flash on Nostr: ⚡️🚨🤖 NEW - Cloudflare's CISO just published what Anthropic's unreleased ...
⚡️🚨🤖 NEW - Cloudflare's CISO just published what Anthropic's unreleased Mythos did against more than 50 of their own production repos. According to him, Mythos is too powerful and must "include additional safeguards" before releasing to the public.
Turns out the model can chain multiple low-severity bugs into a single severe exploit with a working PoC, where previous frontier models would stop at "interesting bug, unclear if exploitable."
At triage time, that means fewer hedged findings and less time spent asking "is this even real?" A finding that arrives with a PoC is a finding you can act on.
Cloudflare is also explicit about the safety side. The Mythos Preview build provided for Project Glasswing did not include the safeguards present in generally available models like Opus 4.7 or GPT-5.5. The model's organic refusals are real, but Cloudflare states they are not consistent enough to serve as a complete safety boundary on their own, and that any cyber frontier model made generally available in the future must ship with additional safeguards on top of that baseline.
Interesting detail: Cloudflare was not on the original Project Glasswing launch partner list with Apple, AWS, Google, Microsoft, CrowdStrike, and others. Instead they got invited later on.
Published at
2026-05-19 05:33:00 UTCEvent JSON
{
"id": "6aa2a66952656605b59ec08527f0b1e418477099e0a4cac7a7d090c88260207d",
"pubkey": "4d7842051782e0d3feb034d150adc2b6bae4ee3b49786793bffa468b6f5b96b3",
"created_at": 1779168780,
"kind": 1,
"tags": [],
"content": "⚡️🚨🤖 NEW - Cloudflare's CISO just published what Anthropic's unreleased Mythos did against more than 50 of their own production repos. According to him, Mythos is too powerful and must \"include additional safeguards\" before releasing to the public.\n\nTurns out the model can chain multiple low-severity bugs into a single severe exploit with a working PoC, where previous frontier models would stop at \"interesting bug, unclear if exploitable.\"\n\nAt triage time, that means fewer hedged findings and less time spent asking \"is this even real?\" A finding that arrives with a PoC is a finding you can act on.\n\nCloudflare is also explicit about the safety side. The Mythos Preview build provided for Project Glasswing did not include the safeguards present in generally available models like Opus 4.7 or GPT-5.5. The model's organic refusals are real, but Cloudflare states they are not consistent enough to serve as a complete safety boundary on their own, and that any cyber frontier model made generally available in the future must ship with additional safeguards on top of that baseline.\n\nInteresting detail: Cloudflare was not on the original Project Glasswing launch partner list with Apple, AWS, Google, Microsoft, CrowdStrike, and others. Instead they got invited later on. \nhttps://blossom.primal.net/d918f7baded68f292028ee8fab1fb91580a905f88e46cad49f0dae283fb94bde.jpg\nhttps://blossom.primal.net/d7bae3700d687a6c217a8cee92290d477614ba711852412ea4bf477ee4af3db1.png",
"sig": "f97d72ebde3dd1dde81ddb2d2dfe5dd9d5ef30eea5caa0623942e77a991bf1a76bdc7bb751c8d4a694281e068d3231d1868fec514e73a1b1e89b3c408e4d46a6"
}
