- Anthropic’s Claude Mythos Preview autonomously discovered thousands of zero-day vulnerabilities across every major operating system and web browser, including a 17-year-old FreeBSD remote code execution flaw.
- Project Glasswing unites 12 founding partners — AWS, Apple, Google, Microsoft, NVIDIA, CrowdStrike, and others — with $100M in compute credits to secure the world’s most critical software before attackers can exploit similar capabilities.
- Mythos achieved a 181-out-of-210 success rate on complex exploit development tasks where previous models scored near zero, marking an inflection point in AI-driven security research.
- Anthropic has no plans for general availability, restricting access to vetted defenders and open-source maintainers while new safeguards are developed.
On April 7, 2026, Anthropic pulled back the curtain on something unprecedented: an AI model that can hack better than most human security researchers. Claude Mythos Preview, a new tier above the Opus line, autonomously identified and exploited thousands of previously unknown software vulnerabilities — then Anthropic handed the keys to the defenders. The move represents one of the most consequential decisions in AI safety to date, and it has already reshaped the cybersecurity landscape.
What Claude Mythos Can Actually Do
Zero-Day Discovery at Machine Speed
Mythos Preview does not just find bugs. It chains multiple vulnerabilities together, writes functional exploits, and validates them — all without human intervention after the initial request. In internal testing, the model achieved 595 crashes at severity tiers 1-2 on OSS-Fuzz targets and reached tier 5 (full control flow hijack) on 10 separate targets. Previous Anthropic models managed only single tier-3 crashes on the same suite.
The headline result: Mythos developed working exploits 181 out of 210 times on Firefox JavaScript engine vulnerabilities, a task where Opus 4.6 scored near zero. It also found a 27-year-old OpenBSD SACK vulnerability, a 16-year-old FFmpeg H.264 codec bug, and a 17-year-old FreeBSD NFS remote code execution flaw (CVE-2026-4747) — all fully autonomously.
Cost-Effective at Scale
The economics are striking. An OpenBSD vulnerability discovery runs under $50. Scanning 1,000 repositories costs approximately $20,000. Developing an n-day exploit costs $1,000-$2,000 per exploit. For context, equivalent human penetration testing engagements run tens of thousands of dollars per target and take weeks, not minutes.
AI Biz Insider Analysis ― The cost differential is the real story. When finding a critical zero-day costs less than a dinner for two, the economics of software security fundamentally change. Every open-source maintainer can now afford nation-state-level vulnerability research. The question is no longer whether AI will transform cybersecurity, but whether defenders can deploy fast enough to stay ahead of attackers who will inevitably gain similar capabilities.
Project Glasswing: Defense Before Offense
A $100M Coalition of Tech Giants
Rather than releasing Mythos broadly, Anthropic launched Project Glasswing — a coordinated initiative to give defenders a head start. The 12 founding partners read like a who’s who of critical infrastructure: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. More than 40 additional organizations that build or maintain critical software have also been granted access.
Anthropic committed $100M in model usage credits to fuel the effort, covering substantial usage throughout the research preview period. All vulnerability findings go through professional human validation and follow responsible disclosure timelines of 90+45 days, with SHA-3 hashes for transparent accountability.
Why Limited Release Matters
Anthropic explicitly stated it has no plans to make Mythos Preview generally available. The company wants to safely deploy Mythos-class models at scale only when new safeguards are in place. This is a deliberate departure from the race-to-release dynamic that has defined the AI industry. As security researcher Bruce Schneier noted, the restricted approach “sounds necessary” given the model’s capabilities.
The Council on Foreign Relations called Mythos “an inflection point for AI — and global security,” noting that the model’s exploit-chaining ability (combining 2-4 separate bugs into a single attack path) puts it on par with capabilities previously reserved for well-funded government cyber units.
AI Biz Insider Analysis ― Anthropic’s playbook here is unusually smart. By restricting access to defenders first, they get to claim the safety high ground while simultaneously building the most powerful security partnerships in the industry. If Glasswing’s partners find and patch thousands of vulnerabilities before Mythos-class capabilities proliferate, Anthropic will have created a moat of goodwill that no competitor can easily replicate. It is a business strategy disguised as an act of responsibility — and it might actually work.
What This Means for the Industry
The implications extend far beyond Anthropic. If a single model can autonomously discover thousands of zero-days across every major platform, the entire vulnerability disclosure ecosystem needs to accelerate. Patching cycles measured in weeks or months become unacceptable when an AI can find and chain exploits in hours. Organizations that maintain critical open-source infrastructure, many of which are chronically underfunded, suddenly have access to Fortune 500-level security tooling through Glasswing’s credits.
For the broader AI industry, Mythos sets a precedent: some capabilities may be too dangerous for general release, at least initially. How OpenAI, Google, and others respond to this framework will define the next chapter of AI governance. The race is no longer just about building the most capable model — it is about building the most responsible deployment strategy for capabilities that could reshape geopolitics.
Related
- Anthropic ARR Triples to $30B in Four Months With Usage-Based Billing Pivot
- Adobe Just Turned Its Entire Creative Suite Into One AI Agent
- OpenAI and Google Ship Rival Agent SDKs on the Same Day
- AI Agent Success Rate Quadruples in One Year, Stanford Report Reveals
Sources
- Anthropic – Claude Mythos Preview (red.anthropic.com)
- Anthropic – Project Glasswing: Securing Critical Software for the AI Era
- Fortune – Anthropic Gives Firms Early Access to Claude Mythos
- Schneier on Security – On Anthropic’s Mythos Preview and Project Glasswing
AI Biz Insider · AI Trends EN · aibizinsider.com
댓글 남기기