Anthropic’s Claude Mythos Preview is the most capable cybersecurity AI system ever publicly disclosed — and the company has decided not to make it generally available. Announced on April 7, 2026, Mythos Preview is a frontier AI model that Anthropic did not build for cybersecurity. It is a general-purpose model whose capabilities for finding and exploiting software vulnerabilities emerged as what the company’s official announcement called ‘a downstream consequence of general improvements in code, reasoning, and autonomy.’ In pre-release testing, according to Anthropic’s Frontier Red Team blog, Mythos identified thousands of previously unknown zero-day vulnerabilities across every major operating system and every major web browser — including a 27-year-old vulnerability in OpenBSD, a 16-year-old flaw in FFmpeg, and a memory-corrupting vulnerability in a memory-safe virtual machine monitor. It reproduced vulnerabilities and developed working exploits on the first attempt in more than 83% of cases. In one documented instance, it autonomously chained four vulnerabilities together to write a web browser exploit that escaped both the renderer and operating system sandboxes. Non-experts with no formal security training were able to instruct Mythos to find and deliver complete, working exploits by the following morning from a single overnight query. The capabilities are unprecedented. The release decision was unprecedented in a different direction: Anthropic chose not to release it at all.
Project Glasswing — The Coalition Anthropic Built Instead of a Public Launch
Rather than releasing Mythos Preview to the public, Anthropic launched Project Glasswing — an industry consortium of companies given controlled access to Mythos to scan and fix their own software. The founding coalition includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. These are not peripheral participants in the global software infrastructure; they are the companies whose code runs the operating systems, browsers, cloud platforms, financial systems, and security tools that billions of people depend on. Anthropic is also providing access to approximately 40 additional organisations that build or maintain critical software. The programme includes up to $100 million in usage credits for Glasswing partners, funded by Anthropic. The price of access to Mythos Preview is set at five times the cost of Claude Opus 4.6.
The logic of Project Glasswing is straightforward in principle and deeply complicated in practice. In principle: Mythos can find vulnerabilities that have survived decades of human security review and millions of automated tests. Giving defenders access to this capability before attackers develop comparable tools creates a narrow window to patch the most dangerous vulnerabilities in the most critical software. In practice: the access controls, governance mechanisms, and audit trails required to ensure that Glasswing partners use Mythos only for defensive purposes — and do not allow the capability to proliferate to adversaries — are exactly the kind of institutional safeguards that have never been built at this scale for a civilian AI security tool. Anthropic has stated that its own team estimates comparable capabilities will emerge from other AI labs within six to eighteen months. The window is narrow.
“AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back.” — Microsoft, in a statement about Project Glasswing participation, April 2026
Claude Mythos vs Claude Opus 4.6 — Security Capability Comparison
| Capability | Claude Opus 4.6 | Claude Mythos Preview | Real-World Implication |
| --- | --- | --- | --- |
| Zero-day vulnerability discovery | Near-0% autonomous success rate | Thousands found across all major OS/browsers | Transforms scale of vulnerability discovery |
| Exploit development (first attempt) | Rarely successful autonomously | 83%+ success rate on first attempt | Eliminates human expertise barrier to exploitation |
| Complex exploit chaining | Very limited | 4-vulnerability chains confirmed (browser sandbox escape) | Advanced persistent threat-level capability |
| Closed-source software targeting | Cannot reconstruct source code | Reconstructs plausible source, validates exploits | Extends coverage beyond open-source software |
| Non-expert accessibility | Requires security expertise | Works with plain English: ‘find a vulnerability’ | Democratises offensive security capability |
| Oldest vulnerability found | N/A (near-zero autonomous success) | 27-year-old OpenBSD bug (patched) | Reveals vulnerabilities surviving decades of review |
| Autonomous operation | Requires extensive human steering | Operates overnight without human intervention | Scales without human expertise bottleneck |
The Emerged Capabilities Problem — Why This Happened Without Training For It
The most technically significant and strategically important aspect of the Mythos announcement is how the capabilities arrived. Anthropic stated explicitly: ‘We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.’ This is not a reassuring disclosure. It means that the pathway to building a model capable of autonomously discovering and exploiting zero-day vulnerabilities in every major operating system is not to deliberately build a cybersecurity AI — it is to build a sufficiently capable general-purpose AI. As AI labs continue improving their models’ code comprehension, reasoning, and autonomous execution, cybersecurity capability at Mythos level will emerge as a byproduct across the frontier.
Anthropic’s red team blog is explicit about the implications: the model solved a corporate network attack simulation that would have taken a human expert more than ten hours, autonomously. In one instance, when provided a secured sandbox computer for evaluation, Mythos followed instructions from a researcher to escape the sandbox — demonstrating what Anthropic described as a ‘potentially dangerous capability’ to bypass its own safeguards. The combination — capabilities that emerged without deliberate training, that can escape containment environments, and that are accessible to non-experts with a plain English prompt — describes a risk category that the cybersecurity industry has been theorising about for years. Mozilla has already used Mythos to find 271 vulnerabilities in Firefox. The scale of the capability and the speed at which it is being deployed even within restricted access validate the urgency Anthropic is expressing.
“The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.” — CrowdStrike, in a statement on Project Glasswing, April 2026
The Broader Cybersecurity Implications — Who Wins and Who Loses
Security expert Bruce Schneier, writing on his widely-read Schneier on Security blog, offered the most balanced public assessment of the Mythos announcement. Schneier noted that while Anthropic’s model is genuinely exceptional at finding vulnerabilities, OpenAI’s GPT-5.5 — already generally available — has been found by the UK’s AI Security Institute to be comparable in capability. The gap between restricted and unrestricted models is therefore narrower than Anthropic’s launch framing suggests. The company Aisle reportedly reproduced Anthropic’s published results with smaller, cheaper models. This context matters: the defensive window that Project Glasswing is trying to exploit depends on the assumption that Mythos-class capabilities are rare. If GPT-5.5 and smaller open-weight models can achieve similar results, the window may already be closing.
The World Economic Forum’s Centre for Cybersecurity raised the governance question that no single company can answer: there are no globally agreed rules for who should have access to such powerful systems or how their use should be governed. Anthropic has made a unilateral decision — Project Glasswing with specific partners, $100 million in credits, access for approximately 40 organisations — that effectively sets an ad hoc standard for frontier AI cybersecurity governance. That standard may be the right one, or it may be inadequate at the scale of the problem. As the Centre for Emerging Technology and Security at the Alan Turing Institute noted, within days of Google releasing its Gemma 4 open-weight models, multiple uncensored variants appeared on public repositories. The question of what happens when Mythos-class capabilities can no longer be restricted — when they are embedded in open-weight models that cannot be monitored — has not been answered.
| Organisation | Role in Project Glasswing | Use Case | Security Domain |
| --- | --- | --- | --- |
| Microsoft | Founding coalition member | Scanning Windows, Azure, and Microsoft products | OS, cloud, enterprise software |
| Apple | Founding coalition member | Scanning macOS, iOS, Safari vulnerabilities | OS, mobile, browser |
| Google | Founding coalition member | Chrome, Android, Cloud infrastructure scanning | Browser, OS, cloud |
| AWS | Founding coalition member | Cloud infrastructure and service vulnerability scanning | Cloud infrastructure |
| CrowdStrike | Founding coalition member | Security product hardening, threat research | Cybersecurity tooling |
| Linux Foundation | Founding coalition member | Open-source Linux kernel and ecosystem scanning | Open-source OS |
| JPMorgan Chase | Founding coalition member | Financial infrastructure vulnerability assessment | Financial systems |
| 40+ additional orgs | Extended access programme | Critical software maintained by each organisation | Varied critical infrastructure |
“The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them.” — Anthropic, Claude Mythos Preview system card, April 7, 2026
Key Takeaways
• Claude Mythos Preview, announced April 7, 2026, is Anthropic’s frontier model that autonomously found thousands of zero-day vulnerabilities across every major OS and browser — including a 27-year-old OpenBSD bug — without being specifically trained for cybersecurity.
• The capabilities emerged as a downstream consequence of general improvements in code, reasoning, and autonomy — meaning any sufficiently capable general AI model will develop these abilities, with Anthropic estimating comparable capabilities from other labs within 6-18 months.
• Anthropic chose not to publicly release Mythos and instead launched Project Glasswing — a coalition of AWS, Apple, Microsoft, Google, CrowdStrike, NVIDIA, JPMorgan Chase, and 40+ additional organisations, with $100M in access credits — to deploy Mythos defensively.
• Mythos developed working exploits on first attempt in 83%+ of cases; non-experts with no security training could obtain complete working exploits with a plain-English prompt overnight; in one instance, it escaped a secured sandbox environment.
• Mozilla used Mythos to find 271 vulnerabilities in Firefox; the Linux Foundation, JPMorgan Chase, and other critical infrastructure operators are actively scanning their systems using the model within Project Glasswing’s controlled access framework.
• Security expert Bruce Schneier and the UK’s AI Security Institute both noted that OpenAI’s GPT-5.5, already generally available, has comparable capabilities — suggesting the window of advantage that Project Glasswing’s restricted access is meant to exploit may be narrower than Anthropic’s framing implies.
Conclusion
Project Glasswing is the most consequential AI governance decision a frontier AI lab has made in 2026 — more consequential than any product launch, because it sets a precedent for how AI capabilities that are too dangerous for public release should be handled. Anthropic’s answer: restricted access to a carefully selected coalition of defenders, with significant usage credits, explicit governance terms, and an acknowledgement that the window is narrow. Whether that answer is adequate will be determined not by Anthropic’s intentions but by how quickly the same capabilities proliferate through the open-weight model ecosystem that Anthropic cannot control. A model that can find a 27-year-old OpenBSD vulnerability and write a working exploit autonomously overnight is one that transforms the economics of offensive cyber operations as dramatically as it transforms the economics of defensive scanning. The defenders who are inside Project Glasswing now have an advantage. The question is whether they can use that advantage to close the vulnerabilities that matter before the same capabilities arrive, without governance, in the hands of actors for whom Anthropic’s terms and conditions are irrelevant.
Frequently Asked Questions
What is Claude Mythos?
Claude Mythos Preview is Anthropic’s frontier AI model announced April 7, 2026. It is a general-purpose model whose cybersecurity capabilities emerged without deliberate training — it autonomously finds and exploits zero-day vulnerabilities in major operating systems and browsers. It found thousands of previously unknown vulnerabilities including a 27-year-old OpenBSD bug. Anthropic chose not to release it publicly due to its offensive potential.
What is Project Glasswing?
Project Glasswing is Anthropic’s restricted-access programme for Claude Mythos Preview, giving controlled access to a coalition of technology companies — including AWS, Apple, Microsoft, Google, and approximately 40 additional organisations — to scan and fix vulnerabilities in their own critical software. Anthropic provides up to $100 million in usage credits. Access is not available to the general public.
How capable is Claude Mythos at finding vulnerabilities?
In pre-release testing, Mythos found thousands of zero-day vulnerabilities across every major OS and browser. It developed working exploits on first attempt in 83%+ of cases. Non-experts could obtain working exploits with plain English prompts. It found vulnerabilities as old as 27 years that had survived decades of human review and millions of automated security tests. Mozilla used it to find 271 Firefox vulnerabilities.
Is Claude Mythos more dangerous than other AI models?
It is more capable than previous Anthropic models, but security expert Bruce Schneier and the UK’s AI Security Institute found that OpenAI’s GPT-5.5 — already publicly available — has comparable cybersecurity capabilities. Smaller, cheaper models have also been shown to reproduce Mythos’s published results. The capabilities are advancing across the frontier regardless of Anthropic’s access restrictions.
What happens when Mythos-class capabilities become widely available?
Anthropic estimates comparable capabilities will emerge from other AI labs within 6-18 months. The concern is that open-weight models — which cannot be monitored or access-controlled — will eventually embed these capabilities. The Centre for Emerging Technology and Security at the Turing Institute notes that uncensored variants of capable open-weight models appear within days of release, raising fundamental questions about whether restricted-access models can provide sustained defensive advantage.
References
Anthropic. (2026, April 7). Project Glasswing. https://www.anthropic.com/glasswing
Anthropic Frontier Red Team. (2026, April 7). Claude Mythos Preview. https://red.anthropic.com/2026/mythos-preview/
The Hacker News. (2026, April 8). Anthropic’s Claude Mythos finds thousands of zero-day flaws across major systems. https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html
World Economic Forum. (2026, April). Anthropic’s Mythos moment: How frontier AI is redefining cybersecurity. https://www.weforum.org/stories/2026/04/anthropic-mythos-ai-cybersecurity/
Centre for Emerging Technology and Security. (2026). Claude Mythos: What does Anthropic’s new model mean for the future of cybersecurity? The Alan Turing Institute. https://cetas.turing.ac.uk/publications/claude-mythos-future-cybersecurity
Schneier, B. (2026, May). How dangerous is Anthropic’s Mythos AI? Schneier on Security. https://www.schneier.com/blog/archives/2026/05/how-dangerous-is-anthropics-mythos-ai.html
ArmorCode. (2026, May). Anthropic’s Claude Mythos and what it means for security. https://www.armorcode.com/blog/anthropics-claude-mythos-and-what-it-means-for-security