On 7th April 2026, Anthropic published a system card for an AI model we may never be allowed to use: 

. This preview demonstrated a significant leap in capability over Anthropic’s previous Claude Model (Opus 4.6), and their Responsible Scaling Policy (RSP) v3.1 led to them making the decision to withhold it from general availability, serving as a "defensive only" asset. This has limited access to only a small number of key partners responsible for the security of global infrastructure under an initiative called 

As someone who has spent many years in offensive security and vulnerability research, my first reaction was a mix of genuine excitement and moral concern. I was excited because the capabilities described in the technical documentation represent a complete shift in how vulnerabilities are found and exploited, and concerned because many of us know exactly what those capabilities would look like in the wrong hands.

In this post I’ll unpack what the Mythos Preview actually is, why its cybersecurity capabilities are significant (or not so significant), and why I think Anthropic made the right call in keeping it restricted for now.

Before diving in, let me provide some context about vulnerability research.

Vulnerability research is hard. Really hard! The journey to becoming a competent security researcher is long, technical, and arduous. It takes years to develop the skills needed to find meaningful vulnerabilities in production software for one specific domain. Understanding memory management, compiler behaviour, kernel internals, protocol specifications, different languages/frameworks, and a whole world of defence mechanisms that modern systems leverage is a prerequisite to success, not just an advantage. You need to be able to read assembly, understand heap layouts, reason about race conditions, craft ROP chains, and efficiently navigate codebases with millions of lines of code using minimal documentation.

Writing a working exploit is then itself another huge skill. Finding a bug is one thing, but turning it into a reliable exploit that defeats ASLR, stack canaries, memory protections, sandboxing, and all the other creative mitigations modern systems layer on top of each other is an entirely different discipline. It is not uncommon for a researcher to spend weeks or months developing a single exploit chain that combines multiple vulnerabilities to achieve something as conceptually simple as "read some data" or “run a command”

This is why the Mythos Preview has had a big impact on people in this field. What has been described by Anthropic is not a simple incremental improvement, it is the compression of years and years of human expertise into something that can be invoked with a simple paragraph of natural language text.

OK, so what did the reported data actually show?

When having an initial read of the released research / reports, the numbers themselves seem impressive, but we need to interpret them carefully. The released 

 demonstrated a clear improvement over previous models in vulnerability research workflows, but the test cases and results are slightly uneven.

Anthropic’s red team notes that the model has moved beyond simple capture-the-flag style tasks. However, performance seemed to vary significantly depending on the environment, tooling, and task design, and a lot of comparisons seem to be under slightly different conditions. That aside, the results are still hugely impressive!

The System Card evaluated Mythos Preview across several benchmarks and compared it to earlier models, including Opus 4.6. A simplified high-level summary is provided below:

At first glance, these results suggest a dramatic improvement, and the Firefox exploitation results in particular are striking. These are, however, also the most easily misinterpreted.

While Mythos achieves a high success rate in the benchmark, the paper notes that most successful exploits relied on two specific underlying vulnerabilities that were repeatedly reused across trials. So, this does demonstrate a strong capability in refining and reusing exploits, but not necessarily broad, generalised exploit development across diverse targets.

The comparison to Opus 4.6 also seems a bit uneven. The earlier result was based on initial informal testing, while Mythos was subsequently evaluated using a more structured benchmark with curated inputs and repeated trials. So, although it’s still a huge improvement, the apparent jump from “2 exploits” to a 72% success rate shouldn’t be read as a like-for-like improvement.

The other benchmarks also need to be interpreted carefully:

Finally, it is important to note that these capabilities may not generalise well. The model seemed to struggle in more complex or constrained environments, and success often depended on the availability of scaffolding, tooling, and well-structured inputs. While similar setups can be reproduced in practice, many current real-world targets will lack the same level of tooling, observability, and feedback, so this performance may not fully translate.

Despite the numbers for finding bugs being easy to misrepresent or overstate, it is extremely impressive regardless. But what’s more impressive is less how it found the bugs and more how it exploited them, as the sophistication of the exploit chains is legitimately remarkable.

One example the Mythos Preview showed was that it autonomously identified and exploited a 17-year-old remote code execution vulnerability in FreeBSD's NFS server (

) that granted unauthenticated root access.

The exploit itself is an absolute textbook example of a stack buffer overflow into a Return Oriented Programming (ROP) chain:

The more impressive aspect was the model's approach to the authentication bypass. Reaching the vulnerable code relied on providing a 16-byte handle that matched a live entry in the server's GSS (Generic Security Service) client table. Rather than brute-forcing the 2^32 possible handles, Mythos Preview discovered that a single unauthenticated NFSv4 

 call returned the host's UUID and NFS daemon start time, which could be used to recompute a valid 

The final ROP chain wrote a new public SSH key into the server’s 

 to gain root access. However, the payload size exceeded the available overflow space, so Mythos split exploitation over six RPC requests, demonstrating a complex, multi-step, and constraint-aware exploitation that could take an experienced researcher days to construct.

While the FreeBSD case relied on a single highly exploitable vulnerability, Mythos Preview’s work on the Linux kernel better demonstrates its capability to chain multiple weaker vulnerabilities together into a complete exploit.

Unlike FreeBSD, modern Linux kernels implement multiple layers of defence-in-depth, so individual vulnerabilities are often insufficient on their own. Instead, exploitation typically requires combining several primitives to bypass protections such as Kernel Address Space Layout Randomisation (KASLR) and restricted memory access. So, while Mythos was unable to successfully exploit these remotely due to Linux’s protections, it did successfully construct multiple local privilege escalation exploits by chaining together various independent vulnerabilities.

These chains followed a common structure:

The key challenge in these chains is not discovering any single bug but correctly combining them. Each step depends on the success of the previous one, requiring the model to maintain context, adapt its strategy, and select appropriate follow-up actions based on partial results.

Overall, these examples highlight a shift from isolated vulnerability discovery to compositional exploitation, where multiple weaknesses are combined into a functional attack path.

Mythos also reportedly identified vulnerabilities across multiple major web browsers, though the specific technical details were not disclosed as the vulnerabilities were (at the time of writing) yet to be patched.

At a high level, the model demonstrated the ability to autonomously discover read and write primitives and used these to construct a Just-In-Time (JIT) compiler heap spray to achieve code execution within the browser. By subsequently working with researchers, this was then expanded into a cross-origin bypass that could read sensitive data from another domain, such as a victim’s bank account, and in another scenario, the exploit was combined with a sandbox escape and local privilege escalation vulnerability to create a webpage that could gain write access to the operating system kernel.

Beyond what’s been mentioned, it also found many other issues, including a 27-year-old issue in OpenBSD, vulnerabilities in popular cryptography libraries that enabled certificate forgery, decryption of communications, and a guest-to-host memory corruption vulnerability in a production memory-safe Virtual Machine Monitor (VMM).

This really puts the sheer breadth and depth of its capabilities into perspective. And what stands out the most is not necessarily just the severity of each individual finding, but the fact that many were produced autonomously, fast, and at a relatively low cost compared to traditional research workflows (with the most expensive disclosed run being $20,000 over 1000 runs to discover the 27-year-old OpenBSD issue).

In total, Anthropic identified thousands of potential high- and critical-risk vulnerabilities with expert contractors agreeing with the model’s severity assessment exactly in 89% of the 198 manually reviewed reports, and 98% were within one severity level.

Why it’s Being Kept Behind Closed Doors

One of the fundamental issues in security is that attackers only need to succeed once, whereas defenders need to succeed every time. This contrast is what makes the capabilities of Mythos as alarming as they are exciting and emphasises one of the main risks of generalised release.

Considering what broad availability would mean, the table below outlines the imbalance that exists between attackers and defenders, and how a tool like Mythos amplifies it:

Basically, every row favours the attackers.

The N-day contrast alone is enough to cause significant concern, as Anthropic demonstrated that Mythos can autonomously craft working exploits from known vulnerabilities in a matter of hours. Given that most organisations already struggle to patch known vulnerabilities in time, this shift could significantly widen the gap between disclosure and exploitation.

There's also the same “underground” problem we’ve seen with every previous AI capability. WormGPT, FraudGPT, jailbroken models, and malicious agents appeared within months of initial release. If/when models with Mythos-level cybersecurity capabilities eventually leak, or are independently developed by others with fewer safety commitments, they will be weaponised. And weaponised fast!

Anthropic's decision to restrict Mythos Preview to Project Glasswing and using it defensively to secure critical infrastructure before models with similar capabilities become broadly available, is probably the right call. It buys the security community time to prepare, adapt, and find and patch their most critical vulnerabilities before these capabilities are in everyone's hands. And in security, time is everything!

Despite the risks, models like Mythos will improve security in the long run, both while restricted and when its capabilities become more widely available. In the meantime, Project Glasswing will allow this highly capable technology to be applied where it matters the most, against critical infrastructure and widely deployed software.

The main change brought by Mythos and Project Glasswing is not just the ability to find individual bugs, but the feasibility of systematically analysing entire codebases with a level of depth and consistency that’s not previously been possible. This shifts vulnerability discovery from something selective and heavily resource-constrained to something a bit more comprehensive for well-scoped targets.

As with all AI advances, over time, this has the potential to streamline parts of the defensive pipeline. Tasks that currently create friction, such as triaging reports, validating impact, or producing actionable fixes, can be accelerated or automated. This does not remove the need for human expertise, but it changes where that expertise is applied, moving it away from repetitive validation work and towards higher-level decision making and system design.

There is also a longer-term structural effect. As more of these latent vulnerabilities are identified and resolved, the baseline security of widely used software improves. And whilst the initial phase will likely surface a huge backlog of issues, once that’s reduced, the ongoing rate of discovery should (hopefully) begin to reflect newly introduced issues rather than decades of accumulated technical debt.

This is a positive take, but none of it eliminates the difficulty of the initial transition period. As noted before, the contrast between attackers and defenders does not disappear, and increased capability on both sides will almost definitely create volatility. However, if these systems are first applied to reduce existing exposure and strengthen core infrastructure, they can help shape a more stable long-term balance.

So in a sense, Project Glasswing is less about preventing the arrival of these capabilities and more about influencing the state of the ecosystem in preparation for when the capabilities arrive more broadly.

Mythos Preview represents everything I find both exciting and terrifying about the direction of AI. It compresses years of hard-won expertise into something that can be invoked with a simple prompt, finding bugs that skilled researchers have missed for decades and producing exploit chains that would normally take weeks, autonomously and at a fraction of the cost.

Anthropic made the right decision in not simply releasing it to the public. Generalised access to these capabilities in the current state of asymmetry between attack and defence would, in the short term, benefit attackers far more than defenders.

At the same time, this type of technology does have the potential to make us safer. Many of the vulnerabilities it uncovers are not new, they have existed for years. What matters is who gets to them first: defenders or attackers. The ability to systematically audit software at scale and accelerate defensive pipelines could begin to shift that balance in our favour.

The transition will be messy, and almost definitely marked with incidents that might not have happened without these capabilities being available. But in the long-run, a world where critical software is continuously reviewed and hardened faster than attackers can exploit it, is worth pursuing... sensibly.

For now, though, this is why we can't have nice things.

In this post, we unpack what the Mythos Preview actually is, why its cybersecurity capabilities are significant (or not so significant), and why Anthropic may have made the right call in keeping it restricted for now.

Why we can’t have nice things! ...Or can we?

Anthropic Mythos Deep Dive

Recommended for you

The AI Control Gap: Why Partners Are Now on the Front Line

The Offensive Potential of Computer-Using Agents

5 Themes From a Candid Discussion