Anthropic has completed training on Claude Mythos, the company’s most capable model, and is releasing it only to a closed research consortium called Project Glasswing rather than as a commercial product. The decision was disclosed in a post on Anthropic’s red-team research blog and corroborated by reporting from Fortune and Pluralsight. For a frontier lab to ship a model only to defensive security researchers is the most consequential safety-policy choice any of the major labs has made in 2026.
The capability claims in the post are specific. Anthropic says Mythos autonomously identified and exploited a 17-year-old remote-code-execution vulnerability in FreeBSD, now tracked as CVE-2026-4747. In a separate benchmark, the model became the first to complete a 32-step corporate-network attack simulation in minutes; the company says the same task takes a skilled human red-teamer roughly 20 hours. Mythos also leads 17 of 18 frontier benchmarks tracked by the third-party rankings cited at Google I/O.
Project Glasswing is described as a consortium of major technology companies investigating foundational security vulnerabilities. Anthropic has not named the participating companies. The model is available to consortium members through a gated API rather than the standard Claude product surface. Claude Opus 4.7, released April 16 and generally available, is described as meaningfully more capable than Opus 4.6 but a tier below Mythos.
The structural skepticism worth flagging: the benchmarks in question come from Anthropic and from rankings Anthropic helped curate. Independent verification of the FreeBSD exploit chain or the 32-step attack simulation has not been published. The CVE assignment confirms the vulnerability exists; it does not by itself confirm that Mythos discovered it autonomously rather than with substantial human scaffolding. Anthropic’s post does not specify how much human guidance the model received during the exploit chain.
The policy choice is the real news. Anthropic’s stated reason is that Mythos’s offensive capability outpaces the company’s ability to evaluate downstream commercial use safely. Releasing it only to defenders inverts the usual frontier-model release pattern, in which capability is launched commercially first and safety research follows. The consortium structure also concentrates Mythos exposure in companies that can sign legally binding terms of use, which gives Anthropic enforcement leverage that a public API would not.
For builders, three practical consequences:
- Enterprise security teams should expect Mythos-class capability to show up in adversarial tooling within 12 months regardless of Anthropic’s release policy. The FreeBSD result implies that any model approaching Mythos’s level can probably reproduce the work given enough compute and prompt engineering. Treat Mythos as the floor of nation-state offensive AI capability for 2026 planning.
- Product teams building AI-powered red-teaming tools should now compete against an internal Anthropic capability that none of them can access. Pricing assumptions for the security-AI market need to update accordingly.
- Anyone building agentic systems on Claude should assume the underlying model can do considerably more than the public API exposes. Capability gaps between research preview and product API are now wider than they have been at any point since GPT-4 was launched.
The longer-term question is whether this becomes the pattern for frontier release. If Anthropic concludes that the gated-consortium model worked, future versions of Claude may follow the same trajectory: research preview to defenders, then a delayed and capability-limited commercial release. That structure changes the procurement calculus for any enterprise relying on commercial Claude as the upper bound of available intelligence. The upper bound is no longer the API. It is whatever Glasswing members are running internally.
Originally published by Anthropic on its red-team research blog, May 10, 2026.
