MilikMilik

How AI Models Are Racing to Find Zero-Day Vulnerabilities Before Hackers Do

From Manual Hunting to AI Security Testing

Cybersecurity is entering a new phase in which AI security testing tools race to uncover software flaws before malicious hackers do. Instead of relying solely on human experts to sift through code, vulnerability discovery AI systems now scan complex platforms, simulate attack chains, and propose fixes at machine speed. This emerging class of tools is particularly relevant to zero-day detection: the identification of unknown vulnerabilities that have no existing patch and can be weaponised immediately. For enterprises, the shift means that automated security research is no longer a theoretical concept but a practical capability being deployed by major AI labs. Yet, despite the power of these models, they are not being unleashed without restrictions. Both Anthropic and Google are embracing tightly controlled rollouts, balancing the need to strengthen software defenses against the risk that the same technology could accelerate offensive cyber operations.

Mythos: Anthropic’s High-Stakes macOS Vulnerability Hunter

Anthropic’s Mythos model has already demonstrated how far vulnerability discovery AI can go in the hands of expert researchers. Security firm Calif used an early Claude Mythos Preview to uncover a sophisticated exploit chain in macOS that targets memory handling in Apple’s desktop software. By linking two distinct bugs, the team achieved a privilege escalation exploit, effectively bypassing standard security protocols and reaching restricted parts of the operating system. The findings were detailed in a 55-page report submitted to Apple for validation and remediation, underscoring that zero-day detection is becoming an AI-assisted discipline. Anthropic has been explicit about Mythos’ potential dual-use risks, warning that its ability to find software flaws at scale could threaten digital infrastructure if released broadly. To mitigate that, the company runs Project Glasswing, a controlled program granting select partners access to Mythos only for defensive security testing.

Google’s CodeMender: An AI Agent Built Into Security Pipelines

Google DeepMind’s CodeMender represents a parallel push toward automated security research, but with a different emphasis: tight integration into engineering workflows. Introduced as a security-focused AI agent, CodeMender combines Gemini Deep Think models with static and dynamic analysis, fuzzing, differential testing, and SMT solvers to trace vulnerabilities back to their root cause. It then drafts candidate patches and runs formal and practical checks before anything reaches human reviewers. Google is now widening API access for vetted experts, expanding the evaluation pool while still avoiding a general release. Security teams can plug CodeMender into existing pipelines to see how AI-generated fixes behave under regression tests, policy reviews, and rollback procedures. In this model, AI security testing becomes a continuous component of development and maintenance, helping maintainers triage bugs and validate patches while preserving human control over what ultimately gets merged into production systems.

Why Human Review Remains the Guardrail for Zero-Day Detection

Despite rapid advances, neither Mythos nor CodeMender is allowed to push patches directly into production. Human oversight is deliberately kept as the main brake on end-to-end automation. Anthropic confines Mythos and its related Claude Code Security tools to limited previews, where suggested mitigations and patches are reviewed by security professionals before any change is adopted. Google takes a similar approach: CodeMender can propose and even test fixes, but human maintainers evaluate every patch against repository rules, change-control policies, and real-world risk. This shared philosophy reflects a broader concern: the same vulnerability discovery AI that accelerates defensive research could just as easily help attackers craft exploits or evade safeguards. By ensuring that experts remain in the loop for triage, approval, and release decisions, both companies are trying to harness AI’s strengths while reducing the chances that automated tooling amplifies offensive capabilities.

The Future of Automated Security Research and Bug Bounties

As Mythos and CodeMender mature, they are reshaping expectations around how enterprises will approach bug bounties and broader security programs. If AI security testing can routinely surface complex exploit chains—such as the chained macOS bugs Mythos helped uncover—organizations may start to treat vulnerability discovery AI as a core part of their security posture rather than a niche experiment. Over time, bounty hunters and in-house researchers are likely to use these systems as force multipliers, rapidly surveying large codebases and reserving human expertise for complex validation and exploit development. At the same time, the restricted-access strategies of Anthropic and Google suggest that access policy will become a strategic differentiator, not just model accuracy. Companies will need governance frameworks that define who can wield powerful automated security research tools, how findings are triaged, and how AI-assisted reports feed into patch management and coordinated disclosure.
