Anthropic's Mythos AI model, which the company previously described as dangerously good at finding security flaws, has completed its first public scan of a major open-source project: the curl library. The scan produced one confirmed low-severity vulnerability and roughly twenty bugs, an outcome that curl's lead developer describes as useful but not revolutionary.
Overview
In April 2026, Anthropic generated significant media attention by claiming its new Mythos model was so effective at finding security vulnerabilities in source code that the company would delay public release and instead offer limited access to select organizations. As part of the Glasswing project, Anthropic provided access to Mythos through the Linux Foundation's Alpha Omega initiative. Daniel Stenberg, lead developer of curl, was offered access but ultimately received a report generated by someone else who had access to the model.
The Scan Results
The Mythos scan analyzed 178,000 lines of code in curl's src/ and lib/ directories. The report initially identified five "confirmed security vulnerabilities." After review by the curl security team, four were dismissed: three were false positives (documented API behavior) and one was classified as a non-security bug. The single remaining vulnerability will be published as a low-severity CVE with the curl 8.21.0 release in late June 2026.
The report also identified approximately twenty non-security bugs. Stenberg noted that the false positive rate was low, suggesting the model had a high confidence threshold.
Comparison to Other AI Tools
Before Mythos, curl had already been scanned with several AI-powered tools, including AISLE, Zeropath, and OpenAI's Codex Security. These earlier scans triggered between 200 and 300 bugfixes over the preceding 8-10 months, including a dozen or more CVEs. Stenberg's assessment is that Mythos did not find issues at a significantly higher rate or of a more advanced nature than these existing tools.
"I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos," Stenberg wrote. He characterized the hype around the model as "primarily marketing."
What AI Analyzers Do Differently
Stenberg highlighted several advantages of AI-powered code analysis over traditional static analyzers:
- They can detect when code behavior contradicts comments
- They can check code for platforms and configurations that cannot be tested with conventional analyzers
- They understand third-party library APIs and can detect misuse
- They know protocol specifications and can flag violations
- They provide clear explanations and often generate patches (though patches are not always correct)
Bottom Line
Mythos found no memory-safety vulnerabilities in curl, which Stenberg attributes to curl's extensive existing security infrastructure: fuzzing, static analysis, and years of auditing. The model's performance was consistent with other modern AI tools. For projects that have not yet applied AI-powered scanning, Stenberg recommends doing so immediately, as the tools are significantly better than traditional analyzers at finding known classes of bugs. The key takeaway is that Mythos is a capable addition to the security toolkit, but not the paradigm shift its marketing suggested.