ↩ ↩2 ↩3 ↩4 ↩5 ↩6 ↩7 ↩8
-
Knostic, OpenAnt: OpenSSL 15,232 candidate units narrowed to 3 confirmed exploitable (99.98% reduction) at ~$442.65 in tokens. See the page summary. ↩ ↩2 ↩3 ↩4
-
OpenAI, Introducing Aardvark: 92% recall on golden repositories; ten CVE IDs assigned from OSS responsible-disclosure work. See the page summary. ↩ ↩2 ↩3
-
Anthropic Frontier Red Team, vulnerability-research series (2026): more than 500 high-severity OSS vulnerabilities found with Claude Opus 4.6. See the page summary. ↩ ↩2 ↩3 ↩4
-
Anthropic, How our partners are putting Opus to work for cybersecurity. See the page summary. ↩
-
METR, Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity (2025-07-10): 16 developers, 19% slower with AI tools. See the page summary. ↩
-
Anthropic, Project Glasswing: An initial update (2026-05-22): ~50 partners, 10,000+ high/critical vulnerabilities in the first month, with verification and patching named as the new constraint. See the page summary. ↩ ↩2