Assessing Claude Mythos Preview's cybersecurity capabilities

April 7, 2026
aisecuritybusinessopen-source
Close-up of wooden Scrabble tiles spelling SECURITY, symbolizing cybersecurity and protection.
Photo by Markus Winkler on Pexels

The announcement

Anthropic has unveiled Claude Mythos Preview and, it has been reported that, the company says the model is "strikingly capable" at computer security tasks. Alongside the preview, Anthropic launched Project Glasswing — an initiative it says will use Mythos Preview to help secure critical software and prepare the industry for what’s coming. The blog post released technical details aimed at researchers and practitioners. Intrigue, meet alarm bells. Which side wins out — defense or chaos?

What Anthropic says the model can do

According to the announcement, Mythos Preview was tested across a range of security problems and, it has been reported that, the model found and exploited zero-day vulnerabilities in major operating systems and web browsers when instructed to do so. Anthropic alleges the model chained complex browser bugs, produced JIT heap-spray style techniques, bypassed sandboxes and KASLR, and even split a large ROP chain across packets to exploit an NFS server. The company also reports that engineers without formal security training were able to wake up to working remote-code-execution exploits after asking the model to look overnight. Startling claims. Powerful stuff. Dangerous in the wrong hands.

Limits, disclosure and the ethics of silence

Anthropic notes it is holding back details: over 99% of the vulnerabilities it says it found are unpatched, and the firm is following a coordinated vulnerability disclosure process — hence the public write-up is deliberately sparse. It has been reported that only a small fraction of bugs are being disclosed now, which the company argues is necessary to prevent abuse. That restraint is sensible — but it also raises hard questions about transparency, industry accountability, and trust. Who gets a head start on defending, and who gets a head start on attacking?

What happens next

Project Glasswing is framed as a defensive play, and Anthropic calls for urgent, coordinated action across the industry: better red-teaming, wider deployment of mitigations, and changes to how we manage critical code. The broader implication is clear — generative models are lowering the bar for sophisticated exploit creation, turning niche craft into a repeatable workflow. This is a wake-up call for security teams, regulators, and platform owners alike. The next few months will tell whether Mythos Preview becomes a tool for bolstering defenses or a catalyst for a new kind of cyber arms race.

Sources: anthropic.com, Hacker News