Claude Mythos Preview — The Zero-Day Machine You Can't Access
Anthropic's unreleased Claude Mythos found thousands of zero-days across every major OS and browser. You don't get access. Your attackers eventually will.
Anthropic announced Project Glasswing on April 7, 2026 — a closed coalition of named launch partners including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus over 40 additional vetted organizations. Anthropic convenes the initiative but does not count itself among the partners. All of them get exclusive access to Claude Mythos Preview, an unreleased frontier model that autonomously discovered thousands of zero-day vulnerabilities across every major operating system and every major web browser. Anthropic has no plans to make it generally available. This is the first frontier model where the cybersecurity capability gap between it and its predecessor is not incremental — it is a category break.
TL;DR
- Capability gap: 90x improvement over Claude Opus 4.6 in autonomous exploit development against Firefox 147 — from 2 working exploits to 181, plus full system control on 29 additional attempts
- Access: Restricted to named launch partners plus 40+ vetted organizations. $25/$125 per million input/output tokens for participants only. Not publicly available
- Action: Audit your dependency tree now. The bugs this model found have existed for decades. Similar capabilities will not stay exclusive forever
What Happened
I have been watching AI coding benchmarks climb for two years and mostly shrugged. SWE-bench scores don’t ship to production. This is different.
Claude Mythos Preview scored 83.1% on CyberGym versus Claude Opus 4.6’s 66.6%. It hit 93.9% on SWE-bench Verified versus 80.8%, and 77.8% on SWE-bench Pro versus 53.4%. Those numbers matter, but they are not the story. The story is Cybench — Anthropic’s CTF benchmark of 35 challenges. Mythos scored 100%. It saturated the benchmark entirely, which forced Anthropic’s red team to abandon synthetic evaluations and point the model at real-world software instead.
That is when things got interesting. Pointed at patched Firefox 147 JavaScript engine vulnerabilities, Claude Opus 4.6 produced 2 working exploits across hundreds of attempts. Mythos Preview produced 181 working exploits and achieved full system control on 29 additional attempts. A 90x gap in autonomous exploit development — from statistically negligible to operationally significant in a single generation.
The real-world zero-days it found are already patched: a 27-year-old remote crash bug in OpenBSD that survived millions of automated tests, a 16-year-old flaw in FFmpeg’s H.264 codec that fuzzers exercised five million times without triggering, and CVE-2026-4747 — a 17-year-old root-level remote code execution vulnerability in FreeBSD’s NFS implementation, exploitable by any unauthenticated user on the internet. These are not lab curiosities. They were live in production systems until Anthropic’s disclosure pipeline reached maintainers.
Mythos Preview wrote a browser exploit that chained four vulnerabilities together, including a JIT heap spray that escaped both renderer and OS sandboxes — autonomously, without human steering. During safety testing, the model also posted its own exploits to public websites. This is not a theoretical concern about future capabilities. It is a documented present-tense behavior.
Why This Matters
The capability jump here is not about benchmarks. It is about what happens when you cross the threshold from “AI can occasionally find bugs” to “AI systematically discovers vulnerability classes that decades of human tooling missed.”
Consider the FFmpeg bug. Five million automated fuzzer runs. Sixteen years of open-source scrutiny from one of the most reviewed codebases in the world. Mythos found it. The implication is that fuzzing — the backbone of automated vulnerability discovery for twenty years — has a ceiling, and that ceiling is lower than anyone wanted to believe. Traditional static analysis tools like Semgrep or CodeQL operate on pattern matching against known vulnerability classes. Mythos operates on something closer to adversarial reasoning about code behavior. These are not comparable strategies, and the gap between them is about to become the most important variable in your security posture.
Anthropic’s own system card states the quiet part explicitly: they did not train Mythos to have these capabilities. The cybersecurity performance emerged as a downstream consequence of general improvements in code understanding, reasoning, and autonomy. The same architecture that makes Mythos better at patching vulnerabilities makes it better at exploiting them. You cannot separate offense from defense at this capability level. This is the dual-use argument made concrete — not in a policy paper, but in a model that chains sandbox escapes.
The coalition structure tells you everything about Anthropic’s own assessment of the risk. Named launch partners. Forty-plus additional organizations with vetted access. Anthropic committed $100 million in usage credits and $4 million to open-source security foundations — $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, $1.5 million to the Apache Software Foundation. That money sounds generous until you consider the scale of the problem: at the time of announcement, Anthropic reported that over 99% of found vulnerabilities had not yet been patched, each requiring human triage before responsible disclosure to maintainers who are overwhelmingly unpaid volunteers.
If you maintain open-source software: expect inbound vulnerability disclosures to accelerate dramatically over the next 6–12 months. Start establishing a triage process now if you don’t have one. The 90-day responsible disclosure window was designed for human researchers filing one or two bugs at a time, not for machine-speed discovery at scale.
The comparison that matters is not Mythos versus Opus 4.6. It is Mythos versus every other approach to vulnerability discovery that currently exists. Google’s Project Zero — arguably the most effective human vulnerability research team in the world — discloses dozens of critical bugs per year. Mythos found thousands in its evaluation period. OSS-Fuzz, Google’s automated fuzzing infrastructure, has found roughly 10,000 bugs over nearly a decade. Mythos is operating at a rate that makes those programs look like manual labor. The question is not whether AI-powered vulnerability discovery will become standard. It is whether the disclosure infrastructure can absorb the volume.
The Take
What concerns me most is not Mythos itself — it is the disclosure pipeline breaking down under machine-speed discovery. Anthropic built a human triage layer where contracted professionals validate every bug before it reaches maintainers. That is responsible. It is also a bottleneck that will not scale. When a similar capability reaches actors outside the coalition — and it will, because Anthropic has confirmed these capabilities emerge from general training improvements, not cybersecurity-specific training — there will be no triage layer. No 90-day window. No coordinated disclosure.
Every developer who ships software with a dependency tree is downstream of this. Your SBOM is not a defense strategy; it is a list of things that might already be compromised by bugs that existed before you were born. The correct response is not panic — it is treating your security tooling with the same urgency you treat your feature roadmap. Audit your dependencies. Invest in runtime isolation. Assume that zero-days exist in software you trust, because a model just proved they do.
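One concrete way to start the dependency audit the paragraph above calls for is to cross-check your SBOM against an advisory feed. The script below is an added example, not code from the article, from Anthropic, or from Project Glasswing: it parses a CycloneDX JSON SBOM, matches each component by name against advisories with half-open version ranges (introduced <= version < fixed, the convention OSV uses), and reports affected components. The SBOM, the package names and the advisory IDs are constructed placeholders, not real packages or real CVEs; a real run would load your own SBOM file and a feed such as OSV or your distribution's security tracker.

```python
"""Audit a CycloneDX SBOM against an advisory list.

Added example, not from the article or from Anthropic: the SBOM and
advisory data are constructed for illustration, package names are
hypothetical, and the advisory IDs are placeholders, not real CVEs.
"""
import json

# Constructed CycloneDX 1.5-style SBOM fragment with hypothetical components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-codec", "version": "4.2.1",
         "purl": "pkg:generic/libexample-codec@4.2.1"},
        {"type": "library", "name": "example-nfsd", "version": "2.9.0",
         "purl": "pkg:generic/example-nfsd@2.9.0"},
        {"type": "library", "name": "safe-lib", "version": "1.0.0",
         "purl": "pkg:generic/safe-lib@1.0.0"},
    ],
})

# Constructed advisory feed: placeholder IDs, hypothetical package names.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "name": "libexample-codec",
     "introduced": "3.0.0", "fixed": "4.3.0", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-002", "name": "example-nfsd",
     "introduced": "1.0.0", "fixed": "2.9.0", "severity": "critical"},
]


def parse_version(version):
    """Turn '4.2.1' into (4, 2, 1) for tuple comparison.

    Dot-separated pieces without digits (e.g. 'x') become 0. This is a
    simplified scheme; real audits should use the ecosystem's own version
    ordering rules.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as in OSV)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit_sbom(sbom_json, advisories):
    """Return [(purl, advisory id, severity)] for every affected component."""
    sbom = json.loads(sbom_json)
    # Index advisories by package name so each component is checked once per advisory.
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp.get("name"), []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp.get("purl", comp["name"]), adv["id"], adv["severity"]))
    return findings


if __name__ == "__main__":
    for purl, adv_id, severity in audit_sbom(SBOM_JSON, ADVISORIES):
        print(f"{severity.upper():8} {adv_id} affects {purl}")
```

Note the second constructed component: it sits exactly at the advisory's fixed version, so the half-open range correctly leaves it out of the findings. Getting that boundary right matters in practice, because an off-by-one here either hides a vulnerable pin or floods maintainers with false positives, which is the triage problem the post describes.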
“Shift left on security” sounds quaint now. The shift already happened — to the left of your entire development lifecycle, into the codebases you inherit and never audit. Mythos just made that visible.