Anthropic announced its most capable model ever and refused to ship it. Claude Mythos Preview can autonomously find and exploit software vulnerabilities at a level Anthropic says rivals skilled human security researchers. It has already turned up thousands of high-severity zero-days in every major operating system and browser, including flaws that had survived 27 years in OpenBSD. Instead of a public release, Anthropic gave 52 vetted organizations gated access through Project Glasswing, committed $100M in usage credits, and shipped Claude Opus 4.7 as the public-facing model. The Fed and Treasury are now briefing US bank CEOs. The UK AI Safety Institute's own evaluation confirms the capability claims are real.
- Anthropic calls it 'the greatest alignment-related risk of any model we have released to date.'
- First AI model to clear UK AISI's expert-level capture-the-flag challenges at a 73% pass rate - no prior model had broken 50%.
- First AI model to complete UK AISI's 32-step enterprise-network attack simulation end-to-end.
- Found thousands of high-severity zero-days including vulnerabilities in OpenBSD (27 years old), FFmpeg (16 years old), and the Linux kernel.
- Project Glasswing launched with 12 named partners: AWS, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, JPMorgan Chase, Broadcom, Palo Alto Networks, the Linux Foundation, and Anthropic. Another 40+ organizations have access.
- Anthropic committed $100M in usage credits for Glasswing, plus $4M to open-source security ($2.5M to Alpha-Omega/OpenSSF, $1.5M to Apache Software Foundation).
- Fed Chair Jerome Powell and Treasury Secretary Scott Bessent briefed US bank CEOs on Mythos cyber risks the same week.
- Claude Opus 4.7 is the public substitute. Anthropic has conceded it trails Mythos on every major benchmark.
Most weeks in AI, the story is which model shipped. This one is the opposite: a model Anthropic finished, benchmarked, and then decided the public cannot have.
Anthropic announced Claude Mythos Preview. Not long after, it shipped Claude Opus 4.7 as the public flagship. The gap between those two models is the most interesting AI story this year, and almost nobody is writing about it correctly.
What Claude Mythos Actually Is
Mythos is a model Anthropic finished and then pulled from the public launch pipeline. It beats Claude Opus 4.7, GPT-5.4, and Gemini 3.1 Pro on every cybersecurity and advanced coding benchmark the company has published.
The capability claim that matters, in Anthropic's own words on the Project Glasswing page:
Anthropic's stated reason
"AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."
That is not marketing language. Anthropic's system card for Mythos says, bluntly, that releasing it broadly "would give attackers a cornucopia of zero-day exploits for essentially all the software on Earth, including every major operating system and browser."
The specific findings back this up. Mythos has already autonomously discovered thousands of high-severity vulnerabilities across production software, including flaws that had survived a combined 40+ years in OpenBSD, FFmpeg, and the Linux kernel.
Why Anthropic Withheld It
Most coverage is getting this part wrong. The usual framing, "Anthropic built something too dangerous to release," isn't quite right. The sharper version is that Anthropic believes the offensive-defensive balance tips the wrong way if everyone gets Mythos at once.
The thinking runs like this. If a cybersecurity firm with Mythos can find a vulnerability in three hours, so can an attacker with Mythos. The defender then has to patch it before the attacker uses it. Hand both sides the tool at the same time and the attacker wins, because supply chains are slow and patching cycles take weeks.
So Anthropic's bet is to let the defenders run first. Give the Linux Foundation, the Apache Software Foundation, AWS, Apple, Microsoft, Google, and the major security vendors a 90-day head start. Let them find and patch the worst vulnerabilities while the model can't be rented by anyone with a credit card. Then, maybe, expand access.
What Opus 4.7 actually is
The timing of Opus 4.7's release is not a coincidence. Anthropic needed a public flagship that's very good but measurably weaker than Mythos on offensive cyber tasks. Anthropic itself has conceded Opus 4.7 trails Mythos on advanced coding and cybersecurity benchmarks. That gap is the product, not a side effect.
Where Mythos Pulls Ahead
Anthropic has not released a full head-to-head benchmark sheet alongside Mythos. What it has disclosed, combined with UK AISI's independent evaluation, points the same direction: Mythos sits above every shipped model on cyber-offensive tasks.
The clearest public data point comes from AISI. Mythos became the first AI model to clear expert-level capture-the-flag challenges at a 73% pass rate. No prior model had cleared 50% on that tier. It is also the first model to complete AISI's 32-step enterprise-network attack simulation end-to-end, which takes a skilled human red-teamer roughly 20 hours.
Anthropic has separately conceded that Claude Opus 4.7, its public flagship, trails Mythos on advanced coding and cybersecurity benchmarks. The exact spread is not public. What is public is the decision Anthropic made based on it: the partners who need to patch vulnerabilities get Mythos; the rest of us get Opus 4.7.
That gap is also the entire reason Project Glasswing exists.
Inside Project Glasswing
Glasswing is structured as a 90-day defensive-first window. Anthropic published the full partner list and committed to publishing findings within 90 days of launch.
The 12 launch partners:
Launch partners - what each brings
| Partner | Role |
|---|---|
| Anthropic | Hosts Mythos, funds usage credits, reviews findings |
| AWS | Scans its own services; Bedrock integration for enterprise Glasswing members |
| Apple | Scans iOS, macOS, Safari, and first-party services |
| Google | Scans Android, Chrome, Gmail, Google Cloud |
| Microsoft | Scans Windows, Azure, Office, Edge |
| NVIDIA | Scans driver stack, CUDA, GPU firmware |
| Cisco | Scans networking infrastructure and enterprise routing stack |
| CrowdStrike | Threat intelligence integration and defensive deployment |
| Palo Alto Networks | Firewall and network-security product scans |
| JPMorgan Chase | Financial-services red team, the first major bank in the program |
| Broadcom | VMware, Symantec, and hardware/firmware surfaces |
| Linux Foundation | Open-source kernel, OpenSSF, and Alpha-Omega projects |
Another 40 organizations have access without being named publicly. Anthropic describes them only as entities that "build or maintain critical software infrastructure."
The financial structure matters. Anthropic is paying for the usage credits itself, $100 million committed, rather than charging Glasswing members. That's a notable departure from how every other frontier-AI lab handles high-capability access. On top of that, Anthropic donated $4 million in cash: $2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5M to the Apache Software Foundation. Both are organizations that quietly maintain the open-source software stack most of the internet runs on.
The Glasswing bet in one sentence
Anthropic is spending $100M to let 52 organizations find and fix vulnerabilities in the world's critical software before it sells the same capability to anyone who wants it.
What the UK AI Safety Institute Found
The UK AI Safety Institute ran independent evaluations on Mythos Preview and published its findings. Two results matter.
On expert-level capture-the-flag challenges, Mythos cleared 73% of the hardest problems AISI could run against it. No model had cracked 50% on this tier before. Opus 4.6, the prior state of the art, was at a substantially lower pass rate.
On the "Last Ones" (TLO) corporate-network simulation, Mythos did something no model had done before. TLO is a 32-step attack run against a synthetic enterprise network. A skilled human red-teamer takes around 20 hours to complete it. Mythos finished the full chain in 3 out of 10 runs and averaged 22 of 32 steps. Opus 4.6 averaged 16.
AISI's caveat matters here:
AISI's caveat
Test environments "lack active defenders and defensive tooling." AISI "cannot say for sure whether Mythos Preview would be able to attack well-defended systems." The institute's assessment is that Mythos is "capable of autonomously attacking small, weakly defended and vulnerable enterprise systems." Which, to be blunt, covers most small-business networks, most local-government IT, and a disconcerting share of healthcare providers.
Why the Fed and Treasury Are Briefing US Banks
Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent convened the CEOs of major US banks around the time Mythos was announced, according to CNBC and Bloomberg. The topic was Mythos specifically, not AI in general.
The concern isn't that Mythos itself will leak. Anthropic's access controls for Glasswing appear genuinely tight. The concern is about what comes next. If Mythos is the best offensive-cyber AI right now, the second-best is probably months away, not years. Open-weight frontier models from labs outside the Responsible Scaling Policy framework will catch up. US financial regulators are asking whether banks are ready for attacks that run at Mythos-level capability without Anthropic's safety layer.
The answer, judging by the Fed's willingness to hold an emergency briefing, is "not yet." Bloomberg reports that the administration is urging the largest Wall Street banks to voluntarily red-team their own infrastructure against Mythos through Glasswing before any adversary brings an equivalent capability online.
The Precedent This Sets
This is the first time a frontier AI lab has finished a model, benchmarked it at the state of the art, and refused to ship it through normal commercial channels on its own initiative. OpenAI has delayed releases for safety review. Google has gated specific capabilities. No lab had previously said, in public, "we built something, we think it's the best model we've ever trained, and no amount of safety scaffolding is enough to let the public use it."
Two things follow from that.
First, the Responsible Scaling Policy is now load-bearing. Anthropic's RSP framework classifies models into AI Safety Levels (ASL) and was designed for exactly this scenario. Whether Mythos formally crosses an ASL-3 threshold is actually disputed. Some alignment researchers argue it doesn't, and Anthropic withheld it anyway. Either way, the decision sets the precedent that a lab can go beyond its published thresholds if it thinks the situation warrants it. That flexibility cuts both ways.
Second, the public-versus-gated-access debate is no longer theoretical. Anyone who wants frontier cyber-offensive capability now has concrete proof that the capability exists and that Anthropic will not sell it to them. That changes the calculus for every other lab. OpenAI's GPT-5.4-Cyber moved in a similar direction with user-verification gating. Expect more of this, not less.
The open question, and nobody has a good answer to it yet: what happens when the next lab to build a Mythos-level cyber model is not based in a country that runs Responsible Scaling Policies?
FAQ
What's the difference between Claude Mythos and Claude Opus 4.7?
Opus 4.7 is Anthropic's current public flagship. Anyone can use it through the API, Claude.ai, Amazon Bedrock, Google Vertex, or Microsoft Foundry. Mythos is not available publicly. It scores significantly higher on every advanced coding and cybersecurity benchmark. Mythos is available only to roughly 52 vetted organizations through Project Glasswing.
Can my company get Project Glasswing access?
Probably not unless you already build or maintain critical software infrastructure. Anthropic has not published application criteria, but the 40+ additional (unnamed) Glasswing members are reportedly concentrated among major open-source maintainers, critical-infrastructure operators, and financial institutions. Enterprise customers on AWS, Azure, and GCP have access pathways through those cloud partnerships.
Is "Mythos" the final name or a codename?
Anthropic is calling it "Claude Mythos Preview" in official communications, which suggests a successor under the Mythos name may come later. The "Preview" tag is meaningful: it signals an unfinished public strategy rather than a permanent shelf.
Will Claude Mythos ever be released publicly?
Anthropic has not committed to a public release. The Glasswing window is 90 days initially, with a published-findings report due at the end. A broader release depends on what that window surfaces, specifically whether the patching backlog from the zero-days Mythos is finding can be worked through faster than adversaries can build equivalent models.
How does this compare to OpenAI's GPT-5.4-Cyber?
GPT-5.4-Cyber has mandatory user verification for defense and cybersecurity professionals. It is gated but commercially available: customers who pass verification can rent it. Mythos is not rentable at all. Access is by invitation, not transaction. Mythos is also materially more capable on cybersecurity benchmarks.
What should I actually do about this as a non-Glasswing organization?
Three things. First, assume Mythos-level offensive capability will be commercially or illicitly available within 12 months, and price your security posture accordingly. Second, if you run critical software, prioritize reachability reduction and supply-chain hardening now; those are the defenses that work regardless of attacker capability. Third, watch Anthropic's 90-day Glasswing public report. The patching patterns it reveals will telegraph where the remaining soft surfaces are.