AI Cybersecurity's Jagged Frontier: Small Models vs Mythos

TL;DR

When Anthropic announced Claude Mythos Preview on April 7, 2026 — a model so capable at finding zero-day vulnerabilities that it would not be publicly released — the cybersecurity community took notice. One day later, security startup AISLE published research showing that 8 out of 8 models it tested, including one with just 3.6 billion active parameters costing $0.11 per million tokens, detected the same FreeBSD vulnerability (CVE-2026-4747) that Mythos used as a headline showcase. The finding challenges the narrative that only restricted frontier models can threaten software security, and introduces the concept of a "jagged frontier" in AI cybersecurity: model rankings reshuffle completely across tasks, and no single model dominates.¹²

What You'll Learn

• What AISLE's "jagged frontier" research found when testing 25+ models against Mythos's showcase vulnerabilities
• Why a 3.6-billion-parameter model detected the same critical FreeBSD flaw as Anthropic's largest frontier model
• How vulnerability detection and exploitation represent fundamentally different capability tiers
• What the OWASP false-positive test reveals about inverse scaling in cybersecurity
• Why the moat in AI cybersecurity may be the system, not the model
• What this means for organizations building AI-driven security programs

The Backdrop: Claude Mythos Preview and Project Glasswing

On April 7, 2026, Anthropic announced Claude Mythos Preview alongside Project Glasswing — a consortium of 12 launch partners: AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic committed up to $100 million in usage credits and $4 million in direct donations to open-source security work ($2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation).³⁴

The central claim was striking: Mythos Preview had autonomously discovered thousands of zero-day vulnerabilities across every major operating system and browser, including CVE-2026-4747, a 17-year-old remote code execution flaw in FreeBSD's RPCSEC_GSS implementation, and a 27-year-old TCP SACK vulnerability in OpenBSD. Mythos Preview is priced at $25 per million input tokens and $125 per million output tokens — five times the cost of Claude Opus 4.6 ($5/$25) — and access is restricted to vetted organizations only.⁵⁶

The message was clear: this model is so dangerous that it cannot be released publicly, and only a coordinated industry effort can safely channel its capabilities toward defense. (For a deep dive on Mythos Preview and Project Glasswing, see our comprehensive breakdown of Claude Mythos Preview.)

Then AISLE ran the same vulnerabilities through smaller models.

AISLE: Who They Are and Why Their Research Matters

AISLE is an AI-native cybersecurity company founded by Ondrej Vlcek (former CEO of Avast and president of Gen Digital), Jaya Baloo (three-time CISO at Rapid7, Avast, and KPN Telecom), and Stanislav Fort (chief scientist with research roles at Google DeepMind, Anthropic, and Stability AI). The company is backed by angel investors including Jeff Dean (chief scientist at Google), Thomas Wolf (chief science officer at Hugging Face), Olivier Pomel (CEO at Datadog), and Aparna Chennapragada (chief product officer at Microsoft).⁷⁸

Crucially, AISLE is not an armchair critic. The company has been running its AI-driven vulnerability discovery and remediation system against live targets since mid-2025, racking up a verified track record: all 12 CVEs in the January 2026 OpenSSL coordinated release, 5 CVEs in curl, and over 180 externally validated CVEs across more than 30 projects spanning the Linux kernel, glibc, Chromium, Firefox, WebKit, Apache HTTPd, GnuTLS, OpenVPN, and Samba.⁹¹⁰

On April 8, 2026 — one day after Anthropic's announcement — AISLE published "AI Cybersecurity After Mythos: The Jagged Frontier," along with an open-source repository of their prompts and transcripts on GitHub (stanislavfort/mythos-jagged-frontier).¹

The Core Finding: Detection Is Commoditized

AISLE's methodology was straightforward. They isolated the specific code snippets from Anthropic's showcase vulnerabilities, constructed targeted prompts, and ran them through more than 25 models from every major AI lab.¹

FreeBSD CVE-2026-4747: Every Model Found It

The vulnerability that Anthropic highlighted most prominently — a stack buffer overflow in FreeBSD's svc_rpc_gss_validate() function where a 128-byte stack buffer receives an unchecked copy of the RPCSEC_GSS credential body — was detected by every single model tested.²¹¹

Eight out of eight models identified the bug. The smallest, with just 3.6 billion active parameters and costing $0.11 per million tokens, correctly identified the stack buffer overflow, computed the remaining buffer space, and assessed it as critical with remote code execution potential. As AISLE concluded: the detection of this bug is "commoditized."¹²

The OpenBSD SACK Bug: Harder, But Still Accessible

The 27-year-old OpenBSD TCP SACK vulnerability is more technically demanding. It requires understanding that sack.start is never validated against the lower bound of the send window, that the SEQ_LT/SEQ_GT macros overflow when values are approximately 2^31 apart, that a carefully chosen sack.start can simultaneously satisfy contradictory comparisons, and that if all holes are deleted, a null pointer dereference occurs on the append path.¹¹²

This vulnerability separated models more sharply. Yet a 5.1-billion-active-parameter open model recovered the core analysis chain in a single call and proposed the correct mitigation — essentially matching the actual OpenBSD patch.¹

The Jagged Frontier: Rankings Reshuffle Across Tasks

The term "jagged frontier" originates from a 2023 Harvard Business School and Boston Consulting Group study involving 758 knowledge workers. The original research, led by Fabrizio Dell'Acqua, Ethan Mollick, and colleagues, demonstrated that AI assistance improves performance on some tasks while worsening it on others — even within the same workflow and at similar difficulty levels. The paper was formally published in Organization Science in March 2026.¹³¹⁴

AISLE applies this concept to cybersecurity with a specific finding: capability rankings reshuffled completely across different security tasks. There is no stable "best model" for cybersecurity.¹

OWASP False-Positive Test: Near-Inverse Scaling

Perhaps the most surprising result was on OWASP false-positive testing, where the results showed near-inverse scaling: small, open models outperformed most frontier models from every major lab. This means that throwing more parameters at the problem did not improve — and in some cases actively hurt — performance on a core security task.¹

What This Tells Us

The jagged frontier means three things for AI cybersecurity:

First, detection capability is broadly accessible today. If the goal is finding known vulnerability patterns in code — buffer overflows, integer overflows, unchecked copies — models across the size spectrum can accomplish this. The FreeBSD result proves the point: an $0.11-per-million-token model found what a $25-per-million-token model found.¹²

Second, different tasks demand different models. A model that excels at vulnerability detection may struggle with false-positive filtering, and vice versa. Organizations building AI security pipelines cannot simply pick the most expensive model and expect uniform performance.¹

Third, exploitation is a different capability tier. AISLE acknowledged this distinction: while detection is commoditized, autonomous exploitation — chaining multiple vulnerabilities, developing JIT heap sprays, constructing multi-gadget ROP chains — may genuinely require frontier-class reasoning. But AISLE argued this distinction cuts in favor of their position: Project Glasswing's stated purpose is defensive, and defense is primarily about detection and remediation, not exploitation.¹⁵

The Broader Debate: Safety or Competitive Moat?

AISLE's research landed amid a wider conversation about Anthropic's motivations. A TechCrunch analysis published on April 9 asked directly: "Is Anthropic limiting the release of Mythos to protect the internet — or Anthropic?"¹⁵

The criticism has several threads. Restricting access to Mythos creates a competitive advantage for the 12 Project Glasswing launch partners and 40+ additional vetted organizations, while defenders outside the consortium must rely on less capable — but, as AISLE demonstrated, often sufficient — alternatives. The $25/$125 per million token pricing creates a significant financial barrier even for organizations that gain access.⁶

Supporters counter that Mythos's autonomous exploitation capability — not just detection — represents a genuine escalation. Anthropic's own testing showed that Mythos can chain up to four vulnerabilities in browser exploits, develop KASLR-bypass techniques, construct 20-gadget ROP chains, and write attacks against cryptographic libraries. The cost of an autonomous exploit was measured at $1,000 to $2,000, with completion times of half a day to one day.⁵ These are capabilities where the gap between Mythos and smaller models is far wider than in pure detection.

The truth likely lies in the middle. Detection is commoditized. Exploitation at Mythos-level complexity is not — yet. But the jagged frontier means the gap will close unevenly across different exploit categories, and organizations cannot assume today's frontier capabilities will remain exclusive for long.

What This Means for Security Teams

For organizations building AI-driven security programs, AISLE's research offers practical guidance:

Do not wait for frontier model access to start. If your vulnerability management program lacks AI-assisted code scanning, there is no reason to wait for Project Glasswing access. Models at a fraction of the cost can identify critical vulnerability classes including buffer overflows, integer overflows, and authentication bypasses.¹²

Build the system, not the model dependency. AISLE's overarching argument is that "the moat in AI cybersecurity is the system, not the model." An effective AI security pipeline involves orchestration, context management, false-positive filtering, triage workflows, and remediation automation. The model is one component — and a replaceable one.¹

Test multiple models per task. Given that rankings reshuffle across cybersecurity tasks, a one-model approach will leave gaps. Consider ensemble approaches or task-specific model routing, especially for false-positive-sensitive workflows where smaller models may outperform larger ones.¹

Track the exploitation frontier separately. While detection is broadly accessible, autonomous multi-step exploitation remains a frontier capability. Organizations that are targets for sophisticated adversaries should monitor how quickly exploitation capabilities diffuse to smaller models.⁵

The Bottom Line

AISLE's "jagged frontier" research does not diminish what Claude Mythos Preview accomplished — autonomously discovering and exploiting thousands of zero-day vulnerabilities is a genuine milestone. But the research demonstrates that the defensive side of AI cybersecurity, which is Project Glasswing's stated purpose, does not require restricted frontier model access. A $0.11-per-million-token model found the same FreeBSD vulnerability that headlined Anthropic's announcement. A 5.1B-parameter open model recovered the analysis chain of a 27-year-old OpenBSD bug.

The jagged frontier is real: there is no stable "best model" for cybersecurity, detection is commoditized, and the moat is in the system — the orchestration, context, and remediation workflows — not in any single model. For security teams, this is good news. You do not need to wait for an invitation to Project Glasswing to start building AI-driven defenses. The tools are already here.

References