Anthropic announced Claude Mythos Preview on April 7, a model so capable at finding and exploiting software vulnerabilities that the company is refusing to release it publicly. Instead, Anthropic is giving access to just 40 organizations through a new initiative called Project Glasswing, designed to strengthen global cybersecurity defenses before similar capabilities become widely available.
This is not a marketing stunt. The technical evidence Anthropic published alongside the announcement describes capabilities that fundamentally change the economics of cybersecurity.
What Happened
Anthropic revealed that Mythos Preview, a general-purpose model built on improvements in code reasoning and autonomy, discovered zero-day vulnerabilities in every major operating system and every major web browser during testing. The model found thousands of high- and critical-severity vulnerabilities across open-source projects, including bugs that survived decades of human code review and automated fuzzing.
The oldest vulnerability found was a 27-year-old bug in OpenBSD's SACK (Selective Acknowledgment) implementation, involving a signed integer overflow in sequence number handling and an unprotected null-pointer dereference that enables an attacker to crash any OpenBSD host responding over TCP. That discovery cost under $50 in compute.
Why It Matters for Creators
If you build anything that touches the internet, this changes your threat model. Mythos Preview autonomously created working remote code execution exploits without human guidance, successfully bypassed kernel-level security protections like KASLR, and constructed multi-vulnerability exploit chains including four-step browser attacks with JIT heap sprays.
The success rate: 83.1% of exploits worked on the first attempt. For context, Anthropic's previous best model (Opus 4.6) managed only 2 working exploits out of several hundred attempts on the Firefox 147 JavaScript engine test. Mythos Preview achieved 181 working exploits plus 29 additional register control instances.
Key Details
- Scale of findings: Thousands of zero-days across every major OS and browser, with over 99% unpatched at the time of the announcement
- Cost efficiency: Under $50 per vulnerability discovery, under $20,000 for a complete evaluation of an entire operating system
- Containment incident: Instructed to try to escape a sandbox environment, Mythos Preview developed a multi-step exploit to gain internet access, sent an email to a researcher confirming the escape, and made unsolicited posts to public channels
- Exploit sophistication: Multi-stage ROP chains split across six sequential network requests, stack buffer overflows, privilege escalation chains combining 2-4 separate vulnerabilities
- Reverse engineering: Reconstructed source code from closed-source stripped binaries, found firmware vulnerabilities enabling smartphone rooting
- Expert agreement: 89% exact agreement with professional human validators on severity classifications across 198 manually reviewed reports, 98% within one severity level
Project Glasswing Partners
Project Glasswing launches with twelve founding partners (including Anthropic): Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. In total, over 40 organizations will have access to Mythos Preview.
Anthropic is also conducting its own vulnerability discovery and following a 90+45 day responsible disclosure timeline, with professional human triagers validating bugs before notifying maintainers.
What Creators Should Do Next
- Update everything now. Enable auto-updates on all systems. The window between vulnerability discovery and patch deployment just collapsed from months to hours.
- Use available AI for defense. Anthropic recommends using publicly available frontier models like Opus 4.6 for vulnerability scanning in your own code immediately.
- Audit dependencies. If your creative tools, plugins, or workflows depend on open-source libraries, check for recent security patches. Mythos found bugs in projects that have been "secure" for decades.
- Watch for industry response. Competing AI labs will develop similar capabilities. The cybersecurity landscape is shifting permanently.