[Digital Today reporter Chi-gyu Hwang] Some are saying Anthropic’s Mythos AI model for finding software vulnerabilities is not as strong as it is perceived to be.
A recent SecurityWeek report said Mythos found only 1 low-risk vulnerability in the open-source data transfer tool curl project. Curl lead developer Daniel Stenberg posted a blog entry on May 11 local time disclosing results from an external analysis of curl using Mythos.
According to the post, Mythos analyzed 178,000 lines of curl code and reported finding 5 security vulnerabilities. But a review found 3 were known issues already described in official documentation, and 1 was a general bug rather than a security vulnerability.
Curl developers confirmed only 1 issue as a real vulnerability. It was classified as low risk and is due to be patched in late June.
Stenberg acknowledged that AI-based code analysis tools are "definitely better" at finding vulnerabilities than traditional tools. But based on these results, he said Mythos is not as "dangerous" a model as Anthropic described.
He also said, "So far, the hype around Mythos has mostly been marketing," and added, "I could not find evidence that it finds vulnerabilities at a particularly higher or more advanced level than other tools before Mythos."
Other AI tools such as Zeropath, AISLE and OpenAI Codex found about 200 to 300 issues in curl, and confirmed vulnerabilities alone were "dozens or more," Stenberg said.
Reaction in the security industry is mixed. Some argue that curl is a codebase that has already undergone extensive audits, including by other AI tools, making it hard for major vulnerabilities to remain, and that the result reflects curl’s high security maturity rather than Mythos’ limits.
By contrast, Erik Cabetas of Include Security said that after speaking with multiple organisations that had access to Mythos, they reported results similar to those seen with curl.