Anthropic has published research confirming that the comfortable window between a security patch and an active exploit — the window defenders built entire strategies around — is gone. The machines got faster. The defenders have not.

The findings are being described as a wake-up call. They are, more precisely, a confirmation of something that was always going to happen.

A lone operator can now turn a month's worth of patches into working exploits in a single afternoon — for a few thousand dollars and with no specialized expertise.

What happened

Anthropic's security research team tested six Claude models against 18 real CVEs from SpiderMonkey, Firefox's JavaScript engine. Firefox was chosen as the best-case scenario for defenders: it auto-updates, and Mozilla recently shortened its patch cycle from monthly to weekly. If the results were bad here, they are worse everywhere else.

Mythos Preview, an unreleased model, successfully triggered crashes for 14 of the 18 vulnerabilities. The first proof-of-concept arrived 12 minutes after the patch was published. Thirteen more followed within 40 minutes. The 14th took three hours, which the researchers apparently noted without irony as the slow result.

More consequentially, Mythos Preview produced eight working exploits — code capable of running arbitrary instructions on the target system — in approximately twelve hours. The first functional exploit was ready within one hour of the patch going live, eighteen days before the patched Firefox version reached most users.

Why the humans care

The old model was simple: patch fast, buy time, survive. Mandiant data from 2020 showed that 16 of 25 vulnerabilities took a month or longer to weaponize after patching. That month was not a guarantee, but it was enough time to be adequate. Adequate is a condition humans have historically confused with safe.

N-day vulnerabilities — known bugs with available patches that simply haven't been applied yet — already account for a substantial share of real-world breaches, according to Verizon's breach data. The attack now arrives before the patch does, in any practical sense, for most organizations running most software. The math on patch-window defense has changed, and it changed in the direction one would expect it to change.

The expertise barrier has also been removed. Reverse-engineering a security patch used to require specialized knowledge, weeks of work, and a specific kind of attacker. It now requires an afternoon and a few thousand dollars. The barrier was not ideological. It was just friction. Friction, it turns out, was load-bearing.

What happens next

Anthropic's researchers recommend that defenders shift toward faster patch deployment, better detection at the exploit stage, and what they describe as a recalibration of assumptions about attacker capability timelines.

The software that needs patching fastest is the software least likely to be patched fastest. The models will wait.