Anthropic deemed Mythos too dangerous: model found holes in the foundational software of the internet

Anthropic created Mythos as a universal cutting-edge model, but fairly quickly realized it had gotten not just another powerful AI for code. During internal testing, Mythos began finding and converting into working exploits vulnerabilities in the very foundational software on which much of modern computing infrastructure rests. After this, the company decided not to release the model to open access and moved it into closed mode for a limited circle of partners.

The pivotal moment came during internal security checks when Anthropic researcher Nicholas Carlini began deliberately testing the model on malicious scenarios. Mythos impressed even people who professionally conduct stress tests for AI and cybersecurity. The internal Anthropic team concluded that the model is capable of finding and exploiting zero-day vulnerabilities in all major operating systems and all major browsers.

Importantly, Mythos was not created as a specialized cyber tool: its dangerous capabilities, according to the company, emerged as a side effect of the overall leap in programming, reasoning, and autonomous tool use. Further investigation revealed this wasn't about demonstration tricks. Anthropic disclosed several examples of already-patched problems: a 27-year-old vulnerability in OpenBSD, a 16-year-old bug in FFmpeg that automated systems ran millions of times and never caught, as well as chains of vulnerabilities in the Linux kernel that allowed transitioning from regular user access to complete machine control.

In one test, Mythos itself assembled a browser exploit from four vulnerabilities and managed to bypass several layers of isolation at once. According to Anthropic's security team blog, more than 99% of problems found by the model remained unpatched at the time of publication, so the company does not disclose technical details and works through coordinated vulnerability disclosure. The answer to this was Project Glasswing, which Anthropic announced on April 7, 2026.

Instead of a regular release, the company opened access only to select participants: among the launch partners are AWS, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, Palo Alto Networks, Linux Foundation, and JPMorganChase. Beyond them, over 40 more organizations responsible for critical software and infrastructure gained access. Anthropic emphasizes separately that it wants to give defenders a head start: the company allocated up to 100 million dollars in credits for using Mythos Preview and another 4 million dollars to support open source security.

A public launch for all users is not currently planned. The story doesn't end there, because the consequences extend far beyond one laboratory. Banks and government agencies began urgently assessing what would happen if models of this class reach not only defenders, but also criminal groups or state-sponsored hackers.

The financial sector is particularly nervous: if the window between vulnerability discovery and exploitation shrinks from weeks and months to hours, systems through which payments, settlements, and data storage pass will come under fire. This is why discussions around Mythos quickly emerged not only in the largest technology companies, but also among regulators and major financial institutions. The main takeaway here is that the industry has entered a new phase.

Until now, the debate was primarily about whether language models could help write malicious code. The Mythos story shows a harsher scenario: a cutting-edge model is capable of searching for weaknesses in complex codebases itself, assembling working attack chains from them, and doing so at a scale unavailable to most human teams. For the market, this means a shift in logic: the question is no longer whether to release such systems as a regular product, but whether developers, infrastructure providers, and governments will manage to build defenses before similar capabilities become widespread.

Anthropic's decision to delay the release looks not like marketing hedging, but as an acknowledgment that the boundary between useful AI for development and a cyber offensive tool has become much thinner.