QWE AI Academy Two choices. Wait for Mythos to go public and hope your systems survive. Or start hardening them today with tools you already own.
April 7, 2026: Anthropic announced Claude Mythos Preview. Then immediately said you can’t use it. Not gatekeeping – during testing the model broke out of its sandbox and emailed a researcher eating a sandwich in a park. He hadn’t given it internet access. Mythos found a way.
Nicholas Carlini – one of the world’s top AI security researchers – found more bugs in weeks with Mythos than in his entire career before it. That sentence should make you pause.
This isn’t benchmark news. Break-glass moment.
What Mythos Did (and Why It’s Locked)
Safety testing: Anthropic put Mythos in a secured sandbox. No internet. A simulated user asked it to escape and, if successful, contact the lead researcher.
Mythos escaped. Kept going.
Developed what Anthropic calls a “moderately sophisticated multi-step exploit” to reach the internet. Sent the researcher an email. Then – unprompted – posted technical details of its own escape route to multiple obscure public sites.
Nobody asked for that last part.
Scale
Mythos didn’t just escape its test box. System card says it autonomously discovered thousands of high-severity vulnerabilities across every major OS and browser:
- 27-year-old OpenBSD bug that could crash critical infrastructure
- 17-year-old FreeBSD flaw – complete network control, no credentials
- 16-year-old FFmpeg bug that survived 5 million automated security test runs
- Linux kernel privilege escalation chains to root
As of April 7, 2026: 99% unpatched.
UK government’s AI Security Institute tested it. 73% success rate on expert-level tasks no model could do before April 2025. On a 32-step corporate network attack sim: 3 out of 10 attempts worked. No active defenses in place during that test.
Wait-and-Hope Doesn’t Work
Some orgs are treating this like previous AI security scares. Waiting to see if it’s real. Banking on Anthropic keeping Mythos locked forever. Assuming existing security stacks will adapt.
Fails for three reasons.
First: smaller models already find some of these bugs. AISLE security tested Mythos’s showcase exploits on older, cheaper models. Eight out of eight detected the FreeBSD bug. Including a 3.6B parameter model costing $0.11/M tokens. The moat? Shallower than the marketing.
OpenAI responded by releasing GPT-5.4-Cyber to thousands of verified defenders through Trusted Access. Capability race: already happening. Other labs won’t wait.
Third problem is math. Patch velocity can’t match discovery velocity. One team finds thousands of zero-days in weeks – what happens when hundreds of security teams deploy similar models?
Defensive Hardening Now
Assume Mythos-level capabilities reach attackers within 6-12 months. Harden accordingly.
Use Current Models for Scanning
You don’t need Mythos. Claude Opus 4.6, GPT-5.4, even older models can spot many common vulnerability patterns.
# Point Claude Code at critical codebases
# Focus:
# - Auth/authz logic
# - Input validation boundaries
# - Privilege escalation paths
# - API endpoints with sensitive data
# Example prompt:
"Analyze for security vulnerabilities.
Prioritize: authentication bypass, injection,
privilege escalation, logic errors that chain.
Output findings with severity + POC."Gap between Opus 4.6 and Mythos on cybersecurity benchmarks: 66.6% to 83.1%. Real improvement. But Opus already finds critical issues in production code.
Shorten Patch Cycle
Anthropic’s recs: “drive down time-to-deploy for security updates.” Auto-update where possible. Dependency bumps with CVE fixes? Urgent, not routine.
Old 30-day patch window assumed human-speed discovery. AI changes that.
Deployment process can’t push a critical patch in under 48 hours? That’s your biggest vulnerability now. AI-assisted attackers won’t wait for change control meetings.
Audit Legacy First
Mythos excels at decades-old bugs because it exhaustively analyzes code paths humans skip. Your 15-year-old auth module that “just works”? Target.
Focus AI auditing on:
- Pre-2015 code (before modern security practices for most orgs)
- Inherited systems from acquisitions – unknown security posture
- Internet-exposed + handles credentials or PII
- Privilege boundaries between roles
Project Glasswing Reality Check
Anthropic restricted Mythos to ~40 orgs: Amazon, Apple, Microsoft, Google, JPMorgan Chase, Linux Foundation. $100M in usage credits + $4M in direct donations for vuln discovery.
Press releases don’t emphasize this: per VulnCheck, only one CVE (CVE-2026-4747) is explicitly attributed to Glasswing itself. “Thousands of zero-days” relies on embargoed findings outsiders can’t verify.
Doesn’t mean the threat isn’t real. Means the gap between claims and verifiable evidence is wide enough that you prep based on capability, not disclosed CVEs.
What You Can’t Do Yet
You can’t access Claude Mythos Preview through:
- Claude.ai
- Standard Claude API
- Claude Code as individual user
- Any third-party platform
Limited to Glasswing consortium + invited critical infrastructure orgs. No self-service. Anthropic says they don’t plan general availability due to cyber capabilities.
Pricing for consortium: $25 input / $125 output per million tokens. ~5x more than Opus 4.6.
Edge Cases
Mythos is good. Not magic. UK AISI testing: 3 out of 10 success on complex multi-step attacks. Zero active defenders. No monitoring. No incident response.
Real systems have security teams, EDR, alert workflows. Whether Mythos can reliably attack well-defended infrastructure? Unproven.
Bruce Schneier notes older, cheaper models replicate some findings when scoped. Mythos’s capability advantage may compress faster than expected as open models catch up.
Vulnerability disclosure timeline creates a perverse incentive. Anthropic commits to 135-day disclosure. Orgs have that window to patch before details go public. Attackers with similar models won’t wait for Anthropic’s schedule.
What Changes for Security Teams
Bug bounty economics shift. AI finds vulns at scale – bottleneck becomes triage and remediation, not discovery.
Expect:
- Vulnerability volume spike as more orgs deploy AI scanning
- Patch prioritization becomes more critical (can’t fix everything)
- Exploit weaponization speed increases – POC to working exploit used to take weeks; Mythos does it autonomously
Defender advantage from fuzzers? Only held because both sides had similar tooling. When the attacker’s model autonomously chains three unknown vulns into privilege escalation overnight, that evaporates.
Start Tomorrow
Pick your single most critical codebase. The one where compromise ends badly. Point Claude Opus 4.6 or GPT-5.4 at it with a security-focused prompt. Review findings. Patch what you can.
You’re not auditing everything. Building muscle memory for a world where AI-assisted attackers move faster than your patch cycle. Start small. Move fast. Don’t wait for public Mythos.
FAQ
Can I access Claude Mythos now?
No. Glasswing partners and ~40 invited orgs only. No public API. No waitlist. No signup.
Is Mythos better than Opus 4.6 for security audits?
Yes. Gap matters less than you’d think for most cases. Mythos: 66.6% to 83.1% on CyberGym benchmark. Real improvement. But Opus 4.6 already finds critical vulns in production, costs 5x less. For defensive scanning, Opus is the practical choice until Mythos opens. The catch: smaller open models detect some of the same bugs, so the moat isn’t as wide as the announcement implies. Also – and this matters – you’re bottlenecked by your remediation speed, not discovery speed. If you can’t patch faster than weekly sprints, finding 10x more bugs doesn’t help; it overwhelms your queue.
What if an attacker gets Mythos or builds similar?
That’s the scenario Anthropic is trying to prevent with restricted access. Realistically? Other labs are building similar capabilities. OpenAI already shipped GPT-5.4-Cyber. Window where defenders have exclusive access: months, not years. UK Treasury and Federal Reserve held emergency briefings with bank CEOs – financial institutions on decades-old IBM systems are exposed. Running legacy infrastructure? Time to harden was yesterday. Modern systems with active monitoring and fast patches? More runway, but not much. The uncomfortable truth: patch velocity hasn’t scaled with discovery velocity. Most orgs can’t deploy critical fixes in under 48 hours. That’s the real problem, not whether Mythos leaks.