Why is Anthropic not releasing Claude Mythos to the public?

Anthropic says Mythos can autonomously find and exploit real software vulnerabilities at a level that makes a general public release unsafe. Instead it is being distributed through Project Glasswing to vetted security teams at companies like Microsoft, Nvidia, Cisco, and a handful of open source security groups.

What is Project Glasswing?

Project Glasswing is the program Anthropic built around Mythos. It gives 12 launch partners and 40+ additional critical infrastructure organizations gated access to the model, backed by 100 million dollars in usage credits and 4 million dollars in donations to open source security work.

How does Claude Mythos compare to Claude Opus 4.6?

On SWE-bench Verified, Mythos scores 93.9% versus 80.8% for Opus 4.6. On SWE-bench Pro it jumps to 77.8% from 53.4%. On CyberGym it hits 83.1% versus 66.6%. The gap is largest on real security tasks, which is exactly why Anthropic is gating it.

Claude Mythos and Project Glasswing: Anthropic's Locked-Down AI Model

Q: What is Claude Mythos?

Claude Mythos is Anthropic's most advanced AI model as of April 2026, available only through a gated research preview. It scores 93.9% on SWE-bench Verified and 83.1% on the CyberGym vulnerability reproduction benchmark, and Anthropic positions it as a new model class focused on agentic coding, reasoning, and offensive security research.

Anthropic shipped a new Claude model on April 7, 2026 and decided you cannot use it. Not as an API customer, not on Claude.ai, not through any normal channel. They built something called Claude Mythos, claimed it can autonomously find zero-days in browsers and operating systems, and then locked it behind a program called Project Glasswing.

This is the first time Anthropic has launched a frontier model as a deliberate non-product. I have been watching frontier launches for a while now, and the framing on this one is genuinely different from anything OpenAI, Google, or even earlier Anthropic releases have done. So let me walk through what Mythos actually is, what the numbers say, and why I think the gated rollout is the most interesting part of the story.

A modern enterprise data center corridor with illuminated server racks

What is Claude Mythos and how is it different from Claude Opus?

Claude Mythos is Anthropic's most capable model to date, released on April 7, 2026 as a gated research preview rather than a general product. Anthropic describes it as a new model class with state-of-the-art performance on agentic coding, complex reasoning, and offensive security tasks.

The headline is not really the benchmarks, although the benchmarks are huge. The headline is the positioning. Claude Opus, Sonnet, and Haiku are products. They have pricing pages. They have rate limits you can buy your way out of. Mythos is none of those things. It is closer to how a national lab would describe a piece of dual use research than how a SaaS company describes a model.

Here is what Anthropic actually claims Mythos can do:

Reverse engineer closed source binaries and find exploitable bugs without human guidance.
Develop working exploits against real targets, including the Firefox JavaScript engine, where it produced working exploits 181 times in their internal evaluation.
Find high severity vulnerabilities in every major operating system and every major browser during pre-release testing.
Saturate most of the public cybersecurity benchmarks Anthropic used for prior models, which is why they had to move to novel real world tasks.

That last point is the one I keep coming back to. When a model saturates the eval suite, the eval suite stops being useful. You start needing real targets, and real targets are exactly what you do not want an unrestricted model running against.

How does Claude Mythos perform on benchmarks compared to Opus 4.6?

Claude Mythos pulls a double digit lead over Claude Opus 4.6 on every benchmark Anthropic published, with the largest gaps on security and agentic coding tasks. Here are the numbers from Anthropic's own evaluation post:

Benchmark	Claude Opus 4.6	Claude Mythos Preview	Delta
SWE-bench Verified	80.8%	93.9%	+13.1
SWE-bench Pro	53.4%	77.8%	+24.4
CyberGym (vuln reproduction)	66.6%	83.1%	+16.5

A few things stand out. SWE-bench Verified at 93.9% is essentially the ceiling of the benchmark. There are known label issues and ambiguous tasks in the remaining 6%, so any further gains are noise. SWE-bench Pro is the harder, larger, more realistic version, and a 24 point jump there is the kind of move you usually see across two model generations, not one. CyberGym is the one that actually matters for the Glasswing framing. It measures whether a model can reproduce real CVEs end to end, and 83.1% is the first time any public number has cleared 80% on that benchmark.

Printed benchmark results on a matte black desk

Numbers aside, the qualitative claim is the more interesting one. Anthropic says Mythos is the first model where the bottleneck on offensive security work is no longer the model itself, it is the human reviewer triaging what the model finds. That is a real shift. For the last two years the joke among security people has been that LLMs are great at writing CVE descriptions and bad at finding actual bugs. Mythos is the first launch that seriously contests that.

Why is Anthropic gating Mythos behind Project Glasswing instead of shipping it?

Anthropic is not making Mythos generally available because they believe a model that can autonomously find and exploit zero-days in production software is too dangerous to put behind a credit card. Project Glasswing is the structure they built so the model can still do useful defensive work without getting handed to anyone who signs up.

The shape of Glasswing, based on Anthropic's own announcement and the partner list:

12 launch partners, including Microsoft, Nvidia, Cisco, Amazon, Apple, and Google.
40+ additional organizations that build or maintain critical software infrastructure, granted gated access.
100 million dollars in Mythos usage credits committed across the program.
4 million dollars in direct donations to open source security organizations.
Access through Amazon Bedrock under a separate gated research preview agreement.

Reading between the lines, Glasswing is doing three things at once. It is a safety story, it is a moat, and it is a regulatory positioning move. The safety story is the obvious one. The moat is that the partners getting Mythos access are exactly the companies whose own security posture matters most to Anthropic's enterprise pipeline. The regulatory move is that by self-imposing a restriction this aggressive, Anthropic gets to show up at every AI safety hearing for the next year with a concrete example of voluntary risk mitigation.

I do not think any of those motives are bad. I just think it is worth naming all three instead of pretending the launch is purely altruistic.

What does Claude Mythos mean for developers who will never touch it?

Even if you cannot use Mythos directly, the launch tells you three things about where frontier models are heading and what to plan for over the next 12 months.

One. The era of model launches as pure product launches is ending. Mythos is the first frontier release I can remember where the headline is not pricing or context window, it is a refusal to ship. Expect more of this. The next time a lab crosses a capability line that scares its own safety team, the playbook is now public: announce, gate, partner, donate, move on.

Two. SWE-bench is cooked as a useful number. When the top model is at 93.9% Verified and 77.8% Pro, the benchmark stops separating models from each other. If you write about LLMs or ship developer tooling, you need to start citing CyberGym, Aider polyglot, real bug bounty results, and end-to-end agent task completions instead. SWE-bench is going to look like GLUE looked in 2020 within a year.

Three. Defensive tooling is about to get strange. If Mythos and its successors are running inside Microsoft, Apple, and Google, the rate at which serious vulnerabilities get found and patched is going to accelerate in a way that is genuinely good for everyone, but it also means the half-life of an unpatched bug in popular software is going to collapse. If you maintain an open source library, you should be thinking right now about how fast you can credibly turn around a security advisory, because the discovery side is no longer the slow step.

Conclusion

Claude Mythos is the first time a frontier lab has shipped a model by deciding not to ship it, and the framing matters more than the numbers. The benchmarks are real, the capabilities are real, and the gating is real, but the thing to actually pay attention to is the new shape of the launch itself. Frontier releases are starting to look less like product drops and more like controlled disclosures.

If you are building anything that touches security, the practical move this week is to go read the CyberGym methodology and the Glasswing partner list, then ask yourself which side of that list your product lives on. That is the question Anthropic just made everyone answer.

For more on the launch, see Anthropic's Project Glasswing announcement, the Mythos Preview cybersecurity evaluation, Simon Willison's analysis of the gated release, and the AWS Bedrock availability note.

Keep Reading

Google Antigravity and the New AI Coding Stack — How another lab is approaching agentic coding from a very different angle.
AI Driven Anomaly Detection for Security — The defensive side of the same trend Mythos accelerates.
Agentic Payments on Razorpay, NPCI, and UPI — What gated, high-trust AI deployments look like in a regulated domain.