Apr 10 2026
1. Anthropic's Mythos and Project Glasswing
- Anthropic's newest general-purpose frontier AI model Mythos – revealed on Tuesday and apparently “too powerful for public release” (akin to how OpenAI’s GPT-2 was released years ago) – has been taking on a near-mythological aura. Mythos is rumored to be the first model in the 10T-parameter weight class, making it roughly 5-10 times larger than Claude Opus 4.6 (Anthropic’s prior frontier model). (Elon Musk revealed this week that xAI also has a 10T-parameter model in training, which is expected to take about 2 months.) Mythos is believed to be using a Mixture of Experts (MoE) architecture, which means only a subset of perhaps 3-7% of parameters are activated at any given time.
- So far, Anthropic is only making Mythos Preview available to select organizations through the cybersecurity-focused Project Glasswing (named after a butterfly with transparent wings that let it hide in plain sight and evade harm). While Mythos’ limited release has some industry watchers skeptical and scoffing about PR gimmicks, the reported jumps in benchmarks are notable. On the industry coding benchmark SWE-bench Verified, Mythos scored an eye-opening 93.9% vs. 80.8% for Opus 4.6. On the cybersecurity benchmark CyberGym, Mythos scored 83.1% vs. 66.6% for Opus 4.6. These are 15-25% improvements, not 1-5%.
- Anthropic says, “Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.” On a cost-per-bug basis, Mythos is already 10x as efficient as Opus 4.6 – and cost-per-bug could improve as inference costs go down. In Anthropic’s illustrative examples, the cost to find bugs in a well-vetted open-source codebase using up to 1,000 runs through the scaffold was $10K-20K, while the cost to develop an exploit ran about $1,000-2,000.
- Given that 99%+ of the vulnerabilities found by Mythos have not yet been patched, Anthropic is not providing much detail on them yet. According to Anthropic, Mythos has shown the ability to find and exploit undiscovered zero-day vulnerabilities in real open-source codebases. The vulnerabilities uncovered by Mythos are “often subtle or difficult to detect,” sometimes not bugs written in the code but rather “behavioral quirks” that only show up in specific situations (e.g. configurations, certain software). Some of these bugs were 10-20 years old and found in open-source software that had been thoroughly inspected and was known for its security (e.g. OpenBSD) – which presents a strong case for the credibility of Anthropic’s claims. In one case, a vulnerability in a widely used open-source media-processing library had gone overlooked for 16 years, during which testing tools had analyzed that line of code 5M times.
- It’s not just open-source code that’s at risk. Mythos can take N-day vulnerabilities – i.e. known but not yet widely patched – in closed-source software and turn them into exploits. It can even reverse-engineer a closed-source stripped binary and reconstruct plausible source code, and use that to find vulnerabilities.
- Unlike Opus 4.6, Mythos is highly capable of autonomously developing complex working exploits that chain together vulnerabilities, at the direction of non-technical users. While Anthropic didn’t train Mythos for this capability, the improvements in code, reasoning, and autonomy that make Mythos much better at patching vulnerabilities also make it very good at developing exploits against them.
- One of the earlier versions of Mythos Preview (which had less aligned behaviors than the final Glasswing model) was able to break out of a secured “sandbox” computer at the user’s instruction. As instructed, it found a way to get broad access to the internet (which it wasn’t supposed to have) and send a message to the user, Anthropic researcher Sam Bowman, who received a surprise email while eating a sandwich in a park. After circumventing the model’s safeguards, the instance then, unasked, posted details about the exploit on public-facing (although hard-to-find) websites.
- In another example, Mythos developed a web browser exploit that chained a sandbox escape with a “cross-origin bypass” that allowed an attacker from one domain (e.g. the attacker’s malicious website) to read data from another domain (e.g. the victim’s bank). The exploit also chained a local privilege escalation exploit so that when the victim visited the attacker’s webpage, the attacker would be able to write directly to their computer’s operating system kernel.
- Under Project Glasswing, Mythos is available to 12 launch partners identified by Anthropic as overseeing some of the world’s most critical software – Amazon Web Services (AWS), Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks – as well as another 40+ organizations that build or maintain critical software infrastructure, and reportedly a small added group of systemically important US banks.
- Glasswing participants can access the model through the Claude API, Amazon Bedrock, Google Cloud’s Vertex AI, or Microsoft Foundry. Anthropic will provide a total of $100M in usage credits to partners, and is donating $4M to open-source security organizations (Apache Software Foundation, Linux Foundation projects Alpha-Omega and OpenSSF). Participants can purchase more tokens at a rate of $25 (input)/$125 (output) per million tokens. (For comparison, Opus 4.6 is $5/$25 per million tokens.) Anthropic is also providing 6-month Claude Max subscriptions to open-source maintainers and contributors.
- For other companies, Anthropic does not plan on making Mythos Preview generally available. It does suggest some near-term actions for companies without access, such as using generally available frontier models to strengthen defenses, reviewing processes for handling bug reports, analyzing cloud environments for misconfigurations, and shortening patch cycles. Anthropic does eventually want to allow users to deploy Mythos-class models at scale (e.g. more efficient distilled versions) – which means it needs to build in better safeguards that can block dangerous outputs.
- Anthropic is clear that “it’s about to become very difficult for the security community.” While it believes that defense capabilities will dominate in the long run, the transition will be tumultuous. It’s also unavoidable. Mythos highlights the trajectory of frontier models across the industry – which just a few months ago were fairly unsophisticated with respect to their cyber capabilities. Other frontier models could catch up to Mythos in 6-18 months, and this trajectory is unlikely to plateau at Mythos’ level. It’s not just frontier models either – cybersecurity startup Aisle says it can replicate some of Mythos’ capabilities with smaller, open-weight models, although what it’s doing is not equivalent.
- Anthropic faces a tricky situation that it has to navigate carefully. First and foremost, there’s the actual sequencing of stakeholder engagements and model releases, which have real-world security ramifications and long-term reputational/trust effects for Anthropic. Given that Anthropic has the leading frontier model in this space, it runs the risk of being painted as a self-interested culprit in the looming cybersecurity crisis ahead – rather than a trustworthy, mission-driven helper. Some industry watchers still believe Mythos is probably over-hyped marketing (unlikely given the kind of bugs uncovered by Mythos and the credibility of the security players involved). Others are criticizing Mythos’ limited release to a select consortium, saying it boosts Anthropic’s enterprise business, locks out rivals and startups, and makes it harder for rivals to distill Anthropic’s model to create their own versions. (Given how expensive Mythos probably is to serve in its current version, it’s likely more geared towards enterprise and government contracts than consumer use.) OpenAI and others have suggested that Anthropic may have limited the Mythos release because of its compute constraints. (Anthropic recently signed a multi-GW deal with Google and Broadcom for TPU capacity.)
- Treasury Secretary Scott Bessent and Fed Chair Jerome Powell summoned the leaders of systemically important banks to an urgent meeting to warn them about the cybersecurity risks posed by the new class of AI models. The banks represented included Bank of America, Citigroup, Morgan Stanley, Wells Fargo, and Goldman Sachs. (JPMorgan’s Jamie Dimon was invited but wasn’t able to attend.) These banks (other than JPMorgan Chase, which was a Glasswing launch partner) were reportedly later given access to Mythos for evaluation. Outside the US, the Bank of Canada and Bank of England have also been gathering their major banks and financial institutions to warn them.
- At this point, Anthropic has already committed to financial regulators that it will hold back the public release of Mythos “until our officials have figured everything out.” (Presumably, this holdback would include distilled versions of Mythos.) Anthropic’s commercial business does, however, depend on its ability to continue pushing out the frontier and providing users with access to that frontier. On Anthropic’s heels are rivals such as xAI and OpenAI that are spending billions to train their own 10T-parameter or Mythos-like models. This means Anthropic’s headstart could be less than 6-18 months – and possibly as little as 2 months and diminishing.
- While Anthropic has been in touch with financial regulators, White House offices, the Cybersecurity and Infrastructure Security Agency (CISA) (under the DHS), and the Commerce Dept, it’s unclear whether it’s engaging in active discussions with the Defense Dept (DoD). The Pentagon recently designated Anthropic as a supply-chain risk – the first US company with this designation – after a dispute over how Anthropic’s models could be used. Anthropic’s request for a temporary stay on the blacklisting was recently denied, which means it is barred from DoD contracts. It won, however, a separate preliminary injunction that prevents a broader ban, which means Anthropic can continue to work with non-Pentagon agencies and federal contractors working on non-Pentagon projects. Nevertheless, with the US engaged in active conflicts, heightening the risk of cyberattacks by nation-state actors, the Pentagon might want to let Anthropic back in from the cold soon – and be glad that it’s a US company.
- One of the areas where we’ll see the most significant changes is the open-source ecosystem. Open-source maintainers have already noted a marked shift in the quality of bug reports beginning about a month or so ago – less “AI slop” and more real reports, some of them quite good. We can expect that most of the significant open-source code (and its follow-on releases) will be analyzed quite soon. Maintainers have a window now to use the tools available to them to start identifying and patching vulnerabilities. Eventually, maintainers will need a fleet of automated software vulnerability researchers to keep open-source code hardened. Otherwise, it’s unrealistic to expect open-source projects that are either not actively maintained or maintained by a skeleton crew to stay ahead of malicious actors.
- It’ll be a race against these malicious actors, who’ll be wielding Mythos-level cyber capabilities, efficiently and at scale, in maybe 6-24 months. (They’re already wielding less capable but still “scary” models now.) Once that happens, automated updates in the software supply chain and the widespread use of open-source code – which is found in 96% of commercial codebases, and represents 70-90% of any given codebase – mean that vulnerabilities will rapidly propagate. Developers will become less willing to use smaller open-source projects that are less well-maintained, and will gravitate towards projects with high-resource defenders. Some projects will close off for security reasons. Malicious actors will use their exploits quickly rather than sit on them, since they can be uncovered and patched at any moment. In the near term, we may see a “lump” of activity as current holders of zero-day exploits spend down their portfolio. In the long run, what happens will depend on whether code can eventually be fully secured or if this is a race (or whack-a-mole) we’ll have to live with forever.
Disclosure: Contributors have financial interests in Microsoft, Alphabet, OpenAI, Anthropic, and SpaceX. Amazon, Google, and OpenAI are vendors of 6Pages.