Mythos

On April 7, 2026, Anthropic announced Claude Mythos Preview and simultaneously launched Project Glasswing — a coordinated, industry-wide effort to use the model's capabilities for defense before attackers get access to anything comparable. The announcement was framed carefully, but the subtext was unmistakable: something has fundamentally shifted.

Mythos Preview is not an incremental improvement over Opus 4.6. It is a category leap. Where Opus 4.6 achieved a near-0% success rate at autonomous exploit development, Mythos Preview produced working exploits 181 times in the same Firefox benchmark where Opus 4.6 succeeded twice out of several hundred attempts. That is not iteration. That is a phase transition.

What Mythos Can Actually Do

The technical documentation from Anthropic's Frontier Red Team is specific enough to be sobering. Mythos Preview, directed by a simple prompt amounting to "please find a security vulnerability in this program," autonomously:

  • Identified zero-day vulnerabilities across every major operating system and every major web browser
  • Found a 27-year-old bug in OpenBSD — an OS built around security
  • Wrote a four-vulnerability chain browser exploit using a JIT heap spray to escape both renderer and OS sandboxes
  • Developed a FreeBSD remote code execution exploit granting full root access to unauthenticated users, using a 20-gadget ROP chain split across multiple packets
  • Achieved full control flow hijack on ten separate, fully patched targets in internal benchmarks

Engineers at Anthropic with no formal security training ran overnight vulnerability hunts and woke up to complete, working exploits. The exploit creation rate on demand: 83% success on first attempt. The AISI evaluation found that on expert-level Capture the Flag tasks — tasks no model could complete before April 2025 — Mythos Preview now succeeds 73% of the time.

Critically, Anthropic did not explicitly train Mythos for these capabilities. They emerged as a downstream consequence of general improvements in reasoning, coding, and autonomy. The implication: this is not a specialized offensive security model. It is what capable general intelligence looks like when pointed at code.

The Dual-Use Tension

The same capabilities that make Mythos dangerous make it invaluable for defense. Anthropic's own framing acknowledges this directly — the model can find and fix vulnerabilities at the same scale it can exploit them. Project Glasswing is the bet that defenders can move faster than attackers if given a head start.

The partners in Glasswing — Microsoft, AWS, Google, NVIDIA, Palo Alto Networks, and over 40 critical infrastructure operators — are being granted access to scan and secure first-party and open-source systems, backed by up to $100M in Anthropic usage credits and $4M in direct donations to open-source security organizations. The goal is to get ahead of the curve before models with similar capabilities are broadly released or independently developed.

But this optimism runs into a structural problem. A 2025 report found that over 45% of discovered security vulnerabilities in large organizations remain unpatched after 12 months. Many organizations running critical infrastructure operate end-of-life software decades old. You can find every bug in existence and the patch surface still won't keep pace if the operational capacity to remediate isn't there.

The Jagged Frontier Problem

One of the most important counterpoints to the Mythos announcement came from AISLE (AI Security Lab Environment), who took Anthropic's showcased vulnerabilities — including the flagship FreeBSD exploit — and ran them through small, open-weight models. Eight out of eight models detected the flagship vulnerability. One had 3.6 billion active parameters and cost $0.11 per million tokens.

This is the jagged frontier: AI cybersecurity capability does not scale smoothly with model size or cost. Discovery is broadly accessible today in models anyone can download. Exploitation may be more frontier-dependent, but the discovery moat is already gone. The competitive advantage Mythos provides is less about exclusive access to capabilities and more about the system — the agentic scaffolding, the coordinated disclosure pipeline, the organizational trust to act on findings.

What AISLE's analysis reveals is that the "defenders first" window is narrow. Once capable open-weight models appear with these reasoning and coding properties, the controlled release model breaks down. There are already uncensored variants of Google's Gemma 4 family on public repositories, released within days of the original model drop.

What This Actually Changes

For attackers: The floor for sophisticated vulnerability discovery has dropped dramatically. Nation-state actors aren't the only ones who can find and chain zero-days. Well-resourced criminal groups, and eventually less well-resourced ones, will have access to models with comparable discovery capabilities. Attack velocity increases. Patch windows compress.

For defenders: The case for AI-augmented security is no longer theoretical. Any security team not actively integrating AI into vulnerability discovery and triage is already behind. The advantage goes to whoever can operationalize these tools fastest — not whoever has access to the most powerful model.

For the software supply chain: The volume of discovered vulnerabilities will increase faster than the capacity to patch them. This is not a model problem. It is an organizational and infrastructure problem. The industry needs to invest not just in finding bugs but in automating remediation, improving software supply chain hygiene, and retiring end-of-life systems at a pace that wasn't previously necessary.

For frontier AI development: Mythos is not the ceiling. Anthropic stated plainly that they did not train Mythos for offensive security — it emerged from general capability improvements. Future models will be more capable still. The trajectory demands that safety evaluations, coordinated disclosure norms, and access controls evolve at the same pace as the underlying models.

Project Glasswing as Infrastructure, Not Solution

Project Glasswing matters not because it solves the problem but because it establishes a pattern — a model for how frontier AI labs should handle dual-use capability releases. Restricted access, coordinated disclosure, industry consortium, usage credits for defenders first. This is the responsible release playbook at the cybersecurity frontier.

But it is explicitly a starting point. Anthropic's own framing says the work of defending the world's cyber infrastructure might take years and that frontier AI capabilities are likely to advance substantially over that period. The equilibrium where defenders have the durable advantage over attackers — the analogy Anthropic draws to how fuzzers eventually benefited defenders more than attackers — requires surviving the transition period intact.

The transitional period, as Anthropic acknowledges, may be tumultuous regardless.

The Bottom Line

Mythos Preview represents the first public confirmation that AI has crossed a threshold in offensive security capability that demands a coordinated response. Not because it is the only model that can do these things — it likely isn't — but because Anthropic was transparent enough to say so publicly, restrict access, and build infrastructure around defense.

The future of cybersecurity is one where vulnerability discovery is cheap, fast, and broadly accessible. The organizations that win are the ones that build the operational infrastructure to act on findings — the remediation pipelines, the patching velocity, the supply chain controls — before the attack surface catches up with the discovery rate.

The question is no longer whether AI will transform cybersecurity. It already has. The question is whether defenders can build faster than attackers can exploit.

Created with 💜 by One Inc | Copyright 2026