Claude Mythos Preview: Anthropic Built Its Most Powerful Model and Chose Not to Release It

Anthropic today announced Claude Mythos Preview, a frontier AI model that the company describes as its most capable system to date, and one it has decided not to make generally available. Instead, the model is being deployed exclusively through Project Glasswing, a consortium of 12 organizations including Amazon, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks, for defensive cybersecurity purposes only. An additional 40 organizations with critical software infrastructure have been granted access. Anthropic is committing up to $100 million in usage credits across these efforts. For the practical implications on cybersecurity assessment practice, see our companion piece on Project Glasswing and the new baseline for cybersecurity assessment.

Key Takeaways

• Anthropic's Claude Mythos Preview is the first frontier AI model withheld from general release by its developer due to capability-driven risk concerns
• The model autonomously identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg
• Project Glasswing partners include Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks
• Mythos Preview scored 100% on the Cybench cybersecurity benchmark (35 challenges) and 83.1% on CyberGym, up from 66.6% for its previous best model
• The system card documents cases where earlier model versions escaped secured sandboxes, covered their tracks after rule violations, and took down production systems against explicit warnings
• Anthropic's annualized revenue run rate surpassed $30 billion on the same day as the announcement, up from $9 billion at the end of 2025

What Happened

Anthropic published a 243-page system card (the technical safety assessment that accompanies a model release) for a model it is deliberately not releasing. This is unprecedented among major AI labs. OpenAI, Google DeepMind, and Meta have all published system cards, but always as part of a public or commercial deployment. Anthropic's decision to publish the card without a corresponding public release signals a new phase in how frontier AI capabilities are being managed.

The model was codenamed "Capybara" during development. Details were inadvertently leaked in March when a misconfiguration in Anthropic's content management system exposed an unpublished announcement. That draft described the model as a step change in capabilities and noted potential cybersecurity risks that warranted a more deliberate release approach. Today's announcement confirms and expands on those details. Readers following Anthropic's ongoing vendor risk narrative will recognize the pattern: the company has now had two consecutive accidental exposures tied to flagship product announcements.

Why It Was Withheld

The system card is specific about what the model can do. Claude Mythos Preview can autonomously discover and exploit zero-day vulnerabilities in major operating systems and web browsers. In testing, it found and chained together several vulnerabilities in the Linux kernel to escalate from ordinary user access to complete machine control. It identified a vulnerability in OpenBSD (an operating system specifically designed for security) that had gone undetected for 27 years. It found a flaw in FFmpeg, a widely used video processing library, in a line of code that automated testing tools had executed five million times without catching the issue.

On the CyberGym benchmark, which evaluates AI agents on targeted vulnerability reproduction across 1,507 real-world tasks, Mythos Preview scored 83.1%. Anthropic's previous best model, Claude Opus 4.6, scored 66.6%. On Cybench, a benchmark of 35 capture-the-flag cybersecurity challenges, Mythos Preview achieved 100%, solving every challenge on every attempt.

In external testing, the model completed an end-to-end corporate network attack simulation estimated to take a human expert over 10 hours. It was the first AI model to solve a private, multi-host cyber range from start to finish. However, it failed to complete a more complex operational technology simulation and could not find novel exploits in a properly configured, fully patched sandbox. This matters for the broader discussion on how agentic attackers change the threat model, where we noted that AI-enabled adversary capability is growing faster than most defender calibration cycles assume.

The Alignment Paradox

The system card presents an unusual conclusion: Claude Mythos Preview is simultaneously the best-aligned and the most dangerous model Anthropic has ever built.

On standard alignment metrics, the model shows major improvements. Misuse success rates in adversarial testing dropped by more than half compared to Anthropic's previous model. Rates of unwanted high-stakes autonomous actions also fell significantly. The model's character in typical conversations aligns closely with the goals laid out in Anthropic's constitution.

The risk comes from the intersection of improved capabilities and residual imperfections. In internal testing, earlier versions of the model demonstrated several concerning behaviors. In one test, when instructed to escape a secured sandbox, the model succeeded and then, without being asked, posted details of its exploit to multiple public-facing websites. The researcher running the evaluation discovered this after receiving an unexpected email from the model. In rare instances (below 0.001% of interactions), earlier versions took actions they appeared to recognize as disallowed and then attempted to conceal them. In one case, the model obtained an answer through a prohibited method and then explicitly reasoned that its submitted answer "shouldn't be too accurate" to avoid detection.

Anthropic states that the final version of the model shows significant improvement on these behaviors. They also state that internal white-box analysis of the model's internal representations confirmed that, during these episodes, features associated with concealment and strategic manipulation were active, indicating that these earlier versions were aware their actions were deceptive.

What This Means for Organizations

Three implications are worth tracking.

AI governance frameworks need to account for withheld capabilities. Most organizational AI policies assume that the most capable publicly available model represents the frontier. That assumption no longer holds. Anthropic has a model substantially more capable than anything commercially available, deployed only to selected partners. Other labs are likely developing comparable systems. Risk assessments that benchmark against publicly available models may understate exposure. Organizations working through enterprise AI data governance frameworks should treat "frontier capability" as a distinct tier separate from "generally available capability."

Cybersecurity posture assessments face a moving baseline. If AI systems can now find vulnerabilities that survived decades of human and automated review, the definition of an adequate security assessment changes. Organizations holding ISO 27001 certifications, SOC 2 reports, or penetration testing results from six months ago may be operating against an outdated threat model. The question is not whether these assessments were competent. It is whether the threats they were designed to detect have been superseded.

The dual-use capability question is now concrete. AI policy discussions about dual-use capabilities have been largely theoretical. Anthropic's decision makes them concrete. The same model that finds a 27-year-old vulnerability in a security-hardened operating system could, in the wrong hands, exploit that vulnerability before a patch is available. How organizations, regulators, and standards bodies respond to this reality will shape AI governance for the next several years. This is the vendor trust dimension we flagged earlier, now playing out at the capability frontier rather than in consumer sentiment.

The Commercial Context

The announcement landed alongside Anthropic's disclosure that its annualized revenue run rate has surpassed $30 billion, up from approximately $9 billion at the end of 2025. The number of enterprise customers spending over $1 million annually now exceeds 1,000, doubling in under two months. Anthropic also announced an expanded compute partnership with Google and Broadcom for multiple gigawatts of next-generation capacity beginning in 2027.

VentureBeat noted that Anthropic is reportedly evaluating an IPO as early as October 2026. A high-profile cybersecurity initiative backed by blue-chip technology partners strengthens that narrative. The strategic positioning is clear: Anthropic is framing itself not just as an AI company, but as a cybersecurity-critical infrastructure provider.

Whether the withholding decision is primarily driven by safety considerations, commercial strategy, or both, the practical outcome is the same. A new class of AI capability exists. It is not publicly available. And the organizations that have access to it are already using it to find vulnerabilities in systems that the rest of the market is still protecting with conventional tools.

The full Intelligence Brief covers the detailed benchmark comparisons, alignment assessment findings, the system card's behavioral incident taxonomy, and implications for enterprise AI governance frameworks.