Get Your Anthropic Mythos Novelty Pin

Every day this week, in meeting after meeting with CISOs and their security teams, I was asked to prep them for board meetings on Anthropic Mythos. Novel? No, just read the cards. It’s a sad case of a vendor spreading breathless hyperbole while the facts tell a very different story.

It is exactly the sort of thing that calls for a challenge coin commemorative pin. For everyone holding the line on common sense, or who wants to:

Could Mozilla Security Hot Air Fill Mythos Sails?

The Register asked for my opinion on the Mozilla blog post that pumps up Mythos. I gave them a short answer. Here’s the long form.

As a disinformation historian, I see tell-tale signs in the marketing from Mozilla beyond it just being disguised as an engineering report. A conclusion comes first; examples get curated to support it; an authority signs; urgency closes; whatever would falsify has been pushed off the table to the floor.

To be fair, modern marketing follows the same shape as disinformation because they are rooted in the same thing in America, the WWI propaganda office. Mozilla’s new post on hardening Firefox with Claude Mythos Preview adheres to doctrine at length.

A marketing claim would be that you cannot run a mile under six minutes without drinking Coca-Cola. Then a sponsored athlete says they just did it. Compare that with measurement, which would say before Coca-Cola the athlete ran six minutes and after Coca-Cola, five. One is just a reading, a belief. The other is research, science.

The fundamental problem with the Mozilla post is that logically it keeps stabbing itself with its own swordplay. There are three claims that all need to stay alive at the same time for the post to make sense, and yet they are in danger of killing each other.

  1. Security work over time has been rigorous.
  2. 271 latent bugs survived it.
  3. Mythos was uniquely necessary to surface them.

Any two of these break the third.

If prior work was rigorous and 271 bugs survived, the bugs were findable under concentrated effort with existing tools. Mythos drops to one option among several. The uniqueness claim falls.

Try betting on rigor with uniqueness instead, and the marginal yield should be small. 271 is far past small. The rigor claim breaks.

If you try to read prior work as inadequate, the 271 fits. The post becomes a rebranding of old underinvestment as new capability. And the whole framing collapses.

The chart in the post shows this three-way collision. Twenty to thirty fixes per month for fourteen months, then suddenly 423. The prior baseline represented either diligent attention or sustained underinvestment. April’s number forces a big choice, an explanation, and the post avoids it entirely. It lies on the floor.

Source: Mozilla

Let’s look at it from the top down. The post opens by naming exactly two causes for the breakthrough.

“First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models.”

Two, not one. Two.

A real finding would next isolate which of these produced which effect. Mozilla names two causes and then jumps straight to attribution of the single result to just one of them. 271 bugs, credited to Mythos Preview. No explanation why. Mozilla built the harness. Anthropic gets the credit. Something isn’t right there, particularly because the harness could in fact be the entire difference in findings. The post rules out clean attribution in its opening and then drops a dirty one as its headline.

Next, Mozilla admits Opus 4.6 was already producing in the same pipeline. This is one of the most important facts that needs to be highlighted in every conversation about Mythos.

“We began with small-scale experiments prompting the harness to look for sandbox escapes with Claude Opus 4.6. Even with this model, we identified an impressive amount of previously-unknown vulnerabilities.”

A controlled comparison would specify the Opus 4.6 baseline and then move towards Mythos as a delta. Mozilla published the Mythos number and left the baseline blank, a propagandist wave of the hand. The marginal contribution of Mythos over Opus 4.6 sits unstated. And if you read the Anthropic initial Mythos announcements, even they suggest Sonnet and Opus were doing far better discovery, leaving Mythos to a marginal, minor role. We have Mozilla floating 271 in the air without any way to get it to ground truth.

And then Mozilla admits the model itself is fungible.

“Once the end-to-end pipeline is in place, it’s trivial to swap in different models when they become available.”

Ok, ok, this is actually a huge swipe at Anthropic. “Different models” doesn’t specify the same provider. Agnosticism crept into a religious tome, because users naturally want to be free of vendor lock-in. If models swap into a Mozilla security pipeline freely, then the most important variable is that pipeline and not the model. Mozilla built the thing that hooks into any model. The post then sleepwalks into credit for the model. That allocation of credit runs against the post’s own technical claim.

At this point, I’m ready to shred the Mozilla post, open the chicken coop and put down some new bedding. However, dear reader, apparently their show must go on and so I present you another logic flaw.

“AI analysis provides much more comprehensive coverage of this critical surface.”

More comprehensive than what, exactly? That’s a comparison statement without any comparison. Eating your shoe provides much more fiber for your belly. I fear the people writing never took a philosophy 101 course. The post gives literally no elements needed to stand up the comparison. This bomb of a sentence is dropped with the form of a finding, and lands a dud, with the content of an assertion.

Then comes the big closer.

“Anyone building software can start using a harness with a modern model to find bugs and harden their code today. We recommend getting started now.”

Research papers invite you to try to reproduce, validate, see if you get the same outcome. Replication is satisfying to those who want more than “believe me, this snake oil really cures you”. Sales pitches close deals. The Mozilla post shouldn’t fool anyone familiar with America’s troubled history with carnival barkers.

Mozilla makes a particularly troubling move at this point. They try to spin their empty narrative into an industry standard, which smells yet again like Anthropic trying to corner the security industry. Best-practice claims by a vendor and a big customer of theirs should not suddenly become liability baselines. A team running libFuzzer, AddressSanitizer, ThreadSanitizer, and CodeQL at full intensity should not face presumptive negligence claims if a bug surfaces that one VC-backed PE-pushed vendor’s harness might have caught. If you link the bar to rhetoric, you get a rhetorical bar detached from engineering ethics. That is regulatory capture by a vendor making a self-fulfilling recommendation to preempt regulation, let alone legislation. Belief is produced and weaponized into liability.

It’s like how Coca-Cola ran marketing that was effectively “Drink Fanta for health” in Nazi Germany as if not drinking it was unhealthy.

Fanta was made from industrial food byproducts (apple waste, milk waste), yet marketed to Nazis as a healthy fruit drink. Fanta was short for “fantasy” because it was all about lies. Producing Fanta for Hitler during WWII is how Coca-Cola avoided resisting him.

A better Mozilla report would have run Mythos and existing tooling head-to-head against the same code, then published the overlaps and the unique finds.

Mozilla published a 1940s Fanta health benefits brochure instead.

To be clear. Real bugs are real. Faster fixes help fix. It’s the hand-wavy self-dealing capability claim that makes the missing study somehow turn into this logically flawed press release.

Science publishes methods. Science is transparent. Mozilla did the opposite by writing outcomes and skipping straight to saying readers should adopt the approach. Why? Based on what, exactly? If they don’t invite scrutiny, and pull back the curtain, they are peddling hopes and prayers.

Before America entered WWII, Coca-Cola openly promoted fascism in the Wisconsin market to attract “America First” consumers.

And given that Anthropic is saying customers will now have their data handed over to Elon Musk, I suggest you seriously consider whether you want any of it in his Hitler-saluting hands.

Sponsored athlete crosses the finish line and holds up the Fanta bottle. The camera zooms in close, frames the Nazi regime refreshment as a cause of great success. The control case is cut out of view, after running in the next lane without the logos. Jesse Owens posts a time far better than the uber Fanta man. The authority-controlled frame chooses for you which curated data point gets pushed to your attention.

Anthropic Gives Your Data to Elon Musk

You really have to wonder why nobody is reporting the news as it is.

Neither Anthropic’s blog post nor SpaceXAI’s mentions anything about data isolation, customer-managed keys, or an operator threat model in their new arrangement.

Anthropic running on Musk infrastructure puts all its users at risk. Their own announcement admits Colossus 1 capacity will serve Claude Pro and Max subscribers, so user prompts and model outputs will run on Nazi metal. Inference will not be cryptographically blinded from the operator. Weights and activations sit in plaintext on the GPUs by necessity. Hardware confidential compute on H100/H200 provides some attestation, but the host operator controls firmware, physical access, side channels, and the trust chain itself.

Musk wrote on his Swastika platform that SpaceX reserves the right to take back the compute if Claude “engages in actions that harm humanity.” He defines harm. He decides when it applies. Anthropic has not publicly rebutted this. The custody hands him surveillance over inference. The clause hands him a shutdown lever above it. Naming what counts as harm puts him in the seat that decides when to pull either one.

The Musk AI deal is the industry worst on every axis because he overtly signals Nazism and political alignment with movements that target named populations, he runs an underperforming competing model, and he put a literal unilateral reclaim authority in writing. Anthropic’s training decisions, refusal patterns, and publication choices now depend on what one infamously bad guy defines as harm.

Musk intentionally creates a violent death threat narrative, inciting his followers to envision him gruesomely killing Americans.
Big Tech billionaires are exhibiting historic levels of cruelty towards society, as if to usher in harms.

Anthropic is maybe fixated on an ability to grow larger. That is better described as greed, because it’s known to blind people to obvious threats. Inference telemetry alone is commercial intelligence. Weight exfiltration would be catastrophic. SpaceX is weeks from a roadshow that needs a hyperscaler narrative, and the narrative now rests on the competitor whose traffic it physically sees.

Anthropic management has revealed it cares only about capacity and rate limits, which should terrify any customer of theirs. Availability is worthless when it means confidentiality and integrity breaches. Better to be out of compute than out of privacy. Anthropic has not yet publicly explained the structural questions: what Musk can observe, what Musk can shut off, and what he will do with a literal kill clause.

You should be on a 60-day plan now to exit Anthropic. You do not want your data, let alone your processing, anywhere near Musk.

The Pentagon blacklisted Anthropic in March as a supply chain risk over disagreement about how its models could be used. Anthropic sued. Then Anthropic moved its inference onto infrastructure directly controlled by the Trump administration’s largest political ally, a Nazi, who now holds reclaim authority over those same models. The external block switched to internal corruption. The control Trump failed to deploy from the Pentagon, Anthropic accepted contractually from Musk.

FBI Bourbon Relentlessly Mocked

The Hill tells us that FBI bourbon is getting a rebrand.

“The Kash Patel bourbon: strong notes of insecurity, narcissism, incompetence and alcohol-fueled national security risk,” the lawmakers wrote in a snarky social media post on Thursday. “Pairs well with taxpayer-funded getaways and the occasional SWAT-assisted wake-up call.”

The lawmakers added a “warning” that this liquor “impairs judgment, undermines critical FBI decisions and causes paranoia.”

The buried lede is that the bottles have no security, so they go missing. And when they do, the FBI spends money on lie detector tests as if they can figure out who did it.