SECURITY · JUNE 9, 2026

A model built to find exploits just went public. Unreviewed code is the target.

Anthropic released Claude Fable 5, the public version of the Mythos model it kept restricted for finding vulnerabilities. The capability is cheap and public now, and it moves code review from a volume problem to a clock problem.


Claude Fable 5 went public today. It is the general-access version of Mythos, the model Anthropic held back through a restricted program since April for one specific reason: it was too capable at finding and chaining software vulnerabilities on its own. In the Glasswing preview, run with AWS, Microsoft, Apple, and CrowdStrike, the model discovered and strung together zero-days across operating systems and browsers, compressing work that took skilled researchers days into something far shorter.

Fable 5 is the realigned version, with added safeguards and a price near twice that of Opus. The safeguards limit misuse. They do not change the underlying fact: a model that can find exploitable bugs at scale is now something anyone can rent.

That cuts two ways, and only one of them is comfortable.

For two years the worry about AI coding tools was volume. Teams using Cursor and Claude Code write far more code, far faster, and more code means more defects slipping past a reviewer who never had time to read all of it. Real, but slow-moving. Today's release sharpens it. The same class of model that writes the code can now hunt the code, and the hunting version is public. A bug that reaches production is no longer a quiet liability waiting for a pentest that may never come. It is a target an adversarial model can find on the same day it ships.

Speed is the whole story. When vulnerability discovery was bound by human attention, a quiet flaw might sit for months before anyone noticed. When discovery is model-bound and cheap, the gap between shipped and found collapses. A review cadence built for the old clock, quarterly audits and a scanner that files findings into a backlog someone clears eventually, is calibrated to a threat that no longer moves at that speed.

Detection was always the easy half. The hard half is that a finding only matters if someone acts on it, and most teams do not have the time. The list grows, the backlog ages, and the exploitable line stays in the codebase for exactly as long as it takes a model on the other side to reach it. The teams that stay ahead of a Fable-class adversary are the ones that close findings on the same cadence an attacker can find them: continuously, per change, before code reaches the branch anyone outside can read.

Today did not make code review more important in the abstract. It moved the clock. The tools that find exploitable code are cheap, public, and fast now. How teams review and fix what they ship has to move to the same tempo, or the gap between the two becomes the attack surface.