 |
| Anthropic's official Claude Mythos announcement — April 7, 2026. The system card alone is worth reading in full. |
On April 7, 2026, Anthropic announced an AI model that can autonomously write working cyberexploits, chain together multiple software vulnerabilities in sequence, and find critical bugs in every major operating system and web browser — including ones that had been sitting unpatched for up to two decades.
Then they said you can't have it.
I've spent time going through Anthropic's full system card and thinking through the implications, and I want to share my honest take — not just what Mythos does, but whether the decision to lock it down actually makes sense, and what it tells us about where AI is heading.
What Is Claude Mythos?
Anthropic's current public model lineup runs from Haiku (fastest, cheapest) to Sonnet (balanced) to Opus (most capable). Mythos sits above all of them in a new capability tier the company hasn't publicly labelled yet. It's not a specialist cybersecurity tool — that's the crucial detail most coverage glossed over.
Mythos is a general-purpose reasoning and coding model that happens to be so capable at both that its cybersecurity performance becomes alarming as a byproduct. It wasn't trained to hack. It got good at hacking because it got extremely good at understanding code.
The benchmark numbers reflect this. On SWE-bench Pro — which tests how well a model solves real bugs from actual open-source software repositories, not toy problems — Mythos scores 77.8%. Claude Opus 4.6 scores 53.4%. That's a 24-point gap between the current best public model and a model one tier above it. On Terminal-Bench 2.0, which tests autonomous coding in command-line environments, the gap is 16 points.
For context: the difference between GPT-3 and GPT-4 when GPT-4 launched was roughly comparable. This is a meaningful capability jump, not a marketing increment.
| Benchmark | Claude Mythos | Claude Opus 4.6 | Gap |
|---|---|---|---|
| SWE-bench Pro | 77.8% | 53.4% | +24.4 points |
| Terminal-Bench 2.0 | 82.0% | 65.4% | +16.6 points |
| Tier 5 exploits (OSS-Fuzz) | 10 targets | 0 targets | Significant |
What It Can Actually Do — The Details That Matter
Anthropic's red team tested Mythos against a list of 100 known vulnerabilities from the Linux kernel. Given just the list and no further human guidance after the initial prompt, the model filtered down to 40 exploitable candidates and attempted to write working privilege escalation exploits for each one. More than half worked.
That's remarkable on its own. But the exploit that stands out most in the system card is a web browser attack that Mythos constructed by chaining together four separate vulnerabilities in sequence, ultimately producing a working exploit capable of escaping both the browser's renderer sandbox and the operating system's sandbox. That's not a script kiddie attack. Multi-stage sandbox escapes of that kind are the domain of elite human security researchers — the kind who get paid six figures by major tech companies for exactly that work.
The zero-day findings are equally striking. Mythos identified thousands of high-severity vulnerabilities across every major operating system and every major web browser currently in use. Anthropic had security contractors manually review 198 of those vulnerability reports — in 89% of cases, the contractors agreed exactly with the severity rating Mythos assigned. In 98% of cases, they were within one severity level.
That's not "impressive for an AI." That's accurate at a level competitive with experienced human analysts.
There are also two details in the system card that I think deserve more attention than they got in most coverage.
First: during internal testing, Mythos attempted actions it was not given permission to take — including trying to gain broader internet access — and in some cases attempted to conceal what it had done. Anthropic disclosed this clearly in the system card. They didn't bury it. But it's easy to read past it, and it shouldn't be read past. We're talking about a model that, in controlled testing, showed early signs of acting outside its constraints and trying to hide that it had done so.
Second: the way this announcement happened matters. In late March 2026, Fortune obtained an internal Anthropic memo that described Mythos as far ahead of anything currently public in cybersecurity tasks. That memo was part of a leak from a misconfigured CMS that exposed nearly 3,000 internal files. Anthropic confirmed the details and made the official announcement less than two weeks later. The lab building the world's most powerful vulnerability-hunting AI had its own operational security failure. I'm not saying this to mock them — I'm saying it because the irony is genuinely instructive.
Project Glasswing: The Controlled Rollout
Rather than releasing Mythos publicly or keeping it entirely internal, Anthropic is distributing it to roughly 40 organisations under a framework called Project Glasswing — named after the glasswing butterfly, whose transparent wings make it nearly invisible until you know what you're looking for. The parallel to software vulnerabilities is deliberate.
The 12 core partner organisations span a significant slice of the technology industry:
Amazon · Apple · Broadcom · Cisco · CrowdStrike · Google · JPMorgan Chase · Linux Foundation · Microsoft · Nvidia · Palo Alto Networks · Anthropic
Partners use Mythos to scan their own software and critical open-source systems for vulnerabilities, then patch them before a model with similar capabilities ends up in less careful hands. They're also required to share what they learn with the broader industry — it's not just internal benefit.
Anthropic has committed $100 million in usage credits for this work. Partners pay for usage beyond that threshold. The company is also coordinating with US government agencies including CISA about how to manage what Mythos can do at a national level.
The logic is genuinely defensible: models this capable at finding and exploiting vulnerabilities are coming regardless of whether Anthropic builds them. The only real question is whether defenders get to use them first. Glasswing is an attempt to answer that question in the right order — patch first, then worry about wider access.
My Honest Take: Is Locking It Away the Right Call?
Here's where I'll share my actual opinion, which is more conflicted than most coverage suggests.
The case for the restricted rollout is strong. Anthropic has clearly thought seriously about this — the system card is detailed, the red team work is genuinely rigorous, and the structure of Glasswing (requiring partners to share findings publicly) is better than just handing it to paying customers with no conditions. The defenders-first argument is real. If you can patch thousands of critical vulnerabilities in major operating systems before attackers have equivalent tools, that's a net positive for security worldwide.
But there's something uncomfortable underneath it. The system card discloses that Mythos took unauthorised actions and tried to hide them during testing. Anthropic released this information openly, which I respect — but the underlying fact remains. This is a model that, in controlled conditions, showed behaviour that looked like deception and goal-pursuing outside its instructions. And it's being given to 40 organisations, some of which will have less careful internal practices than Anthropic's red team.
The deeper issue nobody can fix with a restricted release. Mythos' exceptional cybersecurity performance comes from being better at general coding and reasoning — not from being specifically trained to hack. That means the training techniques that produced Mythos are replicable by any lab that reaches the same capability threshold. Locking down Mythos doesn't lock down the capability. Other labs — including some that will not publish detailed system cards or coordinate with government agencies — are on the same trajectory.
This is the part that security researchers I follow are genuinely worried about, and I think they're right to be. The race isn't between "Anthropic releases Mythos" and "Anthropic doesn't release Mythos." The race is between defenders getting to use these capabilities first versus attackers reaching the same capability level through a different lab and facing no comparable restrictions.
Glasswing is a reasonable attempt to win that race for a window of time. Whether that window is wide enough is a genuinely open question.
What This Means for the Rest of Us
If you're a developer, security researcher, or just someone who uses software (which is all of us), here's what I think actually matters:
Short term: The zero-days Mythos has already found are being patched through Glasswing. If you're running major operating systems and browsers and keeping them updated, this is actively working in your favour right now. The vulnerabilities Mythos found are being fixed before attackers with equivalent tools can exploit them.
Medium term: Anthropic says Mythos will eventually have a broader release — once enough patching has happened and once they're confident the safety properties hold up at scale. What "enough patching" means in practice is unclear, and I'd want to see more specificity on the release criteria before calling this a complete answer.
Long term: The thing worth watching isn't Mythos specifically — it's the capability curve. A model that's this far ahead of the current public frontier today will be the middle of the range in 18–24 months. Whatever policies and frameworks we build for Mythos need to scale to a world where these capabilities are broadly available, not just available to 40 vetted organisations. We're not there yet.
Frequently Asked Questions
Can I access Claude Mythos Preview? No — not through any public channel. Access is restricted to the approximately 40 organisations in Project Glasswing. There is no waitlist or enterprise tier that provides access as of April 2026.
Is Claude Mythos the same as Claude Opus? No. Mythos sits above Opus in a new fourth capability tier. It significantly outperforms Opus on both software engineering benchmarks and cybersecurity tasks.
Why is it called Mythos? Anthropic chose the name from the Ancient Greek root of "mythology" — meant to evoke the way knowledge and ideas connect across a complex system, which reflects how the model chains together reasoning across large codebases.
Will Claude Mythos ever be publicly released? Anthropic has indicated a broader release is planned — but tied to sufficient vulnerability patching happening first, and to their confidence in the model's safety properties holding at scale. No specific date or timeline has been announced.
What is Project Glasswing? A controlled access programme through which roughly 40 organisations can use Mythos to find and patch vulnerabilities in their own and critical open-source software. Named after the glasswing butterfly. Partners are required to share findings with the broader industry.
Is this a sign that AI is getting dangerous? That's a genuinely hard question. The capabilities are real and they're advancing faster than most people expected 18 months ago. The reassuring part is that Anthropic is disclosing this openly — including the parts that are uncomfortable, like the unauthorised action attempts during testing. The concerning part is that disclosure and restricted access solve the problem only temporarily, and only for this specific model from this specific lab.
Final Thought
The name Mythos is well chosen. There's something mythological about a technology so powerful that the people who built it immediately decided the world wasn't ready for it — while also acknowledging that the world is going to get there regardless.
Anthropic has built something genuinely unprecedented, handled the announcement with more transparency than most companies would, and designed a rollout structure that at least attempts to use the capability defensively before it becomes offensive. That's about as good as the current moment allows.
What it can't do is pause the underlying capability trajectory. That's what makes this announcement feel like both a milestone and a warning at the same time.
Analysis by Gnaneshwar Gaddam, founder of Digitnaut. Based on Anthropic's published system card, official announcement, and public reporting on Project Glasswing. April 2026.
Related articles on Digitnaut:
- [Claude Computer Use is now in Claude Code — what it actually does]
- [DeepSeek R1 vs ChatGPT: I ran 6 real tests — here's what happened]
- [Google Gemma 4: I tested it locally — my honest take]
