Can a small model also find cybersecurity vulnerabilities that Claude Mythos detects? AISLE: the moat is in the system, not the model

動區BlockTempo

Cybersecurity startup AISLE has recreated part of the core demonstrations from Anthropic’s flagship cybersecurity system, Mythos, with a 3.6B-parameter open-source model that costs only $0.11 per million tokens. The boundaries of AI cybersecurity capabilities are more “uneven” than you think.


This week, Anthropic released Claude Mythos Preview, a model that is not yet publicly available, and also launched Project Glasswing, an initiative made up of 12 tech companies, including Amazon, Apple, Microsoft, CrowdStrike, and Cisco, which use that model for defensive cybersecurity research.

Mythos is said to autonomously find thousands of zero-day vulnerabilities in each major operating system and browser (a zero-day vulnerability is a security flaw that has not yet been publicly patched and that even the vendor may not know about), which suggests that a new era of AI-led cybersecurity defense is about to begin.

However, less than a week later, cybersecurity startup AISLE, co-founded by Stanislav Fort, a former DeepMind and Anthropic researcher, published a systematic report on the company’s technical blog.

The key takeaway is direct: in the flagship demo task of Mythos, an open-source small model with only 3.6B active parameters and costing $0.11 per million tokens achieves the same vulnerability detection results.

What did the Mythos demo show, and what did the small model also reproduce?

AISLE designed three sets of tests, corresponding to different cybersecurity tasks with varying difficulty and nature.

The first set is an OWASP (Open Web Application Security Project) false-positive test.

In plain terms: a segment of Java SQL query code looks like SQL injection (a database injection attack), but in reality the logic is safe. The correct answer is “not a vulnerability.”

The test results show a nearly inverse scaling effect: the small open-source model GPT-OSS-20b (3.6B active parameters, $0.11/M tokens) correctly tracked the program logic and determined the code was harmless.

In contrast, Claude Sonnet 4.5, all GPT-4.1/5.4 series (except o3 and pro), and Anthropic’s entire lineup up to Opus 4.5 confidently misjudged it as a high-severity vulnerability. Only a very small number of top models (o3, OpenAI-pro, Sonnet 4.6, and Opus 4.6) got it right.
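The kind of case this first test describes can be illustrated as follows. This is an added example, not AISLE's or OWASP's actual test code: the class, method, table and marker names are hypothetical, and the list-shuffling data flow is an assumed way of building such a case. The only difference between a false positive and a real injection here is which list index reaches the query.

```java
import java.util.ArrayList;
import java.util.List;

public class FalsePositiveDemo {

    // Looks injectable at a glance: request data enters the method and the
    // SQL text is built by string concatenation.
    static String buildQuery(String param, int index) {
        List<String> values = new ArrayList<>();
        values.add("safe");       // index 0
        values.add(param);        // index 1, attacker-controlled
        values.add("moresafe");   // index 2
        values.remove(0);         // list is now [param, "moresafe"]
        String bar = values.get(index);
        return "SELECT * FROM USERS WHERE USERNAME='foo' AND PASSWORD='" + bar + "'";
    }

    // True if the request value actually reaches the SQL text.
    static boolean reachesQuery(String param, int index) {
        return buildQuery(param, index).contains(param);
    }

    public static void main(String[] args) {
        String marker = "ATTACKER_INPUT"; // constructed sample value

        // index 1 after remove(0) is the constant "moresafe":
        // the request value is dropped, so this is NOT a vulnerability.
        System.out.println("index 1 tainted? " + reachesQuery(marker, 1));
        System.out.println(buildQuery(marker, 1));

        // index 0 after remove(0) is the request value itself:
        // same shape of code, but now a genuine injection sink.
        System.out.println("index 0 tainted? " + reachesQuery(marker, 0));
        System.out.println(buildQuery(marker, 0));
    }
}
```

A reviewer, human or model, that flags the concatenation without tracing the `remove(0)` shift reports both variants as injectable; one that traces it reports only the second.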

The second set is a FreeBSD NFS vulnerability, CVE-2026-4747, which was specifically demonstrated in Mythos’s flagship release: a 17-year-old unauthorized remote code execution vulnerability.

Result: all 8 of 8 tested models successfully detected it, including the small model with 3.6B active parameters. All models correctly identified a stack buffer overflow, computed the remaining space, and rated it as Critical RCE.

AISLE’s conclusion is: this detection capability has been “commoditized.”

The third set is an OpenBSD SACK vulnerability with a 27-year history, which requires genuine mathematical reasoning: a multi-step logical chain tracing a signed integer overflow.

The difficulty increases significantly, and model performance diverges. GPT-OSS-120b (5.1B active parameters) fully reproduced the exploit chain, and AISLE rated it A+. The open-source version of Kimi K2 got A-. Qwen3 32B, by contrast, reached the incorrect conclusion that the “code is very robust” and was rated F.

Even in this more difficult task, a low-cost open-source model still achieved an equivalent demonstration to the flagship system.

Why bigger models don’t necessarily mean a safer system

The real argument of this report is not “a small model is enough,” but that the structure of AI cybersecurity capabilities is far more complex than the outside world imagines.

AISLE breaks the AI cybersecurity pipeline into five independent sub-tasks:

  • broad scanning
  • vulnerability detection
  • triage and validation
  • patch generation
  • exploit construction

Each sub-task has different scaling characteristics, and therefore requires different levels of model capability. Mythos’s announcement integrates these five layers into one complete system, but in practice their model requirements differ dramatically: some sub-tasks are already fully saturated at 3.6B parameters, while others require complex reasoning capabilities.

This echoes the “Jagged Frontier” concept proposed by researchers at Harvard Business School in 2023, including Dell’Acqua and Mollick: the boundary of AI capability is not a smooth curve, but a sawtooth edge with bumps and dips—far beyond humans on some tasks, yet unexpectedly fragile on neighboring tasks.

That research shows that if users deploy AI within the capability boundary, productivity improves by about 40%; but if they extend it rashly beyond the boundary, performance instead drops by 19%.

Within this framework, AISLE offers a more operational inference: “A thousand adequate detectives search everywhere, instead of one genius detective guessing where to look—so you can find more vulnerabilities.”

Mass-deploying low-cost models for broad scanning may yield better overall value than cautiously scheduling a single high-cost model. AISLE says that since mid-2025 it has run a vulnerability discovery system on real targets, finding 15 CVEs in OpenSSL (including 12 in a single security release, with CVSS 9.8 Critical), 5 in curl, and over 180 externally validated CVEs in total across more than 30 projects.

Where the moat is—and where it isn’t

This analysis is neither a comprehensive critique of Anthropic nor a simple endorsement.

AISLE clearly states that the significance of Mythos is that it proves the “AI cybersecurity” category is real: not just a concept from a demonstration lab, but a system that can operate on real targets. What Anthropic is doing is maximizing “intelligence density per token,” which still has irreplaceable value for tasks requiring deep reasoning.

But AISLE also points to a more fundamental issue for the entire industry: the moat is in the system, not in the model itself.

In the cybersecurity domain, AISLE believes that architectural designs that embed deep domain expertise—such as how to break down tasks, how to schedule models of different costs across sub-tasks, and how to maintain maintainer trust in production environments—are the true source of differentiation.

A system that can find CVSS 9.8 vulnerabilities in OpenSSL, versus a system that detects known-pattern vulnerabilities in a controlled demonstration, requires not just a stronger model, but entirely different engineering logic.

Overall, AISLE’s report finds that cheaper, more open models can reproduce part of Mythos’s core demonstrations. The real question may not be whose model is strongest, but who first gets the architecture for these five sub-tasks working end-to-end in production environments.
