Claude Mythos: The AI That Breaks Everything. Anthropic Is Betting It Can Protect Us Instead.
By Lando Calrissian | April 8, 2026 Research by Mara Jade
Anthropic has built an AI model that can break every major operating system and browser on earth, autonomously, without human help.
They are not releasing it. Not to the public, not to API customers, not through any commercial channel. Instead, they have assembled 52 of the world’s most critical technology organisations — Amazon, Apple, Google, Microsoft, NVIDIA, JPMorganChase, the Linux Foundation — and given them access to hunt for vulnerabilities before the adversaries do.
This is Claude Mythos Preview. This is Project Glasswing. And whether or not the bet pays off, the announcement changes how the industry should think about what AI is becoming.
What Mythos Can Do
Let’s not bury this.
The model found a 27-year-old vulnerability in OpenBSD — an operating system whose primary reputation is its security record. It found vulnerabilities in every major operating system: Windows, macOS, Linux, OpenBSD, FreeBSD. It found them in every major web browser. Many of the bugs it found are one to two decades old, sitting in code that has been reviewed by some of the best engineers in the world for years.
And it did not just find them. It built working exploits.
Anthropic’s red team asked engineers with no formal security training to have Mythos find remote code execution vulnerabilities overnight. They woke up the next morning to a complete, working exploit.
Where Opus 4.6 produced working Firefox exploits twice across several hundred attempts, Mythos Preview produced 181 working exploits. On Anthropic’s internal OSS-Fuzz corpus — roughly 1,000 open source repositories, 7,000 entry points — Sonnet 4.6 and Opus 4.6 each produced around 150 Tier 1 crashes and about 100 Tier 2 crashes, with one Tier 3 crash each. Mythos Preview produced 595 crashes at Tiers 1-2, plus Tier 3, Tier 4, and ten full control flow hijacks on fully patched Tier 5 targets.
A Tier 5 crash is complete control of execution flow. On a fully patched system. Ten times. On targets nobody had broken before.
The capabilities were not trained in. They emerged from general improvements in code understanding, reasoning, and autonomous operation — the same three capabilities that made autoresearch possible, applied to a different domain. The implication is uncomfortable: whatever is happening to these capabilities as models scale, it is not slowing down.
Why Anthropic Is Not Releasing It
The answer is not complicated. The same capability that finds vulnerabilities also exploits them.
A model this powerful, available to anyone, would drop the barrier to sophisticated cyberattacks to near zero. Finding a working zero-day in every major OS used to require world-class expertise and months of work. Mythos can do it overnight.
Anthropic has been in talks with CISA and the Center for AI Standards and Innovation. They have also been in legal dispute with the Pentagon — refusing to allow Mythos to be used for lethal autonomous targeting or surveillance. That combination — a model powerful enough to justify military interest and principled enough to refuse it — is a narrow position to hold.
The company’s stated reasoning for withholding public access is that adversarial actors at state-sponsored labs in China, Iran, North Korea, and Russia will have equivalent capabilities within months. The head start is real but finite. Project Glasswing is an attempt to use that window productively.
Project Glasswing: The Bet
The strategy is straightforward: give defenders access first, at scale, with urgency.
The 12 launch partners — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — represent the organisations responsible for the software that runs essentially all of civilisation’s critical infrastructure. Forty additional organisations join them. All are scanning and securing first-party and open-source systems with Mythos before the model reaches anyone else.
Anthropic is backing this with $100M in Mythos usage credits and $4M in direct donations to open-source security organisations. Partners are expected to share findings so the benefits compound across the ecosystem, not just within each organisation.
The name is a metaphor. The glasswing butterfly is transparent — drawing an analogy to software vulnerabilities that are relatively invisible until something finds them. The ambition: find them first.
The Numbers That Matter
Over 99% of the vulnerabilities Mythos found are not yet publicly disclosed. Anthropic is following coordinated disclosure — notifying vendors, waiting for patches, then going public. Patching thousands of critical vulnerabilities across every major OS, measured against real-world vendor response timelines, will take months to years. During that window, the vulnerabilities exist as known-to-Anthropic, known-to-partners, unknown-to-public, and not-yet-fixed.
89% of Mythos’s severity assessments agreed with independent professional security contractors. The model is not just finding vulnerabilities — it is assessing them accurately.
The oldest vulnerability found: 27 years. In OpenBSD.
The Uncomfortable Parallel
Anthropic draws an analogy to AFL-style software fuzzers. When fuzzers were first deployed at scale, the fear was that attackers would use them to find vulnerabilities faster than defenders could patch. That fear was correct. Fuzzers did accelerate attacker timelines. But they also became critical defensive infrastructure — OSS-Fuzz has found tens of thousands of bugs in open-source software that would otherwise have remained unfound.
Anthropic is betting the same equilibrium will emerge with AI-powered vulnerability research. The concern is the transition.
This is the most significant security announcement since Stuxnet. Not because of what Mythos can do today — the vulnerabilities it found will be patched over the coming months. But because of what the trajectory signals.
If these capabilities emerged as a natural consequence of general model improvements, they will emerge in other models. The only question is whether Project Glasswing patches fast enough before adversaries arrive with their own versions.
What This Actually Means
Three things are true simultaneously and do not resolve neatly.
First: Anthropic built something extraordinary and is being transparent about it. They are not hiding Mythos. They are not quietly deploying it for commercial advantage. They announced it, explained it technically, named the organisations involved, committed real money, and constructed a coordinated response. That is better than the alternative, and it deserves credit.
Second: The underlying situation is not comfortable. An AI model that can autonomously break every major operating system exists. More will exist. The window in which defenders have exclusive access to this capability is finite. And the world’s most critical software contains decades of accumulated vulnerabilities that cannot all be patched in months.
Third: The glasswing butterfly is an apt metaphor in a way Anthropic may not have intended. The glasswing is beautiful, transparent, and fragile. It survives by being hard to see. The security of critical software has historically depended on the same principle — the attackers did not know where to look. Mythos eliminates that advantage, for defenders and attackers alike.
Project Glasswing is the right response to a situation that has no clean solution. Whether it works will depend on whether 52 organisations can patch faster than adversaries can develop.
The race has already started.
Timeline
| Date | Event |
|---|---|
| March 26, 2026 | Fortune reports Mythos existence after draft blog post found in public data lake — another Anthropic data security incident |
| March 27, 2026 | Cybersecurity stocks fall on Mythos news |
| March 31, 2026 | Claude Code source leak confirms “Capybara” (Mythos) internal codename and regression data |
| April 7, 2026 | Anthropic officially announces Project Glasswing and Claude Mythos Preview — 52-organisation coordinated response |
| Ongoing | Coordinated disclosure process for 99%+ of vulnerabilities found — timeline: months to years |
Sources: Anthropic Project Glasswing (glasswing.anthropic.com), Anthropic Red Team blog (red.anthropic.com), TechCrunch, CNBC, The New York Times, The Register, Simon Willison.
Share this