Claude Mythos is Anthropic’s most advanced AI security model, achieving a 73% success rate on expert-level CTF tasks and identifying thousands of zero-day vulnerabilities across every major OS and browser before its April 2026 release. Access is gated through Project Glasswing, a vetted defensive coalition of 12 named partners including Microsoft, Google, and CrowdStrike, plus 40+ critical infrastructure organizations.
What Is Claude Mythos Preview? (And Why Anthropic Kept It Secret)
Claude Mythos Preview is Anthropic’s frontier cybersecurity model — a purpose-built AI system that autonomously discovers, analyzes, and proves exploitability of software vulnerabilities at a capability level no model had reached before April 2025. Unlike Claude Opus or Sonnet, which are general-purpose assistants, Mythos was trained specifically to perform security research tasks: reading source code across millions of lines, forming hypotheses about vulnerable code paths, writing proof-of-concept exploits, and iterating until a working attack chain is confirmed. The model was kept in restricted preview for over a year before its April 7, 2026 announcement because Anthropic’s internal red teams confirmed it could assist with real-world offensive operations — including completing a 32-step corporate network attack simulation that human experts estimate would take 20 hours, in 3 of 10 controlled attempts. The decision to restrict rather than broadly release the model reflects Anthropic’s Responsible Scaling Policy: Mythos crossed an internal threshold requiring mandatory containment measures before any external access. The result is a model that is simultaneously the most powerful defensive security tool ever deployed at scale and one of the most carefully gated AI releases in the industry’s history.
The secrecy around Mythos stemmed from a core tension at Anthropic: researchers with no formal security background were able to use Mythos to find remote code execution vulnerabilities overnight via Claude Code, waking up to complete working exploits. If Mythos could accelerate offensive research for non-experts inside Anthropic, the risk of broader misuse was too high to ignore. The public announcement on April 7, 2026 came alongside the simultaneous launch of Project Glasswing — the access control system designed to ensure only defensive teams can use Mythos capabilities. The model is not available through standard Anthropic API pricing; access requires Glasswing partner status or explicit invitation from Anthropic’s security programs team.
How Claude Mythos Detects Zero-Day Vulnerabilities — The Agentic Loop Explained
Claude Mythos finds zero-day vulnerabilities through a multi-step agentic loop (hypothesize, instrument, execute, synthesize) that it runs autonomously over extended sessions rather than producing a single static scan result. A conventional static analysis tool parses code against predefined rules and flags matches. Mythos instead treats vulnerability research as a reasoning problem: it reads code, forms a hypothesis about why a specific code path might be exploitable, writes a targeted test to confirm or refute the hypothesis, observes the result, and revises its model of the system before attempting the next step. The loop continues until either a working exploit is confirmed or Mythos exhausts its current hypothesis set. The practical result is that Mythos finds vulnerabilities that survived decades of automated scanning, including a 27-year-old signed integer overflow in OpenBSD's SACK TCP implementation that had passed millions of automated security tests and decades of human review.
The agentic loop has four distinct phases. In the hypothesis phase, Mythos reads target code and produces a prioritized list of vulnerability candidates, ranked by its assessment of exploitability and impact. Unlike keyword-based scanners, Mythos understands semantic context: it distinguishes an integer overflow whose only effect is a miscounted length from one that lets attacker-controlled data reach heap metadata or a return address. In the instrumentation phase, it writes custom fuzzing harnesses or unit tests targeting its top candidates. In the execution phase, it runs those tests in a sandboxed environment and captures results. In the synthesis phase, it determines whether a candidate is a confirmed vulnerability, a false positive, or a vulnerability requiring additional conditions to trigger. For confirmed findings, Mythos produces a complete proof-of-concept exploit with CVSS scoring and remediation recommendations. The entire loop can run overnight without human intervention, which is why Anthropic engineers found complete working exploits waiting for them the morning after starting a Mythos scan.
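The bug class the page names (a signed integer overflow in TCP SACK handling) is easier to see in code than in prose. What follows is an added illustrative example written for this page; it is not the OpenBSD code and not the actual bug, which the page does not show. It pairs a SACK option parser with two versions of the same window check: one that sums block lengths in a signed 32-bit accumulator (vulnerable) and one that uses BSD-style modular sequence comparison and a 64-bit total (hardened), plus a libFuzzer-style differential harness of the kind the instrumentation phase above describes. The option layout follows RFC 2018; the function names, the 65535-byte window and the two-block attacker option are assumptions constructed for the demonstration.

```c
/* Illustrative example added to this page; not OpenBSD code and not the actual bug.
 * Names, window size and the attacker option below are constructed assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_SACK      5   /* RFC 2018 option kind */
#define MAX_SACK_BLOCKS  4   /* RFC 2018: at most 4 blocks fit in 40 option bytes */

/* BSD-style modular sequence comparison: correct while |a-b| < 2^31. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)

struct sack_block { uint32_t start, end; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one SACK option (kind, length, then 8-byte start/end pairs). Returns block count or -1. */
int parse_sack_option(const uint8_t *opt, size_t optlen, struct sack_block *out) {
    if (optlen < 2 || opt[0] != TCPOPT_SACK) return -1;
    size_t len = opt[1];
    if (len > optlen || len < 2 || (len - 2) % 8 != 0) return -1;
    size_t n = (len - 2) / 8;
    if (n == 0 || n > MAX_SACK_BLOCKS) return -1;
    for (size_t i = 0; i < n; i++) {
        out[i].start = be32(opt + 2 + 8 * i);
        out[i].end   = be32(opt + 6 + 8 * i);
    }
    return (int)n;
}

/* VULNERABLE: signed 32-bit running total. Two blocks of ~2^31 bytes wrap the sum
 * negative, so "total <= window" passes. The wrap is written out with an unsigned
 * cast so the demo is deterministic; the real-world pattern is plain signed
 * arithmetic, which is undefined behaviour in C. */
bool sack_fits_window_bad(const struct sack_block *b, int n, int32_t window) {
    int32_t total = 0;
    for (int i = 0; i < n; i++) {
        int32_t len = (int32_t)(b[i].end - b[i].start);
        if (len <= 0) return false;
        total = (int32_t)((uint32_t)total + (uint32_t)len);
    }
    return total <= window;
}

/* HARDENED: every block must lie inside [snd_una, snd_max] under modular comparison,
 * and the running total is 64-bit so it cannot wrap. */
bool sack_fits_window_good(const struct sack_block *b, int n, uint32_t snd_una, uint32_t snd_max) {
    uint64_t total = 0;
    uint32_t window = snd_max - snd_una;                 /* modular distance, fits uint32 */
    for (int i = 0; i < n; i++) {
        if (!SEQ_LT(b[i].start, b[i].end)) return false;  /* empty, or longer than 2^31 */
        if (SEQ_LT(b[i].start, snd_una)) return false;    /* acks data below snd_una */
        if (SEQ_GT(b[i].end, snd_max)) return false;      /* acks data never sent */
        total += b[i].end - b[i].start;                   /* uint32 wrap intended here */
    }
    return total <= window;
}

/* libFuzzer-style entry point: differential harness, traps when the two checks disagree. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct sack_block blk[MAX_SACK_BLOCKS];
    int n = parse_sack_option(data, size, blk);
    if (n > 0 && sack_fits_window_bad(blk, n, 65535) && !sack_fits_window_good(blk, n, 0, 65535))
        __builtin_trap();                                /* divergence surfaces as a crash */
    return 0;
}

/* Constructed attacker option (assumption): two blocks of 0x7FFFFFF0 bytes each. */
static const uint8_t evil_opt[] = {
    TCPOPT_SACK, 18,
    0x00,0x00,0x00,0x00, 0x7F,0xFF,0xFF,0xF0,
    0x7F,0xFF,0xFF,0xF0, 0xFF,0xFF,0xFF,0xE0,
};

/* True when the vulnerable check accepts evil_opt and the hardened one rejects it. */
bool demo_bypass_detected(void) {
    struct sack_block blk[MAX_SACK_BLOCKS];
    int n = parse_sack_option(evil_opt, sizeof evil_opt, blk);
    if (n <= 0) return false;
    return sack_fits_window_bad(blk, n, 65535) && !sack_fits_window_good(blk, n, 0, 65535);
}

int main(void) {
    printf("bypass detected: %s\n", demo_bypass_detected() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c11 -o sack_demo sack_demo.c && ./sack_demo`; it prints `bypass detected: yes`. The same file builds as a fuzz target with `clang -fsanitize=fuzzer` (drop `main`), and the harness will trap on the first input that the signed check accepts and the modular check rejects, which is exactly the divergence a rule-based scanner has no rule for.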
Key Benchmarks and Capabilities: What Mythos Can (and Cannot) Do
Claude Mythos Preview achieves a 73% success rate on expert-level capture-the-flag cybersecurity tasks, a category in which no AI model could succeed before April 2025, according to the UK AI Safety Institute's independent evaluation. In Anthropic's own controlled benchmarks, Mythos detects 17% more vulnerabilities than prior AI systems and reaches 83% accuracy in finding new vulnerabilities across testing phases, exceeding every prior AI security benchmark reported in ArmorCode's 2026 security analysis. Its most significant demonstrated capability is finding vulnerabilities that survived conventional tooling: the 27-year-old OpenBSD SACK TCP vulnerability had passed millions of automated tests before Mythos identified it by reasoning about edge cases in TCP sequence handling. In pre-release testing, Mythos identified thousands of zero-day vulnerabilities across every major operating system and web browser, 99% of which were still unpatched at the April 7 announcement date.
| Benchmark | Claude Mythos Preview | GPT-5.5-Cyber | Google Big Sleep |
|---|---|---|---|
| Expert CTF success rate | 73% (UK AISI evaluation); 68.6% (MindStudio) | 71.4% (MindStudio) | ~60% (estimated) |
| Novel vulnerability discovery | 83% accuracy | Not disclosed | Targeted (specific repos) |
| 32-step network attack sim | 3/10 attempts | Not tested | Not tested |
| Zero-days in major OS/browser | Thousands (pre-release) | Not disclosed | Dozens (published) |
| CVSS-scored PoC generation | Yes (automated) | Partial | No |
What Mythos cannot do: it does not autonomously deploy attacks against live production systems — its agentic loop operates in sandboxed environments and produces exploit artifacts for human review, not live attack execution. It also cannot reliably find vulnerabilities in highly obfuscated binaries without source code, and its 73% CTF success rate means it fails on the remaining 27% of expert-level tasks, typically those requiring domain-specific hardware knowledge or novel cryptographic attacks.
Project Glasswing: The Defensive Coalition Behind Claude Mythos
Project Glasswing is Anthropic’s invite-only access program for Claude Mythos Preview — a structured consortium designed to ensure the model’s offensive capabilities are used exclusively for defensive security research. Named for the glasswing butterfly, whose transparent wings make it nearly invisible to predators (a metaphor Anthropic uses for AI-powered defensive transparency), Glasswing launched simultaneously with the Mythos announcement on April 7, 2026. The program includes $100 million in committed usage credits for partners and $4 million in direct donations to open-source security organizations — making it one of the largest coordinated investments in AI-powered defensive security in the industry’s history. Glasswing’s design is explicitly asymmetric: Anthropic intentionally restricts Mythos access to organizations with verifiable defensive mandates, audit capabilities, and incident response infrastructure, on the theory that the defensive benefit to vetted partners outweighs the risk of offensive misuse.
The Glasswing access model operates in three tiers. Tier 1 (named partners) includes the 12 publicly announced organizations that received full Mythos API access at launch, among them AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. These organizations contributed to Mythos's red-team evaluation process and have contractual obligations to report discovered vulnerabilities through coordinated disclosure. Tier 2 (critical infrastructure) includes 40+ additional organizations in sectors such as energy, healthcare, and financial services that received access under sector-specific use agreements. Tier 3 (application pipeline) is the queue for organizations that have submitted Glasswing access applications through Anthropic's security programs portal. As of May 2026, Tier 3 is open but highly selective; Anthropic has not disclosed acceptance rates.
Project Glasswing Partners: Who Has Access and Why
The 12 named Glasswing partners were selected on three criteria: demonstrated defensive security capability at scale, infrastructure to handle responsible disclosure workflows, and the organizational maturity to audit Mythos usage internally. Each partner represents a different attack surface that Mythos is being used to defend. AWS and Microsoft use Mythos to scan cloud infrastructure code and container images at scale. Apple focuses Mythos on iOS and macOS kernel analysis, targeting the memory safety vulnerability classes that have historically dominated Apple security advisories. Cisco and Palo Alto Networks apply Mythos to network device firmware, an attack surface that conventional static analysis handles poorly because firmware runs in non-standard execution environments and, outside the vendor, is usually available only as a binary.
CrowdStrike and Google use Mythos differently: as a threat intelligence amplifier. Rather than scanning their own code, they feed Mythos information about observed attack patterns to generate hypotheses about as-yet-unpatched vulnerabilities that adversaries might be targeting. JPMorganChase and NVIDIA represent the financial services and hardware manufacturing verticals — both sectors with critical infrastructure designations that made them early candidates for Tier 1 access. The Linux Foundation’s inclusion is significant because it allows Mythos to be applied to the open-source software supply chain, where a single vulnerability in a widely-used library (like the 2024 XZ Utils backdoor) can affect millions of downstream deployments. Broadcom rounds out the list with semiconductor and infrastructure software coverage.
Organizations outside the named 12 but inside Glasswing’s Tier 2 are primarily in the energy and healthcare sectors, where regulatory requirements around responsible vulnerability disclosure aligned with Anthropic’s Glasswing terms. These organizations cannot be named publicly per their access agreements, but Anthropic confirmed in its April 7 press release that critical infrastructure sectors account for the majority of Tier 2 slots.
How to Apply for Project Glasswing Access (Step-by-Step Guide)
Applying for Project Glasswing access requires demonstrating organizational readiness across four dimensions: defensive mandate, disclosure infrastructure, audit capability, and organizational accountability. The application process is not a simple form — it is a structured evaluation that Anthropic’s security programs team conducts over several weeks. Here is the current process as of May 2026, based on Anthropic’s published Glasswing guidelines and partner documentation.
Step 1: Verify eligibility criteria. Glasswing access is currently restricted to organizations with an established security research or operations function (not individual researchers), a documented vulnerability disclosure policy published publicly, and a designated security contact with authority to commit to coordinated disclosure timelines. Startups and solo researchers are not eligible for current Tier 2/3 access, though Anthropic has signaled a future research access program is planned.
Step 2: Submit a Glasswing access request. The entry point is Anthropic’s security programs page. Applications require: organization name, primary security use case (must be defensive — offensive testing of third-party systems without authorization is disqualifying), estimated Mythos usage volume, description of existing security tooling stack, and the name of your designated Glasswing accountability contact.
Step 3: Provide supporting documentation. After initial review, Anthropic’s security programs team requests supporting documents: your published vulnerability disclosure policy, any relevant security certifications (SOC 2, ISO 27001, FedRAMP), and a description of your incident response process for AI-discovered vulnerabilities.
Step 4: Technical evaluation call. Shortlisted organizations participate in a technical call with Anthropic’s security team to discuss specific use cases and confirm that proposed Mythos workflows fit within Glasswing’s acceptable use guidelines. This is where organizations that intend to use Mythos for red-team-style external testing are typically screened out.
Step 5: Accept Glasswing terms and receive API access. Partners that clear the evaluation receive a Glasswing-tier API key with usage credit allocation. All partners are subject to quarterly usage audits and are required to report Mythos-discovered vulnerabilities through coordinated disclosure within 90 days of discovery.
API pricing for Glasswing partners: $25 per million input tokens / $125 per million output tokens — approximately 5x the cost of Claude Opus 4.7. Usage credits from Anthropic’s $100M commitment are applied first, reducing net cost for qualifying defensive use cases.
Claude Mythos vs. GPT-5.5-Cyber vs. Google Big Sleep: Cybersecurity Benchmark Comparison
Claude Mythos Preview is the most capable general-purpose AI security research model available as of May 2026, but it faces direct competition from OpenAI’s GPT-5.5-Cyber and Google’s Big Sleep project, each representing a different architectural approach to AI-powered vulnerability research. GPT-5.5-Cyber, announced after Mythos, achieved 71.4% on expert-level narrow cyber tasks versus 68.6% for Mythos Preview in the MindStudio comparative benchmark — indicating rapid competitive escalation in this space. However, the MindStudio benchmark measures narrow task performance, not the multi-step agentic loop that is Mythos’s primary differentiator. Google Big Sleep is a different class of system: it is a targeted research tool used internally by Google Project Zero, not a general API, and its public results focus on specific vulnerability classes in specific software (primarily Android components and Chrome).
The key architectural difference is agentic depth. Mythos is designed to run multi-hour autonomous research sessions, maintaining coherent state across hundreds of tool calls. GPT-5.5-Cyber is optimized for shorter, high-accuracy task completion — it performs better on individual CTF challenges but has not been demonstrated in the 32-step multi-hop attack chain simulation that Mythos completed. Google Big Sleep is researcher-directed, meaning a human security expert guides each investigation rather than the model running autonomously.
| Dimension | Claude Mythos Preview | GPT-5.5-Cyber | Google Big Sleep |
|---|---|---|---|
| Access model | Project Glasswing (invite) | OpenAI enterprise (invite) | Internal only |
| Autonomous multi-step capability | Yes (32-step demonstrated) | Not demonstrated | No (researcher-directed) |
| CTF expert success rate | 73% (UK AISI evaluation); 68.6% (MindStudio) | 71.4% (MindStudio) | ~60% est. |
| Open-source focus | Yes (Linux Foundation partner) | Not disclosed | Android/Chrome focus |
| Pricing | $25/$125 per M tokens | Not disclosed | N/A |
| Disclosure requirements | Mandatory (90-day) | Not disclosed | Google Project Zero disclosure policy |
For security teams evaluating which system to adopt, the decision is less about benchmark numbers and more about workflow fit. Mythos excels at overnight autonomous scans of large codebases where human direction per step is impractical. GPT-5.5-Cyber is stronger for analyst-in-the-loop workflows where a security engineer validates each model step. Big Sleep is not an option for external organizations. If your organization is in the Glasswing pipeline, Mythos is the clear choice for autonomous coverage at scale.
Practical Workflows: Using Claude Mythos for Security Research via Claude Code
Claude Mythos integrates with Claude Code — Anthropic’s agentic coding environment — to enable end-to-end security research workflows that run from code ingestion through exploit confirmation without switching tools. The practical workflow for a security engineering team looks like this: a repository is cloned into a Claude Code session with Mythos as the backing model, and the researcher provides a high-level directive (“find memory safety issues in the network parsing code”). Mythos then autonomously reads the codebase, generates a hypothesis list, writes targeted tests, executes them in a sandboxed environment, and returns a prioritized vulnerability report with proof-of-concept code for each confirmed finding.
For enterprise security teams, the most impactful use case is continuous integration scanning. Rather than running Mythos as a one-time audit tool, Glasswing partners integrate it into their CI/CD pipelines: every pull request that touches security-sensitive code (network parsers, authentication flows, cryptographic implementations) triggers a Mythos scan that runs in parallel with standard test suites. The scan completes before code review, so security findings appear as automated comments on the PR rather than as post-merge emergency patches.
A second high-value workflow is supply chain scanning. Teams with Linux Foundation Glasswing access use Mythos to scan upstream open-source dependencies before incorporating them, applying the same capability that found a 27-year-old bug to the libraries their products depend on before adversaries can exploit those bugs in production. The workflow is: a dependency update PR is opened → Mythos scans the new version of the library → if Mythos finds issues, the PR is held pending coordinated disclosure → if clean, the PR proceeds. This narrows the window between "vulnerability introduced upstream" and "vulnerability deployed in production" that the 2024 XZ Utils backdoor relied on to reach downstream distributions.
For smaller teams without the engineering bandwidth to build CI/CD integration, the minimum viable Mythos workflow is a monthly codebase audit: clone the repository, start a Claude Code session with Mythos, and run the audit directive overnight. Review the morning report and triage findings by CVSS score. This approach requires no custom infrastructure and can be handled by a single security engineer with a Glasswing API key.
Risks, Ethics, and the Dual-Use Dilemma
The central ethical tension in Claude Mythos is that the same capability that makes it the most powerful defensive security tool ever built also makes it the most capable offensive security tool ever publicly acknowledged. Mythos can find exploitable vulnerabilities faster than human experts, write working proof-of-concept exploits autonomously, and complete multi-step attack simulations. These capabilities are valuable to defenders because they allow security teams to find and fix vulnerabilities before adversaries do. They are dangerous in adversarial hands for exactly the same reasons. Anthropic’s position — that Mythos should exist but be restricted to verified defenders — rests on a bet that the defensive benefit to Glasswing partners outweighs the risk that the model’s existence accelerates offensive AI capability development by adversaries who will build equivalent systems regardless.
The dual-use risk is not hypothetical. Anthropic’s own engineers with no formal security training used Mythos to find remote code execution vulnerabilities overnight, waking to complete working exploits. If non-expert insiders can accidentally produce offensive capability with Mythos, the risk of intentional misuse by bad actors who obtain access through false pretenses is real. Glasswing’s screening process attempts to mitigate this, but no vetting process is perfect. The 90-day mandatory disclosure requirement creates accountability for findings, but it does not prevent a compromised Glasswing partner from using Mythos for offensive purposes and simply not reporting the findings.
The broader industry implication: 68% of organizations have already experienced data leaks linked to AI usage, yet only 23% have formal governance policies in place, according to Bain & Company’s 2026 Claude Mythos Cybersecurity Report. The arrival of Mythos-level AI security capability means that organizations without governance frameworks are now operating in an environment where their infrastructure can be comprehensively audited by AI in hours — whether by defenders or adversaries. The ethical obligation is not just on Anthropic; it falls on every CISO, every board, and every organization deploying software at scale to treat AI-powered vulnerability discovery as a board-level risk.
What Organizations Outside Glasswing Should Do Right Now
Organizations that are not Glasswing partners — which is the vast majority of enterprises globally — should treat the existence of Mythos-level AI vulnerability detection as a forcing function to accelerate their security posture improvement, regardless of whether they ever receive Glasswing access. The practical implication is that adversaries who invest in building or acquiring comparable capabilities will be able to find vulnerabilities in your infrastructure at the same speed and scale that Mythos offers to Glasswing partners. The 99% of Mythos-discovered zero-days that were undefended at the April 7, 2026 announcement is the leading indicator: if you are running software that had not been scanned by AI at Mythos’s capability level, you likely have unpatched vulnerabilities that AI-equipped adversaries can find faster than your team can detect the attempt.
Three immediate actions for organizations outside Glasswing: First, submit a Glasswing application now, even if you don't expect to qualify immediately. The application process takes weeks to months, and getting into the evaluation pipeline is better than waiting. Second, adopt the best currently available AI security tools that don't require Glasswing access, including Claude Opus 4.7 with security-focused prompting, GitHub Copilot Autofix, and Semgrep's AI-assisted rule generation. These tools don't match Mythos's capability, but they are accessible and reduce your attack surface. Third, prioritize memory safety in new code. The vulnerability categories Mythos excels at finding (integer overflows, use-after-free, buffer overflows) are the ones that memory-safe languages such as Rust eliminate by construction in safe code. The caveat is that `unsafe` blocks, FFI boundaries, and logic flaws such as authentication or injection bugs remain in scope, so memory safety narrows the target rather than ending the problem.
For CISOs who need to brief their boards: the framing is not “should we get Mythos?” The framing is “AI has changed the economics of vulnerability discovery, and our security investment needs to reflect that.” Bain & Company recommends enterprises benchmark their current mean time to patch critical vulnerabilities and set a target of 50% reduction over 12 months — achievable without Glasswing access through process improvement and available AI tooling.
FAQ
What is Claude Mythos and how is it different from Claude Opus? Claude Mythos Preview is a specialized AI model built specifically for cybersecurity research, capable of autonomously discovering zero-day vulnerabilities through multi-step agentic loops. Claude Opus 4.7 is a general-purpose reasoning model. Mythos was trained on security-specific data and benchmarks, achieving 73% success on expert-level CTF tasks — a capability Opus was not designed for. The two models share Anthropic’s core architecture but differ in training focus and available access tiers.
How do I apply for Project Glasswing access? Submit an application through Anthropic’s security programs portal with your organization’s defensive security mandate, published vulnerability disclosure policy, and designated security contact. The process involves an initial review, documentation submission, and a technical evaluation call. As of May 2026, the pipeline is open but selective — organizations in critical infrastructure sectors (energy, healthcare, finance) have historically received faster evaluation. Budget for a timeline of 4-12 weeks from submission to decision.
What does Claude Mythos cost for Glasswing partners? Glasswing-tier API access is priced at $25 per million input tokens and $125 per million output tokens, approximately 5x the cost of Claude Opus 4.7. Glasswing partners receive credits from Anthropic's $100M commitment that offset costs for qualifying defensive use cases. Usage is subject to quarterly audit, and research that results in coordinated disclosures may qualify for additional credit allocation.
Can Claude Mythos be used for penetration testing? Not for testing third-party systems without explicit authorization — doing so is disqualifying for Glasswing access and violates Anthropic’s acceptable use policy. Mythos can be used for authorized penetration testing of systems your organization owns or has contractual authority to test. Partners using Mythos for bug bounty programs must ensure the target organization’s bounty program explicitly permits AI-assisted research, as some programs have begun adding AI usage clauses to their rules.
How does Claude Mythos compare to traditional SAST/DAST tools? Traditional static analysis (SAST) tools match code against rule databases: fast and dependable on known vulnerability patterns, but noisy and blind to any issue no rule describes. Dynamic analysis (DAST) tools probe a running application from the outside, which suits web applications; compiled code and firmware instead need fuzzing with hand-built harnesses. Mythos reasons semantically about code rather than matching patterns, which is how it found the 27-year-old bug that passed millions of rule-based tests. In practice Mythos should complement SAST/DAST rather than replace them: keep existing tools for continuous CI/CD coverage and reserve Mythos for deep agentic audits of security-sensitive components.
