Claude Mythos Restricted After Finding 1000s of Zero-Days

Anthropic announced April 7 that Claude Mythos Preview, their most powerful AI model, will not receive a public release due to unprecedented cybersecurity risks. Instead, the model is being restricted to 40+ handpicked companies under Project Glasswing after autonomously discovering thousands of zero-day vulnerabilities across every major operating system and web browser. This marks the first time a frontier AI model has been intentionally withheld from the public for security reasons—and the evidence suggests it’s warranted.

The Vulnerability Discovery That Prompted Restriction

Claude Mythos found thousands of zero-day vulnerabilities in weeks, including bugs that survived decades of human review. A 27-year-old denial-of-service vulnerability in OpenBSD’s TCP SACK implementation. A 16-year-old FFmpeg flaw that automated testing tools hit five million times without catching. A 17-year-old FreeBSD remote code execution bug giving root access to unauthenticated attackers. Mythos found all of them autonomously.

The capability gap is stark. Claude Opus 4.6 turned vulnerabilities into working exploits twice out of hundreds of attempts. Mythos Preview? 181 times for the same Firefox task. Nicholas Carlini, an Anthropic security researcher, put it bluntly: “I’ve found more bugs in the last couple of weeks than I found in the rest of my life combined.”

The model can chain multiple vulnerabilities together without human guidance. In one case, Mythos autonomously created a browser exploit combining four separate flaws to escape both the renderer sandbox and the operating system sandbox. That’s not assisted vulnerability research—that’s autonomous offensive capability.

Project Glasswing: The Defensive Coalition

Anthropic didn’t release Mythos publicly. Instead, they created Project Glasswing: a defensive security coalition giving 40+ organizations exclusive early access to find and patch vulnerabilities before similar models become widely available.

The twelve founding partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Moreover, Anthropic committed $100 million in model usage credits for participants and donated $4 million to open-source security organizations including Alpha-Omega, the Open Source Security Foundation, and the Apache Software Foundation.

The goal is simple: give defenders a head start. Alex Stamos, chief product officer at cybersecurity firm Corridor and former Facebook CSO, estimates the window is narrow. “We only have something like six months before the open-weight models catch up to the foundation models in bug finding,” he said. This is a race against time, not a permanent solution.

The Security vs. Openness Debate

The restriction is controversial. Simon Willison, a security blogger and developer, supports the approach. “Restricting Claude Mythos to security researchers—sounds necessary to me,” he wrote. He points to the 90x improvement in exploit development capability as evidence this represents a genuine inflection point, calling it “a reasonable trade-off.”

However, critics argue this just delays the inevitable. Attackers will build similar models anyway—whether through Chinese AI labs, Russian state actors, or independent researchers. If the competitive advantage lasts only six to twelve months, what happens next? Will OpenAI restrict GPT-5.5? Will Google restrict Gemini 3.1? What about Meta’s Llama 4 if it reaches offensive capabilities?

The access question matters too. Only 40 companies get early access. What about independent security researchers who can’t get Glasswing partnerships? What about smaller companies maintaining critical infrastructure? One researcher captured the uncomfortable reality: “Glasswing is built on a deeply uncomfortable premise—that the only way to protect us from dangerous AI models is to build them first.”

There’s precedent for skepticism. OpenAI claimed GPT-2 was “too dangerous to release” in 2019, then eventually released it fully when concerns proved overblown. But this feels different. GPT-2 was theoretical risk. Claude Mythos has already found thousands of real vulnerabilities and demonstrated autonomous exploit development at unprecedented scale.

What Developers Should Know

AI vulnerability research crossed a threshold in March 2026. Greg Kroah-Hartman, the Linux kernel’s stable branch maintainer, noticed the shift. “Months ago we were getting ‘AI slop’—AI-generated security reports that were obviously wrong,” he said. “Something happened a month ago, and the world switched. Now we have real reports.”

Your systems likely have vulnerabilities AI can find but humans missed for years. The 27-year-old OpenBSD bug proves that. Software you rely on—Linux, Windows, macOS, Chrome, Firefox—is being scanned right now by Glasswing partners. Consequently, expect a surge of AI-discovered vulnerability disclosures over the coming months.

The timeline matters. You have six to twelve months before adversaries build equivalent tools. After that, offensive AI capabilities become democratized. The security landscape shifts from “humans vs. humans” to “AI vs. AI”—autonomous offensive systems probing for vulnerabilities against autonomous defensive systems patching them in real time.

Open-source maintainers can apply for access through Anthropic’s Claude for Open Source program. Security researchers will eventually be able to apply through a forthcoming Cyber Verification Program, though details remain unclear. For everyone else, Mythos isn’t available. The model will eventually be released in future Claude Opus versions after critical systems are patched, but there’s no firm timeline.

The industry is figuring out in real time how to handle dangerous AI capabilities. Anthropic restricted Mythos after empirical evidence—thousands of real zero-days—not theoretical concerns. The question now: what happens when OpenAI, Google, and Meta reach the same capability level?

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover the latest tech news and controversies and summarize them into byte-sized, easily digestible information.