Claude Mythos found 500+ zero-days: automate your security checks
On April 7 2026, Anthropic announced Claude Mythos Preview. Within days of internal testing, it found over 500 high-severity vulnerabilities in some of the most scrutinized codebases on the planet: a 16-year-old out-of-bounds write in FFmpeg, a 27-year-old denial-of-service in OpenBSD, and a remote code execution in FreeBSD that went undetected for 17 years (CVE-2026-4747).
You don't have access to Mythos. Anthropic restricted it to Project Glasswing partners: AWS, Apple, Google, Microsoft, Nvidia, CrowdStrike, and a handful of others. But the message is clear: if AI can find bugs hiding in codebases tested by fuzzers millions of times, your infrastructure has gaps too.
This post covers six security checks you can automate right now with API calls. No Mythos access required. Each
one takes a single curl command and returns structured JSON you can pipe into alerts, dashboards, or
CI pipelines.
What Mythos found (and why it matters for your stack)
Traditional fuzzers throw random inputs at code. Mythos reads and reasons about source code like a security researcher. It traced Git commit history, identified incomplete patches, and constructed exploit chains spanning multiple vulnerabilities.
| Project | Bug type | Age | Detail |
|---|---|---|---|
| FFmpeg H.264 codec | Out-of-bounds write | 16 years | Slice-numbering collision; fuzzers hit the line 5 million times without triggering it |
| OpenBSD TCP/SACK | Denial of service | 27 years | Signed integer overflow + NULL pointer dereference; crashes any machine remotely |
| FreeBSD NFS | Remote code execution | 17 years | CVE-2026-4747; stack buffer overflow in RPCSEC_GSS auth, no authentication needed |
| GhostScript | Stack bounds bypass | Decades | Incomplete bounds check in font handling; mirrored a previously patched path |
| CGIF | Buffer overflow | Years | LZW dictionary resets cause output to exceed input size; 100% code coverage missed it |
The cost? Under $20,000 to find the OpenBSD bug. Under $10,000 for the FFmpeg vulnerabilities. That's cheaper than a single week of manual penetration testing.
You can't run Mythos against your own code today. But you can close the gaps that don't require deep binary analysis: expired certificates, missing email authentication, weak security headers, and silent downtime.
Check 1: SSL certificate expiry
Expired SSL certificates cause outages and kill user trust. Stripe, Microsoft, and Spotify have all had certificate-related incidents. A single API call tells you how many days you have left.
curl -s -X POST https://api.botoi.com/v1/ssl-cert/expiry \
-H "Content-Type: application/json" \
-d '{"domain": "your-app.com"}'{
"success": true,
"data": {
"domain": "your-app.com",
"issuer": "Let's Encrypt",
"valid_from": "2026-02-01T00:00:00.000Z",
"valid_to": "2026-05-02T00:00:00.000Z",
"days_remaining": 23,
"expired": false,
"expiring_soon": true
}
}
The expiring_soon flag flips to true when the certificate is within 30 days of
expiration. Pipe this into a Slack alert or a CI check.
Check 2: SPF record validation
A misconfigured SPF record means attackers can spoof emails from your domain. The Mythos announcement reminded everyone that security goes beyond code: your DNS configuration is an attack surface too.
curl -s -X POST https://api.botoi.com/v1/dns-security/spf-check \
-H "Content-Type: application/json" \
-d '{"domain": "your-app.com"}'{
"success": true,
"data": {
"domain": "your-app.com",
"has_spf": true,
"record": "v=spf1 include:_spf.google.com ~all",
"issues": [
"SPF record uses ~all (softfail) instead of -all (hardfail)"
],
"score": "B"
}
}
Common issues the endpoint catches: ~all instead of -all, too many DNS lookups
(exceeding the 10-lookup limit), and missing include: directives for third-party senders.
Check 3: DMARC policy
Without DMARC, your SPF and DKIM checks have no enforcement. Attackers pass spoofed emails to inboxes that skip verification.
curl -s -X POST https://api.botoi.com/v1/dns-security/dmarc-check \
-H "Content-Type: application/json" \
-d '{"domain": "your-app.com"}'
Look for policy: "reject" in the response. Anything less (none or
quarantine) means spoofed emails from your domain can still reach inboxes.
Check 4: DKIM selector
DKIM signs outgoing emails with a cryptographic key. Without it, receiving servers can't verify that email content wasn't tampered with in transit.
curl -s -X POST https://api.botoi.com/v1/dns-security/dkim-check \
-H "Content-Type: application/json" \
-d '{"domain": "your-app.com", "selector": "google"}'
Pass the selector your email provider uses (Google uses google, Microsoft uses
selector1 and selector2). The endpoint validates the public key exists and is correctly
formatted.
Check 5: HTTP security headers
Missing headers like Strict-Transport-Security, X-Content-Type-Options, and
Content-Security-Policy leave your app open to downgrade attacks, MIME sniffing, and XSS.
curl -s -X POST https://api.botoi.com/v1/headers \
-H "Content-Type: application/json" \
-d '{"url": "https://your-app.com"}'
The response includes a security_headers object showing which headers are present, which are missing,
and what values they contain. Add this check to your deployment pipeline to catch regressions.
Check 6: Uptime and response time
If your site is down, nothing else matters. A quick uptime check confirms your app responds, measures latency, and catches redirect loops or unexpected status codes.
curl -s -X POST https://api.botoi.com/v1/uptime/check \
-H "Content-Type: application/json" \
-d '{"url": "https://your-app.com"}'Combine all six into one audit script
Run all six checks against any domain with a single bash script. Save it as audit.sh, make it
executable, and pass your domain as an argument.
#!/bin/bash
# Domain security audit using Botoi API
DOMAIN=${1:-"your-app.com"}
API="https://api.botoi.com/v1"
echo "Security audit for $DOMAIN"
echo "=========================="
# 1. SSL certificate
echo "\n[SSL Certificate]"
SSL=$(curl -s -X POST $API/ssl-cert/expiry \
-H "Content-Type: application/json" \
-d "{\"domain\": \"$DOMAIN\"}")
echo $SSL | jq '.data | {issuer, days_remaining, expired, expiring_soon}'
# 2. SPF record
echo "\n[SPF Check]"
SPF=$(curl -s -X POST $API/dns-security/spf-check \
-H "Content-Type: application/json" \
-d "{\"domain\": \"$DOMAIN\"}")
echo $SPF | jq '.data | {has_spf, score, issues}'
# 3. DMARC record
echo "\n[DMARC Check]"
DMARC=$(curl -s -X POST $API/dns-security/dmarc-check \
-H "Content-Type: application/json" \
-d "{\"domain\": \"$DOMAIN\"}")
echo $DMARC | jq '.data | {has_dmarc, policy, score}'
# 4. HTTP security headers
echo "\n[Security Headers]"
HEADERS=$(curl -s -X POST $API/headers \
-H "Content-Type: application/json" \
-d "{\"url\": \"https://$DOMAIN\"}")
echo $HEADERS | jq '.data.security_headers'
# 5. Uptime and response time
echo "\n[Uptime Check]"
UPTIME=$(curl -s -X POST $API/uptime/check \
-H "Content-Type: application/json" \
-d "{\"url\": \"https://$DOMAIN\"}")
echo $UPTIME | jq '.data | {status_code, response_time_ms, is_up}'
echo "\nAudit complete."Node.js with the Botoi SDK
If you prefer TypeScript, the @botoi/sdk package runs all checks in parallel with full type safety.
import Botoi from "@botoi/sdk";
const botoi = new Botoi(); // no key needed for free tier
async function auditDomain(domain: string) {
const [ssl, spf, dmarc, headers] = await Promise.all([
botoi.sslCert.expiry({ domain }),
botoi.dnsSecurity.spfCheck({ domain }),
botoi.dnsSecurity.dmarcCheck({ domain }),
botoi.headers.check({ url: `https://${domain}` }),
]);
const issues: string[] = [];
if (ssl.data.days_remaining < 30) {
issues.push(`SSL expires in ${ssl.data.days_remaining} days`);
}
if (!spf.data.has_spf) {
issues.push("Missing SPF record");
}
if (!dmarc.data.has_dmarc) {
issues.push("Missing DMARC record");
}
if (spf.data.score !== "A") {
issues.push(`SPF score: ${spf.data.score} (issues: ${spf.data.issues.join(", ")})`);
}
return { domain, issues, passed: issues.length === 0 };
}
const result = await auditDomain("your-app.com");
console.log(result);Automate with GitHub Actions
Run these checks on every push to main and on a weekly schedule. The action fails the build when
the SSL certificate is within 14 days of expiry or the SPF score drops below A.
name: Security Audit
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9 AM
push:
branches: [main]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- name: Check SSL expiry
run: |
RESULT=$(curl -s -X POST https://api.botoi.com/v1/ssl-cert/expiry \
-H "Content-Type: application/json" \
-d '{"domain": "your-app.com"}')
DAYS=$(echo $RESULT | jq '.data.days_remaining')
if [ "$DAYS" -lt 14 ]; then
echo "::warning::SSL certificate expires in $DAYS days"
exit 1
fi
- name: Check DNS security
run: |
SPF=$(curl -s -X POST https://api.botoi.com/v1/dns-security/spf-check \
-H "Content-Type: application/json" \
-d '{"domain": "your-app.com"}')
SCORE=$(echo $SPF | jq -r '.data.score')
if [ "$SCORE" != "A" ]; then
echo "::warning::SPF score is $SCORE, not A"
fiWhat Mythos changes for security teams
Mythos found 595 crash-inducing inputs across the OSS-Fuzz corpus, compared to roughly 150 from Opus 4.6. It developed 181 working Firefox exploits where Opus 4.6 managed 2. Anthropic committed $100 million in API credits and $4 million to open-source security organizations through Project Glasswing.
The takeaway: AI-driven vulnerability discovery works. The scale and speed will only increase. Attackers will get access to similar capabilities. Your defense can't rely on manual audits alone.
The six checks in this post won't find a 16-year-old buffer overflow in your dependencies. But they catch the low-hanging failures that cause real incidents: expired certificates, spoofable email domains, missing security headers, and silent downtime. Automate them today. Fix what comes back. Then worry about the deeper stuff.
Frequently asked questions
- What is Claude Mythos and can I use it?
- Claude Mythos Preview is Anthropic's newest AI model, announced April 7 2026. It found over 500 high-severity vulnerabilities in open-source projects like FFmpeg, OpenBSD, and FreeBSD. Anthropic has no plans for a public release. Access is restricted to Project Glasswing partners including AWS, Apple, Google, Microsoft, Nvidia, and CrowdStrike.
- What kind of vulnerabilities did Claude Mythos find?
- Mythos found memory corruption bugs, buffer overflows, stack overflows, and logic flaws. Notable examples include a 16-year-old out-of-bounds write in FFmpeg's H.264 codec, a 27-year-old denial-of-service bug in OpenBSD's TCP stack, and a 17-year-old remote code execution vulnerability in FreeBSD NFS (CVE-2026-4747).
- Can I check my domain's SSL and DNS security with an API?
- Yes. Send a POST request to https://api.botoi.com/v1/ssl-cert/expiry with your domain to check certificate validity. Use /v1/dns-security/spf-check, /v1/dns-security/dmarc-check, and /v1/dns-security/dkim-check to audit email authentication records. All endpoints work without an API key at 5 requests per minute.
- How do I automate security checks in a CI pipeline?
- Call the security endpoints from any CI system using curl or an HTTP client. Check SSL expiry, DNS security records, HTTP security headers, and site availability on every push or on a cron schedule. The Botoi API returns structured JSON, so you can parse results and fail the build when a check returns a warning.
- What is Project Glasswing?
- Project Glasswing is Anthropic's initiative to use Claude Mythos for defensive security. Partners include AWS, Apple, Google, Microsoft, Nvidia, CrowdStrike, Cisco, Broadcom, JPMorganChase, Palo Alto Networks, and the Linux Foundation. Anthropic committed up to $100 million in API credits and $4 million to open-source security organizations.
Try this API
Password Breach Check API — interactive playground and code examples
More guide posts
Start building with botoi
150+ API endpoints for lookup, text processing, image generation, and developer utilities. Free tier, no credit card.