Anthropic Open-Sources the Harness Behind Its Bug-Hunting Agent
Anthropic just put the recipe for an autonomous security researcher on GitHub. The repo is called defending-code-reference-harness, and it is the reference implementation behind the vulnerability work in Project Glasswing and the Mythos model.
What is inside is the whole loop, not a demo. There is an autonomous pipeline that goes recon, find, verify, report, patch, configured out of the box to hunt C and C++ memory bugs using Docker and ASAN. There is a harness that maps a codebase, spins up scanning subagents, triages what they find, and writes the reports. And there is a threat-model builder that looks at a codebase, figures out the likely attack targets, and tells the model where to spend its time first. They also shipped the skills, the reusable instruction packs, that Anthropic and its partners built for this.
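As an added illustration of the verify step (example code, not from the repo): the harness only counts a finding as confirmed when the reproducer actually trips AddressSanitizer in the build container, so the triage stage needs to parse the sanitizer report. The sample report and the severity rule below are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an AddressSanitizer report, as the verify step would capture
# it from running a reproducer inside the Docker build (not output from the repo).
SAMPLE_ASAN_REPORT = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x4f2a1b
WRITE of size 1 at 0x602000000018 thread T0
    #0 0x4f2a1a in parse_header src/parser.c:42:5
    #1 0x4f3001 in main src/main.c:17:9
0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4a1c3d in malloc
    #1 0x4f2900 in parse_header src/parser.c:38:15
SUMMARY: AddressSanitizer: heap-buffer-overflow src/parser.c:42:5 in parse_header
==1234==ABORTING
"""

@dataclass
class AsanFinding:
    bug_class: str
    access: str       # READ, WRITE, or UNKNOWN
    size: int         # access size in bytes
    location: str     # file:line of the faulting frame
    function: str
    severity: str

# Assumed triage rule (not the repo's): out-of-bounds or use-after-free writes
# are rated higher than reads because they give an attacker more control.
HIGH_IF_WRITE = {"heap-buffer-overflow", "stack-buffer-overflow",
                 "global-buffer-overflow", "heap-use-after-free"}

def parse_asan_report(text: str) -> Optional[AsanFinding]:
    """Return a finding only if ASAN actually reported an error; None otherwise."""
    m = re.search(r"ERROR: AddressSanitizer: ([\w-]+)", text)
    if not m:
        return None  # no sanitizer error: the candidate bug is not verified
    bug_class = m.group(1)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    access, size = (acc.group(1), int(acc.group(2))) if acc else ("UNKNOWN", 0)
    # First "#0" frame belongs to the faulting stack, not the allocation stack.
    frame = re.search(r"^\s+#0 0x[0-9a-f]+ in (\w+) (\S+?):(\d+)", text, re.M)
    function, location = ((frame.group(1), f"{frame.group(2)}:{frame.group(3)}")
                          if frame else ("?", "?"))
    severity = "high" if bug_class in HIGH_IF_WRITE and access == "WRITE" else "medium"
    return AsanFinding(bug_class, access, size, location, function, severity)
```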
The scale context is why people care. Mythos has scanned more than 1,000 open-source projects and surfaced 23,019 issues, of which 6,202 were high or critical severity. Now the scaffolding that produced those numbers is public.
One caveat worth being clear about. This is explicitly a reference, not a maintained product. The repo is not taking contributions and Anthropic is not promising to keep it updated. But that is almost the point. The interesting thing is not the code, it is that the blueprint for pointing an agent at a codebase and having it autonomously find and patch real bugs is now something anyone can read and copy. https://github.com/anthropics/defending-code-reference-harness