On April 7, 2026, Anthropic announced "Claude Mythos Preview" — a new model class available only to 11 vetted organisations through something called Project Glasswing. The announcement was relatively quiet. The results weren't: the model autonomously discovered thousands of zero-day vulnerabilities in OpenBSD, FFmpeg, and the Linux kernel. Here's what it is, how it differs from regular Claude, and what it means for developers and security teams who aren't in those 11 organisations.
What is Claude Mythos?
Claude Mythos is a new Claude model class positioned above Opus in capability. It's not available through the standard API, on claude.ai, or through any reseller or API gateway. Access is exclusively through "Project Glasswing" — a controlled deployment to 11 vetted partner organisations.
Anthropic's framing: Mythos is a specialised model class designed for finding and fixing cybersecurity vulnerabilities. It's the first public example of Anthropic deploying a model above Opus capability for a specific domain application, rather than as a general-purpose API.
Their stated long-term goal is to "eventually enable users to safely deploy Mythos-class models at scale." That language is deliberately hedged — this is not a near-term GA release.
What it actually did (the results)
The numbers that made the security community pay attention: Claude Mythos Preview autonomously discovered thousands of zero-day vulnerabilities in production software. The confirmed targets are OpenBSD, FFmpeg, and the Linux kernel.
These aren't toy examples or CVE-database regurgitation:
- OpenBSD is an operating system used in network infrastructure, firewalls, and security-focused deployments worldwide. Its codebase is maintained with security as an explicit, primary design principle.
- FFmpeg processes video and audio on billions of devices. It's a particularly rich target because it handles complex untrusted media data — the attack surface is enormous.
- The Linux kernel runs most of the internet's server infrastructure, Android devices, and a substantial portion of enterprise computing.
Finding thousands of zero-days in these three codebases — not in a lab, in actual production software — is a qualitative step beyond what any previous AI security tool has demonstrated publicly.
How it differs from Claude Opus 4.6
| Feature | Claude Opus 4.6 | Claude Mythos Preview |
|---|---|---|
| Publicly available | Yes (API, claude.ai) | No — vetted orgs only |
| Access path | Standard API, AICredits.in, etc. | Project Glasswing only |
| Primary use case | General purpose | Cybersecurity specialist |
| Context window | 1M tokens | 1M tokens (presumed) |
| Position in capability hierarchy | Highest public model | Above Opus |
| Pricing | $5/$25 per MTok input/output | Not publicly available |
| Safety evaluation | ASL-3 | ASL-4 (presumed) |
The capability hierarchy distinction matters. Anthropic's Responsible Scaling Policy (RSP) defines "Autonomy Levels" (ASLs) for models. Opus 4.6 operates under ASL-3 constraints. A model capable of autonomously discovering thousands of zero-days in production systems would plausibly require ASL-4 constraints — which explains the controlled access model rather than general availability.
The domain specialisation is also meaningful. This isn't just "Opus but bigger." Mythos appears to be trained specifically for vulnerability research — different evaluation criteria, different safety requirements, different deployment conditions than a general-purpose model.
What this means for developers and security teams
For application security teams
The practical implication is that this class of capability will eventually be deployable against your own codebase. Anthropic's "eventual goal" language suggests public access is likely 1–2 years out, with significant safety evaluation and policy work required first.
What to do now: learn prompt engineering for security-specific tasks using Opus 4.6. The prompting patterns for LLM-based code analysis are learnable today — fuzzing strategy design, vulnerability class prioritisation, SAST output interpretation, patch validation. The model that does this autonomously isn't available yet; the skills for using it when it arrives are learnable now.
Tools to study: the open-source agent frameworks that currently wrap Opus 4.6 for security analysis — most serious security AI work is happening in agent architectures where Claude reads code, proposes hypotheses, runs analysis tools, and iterates. See AI agent design patterns for the framework-level approach.
For open source maintainers
The three targets Mythos analysed (OpenBSD, FFmpeg, Linux kernel) were presumably chosen in coordination with their maintainers or with planned responsible disclosure. The vulnerability discoveries need to be disclosed and patched before any of this is public — which is a substantial amount of coordinated work for projects of that scale.
The implication for smaller OSS maintainers: a Mythos-class analysis will eventually be available through an Anthropic OSS program (similar to their existing Claude Max for open source developers program). The bugs it finds will be real. Projects that haven't thought about their disclosure and patch workflow should start thinking about it.
For developers building security products
The gap between "LLM-assisted security analysis" and "autonomous zero-day discovery" is closing faster than most security product roadmaps assumed. If you're building SAST tooling, code review infrastructure, or vulnerability management products, the assumption that AI is a "junior analyst" that needs human review of every finding is probably a 2024 assumption.
The patterns for LLM-based security analysis — structured output parsing for vulnerability reports, tool integration with analysis sandboxes, multi-step reasoning chains for root cause analysis — are applicable today using Opus 4.6. The capability ceiling will rise.
The security community's reaction
Discussion in the security research community has split predictably into two camps:
The concern: the same model that finds zero-days could theoretically be used to develop exploits. A model capable of discovering vulnerabilities at scale is, by definition, capable of understanding them deeply enough to exploit them. This is the core dual-use problem.
Anthropic's approach: controlled access, vetted organisations, responsible disclosure framework. The 11 initial Project Glasswing partners are presumably working under agreements with affected projects and with Anthropic's safety team. The model isn't being handed to anyone who can pay for API access.
This is a meaningful policy choice. The alternative — release broadly and rely on misuse detection — doesn't work for a model capable of finding zero-days in the Linux kernel. The risk profile is too asymmetric: the harm from misuse is catastrophic and the benefit of open access is marginal compared to a vetted-access program.
Where the security community's concern is legitimate: the "11 vetted organisations" list isn't public. Vetting criteria aren't published. The disclosure timeline and process for the vulnerabilities already found aren't public. Transparency about the governance model would be appropriate given the stakes.
What to expect next
Controlled rollout to more organisations is the stated path. The 11 → N expansion will likely happen through the same Glasswing application process, with Anthropic evaluating each organisation's security posture, disclosure practices, and intended use.
Integration with security tooling is the obvious direction: SIEM integration, CI/CD pipeline code scanning, fuzzing infrastructure orchestration. Mythos doing autonomous fuzzing at scale — directing test cases based on vulnerability hypotheses rather than random mutation — is a step-function improvement over current approaches.
Public API access for qualified security researchers will come, but the timeline is unclear. Anthropic's track record with controlled rollouts (the extended thinking beta, the 1M context beta, the computer use beta) suggests they'll run the program for 6–12 months with vetted partners before any broader access.
For most security teams right now: Opus 4.6 with well-designed security analysis prompts is the practical ceiling. That's not nothing — Opus 4.6 is genuinely useful for code review, threat modelling, and SAST result triage. The "red teaming your prompts" lesson covers adversarial thinking patterns that transfer directly to security analysis prompting.
Next steps
- Adversarial prompt thinking for security analysis — red teaming your prompts
- How prompt injection attacks work — prompt injection
- Using Claude Opus 4.6 for security tasks today — Claude Opus 4.6 prompting guide
- Building agent-based security tools — AI agent security: red teaming your agents



