by VibecodedThis

Anthropic Just Launched Project Glasswing With Claude Mythos, the Model It Won't Release Publicly

Anthropic officially unveiled Claude Mythos Preview today as part of Project Glasswing, a $100M cybersecurity initiative with AWS, Apple, Google, Microsoft, and 8 other partners. The model already found a 27-year-old OpenBSD bug and beats Opus 4.6 by 17 points on CyberGym.


Anthropic just confirmed what its leaked materials hinted at two weeks ago. The new model exists, it’s called Claude Mythos Preview, and the company is so concerned about its cyber capabilities that it has decided not to release it to the public at all.

Instead, on April 7, 2026, Anthropic launched Project Glasswing, a cybersecurity initiative built around Mythos Preview with twelve named launch partners and more than forty total participating organizations. The named partners are Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus Anthropic itself.

The story broke this morning across TechCrunch, Fortune, CNBC, Axios, Reuters, and the Washington Examiner. Anthropic published its own technical report at red.anthropic.com/2026/mythos-preview.

We covered the leak side of this story two weeks ago: Anthropic’s Reported ‘Mythos’ Leak Exposed an Unreleased Model and a Familiar Security Failure. Today’s launch is the official follow-up, and the technical numbers Anthropic published are even more pointed than the leak suggested.

The Money

Anthropic is committing $100 million in Mythos Preview usage credits to the Project Glasswing partners, plus $4 million in direct cash donations to open-source security organizations. The breakdown of the donations is specific:

  • $2.5 million to Alpha-Omega and OpenSSF, routed through the Linux Foundation
  • $1.5 million to the Apache Software Foundation

Anthropic also published the post-preview pricing for the model: $25 per million input tokens and $125 per million output tokens. That is roughly five times the headline rate for Opus 4.6, and notable mainly because the public is not actually being offered access to it. It functions more as a benchmark for what Anthropic thinks frontier-tier compute will cost when this generation of model does become broadly available.

The Vulnerabilities

This is the part of the story that is hard to look away from.

According to Anthropic’s own technical report, Mythos Preview has identified thousands of high- and critical-severity vulnerabilities across “every major operating system and web browser.” The headline examples are old, and they are old in a way that makes the result genuinely uncomfortable for the security community:

  • A 27-year-old OpenBSD vulnerability in the SACK implementation that lets a remote attacker crash any machine running it
  • A 16-year-old FFmpeg vulnerability in the H.264 codec that had survived more than five million test hits from automated fuzzing
  • A 17-year-old FreeBSD NFS remote code execution flaw that Mythos exploited autonomously by constructing a ROP chain across six sequential RPC requests, after first leaking kernel pointers via NFSv4

These are the kinds of bugs that have been sitting in widely deployed open-source code for nearly a generation, surviving every other audit and fuzzing campaign that has been thrown at them. Anthropic says professional security contractors reviewed 198 of the model’s vulnerability reports and agreed exactly with the severity assessment 89% of the time, and within one severity level 98% of the time. That is a higher agreement rate than most human bug bounty submissions hit.

The cost numbers are equally striking. Anthropic says it spent roughly $20,000 in API costs to scan 1,000 OpenBSD targets, and individual complex exploits cost under $1,000 each in compute. A solo researcher with a few thousand dollars in API credit could now do work that previously required a well-funded national lab.

The Benchmark Numbers

Anthropic published direct head-to-head numbers against its current flagship model, and the gap is large.

CyberGym (vulnerability reproduction):

  • Claude Opus 4.6: 66.6%
  • Claude Mythos Preview: 83.1%

Firefox 147 exploitation (head-to-head trial):

  • Claude Opus 4.6: 2 successful exploits across several hundred attempts
  • Claude Mythos Preview: 181 working exploits, plus 29 additional register-control achievements

OSS-Fuzz testing across roughly 7,000 entry points:

  • Claude Opus and Sonnet 4.6: 150 to 175 tier-1 crashes, around 100 tier-2, exactly 1 tier-3 each
  • Claude Mythos Preview: 595 tier 1-2 crashes, a handful of tier 3-4, plus 10 complete control flow hijacks

The gap between Opus 4.6 and Mythos Preview on the Firefox trial (2 exploits versus 181) is the kind of jump that is genuinely difficult to explain as ordinary model improvement. We covered the Opus 4.6 system card when it shipped in March, and Anthropic was already saying Opus had saturated their existing cyber benchmarks. Mythos appears to have walked through that ceiling.

Anthropic is careful to note in its technical report that Mythos Preview was not specifically trained for security work. The company describes its cyber capabilities as “a downstream consequence of general improvements in code, reasoning, and autonomy.” That framing matters because it implies the next generally-released Claude model, whatever it turns out to be called, will inherit a meaningful slice of these capabilities.

Why It Is Not Being Released

Anthropic’s stated rationale lands somewhere between confidence and alarm.

The technical report says directly that more than 99% of the vulnerabilities Mythos has found are still unpatched. Anthropic used SHA-3 hash commitments to prove possession of the unreleased findings without disclosing them, which is the same cryptographic technique academic security researchers use when they want to claim priority on a bug without giving attackers a roadmap.
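A hash commitment of the kind described above, as an added example that is not Anthropic's code or its actual construction: the digest is published now, and the nonce and report are revealed after the fix ships. The domain tag, nonce length, framing, and sample report text are assumptions made for illustration; the second half shows why a bare hash without a nonce does not hide a short, predictable report.

```python
import hashlib
import hmac
import secrets
from typing import Optional

DOMAIN = b"finding-commitment-v1"  # hypothetical domain-separation tag
NONCE_LEN = 32                     # 256-bit blinding nonce, kept secret until reveal

# Constructed sample report text, not a real finding.
SAMPLE_REPORT = b"constructed sample: length check missing in example_parser()"


def digest_of(nonce: bytes, report: bytes) -> str:
    """SHA3-256 over tag || nonce || len(report) || report."""
    h = hashlib.sha3_256()
    h.update(DOMAIN)
    h.update(nonce)
    h.update(len(report).to_bytes(8, "big"))  # unambiguous framing
    h.update(report)
    return h.hexdigest()


def commit(report: bytes) -> tuple:
    """Return (digest to publish now, nonce to keep private)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return digest_of(nonce, report), nonce


def verify(published: str, nonce: bytes, report: bytes) -> bool:
    """After disclosure: check the revealed report against the old digest."""
    if len(nonce) != NONCE_LEN:
        return False
    return hmac.compare_digest(published, digest_of(nonce, report))


def unsalted(report: bytes) -> str:
    """Weak variant: a bare hash of the report, with no nonce."""
    return hashlib.sha3_256(report).hexdigest()


def confirm_guess(published: str, candidates: list) -> Optional[bytes]:
    """A bare hash lets anyone test guesses at a short, predictable report."""
    for c in candidates:
        if hmac.compare_digest(unsalted(c), published):
            return c
    return None


if __name__ == "__main__":
    d, n = commit(SAMPLE_REPORT)
    print(d, verify(d, n, SAMPLE_REPORT), verify(d, n, SAMPLE_REPORT + b"!"))
```
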

The company’s argument for keeping Mythos Preview restricted comes down to a transition risk. In Anthropic’s framing, the same model that lets defenders find and patch decades-old bugs at $1,000 per exploit also lets attackers do the same thing, and the defenders need a head start. Project Glasswing is that head start. The 40+ partner organizations get exclusive access to use Mythos Preview for “defensive security work” on their own systems, and the open-source maintainer grants are designed to make sure the OSS layer of the supply chain is not the slow side of the race.

CNBC and Axios both led with the same framing: Anthropic withholding Mythos because its hacking capabilities are too powerful. Cisco, in a partner quote on the Glasswing page, said the model’s capabilities have “crossed a threshold that fundamentally changes the urgency” of vulnerability remediation work. The Linux Foundation framed Glasswing as “a credible path” for open-source maintainers to access frontier security tools they could not otherwise afford.

Anthropic also says it is developing safeguards for a future general-release Claude Opus model that will inherit Mythos-level cyber capabilities, and that the company is planning a “Cyber Verification Program” to grant legitimate security professionals access once the safeguards are in place.

What This Connects To

A few threads from the past few months suddenly look connected.

The Claude Code Security Report that ran in February talked about Claude Code finding 500 zero-days across its first weeks of deployment. That now reads like the public-facing edge of a much larger internal finding rate that Anthropic had been observing privately.

The Opus 4.6 system card noted that internal cyber evaluations had saturated, and Anthropic shipped Opus 4.6 under ASL-3 protections. At the time, that ASL-3 decision read as cautious. With Mythos Preview’s numbers now public, it reads like an early warning.

The Mythos leak from March 26 accidentally surfaced draft material describing a Capybara-tier model above Opus, with stronger coding, reasoning, and cybersecurity performance. That draft material turns out to have been the early version of what Anthropic published today in cleaner form.

Even Anthropic’s bug bounty expansion from August 2024, which offered up to $15,000 for universal jailbreaks specifically in cybersecurity and CBRN categories, fits the same arc. Anthropic has been positioning for this announcement for at least 18 months.

The Open Question

The open question, the one Anthropic does not answer in its launch material, is what happens to the ordinary developer who is currently using Claude Code, Claude Cowork, or any of the Claude-powered tools in the directory when the next Opus model arrives carrying some fraction of Mythos Preview’s capabilities.

Anthropic has been very explicit that Mythos Preview itself will not ship to the API and will not show up in claude.ai. The Cyber Verification Program will gate access for legitimate researchers. But the technical report’s claim that cyber capability emerged “as a downstream consequence” of general improvements implies that the next public Claude release cannot simply leave those capabilities behind. Whatever ships next will be more dangerous than Opus 4.6, by Anthropic’s own admission, and the company’s framing suggests the difference will not be small.

For now, the public-facing piece of the story is Project Glasswing itself. Twelve of the largest software companies on the planet just got first access to a model their own engineers cannot get from any other source, on a $100 million tab paid by Anthropic. The OSS maintainers who have been losing the security race for two decades just got $4 million and a cryptographic agreement that the bugs in their code will be disclosed responsibly rather than leaked.

The 27-year-old OpenBSD vulnerability sat in production code longer than most of the engineers who could have caught it have been alive. It took an AI model that does not officially exist to find it.

That is the new baseline.
