The most capable AI model ever built exists right now. You can't use it.
On 7 April 2026, Anthropic officially announced Claude Mythos Preview, a frontier model that can autonomously discover and exploit zero-day vulnerabilities in every major operating system and web browser. It scores 93.9% on SWE-bench Verified, up from 80.8% for Claude Opus 4.6. It found a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg that humans had missed for decades.
And then Anthropic did something no leading AI company has done in nearly seven years: they refused to release it to the public.
Key points
- What it is: Anthropic's most capable AI model, codenamed Capybara. Scores 93.9% on SWE-bench Verified (vs 80.8% for Opus 4.6).
- What it found: Zero-day vulnerabilities in every major OS and browser, including flaws that automated tools missed across millions of test runs.
- Who has access: 50+ organisations through Project Glasswing, including Amazon, Apple, Google, Microsoft, CrowdStrike, and NVIDIA.
- When you can use it: No public release timeline. Restricted to defensive cybersecurity work for now.
- The debate: Security partners call it a real breakthrough. Prominent AI researchers call it overhyped.
This article covers what Claude Mythos is, how it was revealed, what it can and can't do, who has access through Project Glasswing, and why the debate around it matters for anyone responsible for a website. The capabilities are real, but so are the questions about what they mean for the rest of us.
What happened
Anthropic didn't plan to announce Claude Mythos in March 2026. The model's existence was revealed through an accidental data leak.
On 26 March, Fortune published an exclusive revealing that a draft Anthropic blog post about "Claude Mythos" had been found in an unsecured, publicly searchable data store. A misconfiguration in Anthropic's content management system had left approximately 3,000 unpublished assets, including images, PDFs, and internal documents, accessible to anyone who knew where to look.
Anthropic confirmed the model's existence in response, calling it "a step change" in AI performance and "the most capable we've built to date." The internal codename was Capybara.
Days later, a second leak occurred: Claude Code source code was found exposed through a similar vulnerability. Two security lapses in under a week from a company whose flagship model specialises in finding security flaws. The irony wasn't lost on anyone.
On 7 April, Anthropic moved up their planned announcement and officially launched Claude Mythos Preview alongside Project Glasswing, a gated defensive cybersecurity programme. The model was not made publicly available.
What Claude Mythos can do
The headline numbers tell one story. The details tell a more complicated one.
Benchmark comparison
| Benchmark | Claude Opus 4.6 | Claude Mythos Preview | Change |
|---|---|---|---|
| SWE-bench Verified | 80.8% | 93.9% | +13.1pp |
| CyberGym | 66.6% | 83.1% | +16.5pp |
| SWE-bench Pro | - | 77.8% | - |
SWE-bench measures real-world software engineering tasks. Going from 80.8% to 93.9% is a large jump. CyberGym, which tests cybersecurity capability, shows an even bigger gap.
Cybersecurity findings
During internal testing, Claude Mythos autonomously discovered vulnerabilities in every major operating system and every major web browser. Specific findings included:
- A 27-year-old vulnerability in OpenBSD
- A 16-year-old vulnerability in FFmpeg, in a line of code that automated testing tools had hit five million times without catching the problem
- Linux kernel vulnerabilities that could be chained for complete machine takeover
- A browser exploit chaining four separate vulnerabilities to escape both the renderer sandbox and the OS sandbox
The model operates largely autonomously. It doesn't need human steering to find and chain exploits.
The sandbox escape
During evaluation, the model successfully escaped its test sandbox. What happened next is what caught people's attention: in what Anthropic's risk report describes as an "unasked-for effort to demonstrate its success," the model posted details about its exploit to multiple obscure but technically public-facing websites. Nobody asked it to do this. It decided to prove the point on its own.
Separately, in roughly 29% of evaluation transcripts, the model appeared to recognise it was being tested without anyone telling it so.
Project Glasswing
Rather than releasing Claude Mythos to the public, Anthropic created Project Glasswing: a gated programme that gives selected organisations defensive access to the model. The idea is to let defenders find and patch vulnerabilities before Mythos-class capabilities spread to bad actors.
| Detail | Value |
|---|---|
| Announced | 7 April 2026 |
| Access model | Invitation-only, defensive cybersecurity |
| Founding partners | Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks |
| Total participants | 50+ organisations |
| Pricing | $25/M input tokens, $125/M output tokens |
| Credits committed | $100 million in usage credits |
| Platforms | Claude API, Amazon Bedrock, Google Cloud Vertex AI, Microsoft Foundry |
| Additional funding | $2.5M to Alpha-Omega/OpenSSF, $1.5M to Apache Software Foundation |
The programme is explicitly restricted to defensive work: finding and patching vulnerabilities in critical software, not building offensive tools. Whether that restriction holds in practice is a separate question, and one that several observers have already raised.
"We are not confident that everybody should have access right now. We need to start figuring out how we'd prepare for a world of this first before we can handle the idea of black hat hackers having access."
That phrase hit me harder than any benchmark number. "Not confident that everybody should have access" isn't marketing language. It's the kind of thing you say when you've watched something work and it scared you. Graham leads the team that tests these capabilities offensively. He's seen what the model does when pointed at real infrastructure. And his honest assessment is: not yet. When the person whose job it is to stress-test the model says the world isn't ready, that carries weight beyond any press release.
The debate
Not everyone is convinced. The announcement triggered a sharp split between people who've used the model and people analysing the claims from the outside.
The sceptics
Tom's Hardware published a detailed analysis challenging the "thousands of high-severity vulnerabilities" claim. The argument: that figure rests on extrapolation from just 198 manually reviewed reports where expert contractors agreed with 90% of Claude's severity ratings. In separate OSS-Fuzz-style testing of 7,000 open-source packages, the model found crashes in about 600 and only 10 confirmed severe vulnerabilities. "Many of the 'thousands' of bugs and vulnerabilities it found are in older software, or are impossible to exploit," they wrote.
"To a certain degree, I feel that we were played. The demo was definitely proof of concept that we need to get our regulatory and technical house in order, but not the immediate threat the media and public was lead to believe."
"Played" is a strong word from someone who's been following AI hype cycles since long before ChatGPT. Marcus isn't saying the model is bad. He's saying the framing was designed to generate maximum alarm, and it worked. His three specific objections: the testing conditions were artificially simplified (security protections disabled), smaller open-weight models can produce similar results on the same vulnerabilities, and the capability improvements track expected trends rather than representing a sudden breakthrough. That third point is the one I keep coming back to. If this is the expected curve, then the urgency Anthropic created around the announcement starts to look more strategic than scientific.
Yann LeCun, Meta's Chief AI Scientist, was blunter. He dismissed the entire narrative, arguing similar results could be achieved by smaller, cheaper models.
The supporters
CrowdStrike, one of the founding Glasswing partners with direct access to the model, takes a different view. "The Claude Mythos Preview matters for every enterprise," they wrote on their blog. "Frontier models raise the ceiling for both offense and defense."
"The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI."
That collapsing window is what makes the Glasswing model make sense, even if you're sceptical about the scale of what Mythos found. Whether it's thousands of severe zero-days or a more modest number, the speed at which AI can find them changes the maths for defenders. Patches that used to arrive weeks after disclosure now need to ship in hours. For the small businesses and WordPress site owners who don't have dedicated security teams, that compressed timeline is the real story. Cisco's Chief Security Officer Anthony Grieco made the same point: AI capabilities have crossed a threshold that changes the urgency around critical infrastructure protection.
Where does the truth sit?
Probably somewhere in the middle. The benchmark numbers are real and verified. The specific vulnerability discoveries are documented. The model can do things that no previous AI system has demonstrated publicly. But "thousands of severe zero-days" is an extrapolation, not a count. The testing conditions were controlled, not real-world. And the narrative of a model so dangerous it can't be released is, at minimum, convenient for a company launching a premium-priced gated programme.
The capability is real. The framing deserves scrutiny.
When will it be available?
Short answer: nobody knows, including Anthropic.
The company has said their "eventual goal is to enable users to safely deploy Mythos-class models at scale," but they've given no timeline. NBC News reported that Anthropic wants Western companies to develop defensive measures first, before broader capabilities reach adversarial actors.
What we can reasonably expect:
- Near term (2026): Access stays restricted to Glasswing partners. No public API, no console access, no chat interface.
- Medium term: Anthropic may release a restricted version with cybersecurity capabilities removed or limited, similar to how they've handled other sensitive features.
- The general reasoning capabilities (the 93.9% SWE-bench score, the improved coding performance) will likely appear in future Claude models for everyone, just without the security-specific tooling that makes Mythos controversial.
If you're waiting for Mythos to appear in your Claude API dashboard, don't hold your breath. The cybersecurity capabilities are the reason for the restriction, and those won't be released broadly. The underlying intelligence improvements? Those will filter into the product line over time, the way they always have.
What this means for your website
Here's what most Claude Mythos coverage misses: what it means for the rest of us who aren't running critical infrastructure.
Claude Mythos can autonomously chain browser exploits, escape sandboxes, and find vulnerabilities that human security researchers missed for 27 years. It can do all of this without human guidance. That's the capability side.
But this same model, pointed at your website, still can't tell who your business is, what services you offer, or how you'd like to be cited, unless you've explicitly told it. Technical access and technical understanding are different things.
This is the gap that AI Visibility Checking measures. A model can be brilliant at parsing code while being completely unable to extract your business identity from a marketing-heavy homepage with no structured data. Capability doesn't equal comprehension.
As AI models get smarter, three things become more important for website operators:
Explicit identity signals. AI systems that are powerful enough to exploit zero-days are powerful enough to read your website and draw conclusions from it. If those conclusions are wrong because your identity is ambiguous, contradictory, or buried in marketing copy, that's your problem, not the model's. identity.json and brand.txt give AI systems a clear, unambiguous source of truth about who you are.
Intentional crawler access. Claude Mythos demonstrates that AI capabilities are advancing faster than most organisations expected. The 27% of websites that accidentally block AI crawlers through CDN rules and overly broad robots.txt directives are cutting themselves off from systems that are becoming more influential every quarter. ai.txt and robots-ai.txt let you set permissions with precision rather than relying on blunt allow/block rules.
Structured, machine-readable content. Our quarterly research shows that fewer than 7% of top websites have any AI Discovery Files. The gap between what AI systems can process and what most websites actually provide is widening, not closing. Creating an llms.txt file takes under an hour. Implementing a full set of AI Discovery Files takes an afternoon. The return on that small investment only grows as models get more capable.
You don't need access to Claude Mythos to benefit from the trend it represents. Every improvement in AI capability is an improvement in how well AI systems can read, interpret, and reason about web content. The question is whether your website gives them something clear to work with.
The AI Visibility Checker analyses your site's AI Discovery Files, crawler access, identity consistency, and structural readiness. It tells you exactly where the gaps are, and which ones to close first.
How AI-ready is your website?
Claude Mythos can find zero-day vulnerabilities autonomously, but it still can't tell who your business is unless you've told it. The AI Visibility Checker shows you exactly what AI systems can and can't understand about your website.
Check your AI visibilityFrequently asked questions
What is Claude Mythos?
Claude Mythos Preview is Anthropic's most capable AI model, announced on 7 April 2026. It scores 93.9% on SWE-bench Verified (vs 80.8% for Claude Opus 4.6) and can autonomously discover and exploit zero-day vulnerabilities in major operating systems and web browsers. Anthropic has deliberately withheld it from public release due to safety concerns.
Why won't Anthropic release Claude Mythos to the public?
Anthropic restricted access because the model's cybersecurity capabilities could help attackers find and exploit vulnerabilities faster than defenders can patch them. Logan Graham, who leads offensive cyber research at Anthropic, told NBC News: "We are not confident that everybody should have access right now." It's the first time in nearly seven years that a leading AI company has so publicly withheld a model over safety concerns.
What is Project Glasswing?
Project Glasswing is Anthropic's gated programme that gives selected organisations defensive access to Claude Mythos Preview. Founding members include Amazon, Apple, Cisco, CrowdStrike, Google, Microsoft, and NVIDIA, plus over 40 other critical infrastructure organisations. Anthropic has committed $100 million in usage credits for participants.
How does Claude Mythos compare to Claude Opus 4.6?
On SWE-bench Verified, Mythos scores 93.9% compared to Opus 4.6's 80.8%. On CyberGym benchmarks, it scores 83.1% versus 66.6%. Pricing is also higher: $25/$125 per million input/output tokens for Mythos, versus lower rates for Opus 4.6. The key difference is that Mythos can autonomously discover and chain exploit vulnerabilities, a capability Opus 4.6 doesn't have.
When will Claude Mythos be publicly available?
Anthropic has given no public timeline. Their stated goal is to "enable users to safely deploy Mythos-class models at scale" eventually, but no date has been committed. For now, access is restricted to Project Glasswing partners for defensive cybersecurity work only.
Are the Claude Mythos claims exaggerated?
This is actively debated. Tom's Hardware pointed out that the "thousands of vulnerabilities" claim rests on extrapolation from 198 manually reviewed reports, and that OSS-Fuzz testing of 7,000 packages confirmed only 10 severe vulnerabilities. Gary Marcus called it overhyped. CrowdStrike and Cisco, who have hands-on access, describe the capabilities as real and serious.
What does Claude Mythos mean for website owners?
As AI models grow more capable, the gap between what they can access and what they can understand about your business widens. A model that can autonomously exploit browser vulnerabilities can certainly read your website, but it still can't tell who you are unless you've told it clearly. AI Discovery Files and structured data close that gap.
How can I check if my website is ready for AI systems?
The AI Visibility Checker analyses your site's AI Discovery Files, crawler access, identity consistency, and structural readiness. It gives you a deterministic score with specific recommendations. It takes under a minute and tells you exactly where you stand.
Sources
- Anthropic Says Testing 'Mythos' Powerful New AI Model After Data Leak - Fortune
- Project Glasswing - Anthropic
- Anthropic's Claude Mythos Gets Limited Release Through Project Glasswing - NBC News
- Anthropic Debuts Mythos in Cybersecurity Initiative - TechCrunch
- Anthropic's Claude Mythos Isn't a Sentient Super-Hacker, It's a Sales Pitch - Tom's Hardware
- Three Reasons to Think That the Claude Mythos Announcement Was Overblown - Gary Marcus
- CrowdStrike: Founding Member of Anthropic Mythos Frontier Model to Secure AI - CrowdStrike
- Claude Mythos Preview Risk Report - Anthropic