Anthropic's Claude Mythos Found Thousands of Zero-Days — So They're Not Releasing It

Anthropic is not releasing Claude Mythos to the public. The company announced the model's existence this week alongside Project Glasswing — a controlled deployment program — and disclosed the reason with unusual candor: the model is too good at finding and exploiting software vulnerabilities. In controlled evaluations, Claude Mythos autonomously discovered a 27-year-old memory corruption bug in OpenBSD's TCP SACK implementation, a 16-year-old codec flaw in FFmpeg that had evaded automated testing over 5 million times, and a 17-year-old NFS vulnerability in FreeBSD for which it independently developed a working exploit. The total count of high-severity vulnerabilities found across major operating systems and web browsers runs to thousands.

The Performance Numbers Are Striking

The benchmark comparisons make clear why Anthropic is being cautious. On the CyberGym benchmark — a standardized test for autonomous vulnerability discovery — Claude Mythos scores 83.1% versus Claude Opus 4.6's 66.6%. On Firefox exploit development specifically, the model produced 181 working exploits in evaluation conditions where Opus 4.6 managed two. On SWE-bench, which measures software engineering capability, Mythos achieves 93.9% versus Opus 4.6's 80.8%. These are not marginal improvements. The jump from current frontier to Mythos represents a qualitative capability shift in the specific domain of autonomous system compromise.

The "Too Dangerous" History

Anthropic's decision echoes OpenAI's 2019 decision to withhold GPT-2, which the company also described as "too dangerous to release." The industry largely dismissed that decision as overcautious, and GPT-2 was eventually released in full without the predicted consequences. Claude Mythos is different in kind: GPT-2's risk was speculative and concerned its ability to generate convincing text. Mythos's risk is demonstrated and specific — it finds and exploits real vulnerabilities in production software that billions of people use. Anthropic's decision to restrict it while deploying it with vetted security researchers through Project Glasswing is the first case where a major lab has withheld a model because of documented, measured capability rather than precautionary inference.

The Defensive Case for Controlled Release

The logic of Project Glasswing is that an AI capable of autonomously finding 27-year-old vulnerabilities should be used to find them before malicious actors do — but under conditions that ensure the exploits are patched rather than weaponized. Anthropic's 11 partner organizations include security researchers and software vendors who can act on vulnerability disclosures. The question the industry is watching is whether this model of controlled safety capability deployment scales: as models become more capable, the gap between beneficial security research and offensive weaponization narrows, and the governance structures for managing that gap are still being invented.