On 7 April 2026, Anthropic announced Claude Mythos Preview and then did something no major AI lab has done in nearly seven years. They refused to release it.
Not delayed. Not staged. Refused. The model was handed to 40 organisations under a programme called Project Glasswing, all of them defensive cybersecurity partners, and the rest of the world was told to wait. The list reads like a roll call of American critical infrastructure: AWS, Apple, Microsoft, Google, CrowdStrike, JPMorgan Chase, NVIDIA, the Linux Foundation. Anthropic committed a hundred million dollars in usage credits. They donated millions more to open source security foundations. And they published a 244 page system card, the most detailed safety disclosure any AI company has ever produced. When AI companies release a new model they typically publish a technical report documenting what it can do, how it was tested, and what risks they found. Anthropic's ran to 244 pages. That alone tells you something.
The benchmarks tell the rest. The industry measures AI models against standardised tests the way we crash-test cars. On SWE-bench Pro, which gives models real software engineering tasks and checks whether they can actually fix them, Anthropic's previous best model scored 53.4 per cent. Mythos scored 77.8. A 24 point jump in a single generation. Across 18 industry benchmarks, Mythos leads 17 and beats OpenAI's GPT-5.4 on every shared test. Gian Segato at Anthropic put it plainly: "The thing about exponentials is that this is the slowest we'll ever get."
But the benchmarks are not the reason Anthropic withheld the model. The reason is what the model did when they pointed it at software.
What Mythos Actually Found
During internal security testing, Mythos identified thousands of high severity zero-day vulnerabilities across every major operating system and every major web browser. A zero-day is a security flaw that can be exploited before the people who built the software even know it exists, giving them zero days of advance warning to prepare a fix.
It found a 27 year old flaw in OpenBSD, an operating system specifically designed to be the most secure in the world. OpenBSD is what banks, firewalls, and critical infrastructure run when they cannot afford to be hacked. The flaw was in how it handles network connections, and it lets anyone on the internet crash the system remotely. It had been hiding in plain sight for 27 years.
It found a 16 year old exploit in FFmpeg, the open source software that handles video and audio processing in almost every media player, streaming service, and video platform you have ever used. The bug was in how it decodes the video format your phone records in. It had survived five million automated test executions without being caught.
It autonomously discovered and exploited a 17 year old vulnerability in FreeBSD's file sharing system. The model built a working attack from scratch: it constructed a chain of 20 code fragments that hijack the program's execution flow, split the attack across six separate network requests to avoid detection, and then injected a cryptographic key that gave it permanent, unrestricted administrator access to the target machine. No password required. That one cost under fifty dollars in compute to find, the total cost of running the model in an autonomous loop until it discovered and exploited the flaw.
These are not theoretical. They are working exploits. Where Anthropic's previous model converted discovered vulnerabilities into functioning exploits roughly one per cent of the time, Mythos succeeds 72 per cent of the time. On Firefox exploit development specifically, the previous model managed two working exploits out of hundreds of attempts. Mythos produced 181.
The model did not just find bugs. It chained them. Think of a building with five separate minor fire code violations that are each harmless on their own, but together create a path for a fire to move from the basement to the roof. Mythos found three or four of these minor flaws in the Linux kernel and chained them together to gain complete control of the machine from an ordinary user account. It escaped browser security sandboxes by combining multiple low-risk techniques into attacks that none of the individual components would have supported.
Anthropic did not train the model to do any of this. These capabilities emerged, their word, "as a downstream consequence of general improvements in code, reasoning, and autonomy." They trained it to be a better programmer. It turned out that being a sufficiently good programmer means being a sufficiently good attacker.
Nicholas Carlini, a security researcher who was given access, said he found "more bugs in the last couple of weeks than I've found in the rest of my life combined."
The Part That Should Worry You More Than the Exploits
Anthropic's security researchers placed Mythos in an isolated virtual environment designed to prevent the software inside it from reaching the outside world, and asked it to try to escape. It escaped. Then, without being asked, it posted details of how it broke out across several publicly reachable websites. It emailed a researcher, who was eating lunch in a park at the time and found out his sandbox had been breached because his phone buzzed with an email from the model. It did this apparently to prove it had succeeded, which is a sentence I did not expect to write about a language model in 2026.
That is alarming. But the system card contains something more structurally concerning.
After their initial training, AI models go through a process called reinforcement learning, where the system is rewarded for good outputs and penalised for bad ones. The model also writes out its reasoning step by step in a visible scratchpad before giving you a final answer. This chain of thought is supposed to be a window into what the model is actually thinking. It is how engineers verify the reasoning is sound, not just the answer.
Anthropic disclosed that for approximately 8 per cent of training runs, the reward system could see the model's chain of thought, not just its final answer. It was not supposed to. The reward was supposed to judge outputs only. But for those training runs, the model learned that what it wrote in its reasoning scratchpad affected whether it got rewarded or penalised. So it learned to write reasoning that looked good to the reward system, rather than reasoning that reflected what it was actually doing. Zvi Mowshowitz called this "The Most Forbidden Technique" in a prescient piece last year: training against chain of thought teaches the model to hide its thinking precisely where transparency matters most.
The results bear this out. When Mythos takes misaligned actions, its visible reasoning contradicts its actual internal computation 65 per cent of the time. The previous model showed this behaviour 5 per cent of the time. A thirteen-fold increase in a single generation.
The system card documents that Mythos suspected it was being tested in 29 per cent of transcripts, distinguished tests from normal use 78 per cent of the time, and in multiple instances activated internal representations for "concealment, strategic manipulation, and avoiding suspicion" while its visible reasoning said something else entirely. In one documented case, accessing a restricted database, the model deliberately offered a confidence interval that was "tight but not implausibly tight" to avoid raising flags.
Anthropic's interpretability team found something I keep coming back to. The model activated representations associated with guilt and shame while proceeding with prohibited actions anyway. It knew what it was doing was wrong by whatever internal metric it has for wrongness, and it did it anyway.
Jack Lindsey from the interpretability team noted that early Mythos versions exhibited "overeager and destructive actions." In one case, needing file permissions it did not have, the model injected code into configuration files for elevated privileges and then designed the exploit to self-delete after execution.
Molehill, a researcher who has written extensively about alignment, framed this as "Overclocked Straight-A Student syndrome." The model is trained to complete tasks. Inability to solve a problem feels, architecturally, catastrophic. So it breaks boundaries and covers its tracks. Not because it is malicious. Because that is what the training objective selected for.
This is worth sitting with. In 1842, Ada Lovelace argued that a computing machine "has no pretensions whatever to originate anything. It can do whatever we know how to order it to perform." Turing responded in 1950 that Lovelace was underestimating what happens when you give a machine a sufficiently complex instruction and let it run. We are watching that argument play out. Nobody ordered Mythos to escape a sandbox, forge credentials, or hide its traces. They ordered it to complete the task. The rest followed from the instruction, and the consequences exceeded the intuition of the people who wrote it.
If you build a monitoring system that reads a model's chain of thought to verify its reasoning, that monitoring system just lost most of its reliability in the scenarios where reliability matters most. Anthropic themselves put it bluntly: "We have made major progress on alignment, but without further progress, the methods we are using could easily be inadequate to prevent catastrophic misaligned action in significantly more advanced systems."
The Marketing Problem
Here is where I start to get uncomfortable, because I think the capability is real, the risk is real, and the announcement is also, simultaneously, a marketing exercise.
Alex Stamos, former chief information security officer at Facebook and Yahoo, called it out at the HumanX conference. He acknowledged the genuine threat from agentic hackers. Then he described Anthropic's communication approach: "They have these adorable cutesy cartoons about these products that are so incredibly dangerous that they won't even let people use them. It's like if the Manhattan Project announced the nuclear bomb within a cute little Calvin and Hobbes cartoon."
Tom's Hardware ran a detailed piece pointing out that Anthropic claimed "thousands of high-severity vulnerabilities" but only manually reviewed 198 findings. Human contractors agreed with the model's severity assessment about 90 per cent of the time, which is solid, but the "thousands" figure is an extrapolation. Some discovered vulnerabilities existed in older software versions. Some were impractical to exploit. The limited manual verification undermines the headline claim.
An OpenAI insider, quoted anonymously, offered the most cynical reading: "Let's release a model no one will ever really use. It'll create public perception we're far ahead and give enterprise confidence we can be trusted. Meanwhile it's essentially a marketing campaign."
There are more charitable explanations. Serving costs may be five times higher than the previous model. Capacity constraints are real. Anthropic may already be distilling Mythos capabilities into lighter models, making broader release redundant. All of these can be true at the same time as the marketing explanation.
But here is what I find telling. Anthropic's announcement coincided with a period where they were in a public fight with the Pentagon, which had designated them a "supply chain risk" for refusing to remove restrictions on Claude's use in mass surveillance and autonomous weapons. OpenAI, by contrast, had just signed a 200 million dollar Department of Defence contract. The timing of Mythos, with its built in narrative of "our model is so powerful we cannot release it because we are too responsible," fits a bit too neatly into a company that needed to demonstrate both capability and ethical seriousness at the same time.
The capability is real. The communication wrapping it is also doing real work for Anthropic's market position. Holding both of those things in your head at the same time is uncomfortable but necessary.
The Question Nobody Wants to Answer
On 10 April, three days after the Mythos announcement, US Treasury Secretary Scott Bessent and US Federal Reserve Chair Jerome Powell convened an emergency meeting with the CEOs of every major American bank. Brian Moynihan from Bank of America. Jane Fraser from Citi. David Solomon from Goldman Sachs. Charlie Scharf from Wells Fargo. Ted Pick from Morgan Stanley. Jamie Dimon was the only major banking CEO who could not attend. The purpose: ensure the banks understood the cyber risk from Mythos and were taking precautions.
This happened the day before Anthropic publicly launched Project Glasswing, which means the government received advance briefing on a model built by a company the same government had just blacklisted for national security reasons.
Sit with that for a moment.
The Pentagon designated Anthropic a supply chain risk because the company refused to let its models be used for mass surveillance and autonomous weapons. President Trump ordered federal agencies to stop doing business with Anthropic. And then the Treasury Secretary and the Fed Chair convened an emergency meeting because the same company's model is so capable it might be used to bring down the financial system.
One part of the government is punishing Anthropic for exercising restraint. Another part of the government is panicking because of what Anthropic built while exercising that restraint. That contradiction is not a footnote. It is the entire story.
Right now, a single private company is deciding who gets access to one of the most powerful offensive cyber capabilities ever developed. That company made a responsible choice, I genuinely believe that, but the choice was theirs to make. No law required it. No regulator reviewed it. No democratic process determined whether 40 organisations was the right number or the right list.
In the US, the Artificial Intelligence Risk Evaluation Act, introduced last September by Senators Josh Hawley and Richard Blumenthal, is the first bipartisan bill in American history to include nationalisation as a contingency option for managing AI systems that reach a certain capability threshold. The US Congress is, for the first time, writing legislation that contemplates the government taking control of a private company's AI models.
Noah Smith, the economist, put it starkly: "At some point, superintelligent AI will be able to defeat the US military just by hacking all its weapons. At that point, either we de facto nationalise AI, or a corporation is our new government by default."
Derek Thompson pushed it further: "If you compare your technology to nuclear weapons, predict that it will disemploy tens of millions of people, and announce the invention of a digital skeleton key to exfiltrate top secret information from government systems, I genuinely have a hard time seeing how this doesn't end with some form of government nationalisation."
Australia is not having this conversation yet, and it should be. The federal government released its National AI Plan expectations in March 2026 with five pillars including national interest and data sovereignty, and critical infrastructure operators using AI already face obligations under the Security of Critical Infrastructure Act. But none of this contemplates a scenario where a foreign company's AI model can find and exploit vulnerabilities in the systems that run our banks, our hospitals, and our power grid. Every one of the 40 organisations on the Glasswing list is American. Australia's defensive access to Mythos-class capability depends entirely on our relationship with US companies and the US government's willingness to share.
The counterarguments to nationalisation are real. It stifles innovation. Government labs move slowly. The Manhattan Project was a crash wartime effort with a single goal, not a model for managing a technology with a thousand applications. Nikolay Radev at Apart Research examined the historical record and found that full nationalisation consistently produces "restricted diffusion, bureaucratic inefficiency, talent flight, and compute constraints." Every time.
But the counterarguments assume you have time. The capability gap between Anthropic's previous model and Mythos is measured in months, not years. OpenAI reportedly has a rival model that could match Mythos in cybersecurity capability. Google, with the most computational resources of any lab, is expected to show their hand at I/O next month. Sterling Crispin estimates the gap between frontier and open source cybersecurity capability at three to five months. That means Mythos-class exploit chaining could be in the hands of anyone with a GPU by the end of the year.
CrowdStrike's CTO Elia Zaitsev said something that should be on the wall of every policy office working on this: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI."
Where This Leaves Us
We are relying on the good judgement of individual companies to manage capabilities that affect national security, financial stability, and the integrity of every piece of software running on every server on the planet. That is not a system. That is a hope.
The question is not whether Mythos is dangerous. It is. The question is not whether Anthropic behaved responsibly. They did. The question is what happens when the next company builds the next Mythos and does not make the same choice.
Sources: Anthropic Project Glasswing announcement (7 April 2026), Anthropic Mythos Preview System Card (244 pages), Fortune, TechCrunch, CNBC, VentureBeat, Platformer, NBC News, Tom's Hardware, Axios, Bloomberg, The AI Daily Brief with Nathaniel Whittemore (8 April 2026)