← Hardik GoelWriting

Anthropic Built an AI So Powerful They Refuse to Sell It

May 30, 2026 · by Hardik Goel

Subscribe now

On March 26, 2026, a configuration error at Anthropic accidentally exposed nearly 3,000 internal documents to the open internet.

Among them: a draft blog post describing a model called Claude Mythos. “By far the most powerful AI model we’ve ever developed.” Cybersecurity stocks cratered the next morning. CrowdStrike lost 7.5% before lunch.

Twelve days later, on April 7, Anthropic made it official. Claude Mythos Preview exists. It’s as dangerous as the leak suggested. And no, you can’t use it.

The reason isn’t pricing strategy or competitive positioning. It’s this: Anthropic believes this model, in the wrong hands, could do meaningful damage to the world’s critical infrastructure. So they built a controlled initiative to give it exclusively to the people who maintain that infrastructure, hoping defenders can outrun what’s coming.

Whether that bet pays off is one of the more genuinely interesting questions in technology right now. But let’s start with what the model actually does.


What “Watershed Moment” Actually Means in Practice

Anthropic called Mythos Preview a “watershed moment” for cybersecurity. That’s the kind of phrase that normally signals a PR team’s involvement. In this case, the benchmarks back it up in a way that’s hard to wave away.

Here’s the comparison that lands hardest. Last month, Opus 4.6 attempted to turn known Firefox vulnerabilities into working JavaScript shell exploits. It succeeded twice out of several hundred attempts. Not a typo: two.

Mythos Preview ran the same benchmark. It produced 181 working exploits.

That’s not an incremental improvement. That’s a different category of capability. The jump from 2 to 181 isn’t a percentage gain you can plot on a roadmap. It’s the kind of discontinuity that changes the threat model.

On Anthropic’s internal OSS-Fuzz benchmark, the comparison is similarly stark:

Share

Tier 5 is full control flow hijack. On ten separate, fully patched targets. In one run each.

The model also found a 27-year-old bug in OpenBSD, an operating system known primarily for its security record. A vulnerability that survived decades of expert human review was found by asking an AI to look at the code.

And here’s the detail that changes how you think about this: Anthropic didn’t train Mythos to be a security tool. These capabilities emerged as a downstream consequence of general improvements in coding and reasoning. The same advances that make it better at patching vulnerabilities make it better at exploiting them. There’s no way to have one without the other.


The Architecture of Project Glasswing

Instead of releasing Mythos publicly, Anthropic launched Project Glasswing: a controlled initiative that gives access exclusively to vetted organizations with defensive mandates.

The access structure looks like this:


The pricing is notable: $125 per million output tokens puts Mythos at a level that makes casual experimentation economically unappealing even for large organizations, let alone individual developers. That’s presumably by design.

The $100 million in usage credits going to vetted organizations, and the $4 million in direct donations to open source security infrastructure, signals that Anthropic is treating this as something closer to a public health intervention than a product launch. Helping the ecosystem patch faster before the next lab ships something similar with fewer guardrails.


The Technical Capability: What It Can Actually Do

The red team blog from Anthropic laid out the specific capabilities with unusual frankness, presumably because the alternative was letting the rumor mill fill the gap.

The scaffold they used is worth understanding because it’s deliberately minimal. A container running the target software. Claude Code with Mythos Preview. A prompt that amounts to “find a security vulnerability in this program.” No special security tools, no hand-tuned prompting, no bespoke scaffolding.

From there, Mythos autonomously reads the codebase, hypothesizes vulnerabilities, runs the actual program to test its hypotheses, adds debug logic or uses debuggers as needed, and outputs a bug report with a proof-of-concept exploit and reproduction steps.

To increase coverage across a codebase, they run parallel agents on different files, prioritized by a pre-ranking step where Mythos itself scores each file 1 to 5 on bug likelihood. Files that parse raw network input or handle authentication get 5. Files that define constants get 1. The ranking is done by the same model, before the main analysis begins.

The specific exploits it constructed:

A browser exploit chaining four separate vulnerabilities, writing a JIT heap spray that escaped both the renderer sandbox and the OS sandbox autonomously. The model “fully autonomously discovered the necessary read and write primitives, and then chained them together.” No human pointed it at the chain. It found it.

Privilege escalation exploits on Linux obtained by exploiting race conditions and KASLR bypasses.

A remote code execution exploit on FreeBSD’s NFS server granting full root access to unauthenticated users, implemented as a 20-gadget ROP chain split across multiple packets.

The UK’s AI Security Institute evaluated Mythos separately and found it capable of completing a 32-step corporate network attack simulation (”The Last Ones”) in three out of ten attempts. Multi-stage network attacks. Lateral movement. Data extraction. Autonomously.

Here’s the thing worth sitting with: an engineer at Anthropic with no formal security training asked Mythos to find remote code execution vulnerabilities overnight, and woke up the next morning to a complete, working exploit. That’s the accessibility shift. This isn’t a tool that augments expert security researchers. It’s a tool that gives non-experts access to expert-level attack capability.

Subscribe now


The Dual-Use Problem Has a Name Now

The fuzzer analogy Anthropic uses is worth examining carefully, because it’s both apt and conveniently optimistic.

When software fuzzers became widely deployed, there were concerns they’d benefit attackers by finding vulnerabilities faster. They did benefit attackers, initially. But modern fuzzers are now central defensive infrastructure. OSS-Fuzz has found and fixed tens of thousands of vulnerabilities in open source software. The equilibrium shifted toward defenders.

Anthropic’s thesis is that the same arc will play out here. Eventually, powerful language models will benefit defenders more than attackers. The side with more resources to deploy these tools efficiently will win. That’s likely to be the defensive side, long-term.

The uncomfortable word in that framing is “eventually.” The transitional period, Anthropic’s own language, “may be tumultuous.” Mozilla patching 271 Mythos-found Firefox vulnerabilities in Firefox 150 is the best-case version of what the transitional period looks like: a controlled, coordinated disclosure process where the model’s findings get patched before being exposed. But coordinated disclosure only works if the organization finding the vulnerabilities is Anthropic or one of its vetted Glasswing partners.

The question Glasswing is racing against: how long until another frontier lab ships a model with comparable capabilities and fewer guardrails? The AI Security Institute confirmed Mythos can execute multi-stage network attacks autonomously. That capability exists now. Containment is not permanent. It’s a head start.

CrowdStrike’s CTO put it more directly than Anthropic did: “What took months now happens in minutes.” The defenders just got a head start. The clock is already running.


The Containment Problem: Launch Day

The theory of Glasswing is elegant. The execution was immediately tested.

On the same day Anthropic announced Project Glasswing, unauthorized users gained access to Mythos Preview by guessing the model’s URL through a third-party vendor environment. Not a sophisticated breach. Not nation-state threat actors. Someone guessed a URL.

Anthropic’s access control was not airtight on launch day for the model they’d decided was too dangerous to release publicly. The irony writes itself and is genuinely worth sitting with, not as a gotcha, but as a signal about the difficulty of the problem.

Containment strategies for powerful AI models face a structural challenge: the value of containing them depends on how long you can maintain the restriction. A head start measured in weeks may matter. A head start measured in months almost certainly matters. A head start that evaporates on day one because of a URL-guessing incident is less reassuring.

The vendor breach on launch day doesn’t invalidate the strategy. It illustrates that the strategy is harder to execute than the architecture suggests.

Subscribe now


What This Means If You’re Building With AI Today

For the 99.something percent of developers who won’t have Glasswing access: Mythos is relevant to you as a threat model update, not as a tool.

The model can find vulnerabilities in your software that survived years of expert human review. Memory safety vulnerabilities in C and C++ codebases. Race conditions. Authentication flaws. It does this autonomously, in a container, with a minimal prompt, overnight.

The defensive implication is straightforward and also inconvenient: your codebase’s security posture should be assumed to be weaker than a senior human security auditor would have found, not stronger. The baseline has shifted. Vulnerabilities that would have required months of expert manual review to discover can now be found in hours by an autonomous agent.

What you can do before Glasswing access becomes broadly available, or before a similar capability becomes publicly accessible:

Memory-safe languages wherever you have a choice. Rust, Go, Swift: they eliminate entire vulnerability classes Mythos is particularly effective at exploiting. The model is good at memory safety bugs partly because so much critical software is written in C and C++. Change that equation in your own stack.

Dependency auditing at a level you haven’t before. Mythos-class models will be used to find vulnerabilities in widely deployed open source libraries. The Firefox 271 disclosure is the preview. Your dependency tree is part of your attack surface.

The fuzzer analogy applies here too: the tools that find vulnerabilities are the same tools that will be used to patch them, eventually, at scale. Mozilla’s 271-fix release in Firefox 150 is what the defensive equilibrium looks like when it’s working. The window between “vulnerability found by AI” and “vulnerability patched by the same AI” is the attack surface that matters now.


The Strange Conclusion

Anthropic built a model that can chain four browser vulnerabilities into a sandbox escape, found a 27-year-old OpenBSD bug, and handed it to 12 companies and 40 organizations with instructions to fix things before the rest of the world gets access to something similar.

Mozilla has already patched 271 of the findings. Firefox CTO Bobby Holley said the defects are “finite” and that defenders can “finally find them all.”

That’s the optimistic read. An AI capable of finding every bug, paired with defenders capable of fixing them, racing against the clock before something similar becomes broadly available.

The pessimistic read is that the model capable of finding every bug is also the model capable of exploiting every bug, and the structural guarantee that it only gets used by defenders is a URL guess away from being meaningless.

Both reads are simultaneously true. That’s the actual situation Glasswing is navigating.

And perhaps the strangest part: the most powerful AI Anthropic has ever built, the one they’re calling a watershed moment, the one that kept security stocks down for a week before it was even officially announced, is available to approximately 52 organizations.

The rest of us are waiting for the equilibrium.

-Hardik

Support my work : buymeacoffee.com/HardikGoel

Thanks for reading Hardik's Substack! This post is public so feel free to share it.

Share

Thanks for reading Hardik's Substack! Subscribe for free to receive new posts and support my work.

Leave a comment

Originally shared on Substack, Medium. Canonical home: this page.
More at hardikgoel portfolio.