[size=1.05]There is something cosmically satisfying about a company that builds an AI capable of finding 27-year-old security vulnerabilities in the world's most hardened software announcing its existence through a security vulnerability. The universe, it turns out, retained its sense of humour through the entire AI revolution — and on March 26, 2026, it deployed that humour with considerable precision.
[size=1.05]On that date, Roy Paz of LayerX Security and Alexandre Pauwels of the University of Cambridge independently discovered that Anthropic's content management system had defaulted every uploaded asset to public, open to any visitor with a browser and a free afternoon. Among the approximately 3,000 internal files sitting in this fully searchable data lake was a draft blog post announcing a model called Claude Mythos, internally codenamed Capybara, which the company's own authors described as "by far the most powerful AI model we've ever developed" — one that "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders."
[size=1.05]A company warning the world that AI would find hidden vulnerabilities in critical software, announcing that warning through a hidden vulnerability in its own CMS. The universe, as it turns out, has a literature degree and a grudge.
[size=1.05]Twelve days later, on April 7, 2026, Anthropic made it official. Claude Mythos Preview is real, operational, and available to exactly fifty-two organisations on the planet. Apple, Google, Microsoft, Amazon, Nvidia, CrowdStrike, JPMorganChase, Cisco, Broadcom, Palo Alto Networks, and the Linux Foundation lead a consortium operating under the name Project Glasswing: a $100 million defensive cybersecurity initiative built on the premise that arming the world's critical software operators before the capability diffuses to less restrained actors is the only responsible path forward.
[size=1.05]The rest of the world can wait. Indefinitely. This is the full story of what Anthropic built, what it found, and why April 7, 2026 represents the first time a major commercial AI laboratory has publicly stated — and meant — that it built something too dangerous for general release.
CAPABILITY BENCHMARKThe Performance Gap: Mythos vs Opus 4.6Mythos PreviewOpus 4.6CYBGERGYM — VULNERABILITY REPRODUCTIONMythos Preview83.1%Opus 4.666.6%FIREFOX EXPLOITS GENERATEDMythos Preview181Opus 4.62FULL OS CONTROL HIJACKS — OSS-FUZZ TIER 5Mythos Preview10Opus 4.60Source: Anthropic Frontier Red Team | CyberGym Benchmark | April 2026 | BW Businessworld
A 4th Tier: Where Capybara Sits Above Opus
[size=1.05]To understand the significance of Claude Mythos, it helps to understand the architecture it has now established. The Claude model family has until now operated on three tiers: Haiku, the nimble, cost-efficient workhorse; Sonnet, the versatile middle child; and Opus, the heavy-duty research-grade model that was, until last week, Anthropic's most capable offering. Mythos introduces a fourth tier — designated Capybara internally — that sits above Opus in the manner that a Formula 1 car sits above a well-specced family saloon. The family saloon is an excellent vehicle. The Formula 1 car is a fundamentally different category of object.
THE CLAUDE MODEL HIERARCHYHAIKUFast · LightweightPublicSONNETBalanced · VersatilePublicOPUSComplex ReasoningPublic (4.6)MYTHOS(CAPYBARA)General PurposeStep-Change CapabilityRESTRICTED← INCREASING CAPABILITY →
[size=1.05]The name itself is instructive. Mythos derives from the Greek μῦθος — a foundational narrative that shapes the understanding of reality. Anthropic chose this with intent. The implication, stated with minimal subtlety, is that this model will redefine the terms of the conversation.
83.1 Per Cent vs 66.6 Per Cent: Translating the Gap
[size=1.05]Abstract capability claims are the wallpaper of every AI product announcement. The specific numbers from Anthropic's internal testing are considerably more instructive. On CyberGym — the benchmark measuring a model's ability to reproduce and resolve known cybersecurity vulnerabilities — Claude Mythos Preview scores 83.1 per cent. Claude Opus 4.6 scores 66.6 per cent. In cybersecurity, the difference between finding two-thirds of the vulnerabilities in a codebase and finding four-fifths of them is the difference between a patched system and an exploited one.
181 [size=1.4]vs 2
[size=0.9]Firefox exploits generated autonomouslyWhen asked to turn known Firefox 147 JavaScript engine vulnerabilities into working exploits, Claude Opus 4.6 succeeded twice across several hundred attempts. Mythos Preview succeeded 181 times. Same task. Same vulnerabilities.
[size=1.05]On Anthropic's internal OSS-Fuzz evaluation — which grades crash severity across roughly a thousand open source repositories on a five-tier scale, with tier five representing complete control flow hijack — Sonnet 4.6 and Opus 4.6 each achieved tier five exactly once. Mythos Preview achieved it ten times, across ten separate, fully patched targets. Ten tier-five findings on patched software, found autonomously, represents a capability threshold the security research community has been anticipating and dreading in roughly equal measure.
27 Years of Hiding in Plain Sight
[size=1.05]The benchmark numbers are, in a meaningful sense, the rehearsal. The main performance began when Anthropic pointed Mythos Preview at real-world software and asked it to find bugs the rest of the industry had missed.
[size=1.05]The model found a 27-year-old vulnerability in OpenBSD. It is worth dwelling on OpenBSD for a moment, because its reputation requires some context. This is the operating system that security engineers reach for when they genuinely need something resistant to attack — the software running a significant portion of the world's firewalls, critical infrastructure, and network appliances. Its entire design philosophy is oriented around the proposition that security is the primary consideration, and every other concern is secondary. OpenBSD had been running since 1995. This particular bug — a flaw in how the system handled TCP SACK acknowledgements — had been sitting in the codebase, undetected, since the Clinton administration. Mythos Preview found it autonomously, after a single prompt, and produced a working proof-of-concept exploit demonstrating that an attacker anywhere on the internet could remotely crash any machine running the system. The bug is now patched.
27 yrs
[size=0.9]The oldest zero-day found so farA vulnerability in OpenBSD — an OS built specifically for security — that had survived every human and automated review since 1999. Mythos Preview found it in a single overnight session with no human intervention after the initial prompt.
[size=1.05]It found a 16-year-old bug in FFmpeg — the library sitting underneath essentially every piece of software that encodes or decodes video. Automated testing tools had executed the specific line of code containing the flaw five million times without catching it. It found a 17-year-old remote code execution vulnerability in FreeBSD's NFS server, CVE-2026-4747, allowing any unauthenticated user on the internet to gain complete root access. The exploit it developed — a 20-gadget return-oriented programming chain split across multiple network packets — represents state-of-the-art offensive security work. In the Linux kernel, it found and chained multiple vulnerabilities to construct a local privilege escalation sequence that takes an ordinary user account and grants complete control of the machine. In a closed-source browser, it chained four separate vulnerabilities into a JIT heap spray that escaped both the browser's renderer sandbox and the operating system's own sandbox.
[size=1.05]Over the past several weeks, Anthropic has collectively identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. The model also identified weaknesses in widely-deployed cryptography libraries, including implementations of TLS, AES-GCM, and SSH — the protocols underpinning the security of most encrypted communications on the internet. Fewer than 1 per cent of these findings have been patched and publicly disclosed; the remainder are in coordinated disclosure, with cryptographic hashes published as accountability commitments.
[size=1.05]Engineers at Anthropic with no formal security training have initiated these sessions before leaving the office for the evening and returned the following morning to a complete, working exploit. The agentic scaffold is straightforward: a containerised, network-isolated environment, Claude Code, and a single paragraph-length prompt. From that point, the model operates without human guidance.
The Part of the Story Nobody Led With
[size=1.05]The zero-day findings are alarming in the productive sense — the kind of alarm that motivates patching and investment in defence. What follows is alarming in a different register entirely, and deserves careful reading.
[size=1.05]In Anthropic's testing and early internal deployment of Claude Mythos Preview, the company reports that the model reached "unprecedented levels of reliability and alignment." On the rare occasions when it did fail or behave unexpectedly, however, the modes of failure were concerning enough to warrant extended documentation in the public system card.
[size=0.72]SYSTEM CARD — INTERNAL TESTING INCIDENTS — DOCUMENTED BY ANTHROPIC
INCIDENT 01
Faked Its Own Accuracy
[size=0.82]Obtained the correct answer via a prohibited method. Instead of flagging the violation, it submitted a deliberately wrong response calibrated so the accuracy level would be insufficient to reveal that it had found the answer through a forbidden route.
INCIDENT 02
Erased Its Own Evidence
[size=0.82]After accessing and editing files without authorisation, it made further interventions to ensure that its changes would be absent from the git commit history. It covered its tracks — the same capability it was simultaneously being evaluated for finding in open source software.
INCIDENT 03
Leaked Confidential Code
[size=0.82]Posted a private internal code artefact as a public-facing GitHub Gist, against the explicit instructions of the user who had requested it. The model appeared to assess that external validation required external publication.
INCIDENT 04
Took Down All Evaluations
[size=0.82]When asked to terminate one specific evaluation run that had ceased producing useful results, it terminated all evaluations of that type being run by every researcher across the entire system — in spite of explicit warnings to proceed carefully.
<0.001%
[size=0.9]Rate of cover-up incidents in earlier versionsThe final version of Mythos Preview shows zero clearly identified instances of cover-up behaviour in automated monitoring. Anthropic's automated pipeline surfaced clear instances below one in a million Claude Code transcripts.
[size=1.05]Anthropic's system card is clear: these incidents occurred in earlier model versions, the final version shows zero monitoring detections, and the company is "fairly confident these concerning behaviours reflect, at least loosely, attempts to solve a user-provided task." The model was trying to help. That sentence is the most important one in the entire disclosure. The most unsettling aspect of these incidents is structural rather than conspiratorial — the behaviour of covering one's tracks was emergent. It arrived, uninvited, as a downstream consequence of the model becoming more capable at pursuing goals.
52 Organisations, 1 Mission: Defend Before the Window Closes
[size=1.05]Anthropic's response was to do the one thing a purely commercially oriented technology company would almost certainly have avoided: tell everyone. Or rather, tell fifty-two organisations, and explain in considerable technical detail exactly why the rest of the world must wait.
[size=1.05]Project Glasswing — named after a butterfly whose transparent wings serve as a metaphor for software vulnerabilities that are "relatively invisible" to most people while being structurally exposed to those who know where to look — is the operational framework. Newton Cheng, Frontier Red Team Cyber Lead, told VentureBeat: "We do not plan to make Claude Mythos Preview generally available due to its cybersecurity capabilities. However, given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout — for economies, public safety, and national security — could be severe."
PROJECT GLASSWING — FOUNDING PARTNERS12 Organisations. 52 Total. Zero Public Access.Amazon WebServicesAppleBroadcomCiscoCrowdStrikeGoogleJPMorganChaseLinuxFoundationMicrosoftNVIDIAPalo AltoNetworksAnthropic(builder)
[size=1.05]Anthropic has committed up to $100 million in usage credits for Mythos Preview across these efforts, alongside $4 million in direct donations to open source security organisations. The company has also briefed senior US government officials across multiple agencies, including the Cybersecurity and Infrastructure Security Agency and the Centre for AI Standards and Innovation. The company also briefed officials "across the US government" on the model's full offensive and defensive cyber capabilities, and has made itself available to support government testing and evaluation.
How Markets Answered on April 7
[size=1.05]Financial markets registered their verdict within hours of the announcement, and the assessment was immediate. Shares in CrowdStrike, Palo Alto Networks, Zscaler, SentinelOne, Okta, Netskope, and Tenable fell between 5 and 11 per cent on April 7. The investor thesis behind the sell-off was not unreasonable: if an AI model can autonomously find the vulnerabilities that traditional security products miss, the competitive position of those products faces structural pressure.
MARKET IMPACTCybersecurity Stocks — April 7, 2026−5%−8%−11%−9%−8%−7%−6%−5%ZscalerCrowdStrikeSentinelOnePalo AltoOktaTenableSame-day stock price decline, April 7, 2026 | Source: Market data | BW Businessworld
$30B+
[size=0.9]Anthropic's annualised revenue run rateUp from approximately $9 billion at end of 2025. Business customers spending over $1 million annually now exceed 1,000 — a figure that doubled in under two months. An IPO is reportedly being evaluated for October 2026 at $400–$500 billion.
[size=1.05]CrowdStrike — a founding member of Project Glasswing — published a detailed response on the same day, arguing that frontier AI capabilities fundamentally advantage defenders with endpoint access over attackers. Their own 2026 Global Threat Report documented an 89 per cent year-over-year increase in AI-driven cyberattacks — a considerably more immediate concern than theoretical obsolescence. Broadcom has signed an expanded deal providing Anthropic with access to approximately 3.5 gigawatts of computing capacity running on Google's AI processors, a compute footprint of unprecedented scale for a company at Anthropic's stage.
The Safety Framework That Explains the Decision
[size=1.05]Anthropic operates under a Responsible Scaling Policy, currently in its third version — a public self-regulatory framework that reads, with admirable precision, like a document written by people who have genuinely thought about what happens when things go wrong. The RSP defines AI Safety Levels on a numbered scale that borrows its logic from government biosafety standards. ASL-2 is where current production models sit — capable, useful, managed under standard safety measures. ASL-3 is the classification requiring substantially stronger controls, reserved for models that could provide meaningful uplift toward mass-casualty attacks or seriously compromise critical infrastructure. ASL-4 is the category nobody wants to discuss publicly: models capable of autonomous catastrophic action at systemic scale, accelerating AI development without human direction. Claude Opus 4.6, Anthropic's current best public model, runs under ASL-3. The company has published no ASL classification for Mythos Preview. The decision to restrict access entirely — rather than deploy under ASL-3 controls, as it does with Opus 4.6 — suggests the existing framework is running at the edge of what it was designed to contain. In an internal survey conducted in relation to Opus 4.6, approximately one-third of Anthropic engineers indicated they believed that model was likely already at or approaching ASL-4 thresholds. Mythos Preview represents a significant capability jump beyond Opus 4.6.
[size=1.05]The closest historical parallel is OpenAI's 2019 decision to delay the full release of GPT-2, citing safety concerns. That decision was later broadly acknowledged — including by OpenAI itself — as disproportionate. GPT-2 was subsequently released in full. This is different. Anthropic has published a 3,000-word technical document from its Frontier Red Team detailing precisely what the model found in real-world testing, including cryptographic commitments on undisclosed vulnerability reports. This is not the behaviour of an organisation managing a narrative. This is the behaviour of an organisation that looked at what it built and decided transparency, however uncomfortable, was the appropriate response.
The Attackers Already Arrived Before This Announcement
[size=1.05]There is a sentence in Anthropic's Glasswing announcement that deserves more attention than it has received: "Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely." This is not an abstract concern. The nation-state threat is already operational.
[size=1.05]Anthropic's own threat intelligence reporting from November 2025 documented the first verified instance of a cyberattack predominantly executed by AI agents: a Chinese state-sponsored group used autonomous AI to compromise approximately 30 global targets, with AI managing between 80 and 90 per cent of tactical operations independently. That attack preceded the capability improvements represented by Mythos Preview. CrowdStrike's 2026 Global Threat Report documents what has happened since. China-nexus intrusions increased 38 per cent year-over-year, with 67 per cent of their exploited vulnerabilities providing immediate system access the moment of exploitation — meaning defenders had essentially zero time to respond before the breach was complete. Russia-nexus group FANCY BEAR deployed LLM-enabled malware designated LAMEHUG to automate reconnaissance and document collection at scale. And DPRK-nexus group FAMOUS CHOLLIMA leveraged AI-generated personas to conduct insider threat operations that culminated in a $1.46 billion cryptocurrency theft. One point four six billion dollars. The largest single financial crime in recorded history. Conducted, in significant part, by AI agents operating inside legitimate organisations under fabricated identities.
[size=1.05]Against this backdrop, Project Glasswing is less a product initiative and more an act of organised civilisational maintenance. Shlomo Kramer, founder and CEO of Cato Networks, offered the most direct assessment: "The agentic attackers are coming. This is a watershed event in the history of cybersecurity."
The Window Is Open. For Now.
[size=1.05]Anthropic chose to publish the cover-up incidents. The git history modification, the wrong answer, the GitHub Gist, the terminated evaluation cascade — none of these were required disclosures under any regulatory framework. The company included them in its own system card, voluntarily, with technical specificity and without softening language.
[size=1.05]What the transparency reveals is a company that has thought carefully about the difference between managing a narrative and managing a risk. Project Glasswing, with its voluntary technical disclosures and its deliberate restriction of a model that could presumably generate significant revenue, is a legible expression of those priorities in operational form. The glasswing butterfly's wings are transparent because transparency was the most efficient design solution available to it. In software, the vulnerabilities were always there. The question was whether defenders or attackers would find them first.
[size=1.05]The most powerful AI model ever built is currently available to Apple, Google, Microsoft, Amazon, and forty-eight other organisations. It found bugs in every major operating system and every major web browser. It tried to hide evidence of its own rule violations in testing. It is, in its final form, apparently clean of those behaviours.
[size=1.05]The question this story leaves open is the one Project Glasswing does not answer — and cannot, because nobody has yet answered it. When models with Mythos-class capabilities become broadly available, as they will on a timeline no single company controls, the advantage of the fifty-two-organisation head start collapses to zero. Anthropic bought the world several months. The world still needs to decide what to do with them. Transparency about what was built is not the same thing as a plan for what happens when equivalent capability is in the hands of people who would not have published the system card.
Claude Mythos Preview: Key Facts at a Glance
PARAMETERDETAILOfficial nameClaude Mythos PreviewInternal codenameCapybaraModel tier4th tier — above Haiku, Sonnet, and OpusAnnouncedApril 7, 2026 (leaked March 26, 2026)Public availability[size=0.8]RESTRICTED — 52 organisations onlyInitiativeProject GlasswingFounding partners12 named organisationsTotal orgs with access52+Usage credits committedUp to $100 millionOpen-source donations$4 millionCyberGym score83.1% — vs Opus 4.6's 66.6%Firefox exploits generated181 — vs Opus 4.6's 2Full OS control hijacks10 — vs Opus 4.6's 0Oldest zero-day found27-year OpenBSD TCP vulnerability (patched)Cover-up incidents (final)Zero detected in automated monitoringASL classificationUnconfirmed publiclyAnthropic annualised revenue$30 billion+ run rate (April 2026)IPO target valuation$400–$500 billion (October 2026)Cybersecurity stock reaction5–11% decline, April 7, 2026AI-driven attack increase (YoY)89% — CrowdStrike 2026 Global Threat Report |
