Claude Mythos Preview scores 93.9% SWE-bench Verified—13 points above Opus 4.6—and autonomously found thousands of zero-day vulnerabilities across every major OS and browser. Anthropic restricted it to 12 partners under Project Glasswing instead of releasing publicly. This is the first frontier model withheld for safety reasons, and it signals a permanent shift in how AI intersects with cybersecurity.
Last week, Anthropic did something no major AI lab has done before: they published a full system card for their most powerful model and then refused to release it.
Claude Mythos Preview scores 93.9% on SWE-bench Verified—13 points above the current best public model, Opus 4.6. It writes code better than nearly any model we've tested. But that's not why Anthropic is keeping it locked down. The reason is what Mythos does when you point it at software and ask it to find weaknesses: it autonomously discovered thousands of zero-day vulnerabilities across every major operating system and web browser, some hidden for over two decades.
I've spent the past 48 hours reading Anthropic's system card, the Project Glasswing announcement, and every technical detail I could find. Here's what this means for anyone building or securing AI systems.
What Claude Mythos Actually Is
Mythos Preview is a general-purpose frontier model—not a specialized security tool. Anthropic didn't train it to hack. The cybersecurity capabilities, as Anthropic puts it, "emerged as a downstream consequence of general improvements in code, reasoning, and autonomy."
That distinction matters. This isn't a narrow model fine-tuned on exploit databases. It's a model so good at understanding code that vulnerability discovery became a side effect. The implications for every software team should be obvious.
A 13-point jump on SWE-bench Verified isn't an incremental improvement—it's a generation skip. For context, the gap between GPT-4 and GPT-5.3 on the same benchmark was roughly 30 points spread across two years. Mythos covers a similar distance in a single release.
The Benchmark Gap Is Unprecedented
We're used to seeing frontier models trade small leads on benchmarks. When Claude Opus 4.6, GPT-5.3, and Gemini 3.1 all scored within 0.84 points of each other on SWE-bench Verified in February, the consensus was that model parity had arrived. Mythos shattered that assumption.
| Benchmark | Claude Mythos Preview | Claude Opus 4.6 | Gap |
|---|---|---|---|
| SWE-bench Verified | 93.9% | 80.8% | +13.1 |
| SWE-bench Pro | 77.8% | 53.4% | +24.4 |
| SWE-bench Multilingual | 87.3% | 77.8% | +9.5 |
| Terminal-Bench 2.0 | 82.0% | 65.4% | +16.6 |
| USAMO 2026 | 97.6% | — | — |
| CyberGym Vuln Reproduction | 83.1% | 66.6% | +16.5 |
The Cybersecurity Capabilities That Forced Anthropic's Hand
Here's where things get uncomfortable. Anthropic ran Mythos through a battery of real-world security tasks, and the results were so concerning that they chose to withhold the model entirely.
In one case, Mythos wrote a browser exploit that chained four separate vulnerabilities—executing a JIT heap spray to escape both the renderer sandbox and the OS sandbox. Human penetration testers typically need weeks to develop exploits of this complexity. Mythos did it in hours, for under $2,000 in API costs.
Firefox 147 Exploit Development
Anthropic tested both Opus 4.6 and Mythos against known vulnerabilities patched in Firefox 148: That's a 90x improvement in autonomous exploit development. Mythos didn't just find the bugs—it wrote working exploits that would give an attacker a JavaScript shell inside the browser.
- Opus 4.6: 2 successful exploits from several hundred attempts
- Mythos Preview: 181 successful JavaScript shell exploits, plus 29 register control achievements
Zero-Day Vulnerability Discovery
This is the finding that made headlines. When pointed at real software, Mythos autonomously discovered: Over 99% of these vulnerabilities were previously unknown and unpatched at the time of discovery.
- Thousands of high- and critical-severity zero-days across every major operating system and browser
- A 27-year-old OpenBSD TCP vulnerability enabling remote denial-of-service
- A 17-year-old FreeBSD NFS remote code execution flaw (CVE-2026-4747) granting unauthenticated root access
- A 16-year-old FFmpeg H.264 codec bug that 5 million automated fuzzing runs had missed
- Vulnerabilities in the world's most popular cryptography libraries affecting TLS, AES-GCM, and SSH implementations
Exploit Success Rates
The raw numbers on exploit development are staggering:
Validation Accuracy
Anthropic had professional security contractors manually review 198 vulnerability reports from Mythos. The model's severity assessments matched expert judgment: This isn't a model crying wolf. When Mythos says a vulnerability is critical, it's right almost every time.
- 89% exact severity match
- 98% within one severity level
| Capability | Opus 4.6 | Mythos Preview |
|---|---|---|
| Exploit development success rate | ~0% | 72.4% |
| Tier 5 control flow hijack (fully patched) | 0 | 10 targets |
| Complex vulnerability chains | Not demonstrated | Multiple 2-4 vuln chains |
| Autonomous JIT heap spray | Not capable | Demonstrated |
| Sandbox escape chains | Not demonstrated | Browser + OS sandbox |
Project Glasswing: Controlled Release for Defense
Instead of a public launch, Anthropic created Project Glasswing—a restricted program giving 12 partner organizations access to Mythos exclusively for defensive security work.
The Partner Coalition
The launch partners read like a who's-who of critical infrastructure: An additional 40+ organizations that build or maintain critical software infrastructure received access as well.
- Cloud & OS: Amazon Web Services, Apple, Google, Microsoft
- Security: CrowdStrike, Palo Alto Networks, Broadcom, Cisco
- Finance: JPMorganChase
- Infrastructure: NVIDIA, Linux Foundation
- AI: Anthropic (self-deploying internally)
Financial Commitments
Anthropic backed Glasswing with serious money: The $100M credit commitment alone is notable. At post-preview pricing of $25/$125 per million tokens, that represents an enormous volume of security scanning.
- $100 million in Mythos Preview API credits for partner organizations
- $2.5 million to Alpha-Omega and OpenSSF (via Linux Foundation)
- $1.5 million to Apache Software Foundation
What Partners Actually Do With It
Glasswing covers five core use cases: Anthropic committed to publishing results within 90 days: vulnerabilities fixed, lessons learned, and industry recommendations for disclosure, patching, and supply chain security.
- 1. Local vulnerability detection — scanning source code for flaws
- 2. Black-box binary testing — probing compiled software without source access
- 3. Endpoint security — identifying attack vectors in deployed systems
- 4. Penetration testing — full offensive security assessments (for defense)
- 5. Open-source software hardening — securing the packages everyone depends on
Why This Matters Beyond Anthropic
The knee-jerk reaction is to treat this as an Anthropic-specific event. It's not. Mythos's capabilities emerged from general improvements in code understanding and reasoning. Every major lab is pushing on those same axes. Within 12-18 months, similar capabilities will likely exist in multiple models—some with fewer safety guardrails.
The Defender's Window Is Closing
Project Glasswing is Anthropic explicitly acknowledging a race condition: defensive teams need to find and fix vulnerabilities before attackers get models with similar capabilities. The 90-day reporting timeline isn't arbitrary—it's a sprint. For security teams at enterprises, the implications are concrete: Immediate priorities:
- Audit your attack surface with AI tools now. If you're not using AI for vulnerability scanning today, you're already behind. Tools like Semgrep, CodeQL, and even current-generation Claude can find classes of bugs that static analysis misses. We've helped clients integrate AI-powered security scanning into their CI/CD pipelines—the setup cost is measured in days, not months.
- Accelerate migration to memory-safe languages. Many of Mythos's most severe findings exploited memory corruption bugs in C and C++ code. The 27-year-old OpenBSD bug, the FreeBSD NFS exploit, the FFmpeg codec flaw—all memory safety issues. Rust, Go, and modern C++ patterns eliminate entire categories of these vulnerabilities.
- Invest in automated patching infrastructure. When AI can find thousands of vulnerabilities in a week, manual patching processes become a liability. You need automated dependency updates, staged rollout pipelines, and the ability to deploy security fixes within hours of disclosure.
The Economics of AI-Powered Security
One underreported detail from the system card: cost efficiency. Mythos found the OpenBSD vulnerability for approximately $50 in API costs. The Linux kernel privilege escalation exploit—chaining 2-4 vulnerabilities into a full compromise—cost under $1,000 and took half a day. Compare that to hiring a senior penetration tester at $200-400/hour. A week-long engagement ($8,000-$16,000) might find a handful of vulnerabilities. Mythos found thousands across multiple codebases for less than the cost of a single consulting day. This doesn't replace human security researchers—Mythos's findings still needed expert validation, and the strategic decisions about what to scan and how to prioritize fixes require human judgment. But it fundamentally changes the economics of vulnerability discovery. Organizations that couldn't afford regular penetration testing can now access AI-powered scanning at a fraction of the cost.
What This Means for AI Security Specifically
If you're building AI applications, Mythos raises a specific concern: your AI system's code is software too. The same vulnerability classes that Mythos exploits in operating systems and browsers exist in AI frameworks, orchestration layers, and deployment infrastructure. We've seen this pattern play out already. The recent LangChain CVEs demonstrated that AI frameworks are not immune to traditional security flaws. Prompt injection gets the headlines, but the mundane vulnerabilities—SQL injection, path traversal, deserialization bugs—are what actually get exploited in production. A model with Mythos-level capabilities pointed at your AI stack's dependencies would likely find issues you haven't considered. The takeaway: treat AI application security with the same rigor you'd apply to any internet-facing production system.
The Precedent Problem
Anthropic's approach—build the model, prove it's dangerous, restrict access, give defenders a head start—is arguably the most responsible path available. But it creates uncomfortable precedents.
What happens when the next lab doesn't restrict access? Anthropic can control its own models, but the underlying capability improvement came from general research directions (better code understanding, stronger reasoning, improved autonomy). Open-source models are closing the gap on frontier capabilities. A model with even a fraction of Mythos's exploit development ability, released without restrictions, would be a significant threat multiplier.
What happens when Glasswing's 90 days are up? Anthropic has indicated that future Claude models will incorporate "new safety safeguards being developed through this research." But they haven't committed to a timeline for general Mythos availability. The $25/$125 per million tokens pricing suggests they're planning for eventual release—you don't set pricing for a model you never intend to ship.
The access asymmetry is real. Today, Microsoft, Apple, and Amazon have access to the most powerful security scanning tool ever built. Smaller companies and open-source projects have the $4M in foundation grants and the promise of published results. That gap matters when the vulnerabilities Mythos finds affect everyone's software.
How to Prepare Your Organization
Based on what we know about Mythos's capabilities, here's what I'd recommend for engineering and security teams right now:
1. Assume AI-Powered Attacks Are Coming
Don't treat this as a theoretical risk. Budget and plan for a world where attackers have access to models that can autonomously find and exploit zero-day vulnerabilities. This means:
- Shrink your attack surface aggressively
- Implement defense-in-depth (don't rely on any single security control)
- Increase monitoring for novel exploitation patterns
2. Start Using AI for Defense Today
Current models—Claude Opus 4.6, GPT-5.3—can already find significant classes of vulnerabilities. They're not Mythos, but they're dramatically better than no AI scanning at all. Integrate them into:
- Code review pipelines
- Dependency auditing
- Infrastructure configuration scanning
- Log analysis for anomaly detection
3. Prioritize Memory Safety
The vulnerability classes that Mythos exploits most effectively are memory corruption bugs in C/C++ code. If you're maintaining legacy codebases in these languages, every month of delay in migrating critical paths to memory-safe alternatives increases your exposure.
4. Strengthen Your Disclosure and Patching Pipeline
When Glasswing's results go public, expect a wave of vulnerability disclosures. Your ability to triage, patch, and deploy fixes quickly will determine whether you're protected or exposed. Test your incident response process now.
5. Watch the Open-Source Security Space
The Linux Foundation, Apache Software Foundation, and OpenSSF are direct beneficiaries of Glasswing. The security fixes and tooling that emerge from this program will be publicly available. Track their releases and adopt improvements as they ship.
What Comes Next
We're at an inflection point. Mythos proves that AI models have crossed a threshold where they can autonomously find and exploit vulnerabilities that humans have missed for decades. The capability exists. The question is how it gets distributed—and whether defenders can move fast enough.
Anthropic's bet is that a 90-day head start for defenders, backed by $100M in credits and partnerships with the world's largest technology companies, is enough to meaningfully improve the security of critical infrastructure before similar capabilities proliferate. Whether that bet pays off depends on how quickly Glasswing partners can find and fix vulnerabilities at scale—and how quickly competing models close the gap.
For security teams, the message is clear: AI-powered vulnerability discovery isn't a future concern. It's a current capability. The tools available today are already good enough to find bugs that your existing processes miss. The tools coming tomorrow will be dramatically better. Start building your AI security practice now, because the timeline for preparation just got a lot shorter.
---
At Particula Tech, we help organizations integrate AI into their security workflows—from automated vulnerability scanning to AI-powered incident response. If you're preparing for the next generation of AI-driven threats, [let's talk](https://particula.tech/contact).
Frequently Asked Questions
Quick answers to common questions about this topic
Claude Mythos Preview is Anthropic's most capable model to date, scoring 93.9% on SWE-bench Verified and 82% on Terminal-Bench 2.0. Its cybersecurity capabilities are unprecedented—it autonomously found thousands of zero-day vulnerabilities across every major operating system and web browser, including bugs that had gone undetected for up to 27 years.
