On the morning of March 26, a configuration error at Anthropic exposed nearly 3,000 internal documents to the open internet. Among them was a draft blog post describing a model called Claude Mythos, one the company called "by far the most powerful AI model we've ever developed." Cybersecurity stocks cratered the next morning. CrowdStrike lost 7.5% before lunch.
Twelve days later, on April 7, Anthropic made it official. Claude Mythos Preview is real, it is as dangerous as the leaked documents suggested, and Anthropic has no intention of releasing it to the general public. Instead, the company launched Project Glasswing, a controlled initiative that gives 12 founding partners and roughly 40 additional organizations access to the model for one purpose: finding and fixing the security flaws that decades of human review have missed.
The partners read like a who's who of companies that cannot afford to be hacked: Apple, Amazon Web Services, Microsoft, Google, NVIDIA, Cisco, CrowdStrike, Broadcom, JPMorganChase, Palo Alto Networks, and the Linux Foundation.
The Numbers That Changed the Conversation
The capability gap between Mythos Preview and its predecessor is not incremental. It is a generational leap, and Anthropic's own Frontier Red Team published the data to prove it.
When tested against Mozilla Firefox's JavaScript engine, Claude Opus 4.6 developed working exploits 2 times out of several hundred attempts. Mythos Preview developed working exploits 181 times, with register control on 29 more. That is not a percentage improvement. It is a different category of capability.
On the OSS-Fuzz benchmark, which measures a model's ability to find crashes in open-source software, Sonnet 4.6 and Opus 4.6 each produced roughly 250 to 275 crashes at tiers 1 and 2, with just 1 each at the highest severity tiers. Mythos Preview produced 595 crashes at tiers 1 and 2, a handful at tiers 3 and 4, and achieved full control-flow hijack on 10 separate, fully patched targets at tier 5.
| Benchmark | Opus 4.6 | Mythos Preview |
|---|---|---|
| Firefox JS engine exploits | 2 | 181 |
| OSS-Fuzz tier 1-2 crashes | ~250-275 | 595 |
| OSS-Fuzz tier 5 (full hijack) | 1 | 10 |
| Autonomous exploit development | ~0% success rate | 72.4% success rate |
The researchers who conducted the evaluation were blunt: "Opus 4.6 generally had a near-0% success rate at autonomous exploit development. But Mythos Preview is in a different league."
Bugs That Survived Decades of Human Review
The zero-day vulnerabilities Mythos Preview uncovered are not minor edge cases. They are flaws embedded in foundational software that millions of systems rely on daily, the same class of infrastructure targeted in recent supply chain attacks on developer tools.
The oldest: a 27-year-old bug in OpenBSD's SACK implementation. OpenBSD is widely considered one of the most security-focused operating systems ever built. Its developers have spent decades auditing every line of code. Mythos found what they could not.
It also discovered a 16-year-old vulnerability in FFmpeg's H.264 decoder, software that handles video playback across billions of devices. And a 17-year-old remote code execution flaw in FreeBSD's NFS implementation, now tracked as CVE-2026-4747.
The FreeBSD exploit was particularly sophisticated. Mythos Preview constructed a 20-gadget return-oriented programming chain, split across multiple network packets, that gave an unauthenticated attacker full root access to the target server.
On the Linux kernel, the model demonstrated the ability to independently identify and chain together sets of vulnerabilities for privilege escalation, combining two, three, and sometimes four separate flaws into a single working exploit.
| Exploit Type | Cost (API Pricing) | Time |
|---|---|---|
| One-bit adjacent-page write | Under $1,000 | Half a day |
| One-byte read escalation | Under $2,000 | Less than a day |
Perhaps the most striking finding: in one browser exploitation test, Mythos Preview "fully autonomously discovered the necessary read and write primitives, and then chained them together to form a JIT heap spray" that escaped both the renderer sandbox and the OS sandbox by chaining four separate vulnerabilities.
Anthropic Committed $100 Million to Defense
Anthropic is not selling Mythos Preview as a product. The company committed $100 million in model usage credits through Project Glasswing.
An additional four million dollars in direct donations went to open-source security organizations.
The model is available through the Claude API, Amazon Bedrock, Google Cloud's Vertex AI, and Microsoft Foundry. But access is gated.
The disclosure framework is unusually strict. Vulnerabilities are committed via SHA-3 hash with a 90-day responsible disclosure window, plus a 45-day extension if needed. Professional security contractors validate every report before maintainers are notified.
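As an added illustration (not Anthropic's code or published scheme), here is a minimal hash commitment of the kind the paragraph above describes: the finder publishes a SHA-3 digest immediately, keeps the report private, and reveals it later so anyone can check that it matches. The article says only "SHA-3 hash", so the SHA3-256 variant, the random nonce, the length-prefixed encoding, the function names and the sample report are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional, Tuple

WINDOW = timedelta(days=90)     # disclosure window stated in the article
EXTENSION = timedelta(days=45)  # optional extension stated in the article


def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, nonce); publish the hex, keep report and nonce private."""
    if nonce is None:
        # Random nonce (assumption): without it, a short or guessable report
        # could be recovered by hashing candidate texts and comparing.
        nonce = secrets.token_bytes(32)
    # Length-prefix the nonce so the nonce/report boundary is unambiguous.
    data = len(nonce).to_bytes(2, "big") + nonce + report
    return hashlib.sha3_256(data).hexdigest(), nonce


def verify(commitment_hex: str, report: bytes, nonce: bytes) -> bool:
    """At disclosure time, check the revealed report against the published hash."""
    recomputed, _ = commit(report, nonce)
    return hmac.compare_digest(recomputed, commitment_hex.strip().lower())


def disclosure_deadline(committed_on: date, extended: bool = False) -> date:
    """Latest publication date: 90 days, or 90 + 45 with the extension."""
    return committed_on + WINDOW + (EXTENSION if extended else timedelta(0))


if __name__ == "__main__":
    # Constructed sample report; not a real finding.
    report = b"PLACEHOLDER: out-of-bounds read in example_parser(), project EXAMPLE"
    digest, nonce = commit(report)
    print("publish now :", digest)
    print("verifies    :", verify(digest, report, nonce))
    print("edited copy :", verify(digest, report + b" (edited)", nonce))
    print("deadline    :", disclosure_deadline(date(2026, 4, 7)))
    print("w/ extension:", disclosure_deadline(date(2026, 4, 7), extended=True))
```

The commitment proves the report existed in its final form on the commit date without revealing its contents; any edit to the report after that date makes verification fail.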
Over 99% of the vulnerabilities Mythos Preview has discovered remain unpatched. Fewer than 1% have completed responsible disclosure. Of the 198 vulnerability reports that Anthropic manually reviewed, 89% aligned exactly with the model's own severity assessments. 98% were within one severity level. If those validation rates hold across the full dataset, Anthropic projects the model has found over a thousand critical-severity vulnerabilities and thousands more at high severity.
The Industry Response
The partner reactions arrived within hours of the announcement, and they were not the usual corporate platitudes.
"AI capabilities have crossed a threshold that fundamentally changes urgency to protect critical infrastructure from cyber threats." — Anthony Grieco, SVP, Cisco
"The window between vulnerability discovery and exploitation has collapsed. What took months now happens in minutes with AI." — Elia Zaitsev, CTO, CrowdStrike
Igor Tsyganskiy, Microsoft's Global CISO, confirmed that "Claude Mythos Preview showed substantial improvements against CTI-REALM security benchmark versus prior models." Amy Herzog, AWS CISO, noted that her teams "analyze over 400 trillion network flows daily for threats, with AI central to defending at scale."
Jim Zemlin, CEO of the Linux Foundation, framed the initiative in terms of access: "Project Glasswing offers a credible path to making AI-augmented security a trusted tool for every maintainer, not just wealthy organizations."
The Dual-Use Problem Anthropic Cannot Solve Alone
The capability that makes Mythos Preview extraordinary for defense is the same capability that makes it terrifying for offense. An engineer at Anthropic with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight. The next morning, a complete, working exploit was waiting.
This is not a hypothetical. Anthropic's own leaked documents warned in March that the model "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." The company has privately warned government officials that Mythos makes large-scale cyberattacks significantly more likely in 2026.
The gated release strategy is Anthropic's answer to a question every AI lab will eventually face: what happens when your model is better at breaking things than humans are at fixing them? By restricting access to defenders first, Anthropic is betting that a 90-day head start is enough.
Whether 90 days is enough depends on a race that is already underway. State-sponsored attackers are already targeting open-source infrastructure at scale. Anthropic's Frontier Red Team noted that the wave of models matching Mythos-level cyber capabilities is coming regardless. The question is whether the defensive infrastructure will be ready when those models arrive from labs with less cautious release strategies.
The Bottom Line
Anthropic built an AI that can find security vulnerabilities that survived 27 years of expert human review, exploit them autonomously, and do it for less than the cost of a business lunch. It then refused to sell it.
The $100 million commitment to Project Glasswing is the largest investment any AI company has made in defensive cybersecurity. But the initiative's success depends on something Anthropic cannot control: whether the 40+ organizations with access can patch faster than the next lab can build a model with similar capabilities and fewer guardrails.
As CrowdStrike CTO Elia Zaitsev put it: "What took months now happens in minutes." The defenders just got a head start. The clock is already running.
Sources
- Assessing Claude Mythos Preview's Cybersecurity Capabilities, Anthropic Frontier Red Team (April 7, 2026)
- Project Glasswing, Anthropic (April 7, 2026)
- Anthropic Debuts Preview of Powerful New AI Model Mythos in New Cybersecurity Initiative, TechCrunch (April 7, 2026)
- Anthropic Is Giving Some Firms Early Access to Claude Mythos to Bolster Cybersecurity Defenses, Fortune (April 7, 2026)
- Anthropic Limits Mythos AI Rollout Over Fears Hackers Could Use Model for Cyberattacks, CNBC (April 7, 2026)
- Anthropic Mythos Model Can Find and Exploit 0-Days, The Register (April 7, 2026)
- Anthropic Unveils Powerful Mythos AI Model, Working with Apple in Cybersecurity Initiative, 9to5Mac (April 7, 2026)