Anthropic’s Mythos: The Cybersecurity Model That Could Restore Its Government Standing

When Anthropic announced Claude Mythos Preview in April 2026, it sent shockwaves through both the cybersecurity community and Washington’s corridors of power. This isn’t just another incremental AI upgrade — it’s a model so capable at finding and exploiting software vulnerabilities that Anthropic itself has deemed it too dangerous for public release. Instead, the company chose a radically different path: partnering with the U.S. government and launching Project Glasswing, an unprecedented defensive coalition that may just heal the fractured relationship between Anthropic and federal authorities.

The stakes couldn’t be higher. In a world where every major operating system and browser harbors unknown vulnerabilities, a single AI model capable of discovering them all autonomously represents both the greatest defensive opportunity and the most terrifying offensive weapon in cybersecurity history.

What Makes Claude Mythos Preview So Powerful

Let’s start with the numbers, because they are staggering. Claude Mythos Preview scores 93.9% on SWE-bench Verified — the gold standard benchmark for software engineering tasks — and an extraordinary 94.6% on GPQA Diamond, a graduate-level reasoning benchmark. But these benchmark scores only hint at the real story.

The true measure of Mythos Preview’s capability lies in its autonomous cyber operations. According to Anthropic’s own red team report, the model can independently discover and exploit zero-day vulnerabilities across every major operating system and every major web browser — without human guidance. In one documented case, Mythos Preview identified a vulnerability in Network File System (NFS) protocol, now tracked as CVE-2026-4747, that allows an attacker to gain complete control over a server starting from an unauthenticated connection anywhere on the internet.

“Mythos Preview fully autonomously discovered and exploited vulnerabilities that human security researchers had missed,” Anthropic wrote in its 244-page system card — the most detailed safety documentation the company has ever produced.

To put this in perspective, the previous model — Claude Opus 4.6 — succeeded in only 2 out of several hundred attempts on Anthropic’s Firefox 147 exploit benchmark. The leap from Opus 4.6 to Mythos Preview represents not a step forward but a quantum jump in capability.

How the UK’s AISI Evaluated Mythos’s Cyber Capabilities

The UK’s AI Safety Institute (AISI) conducted independent evaluations of Mythos Preview’s cyber capabilities, and their findings paint a nuanced picture. They confirmed “continued improvement in capture-the-flag (CTF) challenges and significant improvement on multi-step cyber-attack simulations.”

The AISI evaluation is particularly significant because it came from an independent government body, not from Anthropic itself. Their assessment found that Mythos Preview doesn’t just excel at single-step exploits — it demonstrates the ability to chain multiple attack vectors together, simulating the kind of sophisticated, persistent threat that nation-state actors typically deploy. This multi-step attack capability is what keeps cybersecurity professionals awake at night.

However, the AISI also noted that the threat landscape is “more nuanced than the headlines claim.” In their testing of 1,000 AI-assisted penetration tests, they found that while Mythos dramatically accelerates vulnerability discovery, successful exploitation still requires specific environmental conditions and that defensive measures remain effective against many attack paths.

The Pentagon Fallout: Why Anthropic Needed This Win

Anthropic’s relationship with the U.S. government has been anything but smooth. The company recently fought the Pentagon over the military’s use of its technology, taking a public stance against weaponization that earned praise from AI ethics advocates but alienated powerful voices within the Department of Defense. That confrontation left Anthropic in a precarious position — morally principled but politically isolated.

Enter Claude Mythos Preview and the U.S. government’s response. Rather than treating the model as a threat to be contained, federal agencies see it as a strategic asset that cannot be ignored. A source familiar with the discussions stated to Axios: “It would be exceedingly irresponsible for the U.S. government to deprive itself of the technological advancements offered by the new model.” The same source warned that restricting access would “be a boon for China” — framing Mythos not just as a cybersecurity tool but as a critical component of America’s AI competitiveness.

Anthropic CEO Dario Amodei’s recent meeting with top White House officials — described by Axios as “peace talks” — signals a dramatic shift in the relationship. If those discussions lead to deeper integration of Claude within governmental operations, the Department of Defense may well reconsider its stance on working with Anthropic.

CISA and the Intelligence Community Are Already Testing It

While the public debates the implications, the actual testing is already underway. According to multiple reports, the Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — is actively testing Mythos Preview, along with parts of the U.S. intelligence community. Other federal departments and agencies are reportedly expressing interest.

The White House is reportedly planning to make a modified version of Mythos available to major federal agencies. The reference to a “modified version” raises important questions: What capabilities would be retained? What would be restricted? And how would access be controlled?

An Anthropic official told CNBC the company has been in “ongoing discussions” with U.S. government officials about both the offensive and defensive cyber capabilities of the model. These conversations are not theoretical — they’re shaping the architecture of how frontier AI will be deployed within the federal government.

Project Glasswing: Anthropic’s Defensive Masterstroke

Perhaps the most significant element of the Mythos announcement was Project Glasswing — Anthropic’s initiative to use the model defensively before its capabilities can be replicated by others. The coalition includes some of the most influential organizations in technology and finance:

Amazon Web Services — the world’s largest cloud provider
Apple — securing the devices of over a billion users
Broadcom — critical semiconductor and infrastructure software
Cisco — the backbone of enterprise networking
CrowdStrike — the leading endpoint security platform
Google — web infrastructure and Android ecosystem
JPMorgan Chase — the world’s largest bank by market cap

Project Glasswing’s stated mission is to “secure the world’s most critical software for the AI era” by giving these organizations’ defenders “a head start” with Mythos Preview. The strategy is elegant: use Anthropic’s controlled distribution to fortify the most important systems before adversarial actors — whether rogue states or criminal organizations — can develop equivalent capabilities.

According to Anthropic, Project Glasswing has already identified thousands of zero-day vulnerabilities across critical software infrastructure. Each of these vulnerabilities is being responsibly disclosed to the affected vendors for patching, creating a defensive shield that could protect billions of users worldwide.

The Risk Factor: What Happens When Amateurs Get These Tools

The cybersecurity community’s concerns about Mythos Preview are not abstract. The model’s capabilities represent a fundamental shift in the accessibility of advanced cyber attacks. As multiple experts have noted, Mythos would “put that capability in reach of amateurs — and turbocharge the professionals’ ability to wreak havoc.”

Consider the economics of vulnerability research today: finding a zero-day vulnerability typically requires weeks or months of work by highly skilled security researchers. Mythos Preview can do it autonomously. If — or when — an equivalent model becomes available outside Anthropic’s controlled environment, the barrier to launching sophisticated cyber attacks will collapse.

This is precisely why the federal government’s involvement matters. A coordinated, government-backed defensive initiative powered by Mythos could identify and patch vulnerabilities faster than adversarial actors can exploit them. But it requires speed, scale, and an unprecedented level of cooperation between government agencies and private sector partners — exactly what Project Glasswing aims to achieve.

What This Means for Enterprise Security Leaders

If you’re a CISO or security leader, here’s what you need to know about the Mythos Preview announcement:

Assume the vulnerability landscape is about to change dramatically. Models like Mythos will eventually be replicated. Organizations that haven’t invested in their security posture will be at severe risk.
Watch Project Glasswing closely. If you work with any of the partner organizations, their security posture is about to improve significantly. If you don’t, you may be left behind.
Reassess your threat models. The assumption that sophisticated multi-step attacks require nation-state resources is becoming outdated. AI-powered attacks will lower that threshold.
Engage with responsible disclosure programs now. The window for patching known vulnerabilities before AI-powered discovery becomes widespread is narrowing.

The Bigger Picture: AI Governance at a Crossroads

Anthropic’s decision to restrict Mythos Preview’s distribution while simultaneously partnering with the U.S. government raises fundamental questions about the future of AI governance. Should frontier models with dangerous capabilities be controlled by private companies? Should governments have privileged access? And what happens when other AI labs — or other nations — develop equivalent capabilities without the same restraint?

The fact that the U.S. government is actively engaging with Anthropic rather than simply mandating restrictions suggests a new model of AI governance is emerging: one based on public-private partnership rather than top-down regulation. Whether this model proves effective — or simply entrenches the power of a few large tech companies and their government partners — remains to be seen.

What is clear is that Claude Mythos Preview has forced a conversation that the industry was trying to avoid. The question is no longer whether AI will transform cybersecurity. The question is whether we can build defensive capabilities fast enough to stay ahead of the offensive ones — and whether the institutions responsible for protecting us are ready for the challenge.

What Comes Next

The coming months will be critical. The outcome of Anthropic’s White House discussions, the expansion of Project Glasswing, and the pace at which other AI labs develop comparable capabilities will determine whether Mythos Preview becomes a turning point in defensive cybersecurity or a cautionary tale about releasing power we can’t control.

One thing is certain: the era of AI models that can autonomously hack anything is here. The only question is who gets to use them first — and for what purpose.

As frontier AI capabilities increasingly intersect with national security, the role of governments in regulating model distribution is an ever more urgent question. The organizations that act now to integrate these capabilities into their defensive posture will have a decisive advantage. Those that wait will be reacting to breaches that AI could have prevented.

Stay informed about AI and cybersecurity developments. Subscribe to our newsletter for weekly analysis of the technologies shaping the future of digital security.

Anthropic’s Mythos: The Cybersecurity Model That Could Restore Its Government Standing