Claude Mythos: The Model Anthropic Won't Release
Anthropic Built the Most Capable AI Model to Date — Then Locked It Away
On April 7, 2026, Anthropic published a technical report for Claude Mythos Preview and simultaneously announced that it would not be made generally available. No API access. No waitlist. No enterprise tier at any price. This was a deliberate choice, and understanding why Anthropic made it tells you more about where AI is headed than any benchmark number does.
The short version: Claude Mythos is a general-purpose frontier model with a 93.9% score on SWE-bench Verified — the highest ever recorded by any model — and it autonomously discovers and chains zero-day exploits across every major operating system and browser. It found thousands of high-severity vulnerabilities before Anthropic even began coordinating disclosure. The company concluded that releasing this model into the open would hand a weapon of asymmetric scale to every threat actor who could afford an API call.
What followed is one of the most interesting governance experiments in the history of AI deployment: Project Glasswing, a controlled consortium of eight major technology and cybersecurity companies that get access to Mythos specifically to fix what it finds, before anyone else can exploit the same findings. This post is about what Mythos actually is, what it can do when used through Claude Code as an autonomous security agent, why the hype is both warranted and misplaced, and what it means that one of the most capable models ever built is being deliberately kept from public hands.
The Problem Mythos Was Built to Illuminate
The fundamental claim behind Claude Mythos is this: software security has always been an asymmetric game, but the asymmetry is about to flip in a way the industry isn't ready for.
Historically, finding vulnerabilities required rare expertise. A skilled security researcher might spend weeks auditing a codebase to find a single exploitable memory corruption bug. Attackers could buy or steal those findings, but the bottleneck was always human time — there simply weren't enough researchers to audit all the software that needed auditing. Defenders had coverage gaps because the labor cost of finding every bug was prohibitive.
What Mythos Preview revealed is that this bottleneck is gone. Not diminished — gone. A model running autonomously through Claude Code can read a stripped binary, hypothesize what the source code likely looked like, simulate runtime behavior, generate a proof-of-concept exploit, test it, and emit a detailed vulnerability report. It can do this continuously, in parallel, across every major codebase, without fatigue, and at a cost that makes human security research look economically unviable by comparison.
The threat model that keeps security teams up at night is not "a skilled attacker finds a zero-day." It's "a moderately resourced attacker spins up a Mythos-class model, points it at their target, and wakes up the next morning with a ranked list of exploitable vulnerabilities." Claude Mythos made that threat model concrete.
Anthropic's transparency report is unusually direct about this: they built the model, they confirmed the capabilities, and they chose not to release it because the offensive utility was too high and the defensive infrastructure to absorb that asymmetry doesn't yet exist at scale.
What Makes Mythos Different From Every Previous Model
The performance numbers for Claude Mythos are striking even if you've been following AI benchmarks closely. A 93.9% score on SWE-bench Verified is not an incremental improvement over Claude Opus 4.6's already-strong performance — it's a qualitative shift in what the model can sustain over long, multi-step agentic tasks. The 97.6% on USAMO 2026 puts it at or above the level of the very best human mathematical olympiad competitors. These are not the kinds of numbers that result from better training data or architecture tweaks at the margin.
The key architectural insight Anthropic has published about Mythos is its handling of what they call "extended reasoning chains under uncertainty." Previous frontier models, including the Claude 4.x family, would degrade in reliability when forced to maintain a complex hypothesis across many sequential tool calls. They would lose track of intermediate conclusions, contradict earlier reasoning, or fail to integrate new evidence correctly against a prior model of the system.
Mythos maintains coherent hypothesis tracking across hundreds of sequential steps without this degradation. In the security context, this means it can read a kernel subsystem, form a theory about how a particular memory allocation pattern might be exploitable, probe that theory through a series of targeted experiments, update its confidence correctly when the probe results come back ambiguous, and still arrive at a working exploit chain — exactly as a senior security researcher would, but without the cognitive overhead that caps human throughput.
This isn't just important for security. The same capability that makes Mythos dangerous for vulnerability discovery makes it dramatically more capable at any domain requiring extended, empirically grounded chains of reasoning — differential diagnosis in medicine, mathematical proof construction, long-horizon software engineering tasks, and complex system debugging. The security angle is where Anthropic has chosen to be transparent about the capability level, but the general reasoning improvement is the underlying fact.
How Claude Code Uses Mythos for Security Research
Anthropic's technical report is specific about how Mythos is actually deployed through Claude Code for the Project Glasswing consortium. The workflow is more sophisticated than "read the code and find bugs."
Claude Code running on Mythos starts with static analysis — reading the source or reconstructing it from a binary — and generates a ranked list of candidate vulnerability hypotheses. These are not rule-based pattern matches. Mythos reasons about the semantic intent of the code: what this function was supposed to do, what invariants the surrounding code assumes it maintains, and where the gap between intended and actual behavior might exist.
From there, it runs the actual project. It compiles, sets up the runtime environment, and begins probing its hypotheses dynamically, watching how the system behaves under edge-case inputs. When behavior deviates from the expected model, it treats that as a signal — not necessarily a confirmed bug, but evidence that the hypothesis deserves more attention. It adjusts its testing accordingly.
The output for confirmed vulnerabilities is a structured report: the vulnerability description, a proof-of-concept exploit with reproduction steps, an assessment of severity and exploitability under realistic attacker constraints, and a suggested fix. In Anthropic's evaluation, Mythos generated working exploit code in 83.1% of confirmed cases, compared to 66.6% for Claude Opus 4.6. The gap between those numbers is what makes Mythos qualitatively different from the previous generation — it's not just finding more bugs, it's completing the attack chain more reliably.
What the consortium companies receive through Project Glasswing is essentially an autonomous security audit at a scale that would be cost-prohibitive with human researchers alone. CrowdStrike, for example, can point Mythos at the Linux kernel and receive a prioritized list of vulnerabilities with working exploits — not to use those exploits offensively, but to understand which patches need to ship first.
The Failure Modes Nobody Is Talking About Loudly Enough
The coverage around Claude Mythos has focused heavily on the offensive capability question — what happens if this model leaks, if someone trains a comparable model independently, if the consortium has a breach. These are real concerns, but they're being discussed at the level of "this is scary" rather than at the level of operational specificity.
The failure modes that deserve more attention are subtler.
False confidence in reported vulnerabilities. Mythos achieves 83.1% exploit generation accuracy. That means 16.9% of the cases where it reports a confirmed vulnerability and provides a proof-of-concept are wrong — either the vulnerability is unexploitable in practice, the exploit chain breaks under realistic conditions, or the severity assessment is inflated. For a human security researcher, a false positive costs them credibility. For an automated system producing thousands of reports, a 16.9% false-positive rate means that the remediation teams receiving these reports need significant independent verification capacity. The risk is that organizations treat Mythos output as ground truth and allocate engineering resources to fix things that aren't actually the most critical issues, while real critical vulnerabilities sit in the queue.
Coordination overhead for responsible disclosure. The whole premise of Project Glasswing is that Anthropic finds vulnerabilities and discloses them to maintainers before releasing the findings to the public or the consortium. But the disclosure pipeline for a model that finds "thousands of high-severity vulnerabilities" across every major OS and browser is a different operational problem than traditional responsible disclosure. The Linux kernel security team, Apple's security engineering team, and the Chromium security team all have to be able to absorb and patch findings at a rate that matches what Mythos can generate. If the disclosure pipeline backs up, vulnerabilities sit in a limbo state — known to Anthropic and eventually the consortium, unknown to the public, but potentially discoverable by someone else with a sufficiently capable model.
Model-specific blind spots that get institutionalized. Mythos finds vulnerabilities the way Mythos finds vulnerabilities. Its training shapes what categories of bugs it's likely to hypothesize first, what code patterns it treats as suspicious, and what runtime behaviors it probes for. The consortium companies building their security practices around Mythos output will become systematically good at finding Mythos-visible vulnerabilities and potentially systematically blind to the category of bugs that Mythos consistently misses. That category is currently unknown because we don't have a comparably capable independent system to cross-check against.
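The first two failure modes above can be put into numbers. The following Python model is an added example, not taken from Anthropic's report or from this post's sources: it runs a remediation team's weekly triage queue and compares treating every report as ground truth with re-running the proof of concept before committing fix effort. The 16.9% share of reports that do not hold up is the figure used above; the arrival rate, weekly hours, fix cost and verification cost are assumed values.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    rid: int
    severity: float   # severity as claimed in the report (0-10)
    real: bool        # ground truth; the team only learns it by verifying

def sample_reports(n=1000):
    """Constructed sample: 169 of every 1000 reports do not hold up (16.9%)."""
    return [Report(i, 4.0 + (i * 37 % 60) / 10, (i * 169) % 1000 >= 169)
            for i in range(n)]

def simulate(reports, weeks, arrivals, hours, fix_h=8.0, verify_h=0.0):
    """Weekly triage, highest claimed severity first (all costs are assumed).

    verify_h == 0 models treating every report as ground truth: each one gets
    the full fix effort. verify_h > 0 re-runs the PoC first and drops reports
    that fail, so a false report costs verify_h instead of fix_h.
    Returns (real_fixed, hours_lost_to_false_reports, real_still_queued).
    """
    queue, stream = [], iter(reports)
    fixed, lost = 0, 0.0
    for _ in range(weeks):
        for _ in range(arrivals):
            r = next(stream, None)
            if r is not None:
                heapq.heappush(queue, (-r.severity, r.rid, r))
        left = hours  # unused hours do not carry over to the next week
        while queue:
            r = queue[0][2]
            dropped = verify_h > 0 and not r.real
            cost = verify_h if dropped else verify_h + fix_h
            if cost > left:
                break  # does not fit this week; waits in the queue
            heapq.heappop(queue)
            left -= cost
            if r.real:
                fixed += 1
            else:
                lost += cost
    return fixed, lost, sum(1 for _, _, r in queue if r.real)

if __name__ == "__main__":
    reports = sample_reports()
    for label, v in (("trust reports", 0.0), ("verify first", 0.5)):
        print(label, simulate(reports, weeks=20, arrivals=50, hours=320, verify_h=v))
```

In this model verification raises average throughput only while verify_h stays below the false-report share times fix_h (0.169 × 8 h ≈ 1.35 h with the values assumed here). The third return value is the backlog the disclosure-pipeline paragraph describes: real findings that are known but still unpatched.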
The Tradeoff Anthropic Made — And What It Actually Costs
The decision to withhold Mythos from general availability is worth examining as a strategic and ethical choice, not just a PR posture.
The straightforward case for withholding is that offensive utility exceeds defensive utility at the current moment. The cybersecurity industry doesn't have the remediation bandwidth to absorb a world where every security team can run autonomous vulnerability discovery at Mythos scale. The patches would need to ship faster than the industry can currently ship them, which means the net effect of general availability in the short term is probably more exploits in the wild, not fewer.
The case against withholding — or at least against this specific form of withholding — is harder to make publicly, but it exists. Limiting access to a consortium of eight large tech companies means the organizations that benefit from Mythos-level security tooling are the ones that already had the most security resources. Open-source projects, small organizations, governments of developing countries, and independent researchers don't get access. The security gap between large tech companies and everyone else gets wider, not narrower. The model's findings will eventually shape which vulnerabilities get patched first, and that prioritization will reflect the consortium's interests.
Anthropic has been transparent that Project Glasswing is designed with the intent of eventually expanding access as the remediation infrastructure matures. What "matures" means in practice — what threshold of industry patching velocity, disclosure pipeline capacity, or defensive tooling justifies broader access — hasn't been specified publicly. That ambiguity is the honest cost of the current approach.
The tradeoff, stated plainly: concentrated access to Mythos makes the software that large tech companies maintain more secure, faster, at the cost of leaving the rest of the software ecosystem to catch up through traditional means. Whether that's the right call depends on whether you believe the primary threat is mass exploitation by sophisticated actors (in which case the consortium model helps) or widespread exploitation by moderately capable actors who gain access to a leaked or independently trained equivalent (in which case the lead time Project Glasswing buys is limited).
What This Actually Means for the Industry Over the Next 18 Months
Fortune published a piece today — April 13, 2026 — featuring a veteran security industry voice making the point that Anthropic has "caused panic about Mythos exposing cybersecurity weak spots, but the real problem is fixing, not finding, them." That framing is correct and underappreciated.
The limiting factor in software security has never been the ability to find vulnerabilities. Skilled researchers have always been able to find more bugs than the industry could patch. What changes with Mythos is the scale at which that discovery operates and the economics that make it accessible — eventually — to anyone. The hard constraint is engineering capacity to patch, test, and ship fixes without introducing regressions, at a rate that outpaces adversarial discovery.
For organizations thinking about this practically: the first-order implication of Mythos is not "we need access to Mythos." It's "we need to be able to receive and act on a higher-volume, higher-quality stream of vulnerability reports than we currently have capacity for." That means investing in the remediation pipeline: automated regression testing, faster code review cycles for security patches, better tooling for assessing CVSS severity in context, and clearer escalation paths for coordinated disclosure.
Claude Code as a tool for security analysis will continue to improve as Anthropic's models improve — even without Mythos-level access, the current Claude Opus 4.6 running in Claude Code is already capable of sophisticated security analysis for teams willing to invest in the prompting and tooling infrastructure. The gap between what's publicly available and what Mythos can do is real, but it shouldn't obscure the fact that the publicly available models already represent a meaningful step change in security tooling accessibility compared to two years ago.
The hype around Mythos is warranted insofar as it represents a genuine capability threshold being crossed. It's misplaced insofar as it focuses on the model as the story, rather than on the harder, slower, less exciting work of building the infrastructure that makes high-velocity vulnerability discovery actually net-positive for software security.
Anthropic built a model that finds what can be exploited faster than the industry can fix it. The question isn't whether that's impressive — it is. The question is whether the industry spends the next 18 months getting better at fixing, or whether it waits for Mythos-class access to arrive and then discovers it wasn't ready for what that access implies.
References
- Claude Mythos Preview — red.anthropic.com
- Project Glasswing: Securing critical software for the AI era — Anthropic
- Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiative — TechCrunch