What Claude Just Did Is Insane (Investors Aren't Ready)

An AI model just found serious security flaws in every major operating system and web browser on Earth. One flaw was hiding for 27 years inside one of the most secure systems ever built. Automated Tools scanned that code 5 million times, and they never caught it. But here's where things get really crazy. The company that built this AI decided that it was too dangerous to release. So instead, they gave it to 12 of the most powerful companies on the planet, almost all of which we can invest in. My name is Alex, and I spent 8 years as a radar engineer and AI researcher at MIT. And I've never seen AI do anything like this. So, subscribe to the channel, and let me show you what just happened and how I'm investing in it. Your time is valuable, so let's get right into it. There's a piece of software that's so foundational that it powers almost every video you've ever watched online, including this one. It's called FFmpeg, and it had a bug. It used two different kinds of counters that didn't quite line up under one very specific condition. A frame carefully split into exactly 65,536 tiny pieces. That's 2 to the 16th power. Those counters would collide when that happens. And when that happened, the software could write data outside of the memory it was allowed to touch, which opens the door for attackers to take control of the machine running the video. That's your PC or your smartphone if you're the one playing that video. But it's also the enterprise servers that are processing it. Netflix, Apple, YouTube. That bug was introduced in 2010. For 16 years, automated testing tools saw that same line of code. 5 million scans. Every single one missed it. And the reason is simple. Traditional tools throw random inputs at software and wait for it to crash. But this bug only triggers at one specific number. A random number tester would almost never find it. But this AI read the code, found the flaw, generated a custom test for it, and confirmed the bug on its very first try. This isn't a specialized cyber security tool. It's not a model that's trained to hunt vulnerabilities. It's a generalpurpose language model called Claude Mythos built by a company called Anthropic. And here's why that matters for investors. Anthropic didn't set out to build a hacking tool. They better coding assistant. But the model got so good at reading code and so good at understanding what a programmer intended as well as spotting the difference between the two that it could find the flaws that human experts have been missing for decades. So anthropic trained Claude Mythos to be really good at code. But as a side effect, it got really good at securing code as well. To understand why this is such a huge deal for software stocks, you need to understand how Mythos actually finds these issues. The model is placed in an isolated environment with access to a specific codebase. It reads through the source files, which is millions of lines of code, and finds the parts most likely to be hiding serious bugs. Then it writes and runs test programs against that code to confirm or disprove each potential bug. When it finds one, it writes a formal vulnerability report with a small example that recreates the flaw in practice. That's exactly what a professional security researcher does today. The difference is speed and scale. A human analyst might take weeks to audit a single block of code, especially if it's missionritical. Mythos processes an entire codebase in hours. And it doesn't just find bugs. It understands them. It reads the code the way an engineer reads a blueprint, understanding intent, spotting where the code doesn't match that intent, and reasoning about what would trigger the failure. What's even crazier is just how fast this happened. Cyberjimy is a UC Berkeley benchmark that throws over 1,500 real world software bugs from almost 200 open- source projects at different AI models. The current Claude model, Opus 4. 6, scored a 66%. Claude Mythos scored an 83. That's a 16point lead in one model generation. The difference between a D and a B on a test. That's the jump from occasionally finding bugs to finding bugs in every major operating system and web browser on Earth. That's what makes this model so dangerous. But it didn't stop there. It found a 27-year-old bug in OpenBSD, which is an operating system that prides itself on being almost impossible to hack. This one matters to investors for two reasons. First, we talk a lot about AI networking, but not the code that makes it possible. And second, this wasn't a single bug. It was two bugs that chained together. The first was a missing safety check, and the second was a number rolling back to zero at the wrong time. When combined, they could purposely crash a machine from anywhere

on the internet with no authentication required. Governments have trusted this system to run their firewalls since 1998. Mythos found this bug in 2026. It also found flaws in FreeBSD, which is how Firefox runs JavaScript. It found over 180 different bugs in everything from cryptography libraries to virtual machine monitors and turn them all into functional attacks. Previous models found just two of these bugs. And on Linux, which runs most of the world's servers, Android phones, and cloud infrastructure, it chained four separate vulnerabilities together. On their own, each bug looked pretty insignificant, but combined, they let an attacker jump from an ordinary user account to full control of the Linux machine. Mythos is not a proof of concept. Mythos is a weapon, and that's why it scared the market. But there's something else on the market that you need to know about, and that's your private data. There are hundreds of online data brokers making big money by collecting and selling your personal information. That's why I've been using this video sponsor, Delete Me, for over 2 years now, and I really can't recommend them enough. Delete Me is a hands-free subscription service that will remove your personal information from those online data brokers. They give you a quarterly privacy report showing everything they've done, and they reviewed over 55,000 listings for me so far. But what really surprised me is these data brokers had way more than just my private data. They had my wife's and my entire family's, too. That's another reason I really like Delete Me. They have a family plan so we can all have more control over our personal data. So, if you care about your data and your family's privacy, you can get 20% off any consumer plan with my code symbol 20 by going to joindeleteme. com/syol20 or with my link in the description. And a big thank you to Delete Me and to you for supporting the channel. All right, the AI arms race is moving fast. In 2024, Google's project Big Sleep found a single new vulnerability in SQL Lite. In 2025, a DARPA competition threw 54 million lines of code at competing systems that collectively found 18 bugs. In April of 2026, Mythos found thousands across every major operating system, every major browser, and every major code library on the planet. And it didn't just find bugs, it built working attacks around them. Anthropic says that over 99% of these bugs are still unpatched because the fixes just haven't been deployed yet and that should have the market's full attention. And it did, but probably not the way Anthropic wanted. 2 weeks before they were ready to announce Mythos, a blog misconfiguration leaked it to the public and the market was very quick to react. Cyber security stocks tanked. Crowdstrike, PaloAlto Networks, everyone. The logic was obvious. If an AI model can find bugs, exploits, and vulnerabilities faster than any human, then why do we need a4 trillion dollar cyber security industry in the first place? The market didn't see mythos as a competitive threat. It saw it as a meteor and expensive cyber security consultants were the dinosaurs. And for a few days, it looked like the market was right. The question was, which company would use these capabilities first? And that's where the next phase of this AI arms race begins. Alex Stamos is the former chief security officer at Facebook and Yahoo. Today, he's the chief product officer at Corridor, an AI security startup. Alex put a number to the timeline, 6 months. That's how long before small open- source models can find bugs as well as Mythos. And once that happens, every cyber crime syndicate, every state sponsored spy, and every individual hacker on the planet gets access to AI powered exploit discovery. And here's the uncomfortable truth for this entire industry. The bottleneck was never finding the exploits. It was never about bug discovery. Arctic Wolf's threat report found that 76% of actual compromises, the real breaches, the real data being stolen, the real ransomware being deployed involved one or more of just 10 known already patchable vulnerabilities. The flaws were already found. The patches already existed. Organizations just could not move fast enough to deploy them. AI just removed the speed limit, not for cyber security companies, but for the attackers. When every bad actor on the planet can find bugs at AI speeds, the gap between this bug exists and this bug was exploited collapses from months to hours. The entire defensive model of the cyber security industry, find it, report it, patch it, and deploy it, assumes humans are the bottleneck on both sides of the equation. That assumption just broke since attackers can sit at home and point AI models at public software

pretty much as fast as they can type while defenders have to fix the code, test it, get approvals, schedule maintenance windows, and avoid breaking their customer deployments. That means tickets, meetings, and manual reviews. On top of that, attackers benefit from automation, scanning for weaknesses, writing fishing emails, exploring attack paths, and generating exploit code, while defenders have to slow down to make sure they meet regulatory requirements, work with legacy systems, check with multiple vendors, and have compliances that they need to uphold. You can't just let an AI patch a problem at a bank or a hospital and hope for the best. But you definitely can attack them that way. And that six-month window is actually shrinking. Isle, an independent security research lab, tested eight smaller, cheaper, publicly available models to see if they could reproduce Mythos's findings. All eight models found the same exploits that Mythos did. One of those models had 3. 6 billion parameters and cost 11 cents per million tokens. For investors, that means it's not about the model itself. It's about the systems built around it. The targeting, the validation, the triage, the relationships with maintainers. But the raw capability is spreading fast. In fact, Palo Alto Networks' chief security intelligence officer said open models are only weeks or months away from matching Mythos. Cyber security trainers at the SANS Institute say that capability exists now for finding and exploiting basic vulnerabilities. So 6 months is the optimistic estimate and the clock started on April 7th. Now let me say the quiet part out loud. The AI model finding bugs to patch is the same AI model that's exploiting them. There's no architectural difference. There's no switch you flip from offense to defense. It's the exact same capability that makes mythos a shield that also makes it a sword. Anthropic's own red team said it best. The same improvements that make the model substantially more effective at patching vulnerabilities also make it exploiting them. Before going public with Mythos, Anthropic briefed senior officials at two agencies responsible for defending America's digital infrastructure. NSA analysts were already discussing what Mythos means for cyber operations. And as an investor, think about what this means for the market. Anthropic, a private company valued at $380 billion after the second largest venture capital raise in history, is sitting on software exploits for almost every major company on Earth. Over 99% of the vulnerabilities that Mythos found are still unpatched, which means Anthropic is effectively deciding what gets fixed first, how much information to release, when, and to who. This is not a product launch. It's a national security threat. And the real question is who ultimately controls this capability? Who gets access besides Anthropic? And what happens when open models start finding these same exploits all over the internet? Those aren't questions you're going to get answers to on an earnings call. And this is where Enthropic made a big decision that affects the entire stock market. They didn't sell Mythos to the government. They didn't license it to the highest bidder. And they didn't open source it to level the playing field. They formed a defensive coalition called Project Glasswing and gave early access to some of the most powerful publicly traded companies on the planet. Amazon, Apple, Broadcom, Cisco, Crowdstrike, Google, JP Morgan Chase, Microsoft, Nvidia, PaloAlto Networks, and more than 40 other organizations. The cyber security stocks that went down on the leak surged on the announcement. Crowdstrike jumped over 6% in a single session. Palo Alto rose almost 5%. The Mythos model went from being a sword pointed at the industry to the shield protecting it. And now that you understand what just happened, here's exactly how I'm investing in it. The biggest thing for investors to understand is that the cyber security industry is about to undergo a massive shift from detecting and responding to threats to predicting and preventing them. The cyber security industry spent the last two decades building tools to catch attackers after they got in. Glasswing is the first serious attempt to find every flaw before the attackers do. And the cyber security companies inside this coalition are not being disrupted by mythos. They're being armed with it. If it works, this will be the single biggest shift in cyber security since the invention of the firewall. And if it doesn't, every enterprise on Earth just entered an arms race. They have no way to win. But let's talk about who wins from this today. The obvious winners are the companies inside Project Glasswing. the ones with direct access to Mythos and the infrastructure to deploy what it finds. Crowdstrike focuses on endpoint detection and response. So, securing desktops, laptops, and smartphones. Really, any device that connects to a

company network. Their Falcon platform has three parts. A suite of cloud-based modules that do things like run virus scans, manage firewalls, and detect malware. They have a separate threat graph that maps out a company's networks, the devices on it, the users, and the permissions to make sure all the network traffic is legit. And then their Falcon agent is a lightweight agent that runs on each device to send security data back for analysis. Charlotte AI is their AI assistant layer and Agent Works is their agentic automation platform. Being armed with Mythos means that Crowdstrike can use their Falcon platform to proactively patch vulnerabilities across their entire customer base before attackers find them. Crowd Strike's revenue came in at $1. 31 billion for their latest quarter, which is up 23% year-over-year. Annual recurring revenue came in at $5. 25 billion, which is up 24%. Net new ARR came in at $331 million, up 47%. And if you think you missed the boat on Crowdstrike, they just posted their first ever GAP profitable quarter and their gross customer retention sits at 97%. Crowdstrike stock is not cheap. A hundred billion dollar market cap means roughly 20 times price to sales. But now that they're armed with Mythos, we could see their revenues, their profits, and their overall growth continue to accelerate while their competition still waits for access. PaloAlto Networks is the other pureplace cyber security company in Project Glasswing. Their strategy is convincing enterprises to consolidate their security spending onto a single platform, network security, cloud security, access protection, and so on. Cortex, their AI powered security operations platform, integrates directly with Mythos for proactive threat detection and response. Palo Alto's annual recurring revenue from next generation security grew by 33% year-over-year and their guidance implies more than 50% growth in nextgen security for the rest of this fiscal year. Their total annual revenue is approaching 11 billion which makes Powell Alto Networks the cheaper stock. They trade at roughly 14 times sales compared to Crowdstrike's 20 mostly because Crowdstrike is growing significantly faster. The hyperscalers, Microsoft, Google, and Amazon, form the platform layer of Anthropics Project Glasswing. They host Mythos. They use it internally, and they'll probably add it to their serverside security offerings over time. Microsoft alone runs the largest cloud security business on the planet, bringing in roughly $28. 5 billion a year. These companies aren't using Mythos to sell more cloud access. They're using it to manage risk across the entire infrastructure powering AI and the internet. The best way to find great investments is understanding a company's products, not just their profits. And the best companies have perfect products for quickly growing markets. Nvidia, Broadcom, Apple. These companies armed with Mythos will define the next era of digital security while everyone else is effectively defending against tomorrow's attacks with yesterday's tools. And AI is already making the global cyber security market grow fast from $380 billion in 2026 to $1. 2 trillion in 2034. That's a 15. 5% compound annual growth rate for the next 8 years, faster than the growth of the S& P 500. And I expect it to accelerate as more crime syndicates, more spies, and more hackers in general start using more advanced AI for their attacks. So the question for investors isn't whether cyber security spending will keep climbing. It's which companies will capture it. That's why the ones in Project Glasswing are the ones that I'm investing in. But here's the part we can't model in our spreadsheets. Less than 1% of the thousands of vulnerabilities that Mythos has discovered have actually been patched. Less than 1%. Anthropic promised a public report in the next 90 days. That's July 2026. And in it, they're going to spell out what they found, what's been fixed, and who is still exposed. If that report shows 10 to 20% of the bugs have been fixed, then the defenders really do have an edge. But if it only shows 1% of the bugs have been fixed and the vulnerabilities have been closed, then the critics will be right. Attackers will move as fast as AI, while defenders will stay at the speed of tickets, the speed of meetings, and manual reviews. Remember, finding bugs can be automated, but fixing them can't, especially for banks, for hospitals, and for other regulated industries. That's why I think Palanteer will play an important role here, too. But there's one last conflict that I'm not sure how Anthropic will overcome, or if they even can. Anthropic is reportedly considering an IPO in October of 2026. That means that the company that decided Mythos was too dangerous to sell will also need to justify a half trillion dollar valuation

to public market investors. The conflict between cyber safety and shareholders is very real. Anthropic 90-day security report will land in July. Open models are improving every single month. The clock is ticking. But whether Anthropics bet that 6 months of Mythos running defense can outpace AI powered offense will pay off for the companies in Project Glass Wing, for their stocks, and for the security of every data center on the planet. That's something the market hasn't priced in yet. Let me know what you think in the comments. Is Mythos a temporary edge for the defenders, or is this AIdriven arms race the start of a new era of cyber security? And if you want to see more science behind the stocks, check out this video next. Either way, thanks for watching and until next time, this is Tickerol U. My name is Alex, reminding you that the best investment you can make is in you.