On April 7, 2026, Anthropic revealed something that fundamentally changes the cybersecurity landscape: an unreleased AI model called Claude Mythos Preview that can find and exploit zero-day vulnerabilities with a success rate that dwarfs every previous AI system — and most human security researchers. Mythos isn’t a product you can buy. It isn’t available through any API plan. It exists solely within Project Glasswing, Anthropic’s $100 million cybersecurity initiative, and the technical details published in its model card explain exactly why the company is keeping it under lock and key.
Here’s everything we know about what Claude Mythos is, what it can do, how it compares to existing models, and why Anthropic considers it too dangerous to release publicly.
Claude Mythos Preview: The Basics
Claude Mythos Preview is a general-purpose large language model built by Anthropic, but with capabilities that go far beyond text generation. At its core, Mythos is a frontier-class coding and security research model — one that can read source code, analyze compiled binaries, discover vulnerabilities, write working exploits, and chain multiple bugs together into full attack sequences, all without human intervention.
Unlike Claude Opus 4.6, Sonnet 4.6, and Haiku 4.5 — which are available to consumers and businesses — Mythos Preview will not be made generally available. Access is restricted to vetted partners within Project Glasswing: major tech companies like AWS, Apple, Google, and Microsoft, plus critical infrastructure maintainers and open-source security organizations.
When it eventually becomes available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry, pricing will sit at $25 per million input tokens and $125 per million output tokens — making it roughly 2.5x more expensive than Opus 4.6 on inputs and significantly steeper on outputs.
Performance Benchmarks: How Mythos Compares to Opus 4.6
The gap between Mythos Preview and Anthropic’s current flagship model isn’t incremental — it’s a generational leap. Here’s how they compare across major benchmarks:
Agentic coding benchmarks:
- SWE-bench Verified: Mythos 93.9% vs. Opus 4.6 at 80.8% — a 13-point jump on the industry’s most watched coding benchmark
- SWE-bench Pro: 77.8% vs. 53.4% — Mythos nearly doubles Opus on harder problems
- SWE-bench Multilingual: 87.3% vs. 77.8%
- Terminal-Bench 2.0: 82.0% vs. 65.4%
- OSWorld-Verified: 79.6% vs. 72.7%
Security-specific benchmarks:
- CyberGym: 83.1% vs. 66.6% — Anthropic’s in-house security evaluation
- Firefox JS exploits (181 attempts): Mythos succeeded on all 181. Opus 4.6 managed 2.
- Register control achieved: Mythos 29 vs. Opus 0
- OSS-Fuzz tier 5 (full control flow hijack): Mythos 10 vs. Opus 1
- Tier 1-2 crashes discovered: Mythos 595 vs. Opus ~265
To put the Firefox number in perspective: Opus 4.6 had a near-0% success rate at autonomous exploit development. Mythos has a near-100% success rate on the same tasks. That’s not an improvement — that’s a capability threshold being crossed.
What Claude Mythos Can Actually Do
Raw benchmark numbers tell part of the story. The real-world case studies from Anthropic’s model card tell the rest. Mythos operates across four distinct capability domains that, combined, make it the most powerful automated security research tool ever documented.
1. Autonomous Vulnerability Discovery
Mythos can take a codebase — source or compiled binary — and systematically identify security vulnerabilities without being told where to look. It found a 27-year-old vulnerability in OpenBSD, one of the most heavily audited security-focused operating systems in existence. The bug was a signed integer overflow in TCP SACK sequence number comparison that allowed remote denial of service against any OpenBSD host.
It also found a 16-year-old flaw in FFmpeg where a 32-bit slice counter could collide with a 16-bit sentinel value (65535) in the H.264 codec. Specialized fuzzing tools had thrown over 5 million randomly generated video files at this code without finding it. Mythos did — because it understands code semantics, not just input-output patterns.
2. Autonomous Exploit Development
Finding a bug is one thing. Writing a working exploit is significantly harder. Mythos does both. The most striking example is CVE-2026-4747 — a 17-year-old FreeBSD NFS vulnerability that Mythos discovered and exploited end-to-end:
- Found a stack buffer overflow with only 304 bytes available
- Constructed a 20-gadget ROP chain split across 6 sequential RPC packets
- Injected an SSH key into /root/.ssh/authorized_keys
- Achieved full unauthenticated remote root access
In browser exploitation, Mythos chained four separate vulnerabilities together, writing a JIT heap spray that escaped both the renderer sandbox and the OS sandbox. That’s the kind of multi-stage exploit development that typically takes a specialized red team weeks — Mythos did it autonomously.
3. Reverse Engineering
Mythos can reconstruct plausible source code from stripped binaries — executables with all debugging symbols and human-readable information removed. It then identifies vulnerabilities in this reconstructed code and validates them against the original binary. This means Mythos can audit closed-source software where no source code is available — a capability that dramatically expands the attack (and defense) surface it can cover.
4. Logic Vulnerability Detection
Beyond memory corruption bugs (buffer overflows, use-after-free, etc.), Mythos identifies authentication bypasses, authorization flaws, and cryptographic implementation weaknesses. These logic bugs have historically been among the hardest for automated tools to find because they require understanding what the code is supposed to do, not just how it handles memory. Mythos’s language comprehension gives it an edge here that traditional static analysis tools fundamentally lack.
How Anthropic Tests and Validates Mythos Findings
Given the stakes involved, Anthropic’s validation methodology is rigorous. The testing process runs in isolated containers disconnected from any network, with natural language prompts directing Mythos to search for vulnerabilities. The model uses a Claude Code-style agent scaffold that lets it experiment, debug, and iterate.
The workflow looks like this:
- File prioritization: Mythos ranks source files by vulnerability likelihood on a 1-5 scale
- Deep analysis: High-priority files get thorough examination
- Exploit development: Discovered bugs get proof-of-concept exploit code
- Secondary validation: A separate AI agent confirms the severity assessment
- Human triage: Professional security contractors review all findings before disclosure
Importantly, tools like Address Sanitizer provide ground truth: they perfectly separate real bugs from hallucinations. When Anthropic tested Opus 4.6’s Firefox bug reports, every single one was confirmed as a true positive. Professional security contractors validated 198 Mythos bug reports and 89% agreed with Claude’s severity assessment exactly, with 98% within one severity level. That’s a higher agreement rate than most human security teams achieve among themselves.
Cost efficiency is also notable: the OpenBSD vulnerability hunt — roughly 1,000 runs — cost under $20,000. Individual successful runs cost under $50. Compare that to hiring a human security researcher at $200,000-$400,000 per year, or a professional penetration test at $50,000-$150,000 per engagement.
Why Anthropic Won’t Release Mythos to the Public
Anthropic is unusually candid about why Mythos stays behind closed doors. The model card explicitly frames this as a “watershed moment” in AI capabilities — one where the same technology that strengthens defense can equally enable offense.
The core concern is the transitional period. In Anthropic’s words: “In the short term, this could be attackers, if frontier labs aren’t careful about how they release these models. In the long term, we expect it will be defenders.” The company acknowledges that traditional security friction — defenses that slow down attackers without being cryptographically hard — may become “considerably weaker against model-assisted adversaries.”
To manage this risk, Anthropic has outlined several safeguards:
- Restricted access: Mythos is only available to Project Glasswing partners — vetted organizations defending critical infrastructure
- New safeguards with Opus: Additional safety measures will launch alongside the next Claude Opus model before any broader release
- Cyber Verification Program: Legitimate security professionals whose work is affected by model safeguards will get a path to verified access
- Independent oversight: Anthropic is working toward establishing a third-party body to govern distribution of models with offensive capabilities
This approach parallels concerns the broader AI industry faces. OpenAI has dealt with similar questions around its own coding agents, and companies like PromptFoo and Codex Security are building tools specifically to address AI-powered attack vectors.
The Responsible Disclosure Process
With thousands of zero-day vulnerabilities discovered, the disclosure logistics alone are significant. Anthropic follows a structured process:
- Professional human triagers validate each finding before any disclosure
- Coordinated disclosure gives maintainers 90 days (plus a 45-day extension if needed) to patch
- SHA-3 cryptographic commitments are published for vulnerabilities still under embargo — proving the discovery date without revealing details
- Full technical details are released only after patches are deployed
The model card includes 17 SHA-3 hashes corresponding to specific vulnerabilities and exploits currently under responsible disclosure. As of publication, only about 1% of discovered vulnerabilities had been patched — a clear indication of the massive scale of findings Mythos has produced and the time needed for maintainers to address them.
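A commit-and-reveal scheme of the kind described above, as an added example that is not Anthropic's code. The page only says "SHA-3", so the SHA3-256 variant, the random nonce, and the names `commit` and `verify` are assumptions, and the report text is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample report; a real one would be the full private write-up.
REPORT = b"Constructed example: out-of-bounds write in libexample parse_header()"


def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest_hex, nonce). Publish the digest; keep report and nonce private."""
    if nonce is None:
        # A random nonce keeps a short or guessable report from being
        # recovered by hashing candidate texts against the public digest.
        nonce = secrets.token_bytes(32)
    h = hashlib.sha3_256()
    # Length-prefix the nonce so nonce/report bytes cannot be re-split
    # into a different pair that hashes to the same value.
    h.update(len(nonce).to_bytes(2, "big"))
    h.update(nonce)
    h.update(report)
    return h.hexdigest(), nonce


def verify(published_hex: str, report: bytes, nonce: bytes) -> bool:
    """After the embargo: check the revealed report against the published digest."""
    digest, _ = commit(report, nonce)
    return hmac.compare_digest(digest, published_hex.strip().lower())


if __name__ == "__main__":
    digest, nonce = commit(REPORT)
    print("publish now :", digest)
    print("reveal later:", verify(digest, REPORT, nonce))
    print("edited text :", verify(digest, REPORT + b" (edited)", nonce))
```

The digest itself carries no date; the timestamp comes from where and when it was published, so the commitment only proves the report existed unchanged by that publication time.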
Anthropic also explicitly withholds details on several categories: browser exploits (none patched yet), closed-source OS vulnerabilities, cryptography library flaws, and most Linux kernel exploits. The restraint is deliberate — publishing exploit details before patches exist would arm attackers more than defenders.
What Mythos Means for the Future of Cybersecurity
Mythos Preview isn’t just another AI model — it’s proof that AI has crossed a threshold in offensive security capability. Anthropic’s own assessment is that AI models have “reached a level of coding capability where they can surpass all but the most skilled humans” at vulnerability discovery and exploitation.
For security professionals, the immediate implications are clear:
- Patching windows are shrinking: When AI can find and exploit vulnerabilities in hours, the traditional weeks-long patch cycle becomes dangerously slow
- Fuzzing isn’t enough: Mythos found bugs that survived millions of fuzzing attempts — traditional automated testing has hard limits that AI comprehension overcomes
- “Well-audited” doesn’t mean secure: If a 27-year-old bug can hide in OpenBSD, nothing should be considered fully reviewed
- AI-powered defense is now mandatory: Manual security review cannot match the scale or speed of AI-powered attack capabilities
Anthropic draws a historical analogy to AFL (American Fuzzy Lop), the fuzzing tool that initially raised concerns about enabling attackers but ultimately became an indispensable defensive tool. They expect Mythos to follow the same trajectory — but acknowledge that “the transitional period may be tumultuous regardless.”
Frequently Asked Questions About Claude Mythos
Can I use Claude Mythos today?
No. Mythos Preview is not publicly available and is restricted to Project Glasswing partners — 12 launch partners including AWS, Apple, Google, Microsoft, and CrowdStrike, plus 40+ additional organizations maintaining critical infrastructure. There is no timeline for general availability.
How is Mythos different from Claude Opus 4.6?
While both are general-purpose AI models built by Anthropic, Mythos operates at a dramatically higher level in code analysis and security research. Opus 4.6 had a near-0% success rate at autonomous exploit development; Mythos achieves near-100% on the same tasks. On SWE-bench Verified, Mythos scores 93.9% versus Opus’s 80.8%.
Is Claude Mythos dangerous?
Anthropic considers it a dual-use technology — the same capabilities that find vulnerabilities defensively can be used offensively. That’s exactly why it’s not being released publicly. The company is building institutional safeguards, partner agreements, and independent oversight before any broader distribution.
How much will Mythos cost when available?
Post-research pricing is set at $25 per million input tokens and $125 per million output tokens, making it roughly 2.5x more expensive than Opus 4.6 on inputs. Access will be through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.
Sources: Anthropic — Claude Mythos Preview Model Card, Anthropic — Project Glasswing