Anthropic launched Claude Mythos for cybersecurity — but first leaked its own drafts

Anthropic has launched Claude Mythos — a specialized AI model for automated vulnerability discovery in software. By the end of May 2025, the system had identified over 10,000 critical vulnerabilities in real-world software. The story of the launch, however, contains a notable irony: weeks before the official announcement, the company itself suffered a massive leak of internal files through its own website.

Data Leak Before Launch

In late March, it was discovered that Anthropic's website was misconfigured. Around 3,000 unpublished files — draft articles, PDF documents, images — ended up in open public access and were indexed by search engines. This was not discovered by malicious actors, but by researchers from LayerX and Cambridge University: no hacking involved, just specialists studying publicly available resources who stumbled upon the leak. Fortune reported on the discovery.

Among the leaked drafts were texts in which Anthropic itself characterized the future model as carrying "unprecedented cyber risks" — meaning it could potentially cause serious damage in the wrong hands. The company, which positions itself as the most responsible AI developer, fell victim to a classic misconfiguration leak. Many viewed the situation as symbolic: the story of unprecedented cyber capabilities began with an unprecedented hole in its own infrastructure.

Official Launch: Partners and Initial Figures

On April 7, Anthropic officially introduced Claude Mythos Preview as part of the Glasswing initiative. The announced funding amount was $100 million. The consortium's partners include:

• AWS, Apple, Cisco
• Google, Microsoft, NVIDIA
• Palo Alto Networks and other major industry players
• 40 pioneering organizations as the first customers

The model was created for professional offensive security: it analyzes code and finds vulnerabilities that a human analyst might miss. One notable example is a vulnerability in OpenBSD that remained undetected for approximately 27 years. By May 26, Claude Mythos had identified over 10,000 critical vulnerabilities in critical software. The scale impressed market participants.

"This is the most important cyber alliance since the creation of CISA," stated the CEO of

Palo Alto Networks.

Access Exceeded Planned Scope

In parallel with the launch, it emerged that the actual Claude Mythos API became accessible to outsiders through partners and supply chains — before the protective architecture around the product was fully in place. Technical documentation on how Mythos capabilities should be deployed in public scenarios also became available prematurely. Essentially, a vulnerability discovery tool began circulating in conditions where key components of its own secure distribution were not yet ready. No confirmed breaches or publicly known exploits were recorded — but the situation raised legitimate questions about processes within Anthropic itself.

What This Means

Claude Mythos is a real step toward automating cybersecurity at a level previously unavailable. Tens of thousands of discovered vulnerabilities, a major consortium, and serious funding speak to a working enterprise product. But the story surrounding the launch raises a legitimate question: how well do Anthropic's own security standards match what the company promises to provide its clients.