Curl creator tests “too dangerous” Mythos AI and calls it “marketing” after it found one bug


Anthropic’s much-hyped AI vulnerability hunter, Mythos, finally went head-to-head with one of open source’s most scrutinized codebases. The result left curl’s creator Daniel Stenberg distinctly unimpressed, not because the system failed, but because he believes it behaved pretty much like the AI-assisted security tools developers already use today.

In a sharply worded blog post, Stenberg argued that Mythos looked more like an incremental step forward than the revolutionary leap Anthropic’s marketing has suggested.

“My personal conclusion can, however, not end up with anything other than that the big hype around this model so far was primarily marketing,” Stenberg wrote after reviewing Mythos’ findings against curl. He added that he saw “no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

Stenberg isn’t the first prominent developer to voice skepticism about Mythos. Last month, Marcus Hutchins, the security researcher famous for halting the WannaCry ransomware outbreak, challenged Anthropic’s claims, arguing they fail to reflect the real-world performance and true economics of AI-driven bug hunting.

Incremental improvement

Mythos has quickly become one of the most closely watched AI security projects in the industry. Just a few weeks ago, it grabbed headlines for reportedly uncovering hundreds of flaws in Firefox and alarmed parts of the cybersecurity industry with claims it was “too dangerous” for broad release.

But curl proved a far less dramatic showcase.

According to Stenberg, Mythos initially flagged five “confirmed” vulnerabilities in curl’s roughly 176,000 lines of C code. But after review by curl’s security team, three findings turned out to be already documented shortcomings rather than security flaws. Another was categorized as “just a bug.” Only one issue ultimately qualified as a real vulnerability. It was assigned a low severity rating and will be patched in the next curl release in June.

Stenberg noted that curl has undergone years of intense security scrutiny through fuzzing, human audits, and multiple AI-assisted scanning tools. Earlier generations of AI tooling, he said, had already helped uncover “a dozen or more” CVEs in curl, pushing back on the idea that Mythos represents a completely new era in software security.

Stenberg’s post quickly ignited fierce debate across Reddit and Hacker News, where many developers see Mythos as little more than overhyped marketing.

Others, however, argued that Stenberg’s post actually underlines Mythos’ usefulness, as finding even one new vulnerability in such mature code as curl counts as a meaningful result.

The Mythos conversation has increasingly drifted into apocalyptic territory. Anthropic’s restricted release strategy, combined with reports of unauthorized access attempts, fueled fears that AI-powered vulnerability discovery could radically accelerate cyberattacks.

However, Stenberg’s post offers a much less dramatic picture. He doesn’t believe Mythos is useless, but rather that many in the industry may be mistaking an evolutionary step for a revolutionary one.
