A new cybersecurity race begins
Depthfirst, a young cybersecurity startup, has drawn attention with a bold claim: its AI system discovered serious flaws in widely used open-source software such as FFmpeg, NGINX, the Linux kernel, Chrome, and Apache HTTP. More pointedly, Depthfirst says that Anthropic's cybersecurity model, Claude Mythos Preview, failed to detect some of these vulnerabilities.
This story matters because the internet runs on open-source software. Web servers, browsers, phones, banking systems, streaming platforms, cloud servers, and business tools all rely on code written and maintained by individuals and organizations around the world. If hidden bugs sit in that code for years, attackers can exploit them against users, businesses, and even national systems.
Depthfirst has announced the Open Defense Initiative, a program that will provide up to $5 million in credits to help open-source maintainers identify and fix zero-day vulnerabilities. According to the company, the initiative is already working with the maintainers of FFmpeg, Envoy, and Kata Containers, and is analyzing projects such as Linux, OpenSSH, curl, systemd, SQLite, PostgreSQL, zlib, libpng, and others.
What does Depthfirst claim?
Depthfirst claims its platform discovered 12 previously unknown memory-corruption vulnerabilities in FFmpeg, one of the world's most widely used multimedia frameworks. FFmpeg handles video, audio, and streaming functions across a wide range of services and applications. According to Depthfirst, some of these flaws stem from code introduced in 2009. The company also claims that its platform validated the bugs and generated patches that the maintainers applied.
The most notable aspect is the cost comparison. According to Depthfirst, Anthropic had previously scanned FFmpeg with Mythos and found multiple vulnerabilities for a reported compute cost of around $10,000. Depthfirst claims that its platform later found 12 additional vulnerabilities using previous-generation models and roughly $1,000 in compute, about one-tenth of the reported cost. Note that both figures come from Depthfirst's own account and describe runs that found different sets of bugs, so they are not a like-for-like benchmark.
This does not prove that Depthfirst outperforms Anthropic in every field. It makes a narrower point: in security, a specialized system built around one task can sometimes beat a larger general model at that task. The model is not the whole machine. The workflow around it, including the testing harness, patch generation, and verification pipeline, matters just as much.
What Anthropic Mythos has demonstrated
Claude Mythos Preview is not a typical AI chatbot. Mythos was evaluated by the United Kingdom's AI Security Institute, which found that it performed significantly better on cyber tasks than earlier models. In controlled tests, Mythos was able to identify and exploit vulnerabilities on its own. According to the institute, these are tasks that would take human professionals several days.
In expert-level capture-the-flag tasks, Mythos reportedly succeeded 73% of the time. It was also the first model to complete a 32-step simulated corporate network attack called The Last Ones from beginning to end in three out of ten attempts.
So the story is not about a weakness in Mythos. The opposite is true: Mythos is powerful enough to concern governments, banks, and cybersecurity experts. What Depthfirst's claim shows is that the next stage of AI cybersecurity is about more than who has the largest model. It is also about who has the best system surrounding the model.
Major bugs have been discovered
Depthfirst's research page lists vulnerability work in open-source projects. It includes an NGINX remote-code-execution research item, Chrome V8 type-confusion vulnerabilities, Linux kernel issues, and several FFmpeg CVEs. The company says it finds and reports these vulnerabilities to maintainers to help secure the software ecosystem.
According to the Business Wire announcement, the company discovered vulnerabilities in the Linux kernel, Chrome, OpenClaw, Apache HTTP, and NGINX, with some still being reviewed by maintainers under responsible disclosure rules.
Responsible disclosure is critical here. When researchers discover a potentially dangerous bug, they typically report it privately to the maintainers first, which gives developers time to patch the flaw before attackers exploit it. Many projects publish a security policy (often a SECURITY.md file or a security@ address) stating where to report and how long they ask researchers to wait before going public. Revealing a bug publicly too soon benefits criminals rather than defenders.
Why does this matter?
The first consideration is speed. AI can scan larger codebases faster than humans. It can analyze old code, recognize patterns, and flag likely flaws. This gives defenders a new tool.
Cost is the second most important consideration. If a startup can identify serious bugs at a fraction of the cost of frontier systems, open-source maintainers will have a better chance to defend their projects. Many open-source projects are run by small teams or individuals. They do not always have the funds to conduct expensive security audits.
Scale is the third consideration. According to Depthfirst, AI is changing who can find vulnerabilities and how quickly. That holds true for both sides: defenders can use AI to fix software, and attackers can use it to find vulnerabilities.
Expert Reactions
Cybersecurity experts are not ignoring the shift, but many caution against panic. According to Reuters, several cybersecurity professionals believe that concerns about Mythos have been exaggerated. In their view, Mythos improves vulnerability discovery, but the larger challenge is validating, prioritizing, and fixing flaws once they are found.

Semgrep’s founder and CEO, Isaac Evans, told Reuters that there is a communication gap between practitioners and policymakers. He described Mythos as a significant technological advance but noted that public reaction has not always matched what is known about how these capabilities are applied in the field.
According to Cisco’s Anthony Grieco, one advantage of Mythos is its ability to scan large amounts of code more quickly and assist experienced practitioners in reducing false positives. This means that artificial intelligence can assist security teams in focusing on the most important risks.
The message from the experts is clear. AI vulnerability discovery works, but finding bugs is only the beginning. Real security still requires human judgment, thorough testing, patches, deployment, and monitoring.
The Truth Behind the Claim
The honest reading of this story is a balanced one.
Depthfirst has documented its claims in both a company announcement and its research page. It lists vulnerabilities and states that the maintainers have applied patches to FFmpeg. Its Open Defense Initiative is also a genuine program aimed at assisting open-source projects.
At the same time, most of the comparisons to Mythos rest on Depthfirst's own statements and have little independent public verification. The Forbes article mentioned in the original summary was not fully accessible during verification because of a paywall. So the safest wording is this: Depthfirst claims its AI discovered vulnerabilities that Mythos missed, and public company materials support the FFmpeg and open-source vulnerability claims. A proper head-to-head comparison of Depthfirst and Mythos still requires independent review.
Risks and disadvantages
The most significant disadvantage is that AI can overwhelm teams with bugs. A tool can report thousands of potential vulnerabilities, but each must be validated. Some results are false positives. Some are genuine but pose little risk. Some fixes break existing behaviour. In practice, a finding is only actionable once it comes with a reproducer, such as a crashing input or a sanitizer trace, that maintainers can run themselves. Patch backlogs already strain security teams.
The second risk is misuse. If defenders can use AI to detect hidden bugs, attackers can use similar tools. According to Reuters, the main concern is not just the model itself, but how actors exploit newly discovered vulnerabilities.
Inequitable access is the third risk. Rich businesses can purchase advanced AI security tools. Smaller organizations and open-source maintainers may lag behind. Depthfirst’s credit program attempts to bridge this gap, but the issue is far larger than one startup.
Long-term consequences
AI-powered cybersecurity is becoming an integral part of software defense. Depthfirst says its long-term goal is to build AI systems that secure software from design to production, and it expects AI capability to keep improving, attacks to grow more sophisticated, and software to grow more complex.
This future has two faces. One is hopeful: AI can detect bugs before criminals exploit them, help maintainers patch flaws, and protect banks, hospitals, governments, and everyday users.
The other is dangerous: AI can make vulnerability hunting cheaper for attackers, narrow the skill gap, and turn long-forgotten bugs into new weapons.
Conclusion
Depthfirst's claims signal a turning point in AI cybersecurity. The story is more than startup versus Big Tech. It is a specialized system versus general intelligence, and it shows that in security the best results come from a complete pipeline: finding the bug, proving it, producing a patch, and helping maintainers apply the fix.
AI is now reading the internet's oldest and least-visited code. It can serve as a guard. It could also serve as a thief's map. The outcome depends on who uses it first, who patches faster, and who treats cybersecurity as a public responsibility.
Disclaimer
This article is based on publicly available information from Depthfirst, Business Wire, the UK AI Security Institute, and Reuters on May 22, 2026. Some claims, particularly the direct comparison between Depthfirst and Anthropic’s Mythos, stem from Depthfirst’s own public statements and necessitate additional independent technical review. This article does not include hacking instructions or exploit information. It is only meant for news, awareness, and cybersecurity education.