Anthropic's New Security AI Finds 27-Year-Old Bugs Humans Missed. Here's Why It's Locked Away.

Anthropic announced Claude Mythos Preview on April 7, a specialized AI model designed to autonomously find and exploit software vulnerabilities, but it is not available to the general public. Instead, the model is restricted to a partner program called Project Glasswing, which includes only vetted organizations such as AWS, Apple, Google, Microsoft, and Cisco, plus 40 or more additional partners focused on critical infrastructure and open-source security. The restriction is not an oversight; it is the foundation of how Anthropic chose to ship this model.

What Makes Claude Mythos Different From Other AI Security Tools?

Claude Mythos demonstrated capabilities that are difficult to dismiss as marketing. Anthropic announced two findings that showcase the model's real-world impact. First, it discovered a 27-year-old vulnerability in OpenBSD, an operating system whose reputation is built on aggressive code review and proactive security auditing. A bug that survived 27 years inside the OpenBSD codebase is, in practice, a bug that human review alone was not going to find.

Second, the model found a 16-year-old flaw in FFmpeg, a widely used multimedia framework. This discovery is technically the more interesting of the two, because modern fuzzing, the gold standard for catching memory corruption in C codebases, had executed the surrounding code path more than 5 million times without triggering the bug. Executing a path is not the same as reaching the state that triggers the fault on it: the likeliest reading is that the vulnerability is reachable only under specific semantic conditions that random mutation does not satisfy, exactly the kind of gap that large language models (LLMs), which reason about code rather than sample it, are theoretically good at closing.
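The gap the FFmpeg result points at, illustrated with an added example that is not FFmpeg, OpenBSD or Anthropic code and does not model the actual bug: a constructed toy chunk parser whose "extension" branch ends with a terminator write that the otherwise correct bounds check never accounted for. Every extension chunk executes that branch, so a fuzzer's coverage map is saturated by benign inputs, but the write leaves the buffer only when `offset + len` equals the frame size exactly. The example records a small bitmask of branch identifiers as a stand-in for edge coverage, and shows that the faulting input produces exactly the same coverage as a harmless one, which is why coverage feedback gives the fuzzer nothing to climb toward. The chunk layout, `FRAME_SIZE`, the edge identifiers and the canary-based overflow detection are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_SIZE 4096
#define CANARY_LEN 8
#define CANARY     0xA5

enum { CHUNK_REJECTED = -1, CHUNK_OK = 0, CHUNK_OVERFLOW = 1 };

/* Branch identifiers: a stand-in for the edge coverage a fuzzer collects. */
enum { EDGE_ENTER = 1u << 0, EDGE_SHORT = 1u << 1, EDGE_OOB = 1u << 2,
       EDGE_COPY = 1u << 3, EDGE_EXT = 1u << 4 };

/* Frame buffer followed by a canary, so the one-byte overflow is observed
 * here instead of corrupting whatever follows the allocation in a real target. */
typedef struct { uint8_t buf[FRAME_SIZE + CANARY_LEN]; } frame_t;

static void frame_init(frame_t *f)
{
    memset(f->buf, 0, FRAME_SIZE);
    memset(f->buf + FRAME_SIZE, CANARY, CANARY_LEN);
}

static int canary_intact(const frame_t *f)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (f->buf[FRAME_SIZE + i] != CANARY) return 0;
    return 1;
}

/* Constructed chunk layout (assumption of this example):
 *   [0] kind (0x07 = extension chunk), [1] len, [2..3] little-endian offset
 *   into the frame, [4..] payload of len bytes. */
static int parse_chunk(frame_t *f, const uint8_t *in, size_t n, uint32_t *edges)
{
    *edges |= EDGE_ENTER;
    if (n < 4) { *edges |= EDGE_SHORT; return CHUNK_REJECTED; }
    uint8_t  kind   = in[0];
    uint8_t  len    = in[1];
    uint16_t offset = (uint16_t)(in[2] | (in[3] << 8));
    if (n < 4u + len) { *edges |= EDGE_SHORT; return CHUNK_REJECTED; }

    /* Bounds check that is correct for the payload copy itself. */
    if (offset > FRAME_SIZE || len > FRAME_SIZE - offset) {
        *edges |= EDGE_OOB;
        return CHUNK_REJECTED;
    }
    *edges |= EDGE_COPY;
    memcpy(f->buf + offset, in + 4, len);

    if (kind == 0x07) {
        *edges |= EDGE_EXT;
        /* Intentional bug: the terminator was never part of the bounds check.
         * It lands one byte past the frame exactly when offset + len == FRAME_SIZE;
         * for every other accepted extension chunk this branch runs harmlessly. */
        f->buf[offset + len] = 0x00;
    }
    return CHUNK_OK;
}

/* Build one chunk from the given fields, run it against a fresh frame and
 * report both the outcome and the coverage it produced. */
static int run_scenario(uint8_t kind, uint8_t len, uint16_t offset, uint32_t *edges)
{
    uint8_t in[4 + 255];
    in[0] = kind;
    in[1] = len;
    in[2] = (uint8_t)(offset & 0xff);
    in[3] = (uint8_t)(offset >> 8);
    memset(in + 4, 0x41, len);           /* constructed payload: "AAAA..." */

    frame_t f;
    frame_init(&f);
    *edges = 0;
    int rc = parse_chunk(&f, in, 4u + len, edges);
    if (rc == CHUNK_REJECTED) return CHUNK_REJECTED;
    return canary_intact(&f) ? CHUNK_OK : CHUNK_OVERFLOW;
}

int scenario_status(uint8_t kind, uint8_t len, uint16_t offset)
{
    uint32_t e;
    return run_scenario(kind, len, offset, &e);
}

uint32_t scenario_edges(uint8_t kind, uint8_t len, uint16_t offset)
{
    uint32_t e;
    run_scenario(kind, len, offset, &e);
    return e;
}

int main(void)
{
    /* Benign extension chunk: executes the buggy branch, no fault. */
    uint32_t benign  = scenario_edges(0x07, 10, 100);
    /* Crafted extension chunk: same branches, but offset + len == FRAME_SIZE. */
    uint32_t crafted = scenario_edges(0x07, 10, FRAME_SIZE - 10);
    printf("benign : status %d, edges 0x%02x\n", scenario_status(0x07, 10, 100), benign);
    printf("crafted: status %d, edges 0x%02x\n", scenario_status(0x07, 10, FRAME_SIZE - 10), crafted);
    printf("coverage identical: %s\n", benign == crafted ? "yes" : "no");
    return 0;
}
```

The relation in this toy is narrow enough to show the mechanism but wide enough that blind mutation would still stumble onto it eventually; real formats carry 32-bit fields and multi-chunk state, where the equivalent relation is far outside what a saturated coverage map can guide a fuzzer to. The point the example makes is structural: the input that faults and the input that does not are indistinguishable to coverage feedback right up to the fault itself.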

Anthropic also reported multiple Linux kernel privilege-escalation vulnerabilities and claims "thousands of high-severity vulnerabilities" in total across operating systems, browsers, and foundational libraries. The more measurable evidence, however, comes from a benchmark called CyberGym, which gives a model a vulnerability description and the real target codebase and scores whether it can produce a working proof-of-concept that actually reproduces the vulnerability. Claude Mythos scored 83.1% on CyberGym, compared to 66.6% for Claude Opus 4.6, Anthropic's previous most capable general-purpose model.

Going from roughly 67% to 83% on a benchmark like that is more than an incremental improvement. It is the difference between a useful research assistant and an autonomous agent you can leave running against a codebase overnight and expect to come back with reproductions for most of its findings rather than a pile of unverified leads; a 17% miss rate still means each result is confirmed before it becomes a ticket. Anthropic explicitly states that Mythos "performs autonomously without human steering in many cases," a phrasing that matters. Most AI security tooling today still requires a researcher in the loop to triage and verify findings. Mythos, in the cases where it works, does not.

Why Is Anthropic Restricting Access to This Powerful Model?

The decision to gate Claude Mythos behind a partnership program rather than releasing it broadly reflects a fundamental challenge in AI safety. A model that can autonomously find a 27-year-old bug in OpenBSD is also a model that can autonomously find unknown bugs in your production stack. The capability does not care about the operator's intent. Anthropic could have published Mythos behind a standard "acceptable use policy" click-through, the way most AI labs handle dual-use risk, but the company chose not to.

The math is brutal: if even a small fraction of paying API customers used Mythos to find zero-days (previously unknown vulnerabilities) for sale on the black market, the result would be a measurable spike in real-world exploitation against the same critical infrastructure Anthropic is trying to protect. Gating by partnership is an admission that policy alone is insufficient when the capability gap is this large.

How to Determine If Your Organization Qualifies for Project Glasswing

  • Maintain Critical Software: You maintain code that other people depend on at scale, such as operating systems, browsers, kernels, or foundational libraries that millions of users rely on.
  • Operate Critical Infrastructure: You operate critical infrastructure systems including cloud platforms, networking infrastructure, or financial systems that support essential services.
  • Security Organization Track Record: You are an open-source security organization with a demonstrated track record of responsible vulnerability disclosure and community trust.

Notably absent from the public list are penetration testing firms, bug bounty platforms, and anyone whose business model is selling vulnerability research to third parties. That reads as a deliberate choice. Project Glasswing launched with 12 founding partners, including AWS, Google, Microsoft, Apple, and Cisco. Beyond the founding 12, Anthropic added 40 or more organizations focused on critical infrastructure protection and open-source maintenance.

When Mythos eventually reaches general availability, it will cost $25 per million input tokens and $125 per million output tokens. For comparison, Claude Opus 4.6 costs roughly $15 input and $75 output per million tokens, making Mythos approximately 1.7 times more expensive on both input and output than the most capable general-purpose Claude model. This pricing plausibly reflects real cost: Mythos is almost certainly larger than Opus, almost certainly does more internal reasoning per token, and almost certainly was more expensive to train.

More importantly, the price is a soft access control mechanism. At $125 per million output tokens, you do not casually point Mythos at every public GitHub repository to see what it finds. The economics make opportunistic mass-scanning prohibitively expensive while keeping targeted defensive use affordable for organizations that have a specific codebase to harden. It is a filter against opportunists, not against a funded adversary who already budgets for exploit acquisition, which is why the partner gating still has to do the real work. This is the same logic that keeps satellite imagery affordable for journalists but expensive for stalkers; pricing is not just revenue, it is a filter.

How Anthropic Is Subsidizing Defenders Over Attackers

Anthropic committed $100 million in usage credits to Glasswing partners and donated $4 million to open-source security organizations. Read those numbers in context: defenders are being subsidized to use Mythos at zero or near-zero marginal cost, while everyone else faces full price plus access restrictions. That is a deliberate asymmetry. Anthropic is paying to put Mythos in the hands of the people who maintain the code before it is available to anyone who might want to exploit it.

The window between "defenders can use this" and "attackers can buy this" is the entire game, and Anthropic is spending $100 million to widen it. Whether that strategy works depends on how long the window stays open. If a competing AI lab ships an equivalent capability without the access controls, the asymmetry collapses overnight. If Anthropic stays meaningfully ahead on this specific capability for six months, defenders get a real head start on hardening the most widely used software on the planet.

The official timeline for general availability is "after we develop appropriate safeguards with an upcoming Claude Opus model." The unofficial reading is months, not weeks, tied to a future release rather than a fixed date. Realistically, Mythos in its current form is unlikely to be sold directly on the open API market. What seems more probable is that the techniques pioneered for Mythos, including the training data, the autonomous-loop scaffolding, and the safety filters, will be folded into a future general-purpose Opus release in a more constrained form. Users will get some of the capability, with guardrails intended to prevent the most concerning use cases.

For organizations that maintain critical infrastructure or foundational open-source software, investigating Glasswing membership is worth the effort. The 40 or more non-founding partners suggest the program is actively expanding, and the subsidized usage credits are arguably the cheapest security audit available. For teams building products on the Claude API, nothing changes today; Opus 4.6 and Sonnet 4.6 remain the daily drivers for most use cases.