On April 7, 2026, Anthropic officially announced its unreleased Claude Mythos Preview model, which autonomously identified thousands of high-severity zero-day vulnerabilities across all major operating systems and web browsers during testing. This breakthrough capability prompted Anthropic to launch Project Glasswing, a defensive cybersecurity coalition with 11 founding partners, backed by up to $100 million in AI usage credits.
Claude Mythos Performance Benchmarks
Anthropic described Claude Mythos as “the largest capability gain for a single model in the history of frontier AI.” After training, the model scored 83.1% on Cybergym (compared to 66.6% for its predecessor Opus 4.6), 93.9% on SWE-bench Verified (Opus 4.6: 80.8%), 77.8% on SWE-bench Pro (a 24-point gain), and 56.8% on Humanity's Last Exam (without tools) vs. 40.0% for Opus. These improvements come from advances in reasoning, multi-step planning, and autonomous agent behavior.
The model requires no specialized cybersecurity training to find bugs. Given a target codebase in an isolated container, it reads source code, forms hypotheses about memory safety errors, compiles and runs the software, uses debuggers like Address Sanitizer, ranks files by vulnerability likelihood, and produces validated bug reports with working proof-of-concept exploits.
Decades-Old Vulnerabilities Discovered
Notable finds include a 27-year-old OpenBSD TCP SACK vulnerability—a subtle integer overflow allowing remote attackers to crash any responding host using malicious packets. This was discovered autonomously after about 1,000 runs at a total cost of less than $20,000. A 16-year-old FFmpeg H.264 bug survived over five million automated tests and multiple audits before Mythos found it.
Browser testing was particularly striking. When targeting Firefox 147's JavaScript engine, Mythos produced 181 full shell exploits and 29 register control cases. By contrast, Claude Opus 4.6 produced two shell exploits in the same test set. The model also built working Linux kernel privilege escalation chains (user to root on servers), filtering 100 recent CVEs down to 40 exploitable candidates and successfully exploiting more than half of them.
Human validators reviewed 198 of the model's vulnerability reports and agreed with severity ratings in 89% of cases, with 98% agreement within one severity level.
Project Glasswing and Defensive Coalition
Less than 1% of identified bugs have been fully patched so far. Anthropic coordinates responsible disclosure, publishes cryptographic SHA-3 commitments for unpatched issues, and follows a 90-plus-45-day timeline before full details are released. One publicly disclosed example is CVE-2026-4747, a 17-year-old FreeBSD NFS server remote code execution bug granting unauthenticated root access.
Project Glasswing was announced alongside the model, aiming to deploy these capabilities for defensive purposes before similar tools become widely available. Founding partners include Amazon Web Services, Apple, Broadcom, Cisco, Crowdstrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. Access will expand to over 40 other critical software organizations.
Anthropic committed $4 million to open-source security: $2.5 million to Alpha-Omega via the OpenSSF/Linux Foundation, and $1.5 million to the Apache Software Foundation.
Separately, on April 3, 2026, Anthropic registered AnthroPAC with the FEC, its first employee-funded political action committee ahead of the midterm elections, which are being framed around AI.
The company acknowledged that AI tools like Mythos lower the barrier for finding and exploiting vulnerabilities, highlighting short-term risks from state actors (China, Iran, North Korea, Russia) and criminal groups if similar capabilities spread uncontrolled. Anthropic said upcoming Claude Opus releases will include safety measures to detect and block dangerous cybersecurity outcomes, and plans to introduce a Cyber Verification Program for screened security professionals. A public report on partner findings and patched vulnerabilities is expected within 90 days.

