Epoch AI's cyber vulnerability tracker shows a sharp jump in new CVE reports lining up with the April 7, 2026 announcement of Claude Mythos Preview, the model Anthropic says can hunt software bugs on its own. The data explorer, updated June 5, pulls from the public CVE record and lets you watch the spike against that release date.
What the tracker actually shows
The correlation is the easy part. Epoch visualizes CVE publication dates, not discovery dates, and flags a large rise in reports around the Mythos launch. Anthropic gave a set of vetted partners early access through its Glasswing program so they could find and fix holes in their own software before shipping.
Some of that work predates the announcement. Epoch notes Mythos was already being used to find bugs before April 7, which likely padded the numbers in the weeks leading up to it. So the spike you see isn't a clean before-and-after.
The 10,000 number
As of May 22, Anthropic said Mythos Preview had turned up more than ten thousand high- or critical-severity bugs. Worth sitting with that figure for a second: not all of them have been publicly reported, so the count is Anthropic's own, not something you can pull from the CVE database and verify line by line.
Ten thousand critical bugs from one program in roughly six weeks is either a stunning indictment of how much low-hanging fruit was sitting in production code, or a sign that the severity labels are doing some heavy lifting. Probably both.
OpenAI isn't sitting this out
Anthropic isn't alone. OpenAI says GPT-5.5, released April 23, and a specialized GPT-5.5-cyber variant that followed on May 7 can handle advanced security tasks too. The company launched its own trusted-partner program the same day as the cyber model.
Two frontier labs, two gated access programs, both pointed at the same pile of vulnerable code within weeks of each other. The CVE curve doesn't distinguish between them, which is part of why untangling cause from coincidence is hard here.
The messy part nobody's mentioning
CVE counts are noisy for reasons that have nothing to do with AI. Epoch points out that Linux became a CNA in February 2024 and started assigning CVEs for thousands of backported bug fixes, which inflated 2024 and 2025 totals on its own. Reporting practices swing wildly between organizations.
So when the line goes up, part of that is better tooling finding real bugs, and part is bookkeeping. Anyone selling you a single clean multiplier for "how much AI increased vulnerability discovery" is smoothing over that mess.
Epoch's next data refresh will show whether the post-April climb holds or flattens once the initial partner sweeps finish. The tracker sits at epoch.ai/data/cve for anyone who wants to filter by vendor and check the shape themselves.




