Claude Mythos and Project Glasswing: The AI Model Too Dangerous to Release
Anthropic's most powerful AI model found thousands of zero-day vulnerabilities across every major operating system and browser — so the company built a coalition of tech giants to use it defensively before anyone else can.

Overview
On April 7, 2026, Anthropic announced Claude Mythos Preview — a frontier AI model that represents a step change in machine capability for cybersecurity. In internal testing, Mythos autonomously discovered thousands of previously unknown zero-day vulnerabilities in every major operating system and every major web browser, including flaws that had gone undetected for decades. Rather than release the model publicly, Anthropic launched Project Glasswing, a restricted-access initiative that provides Mythos Preview to 12 major technology and security companies — including Amazon Web Services, Apple, Google, Microsoft, and NVIDIA — so they can find and patch vulnerabilities in critical software infrastructure before adversaries gain access to models with similar capabilities. The decision marks one of the most significant acts of voluntary restraint in the history of AI development, and has reignited debate over how frontier AI capabilities should be governed.
What Is Claude Mythos
Claude Mythos is a general-purpose frontier AI model developed by Anthropic, the San Francisco-based AI safety company founded by former OpenAI executives Dario and Daniela Amodei. While Mythos performs strongly across all standard benchmarks — it is the highest-scoring model on record on SWE-bench Verified (93.9%), GPQA Diamond (94.6%), and multiple other evaluations — its cybersecurity capabilities are what set it apart from anything that has come before.
According to Anthropic, Mythos Preview achieved an 83.1% score on CyberGym, a benchmark that measures the ability to reproduce real-world cybersecurity vulnerabilities. For comparison, Claude Opus 4.6, Anthropic's previous flagship model, scored 66.6% — a gap of 16.5 percentage points. More striking still, Mythos generated a working exploit 72.4% of the time when asked to find remote code execution vulnerabilities, compared to approximately 0% for Opus 4.6.
Anthropic has described Mythos as a model whose security research abilities are strong enough that the broader software industry needs time to prepare. It is not a narrow cybersecurity tool — it is a general-purpose model that happens to be extraordinarily capable at finding, understanding, and exploiting software vulnerabilities.
Thousands of Zero-Day Vulnerabilities
In the weeks leading up to the announcement, Anthropic deployed Mythos Preview internally to audit widely used software systems. The results were unprecedented: the model autonomously identified thousands of high-severity, previously unknown vulnerabilities — known as zero-days — across every major operating system and every major web browser.
Several of the discoveries were especially notable. Mythos fully autonomously identified and then exploited a 17-year-old remote code execution vulnerability in FreeBSD's NFS (Network File System) server that allowed any unauthenticated user to gain root access to the machine. It also found a now-patched 27-year-old bug in OpenBSD, one of the most security-hardened operating systems in existence. In one case, the model chained together four separate vulnerabilities in a web browser to create a complex JIT heap spray exploit that escaped both the renderer sandbox and the operating system sandbox — a technique that typically requires months of work by elite human security researchers.
Anthropic engineers with no formal security training reported that they could ask Mythos to find remote code execution vulnerabilities overnight and wake up the following morning to a complete, working exploit. The speed and autonomy of the model's vulnerability discovery represent a qualitative shift in what AI systems can do in the security domain.
Project Glasswing
Rather than release Mythos publicly or even to paying API customers, Anthropic chose to restrict access through a new initiative called Project Glasswing. The program provides Mythos Preview to a carefully selected group of companies responsible for building and maintaining the world's most critical software infrastructure.
The 12 launch partners are: Amazon Web Services, Anthropic itself, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. An additional approximately 40 organizations responsible for critical open-source software infrastructure have also been granted access.
The initiative is backed by significant financial commitments. Anthropic has pledged $100 million in model usage credits to Project Glasswing partners. Additionally, the company is providing $2.5 million to Alpha-Omega and the Open Source Security Foundation (OpenSSF) through the Linux Foundation, and $1.5 million to the Apache Software Foundation — both directed at open-source security auditing.
The goal is straightforward: give defenders a head start. By the time models with similar capabilities become broadly available — whether from Anthropic or competitors — the most critical vulnerabilities should already be found and patched.
Why Anthropic Is Withholding Release
Anthropic's decision not to release Mythos publicly is rooted in a specific concern: the same capabilities that make the model useful for defenders could be used by attackers. If a model can autonomously find and exploit zero-day vulnerabilities in critical systems, then anyone with access to that model — including malicious actors — could use it to attack those same systems.
The company has been explicit that this is not a permanent restriction. Anthropic has said it eventually wants to deploy Mythos-class models at scale, but only when new safeguards are in place. What those safeguards look like — whether technical controls, licensing frameworks, or regulatory structures — remains an open question.
The decision has drawn both praise and criticism. Security researchers and AI safety advocates have largely supported the move, viewing it as a responsible exercise of restraint. Simon Willison, a prominent software developer, wrote that restricting Claude Mythos to security researchers 'sounds necessary' given the capabilities demonstrated. Others have raised concerns about the concentration of power — pointing out that a small number of companies now have access to capabilities that could reshape the cybersecurity landscape, while everyone else does not.
CNBC reported that Anthropic limited the rollout specifically over fears that hackers could use the model for cyberattacks. The tension between offensive and defensive use of AI in cybersecurity is not new, but Mythos has made it concrete in a way no previous model has.
Benchmarks and Technical Capabilities
Claude Mythos Preview sets new records across multiple AI evaluation benchmarks. On SWE-bench Verified, which measures the ability to resolve real-world GitHub issues end-to-end, Mythos scores 93.9% — the highest score ever recorded. On GPQA Diamond, a graduate-level science reasoning benchmark, it scores 94.6%. On CyberGym, a cybersecurity vulnerability reproduction benchmark, it scores 83.1%, compared to 66.6% for Claude Opus 4.6.
But the benchmark numbers, while impressive, undersell the qualitative shift. The most striking capability is Mythos's ability to conduct end-to-end security research autonomously — not just finding vulnerabilities in source code, but understanding systems at a deep enough level to construct working exploits. The FreeBSD NFS exploit, the OpenBSD bug, and the four-vulnerability browser chain were all discovered and exploited without human guidance.
Anthropic has positioned Mythos as a general-purpose model that happens to exhibit exceptional security capabilities, rather than a model specifically trained for security. This distinction matters: it suggests that as frontier models continue to scale, cybersecurity capabilities may emerge naturally as a byproduct of general intelligence rather than requiring specialized training.
Industry and Policy Reaction
The announcement has triggered a wide-ranging response across the technology industry, cybersecurity community, and policy circles. Among Glasswing partners, the response has been measured but serious. AWS published a blog post describing its approach to building AI defenses at scale before threats emerge. Apple's involvement — reported by 9to5Mac — is notable given the company's traditionally cautious approach to external AI partnerships.
In the cybersecurity community, the reaction has been a mix of alarm and urgency. The Hacker News reported that Mythos had found thousands of zero-day flaws 'across major systems,' while The Register described the development with characteristic directness. SecurityWeek called it a 'cybersecurity breakthrough that could also supercharge attacks' — capturing the dual-use dilemma at the heart of the announcement.
Policymakers and AI governance researchers have used the announcement to reinforce arguments for frameworks around frontier AI capability disclosure. The fact that Anthropic chose voluntary restraint — rather than being compelled by regulation — has been cited both as a positive example and as evidence that current governance structures are insufficient for models at this capability level.
The announcement has also had financial implications. Reports link Anthropic's growing revenue and partnership deals — including a significant compute arrangement with Google and Broadcom for TPU capacity starting in 2027 — to the company's expanding model capabilities.
What Happens Next
The immediate priority for Project Glasswing partners is triage. With thousands of zero-day vulnerabilities identified, the coordinated disclosure and patching process will take months. Open-source projects — many maintained by small teams or individual developers — face particular challenges in absorbing and acting on the volume of findings.
Anthropic has said it does not plan to make the Mythos Preview generally available. The company will continue to provide access to vetted organizations responsible for critical infrastructure while it develops safeguards for broader deployment. What 'broader deployment' looks like remains undefined — whether it means a public API, a restricted commercial product, or something else entirely.
The larger question is what happens when competitors catch up. Anthropic is not the only company building frontier AI models. If cybersecurity capabilities of this magnitude emerge naturally from general intelligence scaling — as Anthropic's own research suggests — then other labs will develop similar capabilities. The window during which Glasswing partners have an exclusive advantage may be measured in months, not years.
For the software industry, the message is clear: the era in which zero-day vulnerabilities could hide in codebases for decades is ending. AI models capable of finding them autonomously are here, and the question is no longer whether they will be used — but by whom, and with what safeguards.



