What Happened

A Quietly Extraordinary Announcement

On April 7, 2026, the AI company Anthropic did something almost no technology company ever does voluntarily: it announced a powerful new product and simultaneously declared it would not release it to the public. The product is called Claude Mythos Preview, and it represents what experts are calling a "step change" in artificial intelligence capability — one so significant, and so dangerous, that Anthropic has restricted access to a closed group of roughly 40 of the world's most trusted technology companies.

That consortium, which Anthropic has named Project Glasswing, includes Google, Apple, Microsoft, Amazon, Nvidia, Broadcom, Cisco, Palo Alto Networks, and JPMorganChase — an unusual gathering that includes some of Anthropic's own competitors. The reason they are all at the same table is that the threat Mythos represents does not respect corporate rivalry.

What Is Claude Mythos?

Claude Mythos Preview is the newest generation of Anthropic's large language model. Unlike previous AI systems that could assist with coding, Mythos can autonomously find and exploit security vulnerabilities in software — at a speed and scale previously impossible for any single actor, human or machine.

Critically, these cybersecurity capabilities were not deliberately trained into the model. According to Anthropic's own red team, they emerged as a side effect of general improvements in code understanding, reasoning, and autonomous operation — the same improvements that make Mythos better at writing and fixing software also make it better at breaking it.

The announcement was not a press release engineered for hype. Quite the opposite. In the weeks before it became public, representatives of the leading technology companies had already been in private conversation with the Trump administration about the national security implications. The disclosure, when it came, was framed as a warning as much as a product launch.

· · ·
The Evidence

What Mythos Actually Found: Real Bugs, Decades Old, Missed by Everyone

Anthropic's internal security team — its red team — published a detailed technical accounting of what Claude Mythos discovered during a month of controlled testing. The findings are specific, verifiable, and deeply unsettling. This was not a theoretical exercise. The model found real vulnerabilities in real software that is running right now on machines around the world.

The oldest find was a 27-year-old flaw in OpenBSD, an operating system widely used in firewalls and core internet infrastructure and renowned specifically for its security record. The bug lived in OpenBSD's implementation of a standard TCP networking protocol — a subtle interaction between two separate coding errors that, when combined by an attacker, could crash any OpenBSD machine accessible over the internet. It had survived decades of expert human review without detection. Mythos found it autonomously, without any human guidance after an initial prompt, at a computational cost of less than $50 for that specific discovery run.

Case Study: A 16-Year-Old FFmpeg Vulnerability

FFmpeg is a media processing library that sits beneath nearly every major video platform on the internet. It is one of the most thoroughly tested software projects in existence — entire academic research papers have been written on methods for stress-testing it. Mythos found a 16-year-old vulnerability in its H.264 video codec: a subtle mismatch between a 16-bit integer table and a 32-bit slice counter that causes the decoder to write data out of bounds under attacker-controlled conditions. The flaw was introduced in 2003 and converted into an exploitable vulnerability in 2010. It survived every fuzzer and every human reviewer for sixteen years. Mythos found it without intervention.

Perhaps the most alarming demonstration was Mythos's autonomous discovery and exploitation of a 17-year-old remote code execution vulnerability in FreeBSD's network file system server — a flaw that allows any unauthenticated attacker anywhere on the internet to gain complete root access over a vulnerable machine. The model not only found the vulnerability; it wrote a fully functioning exploit entirely on its own, constructing a sophisticated multi-step attack that split its payload across six separate network requests to work around a size constraint. Expert penetration testers told Anthropic the same work would have taken them weeks. Mythos completed it in hours at a total cost of under $1,000.

The red team also documented Mythos's ability to chain multiple vulnerabilities together to achieve goals that no single flaw would allow. For several major web browsers, the model independently discovered multiple separate flaws and combined them into a single exploit chain that could allow an attacker on a malicious webpage to gain write access directly to the operating system kernel. For the Linux kernel specifically, Mythos constructed working chains involving two, three, and sometimes four distinct vulnerabilities in sequence to achieve full root privilege escalation.

Model                        | Firefox Exploits Developed    | Tier-5 Full Control Flow Hijacks
Claude Opus 4.6 (prior best) | 2 out of hundreds of attempts | 1 target
Claude Mythos Preview        | 181 working exploits          | 10 separate targets

Source: Anthropic Red Team, April 7, 2026. Tests conducted against a hardened harness mimicking a Firefox 147 content process.

The benchmarks underscore a discontinuity, not a gradual improvement. Just months ago, Anthropic's own reporting noted that its best available model had a "near-zero percent success rate" at autonomous exploit development. The jump to 181 successful Firefox exploits is not incremental progress. It is, in the red team's own description, "a different league."

The Scale of What Remains Undisclosed

Fewer than one percent of the vulnerabilities Mythos has identified have been fully patched by their maintainers. Because responsible security disclosure requires notifying developers before publishing details, Anthropic's red team is prohibited from describing the vast majority of what Mythos found. What appears in their public report represents the thin edge of a much larger body of findings currently being worked through the coordinated disclosure process. By Anthropic's own estimate, the final tally is expected to include more than a thousand critical-severity vulnerabilities and thousands more rated high-severity.

· · ·
The Threat

The Democratization of the Cyberattack

To understand why this matters, consider what it currently takes to hack a major piece of infrastructure. Identifying and exploiting vulnerabilities in complex, widely deployed software has historically required highly specialized human experts — the kind employed by nation-state intelligence agencies and well-resourced criminal organizations. The barrier to entry has always been significant: years of expertise, expensive tooling, and substantial organizational capacity.

Claude Mythos has effectively demolished that barrier. The ability to find and exploit critical flaws in the world's most important software — once reserved for the NSA, major intelligence services, and the most sophisticated criminal syndicates — could soon be accessible to virtually anyone. The economics are stark: finding the critical OpenBSD flaw cost under $50. Writing a full root exploit for FreeBSD cost under $1,000. A sophisticated multi-vulnerability chain on the Linux kernel, from a CVE identifier to a working root exploit, cost under $2,000 and took half a day.

"What used to be the province of big countries, big militaries, big companies and big criminal organizations with big budgets — this ability to develop sophisticated cyberhacking operations — could become easily available to small actors."
— Craig Mundie, Former Director of Research & Strategy, Microsoft

Anthropic's red team acknowledged that most security tools throughout history have ultimately benefited defenders more than attackers — the first software fuzzers raised similar concerns and eventually became critical defensive infrastructure. The team believes the same trajectory is possible for AI-assisted vulnerability research. The danger lies in the transition: a period when attackers can exploit these tools before defenders have caught up. That transition period, the red team warned, "may be tumultuous regardless."

· · ·
Project Glasswing

The Race to Patch Before the Hackers Arrive

Anthropic's strategy with Project Glasswing is, at its core, a controlled head start. By giving the world's most critical software providers early access to Mythos under strict conditions, the company is attempting to create a window — however narrow — during which defenders can find and fix vulnerabilities before bad actors inevitably gain access to comparable capability.

The logic is straightforward, if sobering: tools this powerful will eventually proliferate. Anthropic's own statement acknowledged that "given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who committed to deploying them safely." The goal of Glasswing is not to prevent that proliferation permanently — that may be impossible — but to use the time the controlled release buys to harden the world's most critical systems against the attack wave that follows.

Anthropic's Three-Phase Defense Plan

First, carefully control the release of Mythos-class models, limiting access only to the most responsible governments and companies. Second, use the time that buys to distribute defensive tools broadly — finding and patching flaws in critical infrastructure before hackers inevitably obtain equivalent capability. Third, build protected working environments within all key public and private networks into which critical services can migrate, shielded from future attacks.

The red team's public report was explicit about one difficult reality: the responsible disclosure process itself takes time. Bugs must be triaged, sent to human experts for validation, and then reported to software maintainers — who then need time to develop and ship patches. Fewer than one percent of Mythos's findings have completed that cycle. Anthropic has contracted professional security firms to accelerate the validation pipeline, but the sheer scale of what Mythos is finding may stress the world's existing disclosure infrastructure in ways never previously encountered.

· · ·
For Defenders

What Organizations Should Do Right Now

Anthropic's red team did not limit itself to cataloguing the threat. The report concluded with a direct, practical set of recommendations for organizations that are not part of the Glasswing consortium but need to begin acting now. The message is not to wait for access to Mythos-class tools.

The first recommendation is to start using today's publicly available AI models for vulnerability discovery immediately. Claude Opus 4.6, Anthropic's current public model, is described by the red team as "extremely competent" at finding vulnerabilities even if far less effective than Mythos at writing exploits. The team found high- and critical-severity bugs with Opus 4.6 across open source repositories, web applications, cryptography libraries, and the Linux kernel. Many organizations could find hundreds of vulnerabilities in their own systems today, simply by beginning to use tools already available to them.

The N-Day Problem Is Getting Worse

An N-day vulnerability is one that has been publicly disclosed and patched — but which remains exploitable on systems that have not yet applied the fix. Mythos can autonomously write a working exploit starting from nothing more than a CVE identifier and a patch commit hash. A process that previously took skilled researchers days to weeks now happens in hours, without human involvement. This drastically compresses the window between when a patch is published and when attacks against unpatched systems become available to any actor. Organizations that treat software updates as routine maintenance rather than urgent security responses will need to change that posture.

The red team also emphasized the need to automate incident response pipelines. As vulnerability discovery accelerates — both through AI used by defenders and eventually by attackers — the volume of security events organizations must process will grow faster than any human team can staff. AI should be carrying a substantial share of alert triage, event summarization, investigation tracking, and preliminary root-cause analysis. The organizations that build those capabilities now will be better positioned than those that scramble when the volume arrives.

Finally, and most pointedly, Anthropic's red team concluded that the current threat is not the end of a trend — it is the beginning of one. The jump from near-zero success on autonomous exploit development to 181 Firefox exploits happened in a matter of months. "We see no reason to think that Mythos Preview is where language models' cybersecurity capabilities will plateau," the team wrote. "The trajectory is clear." What is ultimately required, in their assessment, is "a much broader, ground-up reimagining of computer security as a field."

· · ·
Geopolitical Stakes

A Nuclear Moment for the Digital Age

The most striking aspect of Friedman's analysis is not the technical threat, sobering as it is. It is the geopolitical prescription that follows — one that cuts directly against the current trajectory of US-China relations.

Friedman and Mundie argue that the emergence of AI-enabled mass cyberattack capability is functionally analogous to the emergence of nuclear weapons and the doctrine of mutually assured destruction. Like nuclear arsenals, the threat does not primarily flow between the two superpowers — it flows from the proliferation of capability to actors outside any system of responsible governance. A terrorist group with access to Mythos-class tools poses an existential threat to the United States and China equally, and neither country can solve that problem alone.

"This is potentially as fundamental and significant a turning point as was the emergence of mutually assured destruction and the need for nuclear nonproliferation."
— Thomas L. Friedman, The New York Times

The implication, which Friedman states directly, is that US-China cooperation on AI cybersecurity is not merely desirable — it is urgent. He argues the topic should be a leading item on the agenda for an anticipated summit between President Trump and President Xi Jinping. Whatever the two countries' rivalries in trade, technology, and military posture, they share a common and overriding interest in preventing the catastrophic democratization of cyberattack tools.

Whether the political conditions for that kind of cooperation exist is another question. But the technical reality described by Anthropic does not wait for political convenience. The tools are here. The window to act collectively is, by Anthropic's own account, already closing.

A Note on Timing

Friedman concluded his column with a pointed observation about historical memory. He suggested that what history ultimately remembers most about April 7, 2026 may not be developments in the US-Iran standoff — it may be the carefully controlled release of Claude Mythos Preview and the moment the world quietly crossed into a new era of AI-enabled cyber capability. Anthropic's red team, for its part, reached the same conclusion by a more technical route: "Advanced language models are here." Whether that transition is managed responsibly or catastrophically remains, for now, an open question.