International Finance

Project Glasswing: The hidden club for Claude Mythos

Claude Mythos Preview, apart from breaking into computer systems like a hacker, can find hidden flaws in software that programmers have missed for decades

In early April 2026, artificial intelligence (AI) company Anthropic announced a development that had almost no parallel in the history of the tech industry. They had built something extraordinary. But they refused to let anyone use it.

The model is called Claude Mythos Preview. By every available metric, it is the most capable AI system ever evaluated. It can find hidden flaws in software that human programmers missed for decades. It can break into computer systems the way a seasoned hacker would, step by step, adapting as it goes. It can chain together multiple separate vulnerabilities to seize complete control of a server. And it can do all of this faster, cheaper, and at a scale that no team of human experts could match.

Anthropic decided that releasing this to the public would be, in their own estimation, too dangerous. Anthropic warned: “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” adding that such advances could pose significant threats to economic stability, public safety, and national security.

Instead, they handed access to a closed group of roughly 40 of the world’s largest corporations, gave them USD 100 million worth of computing credits, and called the whole thing Project Glasswing. The stated goal is to use Mythos to find and fix security flaws in the world’s most critical software before someone with bad intentions gets their hands on similar technology.

What follows is an attempt to explain what exactly Mythos can do, why it was locked away, who got the keys, and why none of this is quite as clean as Anthropic would like you to believe.

What Makes Mythos Different

To understand the alarm, you have to understand how AI models are normally tested. Researchers use benchmarks, essentially standardised tests, to compare one model against another. Most previous AI models were good at solving packaged coding problems neatly, the kind you might find in a textbook.

Mythos operates differently. It excels at the messy, poorly documented, real-world environments that software engineers and hackers actually deal with. On a benchmark called SWE-bench Pro, which assesses a model’s capacity to autonomously complete complex software engineering tasks through multiple steps, Mythos achieved a score of 77.8%. The previous best model scored 53.4%. That’s not a small jump.

On a benchmark called Capture the Flag, which simulates the kind of adversarial hacking challenges used to train professional cybersecurity researchers, the previous best AI model scored below 1%. Mythos scored 73%. That is not an incremental improvement. That is a different category of capability.

“AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back. Our foundational work with these models has shown we can identify and fix security vulnerabilities across hardware and software at a pace and scale previously impossible. That is why Cisco joined Project Glasswing: this work is too important and too urgent to do alone,” explains Anthony Grieco, SVP & Chief Security & Trust Officer at Cisco.

The benchmark that made people most uneasy is called CyberGym. It measures a model’s ability to reproduce and trigger known cybersecurity vulnerabilities, flaws in real software that real attackers exploit. Mythos scored 83.1%. The world’s existing security scanning tools didn’t just fall behind. They became, overnight, dramatically less relevant.

What It Found During Testing

Benchmark scores are abstract. The actual discoveries Mythos made during internal testing are not.

The first was a 27-year-old security flaw in OpenBSD, an operating system that has a global reputation for being exceptionally secure. OpenBSD is used to protect critical network infrastructure around the world. This flaw had been sitting there since the late 1990s, invisible to every human auditor and automated tool that ever looked at it.

The second was a 16-year-old flaw in FFmpeg, a piece of open-source software embedded in a staggering number of applications that handle video, from streaming platforms to video editing tools. Automated testing tools had run through the relevant code pathway over five million times without triggering the flaw. Mythos found it by understanding the logic of the code, not just running tests until something broke.

The third, and the most troubling, was something more than an isolated bug. Mythos found multiple separate vulnerabilities in the Linux kernel and connected them into a chain. Starting with zero special access, it escalated its own privileges step by step until it had root control of a server. Complete control. This is the kind of attack that typically requires months of work by a skilled human team. Mythos did it autonomously.

This is where the alarm becomes existential rather than technical. The traditional timeline for a cyberattack involves extensive reconnaissance, careful planning, and skilled human labour at every step. Mythos compresses that timeline to minutes. It doesn’t just assist attackers. It could, in the wrong hands, replace them entirely.

The Government Weighed In

Before any of the Project Glasswing decisions were made, Anthropic allowed the United Kingdom’s AI Safety Institute, a government body set up precisely to evaluate these kinds of risks, to put Mythos through its paces independently.

The institute used a simulation called The Last Ones, a 32-step corporate network attack that starts with a hacker on the outside and ends with them in complete control of a company’s entire digital infrastructure. For a skilled human expert, completing this simulation takes roughly 20 hours.

Mythos became the first AI system in history to complete it from start to finish on its own. In their final report, the institute said the model ‘could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously’.

To be fair, the institute included important caveats. Mythos was tested against small, lightly defended networks. No active human defenders were watching for intrusions.

In a simulation involving industrial control systems for physical infrastructure, Mythos got confused and failed.

An AI that makes a lot of noise and triggers every alarm is more like a sledgehammer than a scalpel. Against a hardened, actively monitored enterprise network, its real-world effectiveness remains unproven.

Who Gets The Keys

Anthropic named the initiative after the glasswing butterfly, a species with transparent wings that allow you to see flaws hiding in plain sight. The metaphor is deliberate. The idea is to use Mythos to illuminate vulnerabilities before attackers can exploit them.

The company explained on its blog, “The same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws in important software. Project Glasswing is an important step toward giving defenders a durable advantage in the coming AI-driven era of cybersecurity.”

The launch partners include Amazon Web Services, Google, Microsoft, Apple, Cisco, Broadcom, NVIDIA, CrowdStrike, Palo Alto Networks, JPMorganChase, and the Linux Foundation. These are not scrappy startups. They are the companies that own the infrastructure on which the internet runs.

Anthropic also donated $4 million in cash directly to open-source software foundations. This matters because the most vulnerable part of the internet isn’t Google or Microsoft. It’s the small, underfunded volunteer teams maintaining foundational open-source libraries that billions of devices quietly depend on.

The logic Anthropic is working from is fairly straightforward. Offensive AI capabilities will proliferate. The only viable response is to arm defenders first, patch as many vulnerabilities as possible before attackers arrive, and hope the window of advantage holds long enough to matter.

The Problem Nobody Wants To Say Aloud

Here is the uncomfortable truth sitting under all of this. Finding vulnerabilities is not the hard part anymore. Fixing them is.

Mythos can surface thousands of previously unknown security flaws in a very short time. The Linux kernel alone has millions of lines of code, and patches to foundational code have to be written carefully and deployed across millions of systems. That work is slow and manual. Within the security community, the consensus is grim. Finding vulnerabilities is no longer the hard part. The bottleneck is now human. If Mythos floods the pipeline with thousands of flaws, we simply don’t have enough qualified humans to fix them before attackers reverse-engineer the public patch notes.

The $4 million in donations helps, but it’s a bandage on a structural wound. There’s also a harder question buried here. Who decided that Google, Microsoft and JPMorganChase should be the guardians of the world’s digital security? Handing them exclusive access means they can protect their own products first, their competitors last, and everyone else not at all.

The Anti-Trust Problem

Legal scholars noticed immediately. By restricting access to Mythos to a hand-picked group of 40 corporations, Anthropic has created what critics are calling the “AI Avengers,” a private club with an insurmountable competitive advantage.

Section 1 of the Sherman Antitrust Act prohibits agreements between competitors that restrain trade. Madhavi Singh, Deputy Director of the Thurman Arnold Project at Yale, warns, “While the cybersecurity risks are serious, we must ensure that the consortium doesn’t become a front for a cartel, or entrench incumbents by gatekeeping access to advanced AI capabilities.”

Take browsers as a concrete example. Google’s Chrome and Apple’s Safari are inside the consortium. Their teams can use Mythos to patch vulnerabilities before those flaws are public. Independent browser developers are not in the consortium. Their products will objectively be less secure, not because their engineers are worse, but because they were not invited to the party.

Sam Altman Calls It Fear Marketing

Not everyone accepts Anthropic’s framing. OpenAI CEO Sam Altman has been the most public and blunt critic. On a podcast, he described the strategy in terms that didn’t leave much room for ambiguity: “It’s like telling someone you’ve built a bomb, you’re about to drop it on their head, and you’re now selling them a USD 100 million bomb shelter.”

Altman argues that Anthropic is deliberately inflating the perceived danger of Mythos to create artificial scarcity and sideline independent developers. Safety, in this reading, is a marketing strategy.

Anthropic CEO Dario Amodei has not been quiet in response. Internal communications leaked to the press showed Amodei describing OpenAI’s criticisms as tactics designed to undermine Anthropic’s regulatory standing. His core argument is that these dangerous capabilities emerged as a by-product of the model becoming generally smarter. If that’s true, then restricting the model isn’t theatre. It’s the only rational response.

The Breach

None of this discussion about containment has aged especially well, because the model was breached within weeks of the announcement.

Bloomberg reported that a small group of unauthorised users on a private Discord server had successfully accessed Claude Mythos Preview. They used the credentials of a contractor working for a third-party data labelling firm, cross-referenced with data leaked from a staffing startup called Mercor.

The group hasn’t used Mythos to hack anything yet. According to Bloomberg, they are more interested in ‘playing around’ with the tech than causing trouble, a claim that has been corroborated via screenshots and a live demonstration of the model.

“We’re investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments,” stated Anthropic.

But the symbolic damage is significant.

The chain is only as strong as its weakest link, and the weakest link is not Google’s security team. It is the low-paid freelancers in third-party companies who may not even know how valuable the access they hold actually is.

What Comes Next

The Mythos situation is a preview of a structural shift that’s accelerating. State-of-the-art AI is becoming national security infrastructure. The hardware required to run models of this complexity costs billions. The economics are pushing toward a world where the most powerful AI is available only to sovereign governments and a small number of hyperscale corporations.

For everyone else, the model announced for public use is Claude Opus 4.7, a capable but deliberately restricted system. Anthropic has promised a Cyber Verification Programme that would give vetted security professionals access to more capable models, but that’s still a gatekeeping system based on institutional affiliation.

The window to patch the world’s software before AI-powered attacks become routine is real, but it’s narrow and currently controlled by a small group of private corporations. What Project Glasswing represents is the first serious attempt to answer the question of who governs the most dangerous software ever built. The answer, for now, is not you.
