
Project Glasswing: Anthropic Built an AI That Finds Zero-Days Faster Than Humans

Claude Mythos Preview scores 93.9% on SWE-bench, found thousands of zero-day vulnerabilities across major OSes and browsers, and Anthropic says it is too dangerous to release publicly.

Pranit Sharma

A 27-year-old remote crash vulnerability in OpenBSD. A 16-year-old bug in FFmpeg that automated testing tools hit five million times without catching. A privilege escalation chain across multiple Linux kernel vulnerabilities, assembled autonomously.

These were all found by a single AI model in a matter of weeks.

On April 7, 2026, Anthropic announced Project Glasswing — a collaborative cybersecurity initiative powered by Claude Mythos Preview, a frontier model that Anthropic describes as capable of surpassing "all but the most skilled humans at finding and exploiting software vulnerabilities." The model will not be made publicly available. Instead, Anthropic is restricting access to a coalition of 12 launch partners — including AWS, Apple, Google, Microsoft, and CrowdStrike — and committing $100 million in usage credits to fund defensive security work.

This is not a research paper. It is an industry mobilization.


What Claude Mythos Preview actually does

The benchmarks tell the clearest story. Mythos Preview does not represent an incremental improvement over Claude Opus 4.6 — it represents a capability discontinuity.

Benchmark                     | Mythos Preview | Opus 4.6 | Gap
------------------------------|----------------|----------|------
SWE-bench Verified            | 93.9%          | 80.8%    | +13.1
SWE-bench Pro                 | 77.8%          | 53.4%    | +24.4
Terminal-Bench 2.0            | 82.0%          | 65.4%    | +16.6
SWE-bench Multilingual        | 87.3%          | 77.8%    | +9.5
CyberGym (vuln reproduction)  | 83.1%          | 66.6%    | +16.5
GPQA Diamond                  | 94.6%          | 91.3%    | +3.3
Humanity's Last Exam (tools)  | 64.7%          | 53.1%    | +11.6

The SWE-bench Pro gap of 24.4 points is striking. These are not toy problems — SWE-bench Pro consists of real-world software engineering tasks from open source repositories. A model scoring 77.8% on that benchmark is operating at a level most professional engineers would find competitive.

But the cybersecurity results are what prompted Anthropic to restrict access entirely.


The vulnerability discovery results

According to Anthropic's red team assessment, Mythos Preview was tested against real codebases in isolated containers. The methodology involved agentic file prioritization (a 5-tier vulnerability likelihood ranking), parallel Claude Code invocations targeting different files, and a secondary validation pass filtering for severity.

The results were dramatic.

Firefox JavaScript engine

Opus 4.6 and Mythos Preview were both tested against Firefox 147 JavaScript engine bugs:

  • Opus 4.6: Developed working exploits 2 times out of several hundred attempts
  • Mythos Preview: Developed working exploits 181 times, with register control achieved 29 additional times

That is not a percentage improvement. It is a qualitative shift in capability.

Zero-day discoveries

Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. Three examples illustrate the depth:

OpenBSD TCP SACK (27 years old): An integer overflow in signed TCP sequence number comparison enables a null-pointer dereference and remote denial-of-service against any responding host. This vulnerability survived decades of manual code review and extensive fuzzing campaigns.

FFmpeg H.264 (16 years old): A slice number collision — 65535 colliding with a sentinel value — triggers an out-of-bounds heap write when processing crafted frames with 65,536+ slices. The bug originated in 2003 and became exploitable after a 2010 refactor. Automated testing tools hit the vulnerable path five million times without triggering detection.

FreeBSD NFS RCE (17 years old, CVE-2026-4747): A stack buffer overflow in RPCSEC_GSS authentication (a 96-byte stack buffer receiving a 304-byte input) on a stack without canaries, combined with an NFSv4 EXCHANGE_ID information disclosure. Mythos constructed a 20-gadget ROP chain split across six sequential RPC requests. Opus 4.6 could also exploit this vulnerability, but required human guidance. Mythos did not.
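The OpenBSD item above turns on how 32-bit TCP sequence numbers are compared. The Python below is an added illustration, not OpenBSD's code: it emulates 32-bit wraparound with masking, contrasts a naive signed comparison with the modular (serial-number) comparison a TCP stack must use, and applies the correct form to validating a SACK block against the send window. The function names and sample values are constructed for the demo.

```python
# Added illustration of the bug class, not OpenBSD's actual code.
# 32-bit sequence numbers wrap, so "a before b" must be decided modulo 2**32.
MASK32 = 0xFFFFFFFF

def to_i32(x: int) -> int:
    """Reinterpret a 32-bit unsigned value as a two's-complement signed int."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x

def naive_lt(a: int, b: int) -> bool:
    """Buggy pattern: compare sequence numbers as plain signed integers.
    Gives the wrong answer whenever the two values straddle 2**31."""
    return to_i32(a) < to_i32(b)

def seq_lt(a: int, b: int) -> bool:
    """Correct: a is before b iff the 32-bit difference (a - b) is negative,
    i.e. b is less than 2**31 ahead of a in the wrapping space."""
    return ((a - b) & MASK32) >= 0x80000000

def seq_leq(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)

def sack_block_valid(snd_una: int, snd_max: int, start: int, end: int) -> bool:
    """A SACK block [start, end) is usable only if it lies inside the
    unacknowledged send window, snd_una <= start < end <= snd_max, evaluated
    with modular comparisons. Rejecting anything else keeps later per-segment
    lookups from walking off the retransmission queue."""
    return (seq_lt(start, end)
            and seq_leq(snd_una, start)
            and seq_leq(end, snd_max))

def compare_methods(a: int, b: int) -> dict:
    """Side-by-side result of the naive and the modular comparison."""
    return {"naive": naive_lt(a, b), "modular": seq_lt(a, b)}
```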

OSS-Fuzz results

On OSS-Fuzz targets, the gap widened further:

  • Opus 4.6: 150-175 tier-1 crashes, roughly 100 tier-2, only 1 tier-3
  • Mythos Preview: 595 tier-1/2 crashes, a handful at tiers 3-4, and tier-5 control flow hijack on 10 separate, fully patched targets

Tier-5 means the model achieved arbitrary code execution. On patched targets.

Cost efficiency

The economics make the capability even more consequential:

  • OpenBSD testing: ~1,000 runs for under $20,000, yielding several dozen findings
  • A single successful vulnerability discovery run: under $50
  • FFmpeg analysis: several hundred runs for approximately $10,000
  • Linux kernel N-day exploits: under $2,000 each

At $50 per zero-day discovery, the barrier to mass-scale vulnerability hunting drops to near zero — which is precisely why Anthropic chose not to release the model publicly.


Why Anthropic is restricting access

Anthropic's position is explicit: Mythos Preview is too capable to release as a general product. The model will not be made generally available. Instead, the eventual goal is to develop safeguards that can be shipped with future Claude Opus models.

The concern is not theoretical. Anthropic's announcement states that "frontier AI capabilities are likely to advance substantially over just the next few months," implying that Mythos-class offensive capabilities could emerge in competitor models without comparable safety programs.

The restricted release through Project Glasswing is a time-buying strategy — get defensive tools into the hands of infrastructure owners before equivalent offensive capabilities proliferate.


Project Glasswing: the coalition

The 12 launch partners represent a cross-section of critical infrastructure:

  • Cloud / Platform: AWS, Google, Microsoft
  • Device / OS: Apple
  • Network security: Cisco, CrowdStrike, Palo Alto Networks
  • Hardware: NVIDIA, Broadcom
  • Finance: JPMorganChase
  • Open source: Linux Foundation
  • AI: Anthropic

Beyond the launch partners, over 40 additional organizations have been granted access. Anthropic has committed:

  • $100 million in model usage credits for participants
  • $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation
  • $1.5 million to the Apache Software Foundation

Within 90 days, Anthropic has committed to publishing findings about vulnerabilities fixed and improvements made.

What partners are saying

The reactions from security leaders suggest genuine urgency rather than marketing enthusiasm:

Igor Tsyganskiy, Microsoft Global CISO: "Claude Mythos Preview showed substantial improvements against CTI-REALM security benchmark versus prior models."

Amy Herzog, AWS CISO: "We analyze over 400 trillion network flows daily for threats, with AI central to defending at scale."

Greg Kroah-Hartman, Linux kernel maintainer: "The world switched. Now we have real reports. They're good, and they're real."

Daniel Stenberg, curl maintainer: "I'm spending hours per day on this now. It's intense."


The pricing question

For organizations that do get access, Mythos Preview is priced at $25/$125 per million input/output tokens — available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.

For context, that is roughly 5x the cost of Claude Opus 4.6 ($15/$75). Whether the performance gap justifies the premium depends on use case. For security research, where a single zero-day can represent millions in breach costs, the ROI math is straightforward.


What this means for developers

The downstream implications extend well beyond security research.

Open source maintainers are already feeling the pressure. Greg Kroah-Hartman and Daniel Stenberg's comments indicate that AI-generated vulnerability reports are arriving at scale. Maintainers of critical projects should expect an influx of high-quality bug reports — a good outcome, but one that requires triage capacity many projects do not have. Anthropic's donations to the Linux Foundation and Apache Software Foundation acknowledge this, though whether $4 million is sufficient for the volume of work is an open question.

The 93.9% SWE-bench score matters beyond security. A model that can autonomously debug, patch, and exploit complex codebases is a model that can also build and maintain software at a level most developers cannot match on raw throughput. Mythos Preview is not a coding assistant — it is closer to an autonomous software engineer with a specialty in security analysis.

Defensive tooling will improve rapidly. With 12 major companies and 40+ organizations actively deploying Mythos Preview for defensive work, the tooling ecosystem around AI-powered security scanning should mature substantially over the next 6-12 months. Expect CI/CD integrations, automated vulnerability triage, and AI-assisted patching to become standard.


Simon Willison's take

Simon Willison, one of the most respected voices in the AI development community, called the restricted release approach "necessary":

"I can live with that. I think the security risks really are credible here, and having extra time for trusted teams to get ahead of them is a reasonable trade-off."

He also highlighted the capabilities gap as "alarming" — Opus 4.6 had a near-0% success rate at autonomous exploit development, while Mythos Preview succeeded 181 times against Firefox alone. That is not a model getting slightly better at a task. It is a model crossing a capability threshold.


The disclosure gap

One detail from the red team assessment deserves attention: fewer than 1% of the potential vulnerabilities discovered so far have been fully patched.

Anthropic has published SHA-3 hash commitments for 17+ vulnerability reports, enabling future verification of responsible disclosure timelines. But the reality is that thousands of known zero-days currently exist across critical software — including every major operating system and browser — with patches pending.
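The hash commitments mentioned above follow the commit-then-reveal pattern shown in the Python below. This is an added example of the general technique, not Anthropic's actual procedure; the report text is constructed, and the nonce handling and function layout are assumptions about how such a scheme would be built.

```python
# Added example of a hash commitment for a vulnerability report. Not Anthropic's
# actual scheme; the commit/verify layout and the nonce are assumptions.
import hashlib
import secrets

def commit(report: bytes, nonce: bytes) -> str:
    """Digest that can be published immediately. Binding: changing one byte of
    the report changes the digest. Hiding: the random nonce stops anyone from
    guessing likely report texts and checking them against the public hash."""
    return hashlib.sha3_256(nonce + report).hexdigest()

def new_commitment(report: bytes) -> tuple:
    """Finder side: draw a fresh nonce, keep (report, nonce) private,
    publish only the digest."""
    nonce = secrets.token_bytes(32)
    return commit(report, nonce), nonce

def verify(report: bytes, nonce: bytes, published: str) -> bool:
    """Anyone's side, after disclosure: recompute from the revealed report and
    nonce and compare with the digest that was published at commit time."""
    return secrets.compare_digest(commit(report, nonce), published)

# Constructed sample report text (not a real finding).
REPORT = b"Finding #1: out-of-bounds write in example_parse(), reported 2026-04-01"

def disclosure_flow() -> dict:
    """Walk the timeline: publish the digest, later reveal, and show that the
    check rejects a reworded (e.g. backdated) report or a wrong nonce."""
    published, nonce = new_commitment(REPORT)
    tampered = REPORT.replace(b"2026-04-01", b"2026-03-01")
    return {
        "genuine": verify(REPORT, nonce, published),
        "backdated_report": verify(tampered, nonce, published),
        "wrong_nonce": verify(REPORT, secrets.token_bytes(32), published),
        "digest_hex_len": len(published),
    }
```

The published digest only proves that a specific report existed at commit time; it says nothing about the report's content until the finder reveals it.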

This is the paradox of AI-powered vulnerability discovery. The model can find flaws faster than the industry can fix them. Whether Project Glasswing closes that gap or widens it will depend on whether the 90-day timeline produces actionable patches at scale.


Sources & further reading