Anthropic's Mythos AI tests limits of cyber defences
Source: ft.com
TL;DR
- Anthropic's Claude Mythos Preview AI model excels at finding and exploiting software vulnerabilities, prompting restricted access via Project Glasswing.
- It discovered thousands of zero-days, including a 27-year-old OpenBSD flaw and issues in major OSes and browsers like Firefox.
- Governments and firms worry it could accelerate hacking beyond current defences, urging faster patching and safeguards.[[1]](https://www.anthropic.com/glasswing)[[2]](https://www.anthropic.com/claude-mythos-preview-system-card)
The story at a glance
Anthropic's unreleased Claude Mythos Preview, announced in early April 2026, demonstrates exceptional cybersecurity skills by autonomously detecting zero-day vulnerabilities and crafting exploits. The FT article examines concerns from governments and companies that the model outpaces existing defences, potentially turbocharging attacks. This reporting follows weeks of regulatory briefings in the UK and US, plus Project Glasswing partnerships with firms like Microsoft and Google for defensive use only.[[3]](https://www.ft.com/content/b9e79c53-9f14-4b7a-b250-d7a230ca8433)[[1]](https://www.anthropic.com/glasswing)
Key points
- Mythos saturates cyber benchmarks like Cybench (100% success) and CyberGym (83% pass@1), far exceeding prior models like Claude Opus 4.6.[[2]](https://www.anthropic.com/claude-mythos-preview-system-card)
- Found thousands of high-severity zero-days in every major OS and browser; over 99% unpatched pre-testing, with examples patched post-discovery (e.g., Firefox 147 exploits fixed in 148).[[1]](https://www.anthropic.com/glasswing)
- Specific feats include a 27-year-old OpenBSD remote crash vulnerability, a 16-year-old FFmpeg flaw after 5m tests, and Linux kernel privilege escalations.[[1]](https://www.anthropic.com/glasswing)
- Restricted to 40+ vetted partners (AWS, Apple, Cisco, CrowdStrike, JPMorgan, NVIDIA) under Project Glasswing for defensive scanning; $100m credits provided.[[1]](https://www.anthropic.com/glasswing)
- UK regulators (BoE, FCA, Treasury) in urgent talks with NCSC and banks; US Treasury/Fed warned bank CEOs of risks.[[4]](https://www.reuters.com/world/uk/uk-financial-regulators-rush-assess-risks-anthropics-latest-ai-model-ft-reports-2026-04-12)
- Anthropic in ongoing US government discussions on offensive/defensive uses; no public release due to misuse fears.[[2]](https://www.anthropic.com/claude-mythos-preview-system-card)
Details and context
Claude Mythos Preview is a general-purpose frontier model, but its coding prowess enables agentic tasks like end-to-end network attacks in simulations, solving expert-level challenges that take humans 10+ hours. It chains vulnerabilities and evades sandboxes via known flaws, but struggles with modern OT or fully patched systems. Anthropic's decision aligns with its Responsible Scaling Policy, prioritizing defence amid rapid AI progress that could shrink exploit timelines from months to minutes.[[2]](https://www.anthropic.com/claude-mythos-preview-system-card)
Project Glasswing shares findings industry-wide, with public reports due in 90 days on fixes and best practices for patching, disclosure, and secure design. Secondary evaluations (e.g., UK AI Security Institute) confirm improvements over prior models, with success in 73% of expert CTFs and in multi-step attacks. Critics note that smaller open-source models match some feats and question the hype, but real-world zero-days in hardened systems like OpenBSD underscore the novelty.[[5]](https://www.youtube.com/watch?v=cWgD9QUztL0)
Unlike general releases, access uses probe classifiers to monitor misuse without blocking defensive prompts. This follows Anthropic's March 2026 leak revealing Mythos as a "step change," sparking preemptive regulator action.[[6]](https://fortune.com/2026/03/26/anthropic-says-testing-mythos-powerful-new-ai-model-after-data-leak-reveals-its-existence-step-change-in-capabilities)
Key quotes
Dario Amodei, CEO of Anthropic: "The dangers of getting this wrong are obvious, but if we get it right, there is a real opportunity to create a fundamentally more secure internet and world." (From CNBC report on US discussions)[[7]](https://www.cnbc.com/2026/04/10/powell-bessent-us-bank-ceos-anthropic-mythos-ai-cyber.html)
Why it matters
AI-driven vulnerability discovery challenges global cyber infrastructure, risking more frequent attacks on banks, governments, and critical systems if capabilities spread to adversaries. Companies face pressure to audit legacy code faster, while investors eye AI-cyber firms; regulators may push new disclosure rules. Watch for patch reports from Glasswing partners in 90 days and whether rivals like OpenAI release similar tools, though safeguards could evolve quickly.[[1]](https://www.anthropic.com/glasswing)