It has been twelve days since Anthropic pulled back the curtain on Claude Mythos Preview, and I am still not sure the industry has caught up with what happened. The model was announced on April 7, the AI Security Institute published its evaluation a week later, and this weekend a Pentagon-adjacent spat made its way onto CNBC. In between those headlines is the quieter story I care about: a very small number of organizations were handed a very large head start on patching the world’s software, and the rest of us are racing the clock to keep up.
This post is my attempt to pull the last twelve days of Mythos coverage into a single frame. I am writing as a practitioner, not a pundit, which means I care less about whether Anthropic’s decision was “right” in the abstract and more about what the release structure actually means for the people who have to defend production systems on Monday morning.
The capability jump, by the numbers
The numbers are the part I keep coming back to, because they are easy to dismiss until you line them up next to the previous generation. On CyberGym, Mythos Preview hits 83.1% on vulnerability reproduction versus 66.6% for Opus 4.6. On SWE-bench Pro it jumps to 77.8% from Opus 4.6’s 53.4%. These are not the sort of gains you shrug off; they are the sort of gains that change what a single engineer can do in an afternoon.
The AI Security Institute’s independent evaluation is what really moved me off my priors. AISI built a 32-step attack range called “The Last Ones” — roughly 20 hours of human effort — and Mythos Preview is the first model to solve it end-to-end, in three of ten attempts. On expert-level CTF tasks it hits 73%. AISI is careful to caveat that their range lacks “active defenders and defensive tooling,” so the numbers apply to “weakly defended and vulnerable enterprise systems.” Which, if we’re being honest about the installed base, is a lot of what’s out there.
Why I think the gated release is defensible
Simon Willison’s analysis convinced me that Anthropic’s decision to keep Mythos behind Project Glasswing is the right call, at least for now. His write-up highlights a detail I had not fully absorbed: in a Firefox JavaScript exploit-generation task, Claude Opus 4.6 succeeded 2 times while Mythos succeeded 181. That is not an incremental step; it is a phase change. Willison’s quote from Daniel Stenberg — “I’m spending hours per day on this now. It’s intense.” — captures the mood among maintainers better than any press release can.
The gated-release structure, backed by $100M in Mythos Preview credits, $2.5M to Alpha-Omega and OpenSSF, and $1.5M to the Apache Software Foundation, is Anthropic acknowledging something important: the offense–defense asymmetry is not temporary, and someone has to front-load the defensive work. I would rather that “someone” be a coalition of eleven launch partners with an obligation to file disclosures on a 90-day clock than a generally available API with no strings attached.
The forty-organization problem
This is where the Council on Foreign Relations analysis starts to worry me. CFR’s read is that Mythos represents a fundamental shift in the offense–defense balance — “discovery is accelerating exponentially. Remediation still moves at human speed.” That is not a fixable problem in twelve days, or ninety, or probably a year. Project Glasswing extends access to roughly 40 organizations. The rest of the global software estate — antiquated systems running dams, reactors, power plants, water utilities, not to mention every small business with a VPN appliance from 2018 — remains exactly as exposed as it was on April 6.
CFR’s fifth point is the one I keep returning to: proliferation containment will likely fail. The CMS leak that preceded the official announcement on March 26 is a useful case in point. Once capabilities exist, source code leaks, red-team tooling, and the economic incentive to replicate them means the window in which Glasswing’s privileged partners enjoy an exclusive defensive advantage is, at best, measured in months. Everyone downstream is running a patch race against a clock they cannot see.
The governance vacuum nobody wants to fill
The IAPP piece names the uncomfortable part out loud: private companies are now making consequential safety decisions about systemic financial and infrastructure security. The framing I found most useful was the analogy to aviation and nuclear industries, where “safety, control and oversight must be established before large-scale deployment.” We do not have anything like that regime for frontier AI, and the Anthropic–White House friction that surfaced on CNBC this week is, I think, a symptom of institutions discovering in real time that they lack the formal authority to oversee these choices.
AISI is probably the closest thing we have to a functioning model, and even AISI is running pre-release evaluations voluntarily, with the cooperation of the developer. That works when Anthropic is the developer. It is not obvious what happens the first time it isn’t.
What I’m watching
Three things on my radar for the next week. First, the 90-day disclosure clock — when do we see the first public CVEs from the Glasswing cohort, and how many are in software my employer actually runs? Second, the downstream replication curve — how long before a meaningfully capable offensive model exists outside the Glasswing perimeter? And third, the governance conversation — whether the Amodei meetings with CISA and the Center for AI Standards and Innovation produce anything durable, or whether this ends up as another episode in the long American tradition of punting hard tech-policy questions to the next administration.
I started this post thinking the story of Mythos was about a new model. I am ending it convinced the story is about a new class of governance problem, and the model is just the part we can benchmark.
Sources
- Project Glasswing: Securing critical software for the AI era — Anthropic
- Our evaluation of Claude Mythos Preview’s cyber capabilities — AISI
- Anthropic’s Project Glasswing—restricting Claude Mythos to security researchers—sounds necessary to me — Simon Willison
- Six Reasons Claude Mythos Is an Inflection Point for AI—and Global Security — Council on Foreign Relations
- Claude Mythos: Rethinking cybersecurity and AI governance — IAPP
Leave a Reply