Anthropic's Mythos AI Scans curl, Finds Limited Security Issues

Hacker News

Back in April 2026, Anthropic caused a stir when they claimed their AI model Mythos was exceptionally good at discovering security vulnerabilities in source code. The company initially restricted public access to this model, offering it only to select partners. As curl's lead developer, I was granted access through the Linux Foundation's Project Glasswing, though logistical delays meant another party actually ran the analysis on my behalf.

The Mythos scan analyzed 178,000 lines of curl's C code and identified five potential vulnerabilities. After thorough review by curl's security team, four proved to be false positives—either documented API behaviors or non-security bugs. Only one genuine low-severity vulnerability emerged, which will be patched in curl version 8.21.0 later this month.

This result contradicts the extensive media hype surrounding Mythos. Previous AI tools like AISLE, Zeropath, and OpenAI's Codex Security identified roughly 200-300 bugs in curl over the past year, with multiple CVEs published. The Mythos findings, while technically sound, don't demonstrate superior vulnerability detection compared to existing tools. The model appears to use a higher confidence threshold, resulting in fewer but more precise reports.

For curl specifically, Mythos represents another capable static analysis tool rather than a revolutionary breakthrough. The project's extensive security infrastructure—including continuous fuzzing, multiple paid audits, and contributions from 573 developers across 1,465 total contributors—has already eliminated most low-hanging fruit. While the technology shows promise, marketers oversold its capabilities based on this single codebase analysis.