On the morning of April 7, 2026, Anthropic announced a new cybersecurity AI called Mythos. The company did not put it on the public API. It did not put it on Claude.ai. Instead, it handed preview access to twelve named partners under a program it called Project Glasswing. The list read like a national-security briefing. Amazon Web Services. Apple. Broadcom. Cisco. CrowdStrike. Google. JPMorgan Chase. The Linux Foundation. Microsoft. Nvidia. Palo Alto Networks. And Anthropic itself, which holds the twelfth seat for defensive security work. Plus roughly forty other organizations under stricter confidentiality.
Anthropic's own description of Mythos was alarming in a way the company does not usually sound. The model was "larger and more intelligent" than Claude Opus. In internal tests, it had autonomously discovered thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser. It had written working exploits. In one demonstration, it chained four vulnerabilities together to break out of both a browser renderer and an operating-system sandbox. This was why Glasswing existed. The model was too useful to shelve and too dangerous to ship.
By the end of that same day, a small group of people communicating through a private Discord channel were logged in and using Mythos. They had not been invited. They had guessed.
How the Guess Worked
The breach was reported by Bloomberg on Tuesday, April 21, and confirmed by Anthropic in a statement that same afternoon. The details come from Bloomberg's reporting, which cited a third-party contractor employed in the vendor environment, and from screenshots and a live demonstration the group provided to verify their access.
Anthropic distributes preview models to partners through a set of vendor environments. The environments follow a naming convention. Anyone familiar with how Anthropic has structured previous limited releases could, with a little effort, work out the likely address of the Mythos preview from the URL patterns used on earlier models. That is what the Discord group did. One member, employed at a third-party contractor that works with Anthropic, provided enough operational knowledge to confirm the guess was right. The group then attempted several strategies before one worked.
In the Anthropic spokesperson's language, which was deliberately narrow: "We're investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments." The statement added that there was no evidence that "Anthropic's systems are impacted, nor that the reported activity extended beyond the third-party vendor environment."
Translation: the group did not touch Anthropic's core infrastructure. They touched a contractor environment that had been provisioned with the model. That is exactly the attack surface Glasswing was supposed to reduce.
What Mythos Can Do
The reason this incident is not a standard vendor-breach story is the model itself. Mythos is not a chatbot. It is the tool Anthropic believes will redefine offensive and defensive cybersecurity.
The capabilities Anthropic has attributed to Mythos in its own writeups:
- Autonomous discovery of zero-day vulnerabilities across operating systems and browsers, at scale
- Writing working exploit code, not just proof-of-concept descriptions
- Chaining multiple vulnerabilities to break out of nested sandboxes (demonstrated: four vulnerabilities chained to escape a browser renderer and the underlying OS)
- Running continuous security sweeps on large codebases without human prompting
This capability set is what Glasswing was built to contain. Anthropic's thesis, explained in the April 7 announcement, is that a model with those abilities in the wrong hands would materially change the global offensive-security environment. Twelve named partners, plus roughly forty additional organizations, were the hands Anthropic was prepared to trust. The Discord group was not on the list.
Worth noting: LDS covered the Glasswing launch two weeks ago in "Anthropic Released Its Zero-Day Hunting AI to Apple, Microsoft, and Amazon. It Found Vulnerabilities Nobody Else Could." The original framing was that Anthropic had chosen a small, trusted set of partners to keep the model contained. The April 21 report is the first public break in that containment.
Bloomberg's sources within the Discord community told the outlet that the group's purpose was not malicious. They wanted, in their own framing, to understand an unreleased model. They supplied Bloomberg with screenshots and a live demonstration. They did not, based on current reporting, sell access, publish weights, or use Mythos to find vulnerabilities in real targets. What they did was prove the model could be reached by someone outside the Glasswing list.
Anthropic has not said how many members of the Discord community gained access, how long they had it before detection, or whether the vendor environment has been re-provisioned.
Why This Particular Breach Matters
Model leaks are not new. Meta's Llama weights leaked in March 2023 after being shared with approved researchers. Mistral's original Mixtral weights ended up on torrent sites within days of release. In February 2026, xAI was itself briefly accused of leaking an internal Grok build through a Hugging Face repository. And Anthropic itself had already lost one round of Mythos secrecy on March 26, when a CMS misconfiguration published the model's existence through draft blog assets and sent cybersecurity stocks into a one-day rout. Frontier model security is a harder problem than the industry publicly admits.
What makes Mythos different is the deliberate choice Anthropic made to build a containment program around it. Glasswing was presented to the public on April 7 as a model for how to ship a dangerous AI responsibly. Twelve partners, layered access controls, third-party vendor environments, and contractual restrictions. The architecture was the product. Two weeks later, the architecture was defeated by someone guessing a URL pattern and a contractor employee who knew enough to confirm it.
For enterprise security leaders thinking about where their own AI models live, there are three uncomfortable facts in this incident.
First, vendor environments are not, by default, hardened beyond normal cloud posture. Anthropic's statement draws a clear line between its own systems, which it says were not affected, and the third-party environment where the breach occurred. The model was exposed at the contractor layer, not the developer layer. That is where most enterprise model deployments also live.
Second, predictable URL and naming conventions are now an attack surface. The group did not exploit a code-level vulnerability. They observed a pattern in how Anthropic had previously served models to partners and extrapolated. Every AI lab that uses pattern-based naming for preview deployments has the same exposure.
Third, insider-adjacent access is now the most common vector in AI model breaches. The group did not break in alone. One member worked at an Anthropic third-party contractor. In 2025, every major model leak, including the Llama and Mixtral incidents, involved at least one person with authorized access somewhere in the chain. Glasswing's twelve trusted partners and forty additional organizations represent, at minimum, several thousand individuals who have at least some access to Mythos or its preview infrastructure.
The Other Side
Not everyone reading the story sees a failure of Glasswing.
The Discord group, through the Bloomberg conduit, described itself as model archaeologists rather than attackers. They wanted to understand a frontier model that would never be available to the public. They did not exfiltrate weights. They did not sell access. On one view, they conducted a pressure test that Anthropic would eventually have had to commission for itself. Anthropic has not disclosed whether it ran an internal red-team exercise specifically targeting the Glasswing vendor layer before launch.
A different counterargument lives inside the security research community. If a model is genuinely dangerous enough to require twelve named partners and forty vetted organizations, the right comparison for Glasswing is not a cybersecurity product launch but an export-controlled technology. Export-controlled technologies are not distributed through contractor environments that can be reached by guessing a URL. Security researchers have been pointing this out since Glasswing was announced. The April 21 incident is the first public data point that supports their framing.
A third view, which comes from parts of the open-source AI community, is that Mythos should not exist as a restricted model at all. If AI will autonomously find zero-days across every major platform, defenders will need the same capability at the same speed as attackers. A twelve-partner program, on this view, guarantees that only a small fraction of the defenders who need Mythos have it, while motivated attackers will eventually get there anyway.
Anthropic, for its part, has not addressed any of these critiques publicly. Its statement as of Tuesday was limited to the investigation.
What Glasswing Partners Should Do Now
1. Ask Anthropic whether the breached vendor environment shares infrastructure or credentials with your own deployment. If yes, rotate every credential now.
2. Review how your organization's model endpoints are named and accessed. If the naming convention is predictable from public information, change it.
3. Audit which of your third-party contractors have access to Mythos preview infrastructure, and on what authorization basis.
4. Treat every model prompt you have sent to the Mythos preview as potentially observed. Anthropic has not confirmed what logs the unauthorized group could see.
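For step 2, one way to check your own endpoint inventory for names that follow a pattern already visible in earlier releases. This is an added example, not code from Anthropic or from the reporting; the hostnames, product terms and function names are hypothetical and the sample inventory is constructed.

```python
import re

def template(host, public_terms):
    """Reduce a hostname to its naming pattern: publicly known product
    names become {name}, pure numbers become {n}, the rest stays literal."""
    parts = []
    for tok in re.split(r"([-.])", host.lower()):
        if tok in public_terms:
            parts.append("{name}")
        elif tok.isdigit():
            parts.append("{n}")
        else:
            parts.append(tok)
    return "".join(parts)

def derivable(earlier_hosts, new_hosts, public_terms):
    """Return the new hosts whose pattern already appears among earlier
    hosts, i.e. names that can be constructed from an old address plus
    terms that are public."""
    terms = {t.lower() for t in public_terms}
    seen = {template(h, terms) for h in earlier_hosts}
    return [h for h in new_hosts if template(h, terms) in seen]

# Constructed sample inventory (hypothetical names under a reserved domain).
EARLIER = ["alpha-2-preview.vendor.example", "beta-3-preview.vendor.example"]
NEW = [
    "gamma-1-preview.vendor.example",      # follows the earlier convention
    "p-7f3c9a1e5b2d48c6.vendor.example",   # random label, no shared pattern
]
PUBLIC_TERMS = {"alpha", "beta", "gamma"}  # product names already announced

if __name__ == "__main__":
    for host in derivable(EARLIER, NEW, PUBLIC_TERMS):
        print("predictable from earlier naming:", host)
```

A name that passes this check is only harder to find; the endpoint still needs authentication and per-identity authorization, which is what steps 1 and 3 address.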
The Bottom Line
Anthropic built Glasswing because it believed Mythos was too dangerous to put on the API. That belief may still be correct. What the Discord incident shows is that the containment layer Anthropic built around that belief was thinner than the public announcement suggested. A small group reached the model by guessing a URL. One person inside a contractor organization helped. The entire architecture failed at its weakest link, which was not the model, not the partners, and not Anthropic's own infrastructure.
The question that follows is harder. If a private Discord community can reach Mythos by URL inference, a resourced state-affiliated group can do the same in half the time and without telling anyone. Anthropic's response so far is that there is no evidence of harm beyond the vendor environment. The problem with that claim is that it is unfalsifiable until somebody uses a Mythos-derived exploit in the wild.
Glasswing's pitch was that a dangerous model could be trusted with twelve partners. The April 21 incident says a dangerous model can also be reached by a Discord. That is the gap the rest of the industry now has to close, and Anthropic has two weeks of head start before the next preview goes out.
Sources
- Unauthorized group has gained access to Anthropic's exclusive cyber tool Mythos, report claims (TechCrunch, April 21, 2026)
- Anthropic probing reported Mythos leak on Discord (Silicon Republic, April 22, 2026)
- Unauthorized users gained access to Anthropic's restricted Mythos AI model (The Next Web, April 22, 2026)
- Hackers breach Anthropic's 'too dangerous to release' Mythos AI model, report (Euronews, April 22, 2026)
- Anthropic's Leaked Mythos Model Raises Cybersecurity Alarm (NewsGhana, April 22, 2026)
- Exclusive: Anthropic 'Mythos' AI model representing 'step change' in power revealed in data leak (Fortune, March 26, 2026)
- Anthropic Mythos Breach: Unauthorized Access Reported (The CyberSec Guru, April 22, 2026)