It’s been three weeks since Anthropic dropped Claude Mythos Preview into the cybersecurity world’s lap, and I’ve been watching the news cycle settle into a strange shape. The model is doing the things its release notes promised — finding zero-days at a scale that breaks how we think about software maintenance — and the part that went wrong wasn’t the AI safety apparatus around it. It was the vendor boundary. As an MSP operator, that’s the part I keep coming back to.
This is the post I’ve been wanting to write since the breach reporting landed last week. Here’s where I’ve netted out.
The capability claims survived independent review
When Anthropic announced Mythos Preview on April 7, I was skeptical of the headline numbers. “Thousands of zero-days across every major OS and browser” reads like marketing, and Anthropic’s own red team wrote the post. I gave it a week before forming a view, and the AISI evaluation that landed on April 13 changed my position.
AISI ran their full cyber suite. On expert-level capture-the-flag challenges — which no model could complete before April 2025 — Mythos Preview hit a 73% success rate. More striking, on their 32-step “The Last Ones” corporate network range (which they estimate takes a human professional roughly 20 hours), Mythos became the first model to ever solve it end-to-end, succeeding in 3 of 10 attempts and averaging 22 of 32 steps. Claude Opus 4.6, the previous best, averaged 16. That gap matters. It’s not “model B is a few percent better than model A.” It’s “model B finishes the job.”
The Mozilla data point is the one that should keep defenders up at night. Firefox 150 shipped with patches for 271 vulnerabilities Mythos found in a single evaluation pass. Some had been sitting in the codebase through 27 years of human review. Whatever you think of the AI-hype cycle, that is a step change in vulnerability discovery economics.
Project Glasswing is a sensible response, but it created a new attack surface
Anthropic chose not to release Mythos publicly. Instead they stood up Project Glasswing — a closed consortium of around 40 organizations including AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, JPMorgan Chase, the Linux Foundation, NVIDIA, and Palo Alto Networks — to use the model on critical software ahead of any general release.
I think the call was right. A model that can autonomously chain a 32-step network attack through a corporate environment is not something you put behind a credit card and a checkbox EULA. Restricting access to defenders who can fix what the model finds, before the same capability reaches attackers, is the only version of “responsible disclosure at AI speed” that I’ve seen articulated coherently.
But here’s the thing nobody seems to want to say out loud: Glasswing is a supply chain. The moment you create a tightly-controlled, high-value access tier, you’ve also created a target that someone is going to try to compromise. And someone did, almost immediately.
The breach was a vendor-environment failure, not an AI failure
The reporting that came out April 21–22, with more detail through the week, is unusually clean for an AI security incident. A worker at one of Anthropic’s third-party contractors used their legitimate vendor access to fingerprint where Mythos was hosted, then shared that location with a Discord group that hunts for unreleased model endpoints. The group reportedly guessed the URL pattern based on Anthropic’s prior model deployments and got in.
Anthropic’s statement says they have no evidence of activity beyond the “vendor environment” — the infrastructure third parties use for model development access. I believe them, because the failure modes here are completely conventional: predictable URL schemas, a contractor with too-broad access, no apparent rate limiting or anomaly detection on the vendor tier, and a hostile community organized enough to industrialize the guessing.
Strip the word “AI” out of this story and it’s an MSP-101 incident. We’ve been telling clients for years that their third-party contractors are the soft underbelly of any compliance program. The Mythos breach is the same lesson at a different altitude.
What the framing wars get wrong
The commentary has split predictably. The left-wing critique (CounterPunch, La Lucha) reads Glasswing as Anthropic appointing itself the arbiter of who gets defensive AI — calamity makers running the calamity insurance racket. The Foreign Policy piece reads the same facts as a serious shift in the cyber calculus that nation-states will not respond to slowly. Both are partially right and miss the operational reality.
The operational reality is that the technology is here, the access tier was breached within two weeks, and the next dozen models from the next dozen labs will not have Anthropic’s deployment discipline. We are at the start of a regime where defenders need to assume that some attacker has access to a Mythos-class capability, even if the official rosters say otherwise.
That’s not a policy debate. That’s a prioritization shift. Patch faster. Inventory better. Assume your old code has bugs nobody has found yet — and that someone with a model is going to find them this quarter.
What I’m watching
Three things over the next month.
First, whether Mozilla’s 271-bug patch cycle gets repeated by anyone else publicly. If Microsoft, Apple, or a major Linux distribution ships a similar tranche of Mythos-attributed fixes, the “Glasswing is working” narrative gets a real anchor. If it stays Mozilla-only, the consortium starts to look performative.
Second, whether Anthropic publishes the post-mortem on the vendor breach. They owe the security community a clear write-up of how the access boundary failed, because every other lab building the same kind of restricted tier is making the same mistakes right now.
Third, the cheap-knockoff timeline. AISI’s evaluation showed performance scaling smoothly with inference budget up to 100M tokens. The capability isn’t a moat — it’s a price point. I’d give it six months before something open-weight reaches “Mythos-minus-30%,” and at that point the Glasswing model of restricted access stops working as a containment strategy and starts working only as a head-start.
I’d love to be wrong on the third one.
Sources
- Claude Mythos Preview — red.anthropic.com
- Our evaluation of Claude Mythos Preview’s cyber capabilities — AISI
- Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems — The Hacker News
- How a cavalcade of blunders gave unauthorized users access to Claude Mythos — Tom’s Hardware
- Anthropic’s Claude Mythos Preview Changes Cyber Calculus — Foreign Policy
Leave a Reply