Small models also found the vulnerabilities that Mythos found
Open-source models costing $0.11/M tokens found the same vulnerabilities as the $18B-valued Mythos agent.
A viral analysis from the LessWrong forum reveals that small, open-weight AI models can match the vulnerability detection capabilities of Anthropic's high-profile Mythos cybersecurity agent. Researchers isolated the specific code vulnerabilities highlighted in Anthropic's Mythos announcement and ran them through eight different smaller models. The results were striking: every model, including one with only 3.6 billion active parameters costing just $0.11 per million tokens, successfully detected Mythos's flagship FreeBSD exploit. A slightly larger 5.1B-parameter open model also recovered the core chain of a 27-year-old OpenBSD bug. This suggests that the initial 'finding' stage of vulnerability research may be more accessible than previously thought.
However, the community discussion quickly contextualized these findings. Commenters, including security experts, pointed out a critical distinction: while small models can identify potential vulnerabilities, they lack Mythos's sophisticated ability to chain multiple vulnerabilities together and develop functional, weaponized exploits. The smaller models also demonstrated a significantly higher false-positive rate (one test showed a 2/3 false-positive rate on patched code), meaning their output requires extensive manual verification by skilled security professionals. In essence, they can find the needle in the haystack but cannot effectively build the tool to use it, whereas Mythos aims to deliver a directly actionable result for attackers or defenders.
- All 8 tested small models, including a 3.6B-parameter model, detected the same FreeBSD exploit as Anthropic's Mythos.
- Small models showed a high false-positive rate (e.g., 2/3 on patched code), requiring heavy manual review, unlike Mythos's polished output.
- Experts emphasize the gap between detection and exploitation; small models cannot chain vulnerabilities or write working exploits like Mythos.
Why It Matters
This tempers the hype around frontier AI for security, showing core detection may be commoditized while advanced reasoning remains a premium capability.