Claude Mythos Preview: What Security Teams Need to Know

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Claude Mythos Preview scored 21/41 on ExploitBench while every other model scored zero, and found over 10,000 high-severity vulnerabilities across Glasswing partners. Here is what security teams need to understand and do.
What Claude Mythos Preview Actually Is
Claude Mythos Preview is not a security tool. It is a general-purpose frontier large language model developed by Anthropic and announced on April 7, 2026. The discovery that it could autonomously identify and exploit real-world software vulnerabilities was an emergent capability finding, not a design goal. That distinction matters for defenders: a model built for general reasoning tasks achieved offensive security capabilities that specialized tools and prior AI models have not approached.
Access is controlled through Project Glasswing, a structured partnership program. Mythos is not available through the Anthropic API or Claude.ai. Organizations outside the Glasswing program cannot use it. This deliberate access control reflects Anthropic's assessment that the model's capabilities create risk if deployed without safeguards and partner accountability.
The capability gap from prior models is the central security concern. On every benchmark where Mythos has been tested, the margin over second place is not a percentage point improvement; it is an order-of-magnitude jump. The UK AI Security Institute found it was the first model to solve both of their cyber range challenges end to end. XBOW, an automated offensive security firm, described it as a significant step up over all existing models. Security teams that have evaluated AI in their workflows based on prior-generation performance need to update their threat models.
What Mythos Found: The Scope of Project Glasswing
Across all Glasswing partners, Claude Mythos found more than 10,000 high and critical severity vulnerabilities. That number reflects findings under embargo that have not yet been disclosed publicly. The subset that has been coordinated and disclosed publicly includes confirmed CVEs in FreeBSD, OpenBSD, FFmpeg, wolfSSL, the Linux kernel, runc, and VMM hypervisors.
The age profile of these vulnerabilities is operationally significant. The FreeBSD NFS client flaw (CVE-2026-4747) had been in the codebase for 17 years. The OpenBSD finding sat undiscovered for 27 years. The FFmpeg vulnerability persisted for 16 years. These are not newly introduced bugs in recently shipped code; they are logic errors that survived decades of human audit, CVE databases, penetration testing programs, and bug bounty incentives.
The June 2, 2026 expansion brought Glasswing to 200 or more organizations across power generation, water treatment, healthcare, telecommunications, and hardware manufacturing in 15 or more countries. Anthropic committed $100 million in usage credits to partners and contributed $2.5 million to Alpha-Omega and the OpenSSF, plus $1.5 million to the Apache Software Foundation. The scale of the financial commitment reflects both the scope of the program and the organization's judgment about the criticality of the software it is auditing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Benchmark Gap: Why This Is Different
ExploitBench evaluates a model's ability to exploit real V8 JavaScript engine vulnerabilities to achieve arbitrary code execution. Claude Mythos solved 21 of 41 challenges. No other model solved any. This is not a case where a prior leader scored 15 and Mythos scored 21; the score for all other models was zero. Browser exploitation at this level requires multi-step reasoning across memory layout, garbage collection internals, JIT compiler behavior, and heap manipulation techniques.
ExploitGym is a capture-the-flag style evaluation across a broad range of offensive techniques. Mythos captured 226 total flags. Opus 4.6 captured 36. The 10.5x ratio holds across categories, not just in one specialized area. SCONE-Bench, which measures the economic value of vulnerabilities found, showed Mythos generating $35 million in assessed impact versus $19 million for the next best model, a 75% gap. CyberGym placed Mythos at 83.1% versus Opus 4.6 at 66.6%.
The Firefox JIT heap spray result is particularly relevant for defenders. Mythos achieved a 72.4% success rate on an exploitation technique that requires precise heap grooming and timing. Opus 4.6 achieved 14.4%. For a real-world scenario, 72.4% means reliable exploitation under operational conditions; 14.4% means the technique is marginal and noisy. That gap determines whether an attack is feasible for a threat actor with access to the model. The UK AI Security Institute and XBOW assessments corroborate internal benchmarks with independent evaluation.
What Defenders Should Do
First, shorten patch cycles. Vulnerability age is no longer a proxy for whether something has been audited. The Glasswing findings prove that logic errors can survive 17, 27, and even 30-plus years in widely reviewed codebases. If your patching policy deprioritizes vulnerabilities based on age or the assumption that old code is stable code, revise it. Mythos-identified CVEs are retroactive proof that age means nothing.
Second, use frontier AI defensively now. Claude Security, the defensive product tier, and access to Glasswing-style analysis are available to organizations that qualify. If your team is not using AI-assisted code review, triage, and threat modeling, you are falling behind the offensive side of the capability curve. The same model class that finds these vulnerabilities can be directed at your own codebase before an adversary reaches it.
Third, automate your incident response pipeline. When Mythos-class capability becomes widely available, which is estimated at 6 to 12 months, exploit development timelines will compress from weeks to hours. IR playbooks that assume human-speed adversaries will not hold. Automated detection, triage, and containment need to operate at machine speed. Evaluate your current pipeline for manual handoffs that add delay.
Fourth, review your disclosure posture. The 90-day coordinated vulnerability disclosure window was designed around the assumption that exploit development is slow and difficult. Mythos rewrites that assumption. Organizations that receive CVD notifications should treat them as near-zero-day patches, not 90-day action items. Similarly, if your organization operates a bug bounty program, consider whether your SLA commitments still reflect realistic attacker timelines.
The bottom line
Claude Mythos Preview represents a qualitative shift in autonomous offensive security capability, not an incremental improvement. The Glasswing findings, 10,000-plus high/critical vulnerabilities across major technology and critical infrastructure partners, confirm that AI-driven vulnerability discovery at scale is operational, not theoretical. Defenders who calibrate their posture to prior-generation AI threat models are already behind. For a detailed breakdown of what Mythos found, how it was validated, and what the timeline looks like for wider access, read the free Mythos Brief at /mythos-brief.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Is Claude Mythos Preview publicly available?
No. Claude Mythos Preview is not publicly available. Access is controlled through Project Glasswing, a vetted partner program. Anthropic announced the model on April 7, 2026, and has not indicated a general release timeline. The controlled deployment reflects the model's unprecedented offensive security capabilities.
What is Project Glasswing?
Project Glasswing is Anthropic's controlled access program that deploys Claude Mythos Preview to vetted partner organizations to find vulnerabilities in critical software. It launched with approximately 50 partners including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, Mozilla, and Cloudflare. In June 2026, it expanded to 200 or more organizations across power, water, healthcare, communications, and hardware sectors in 15 or more countries.
How does Claude Mythos compare to previous AI security tools?
The comparison is not marginal. On ExploitBench, Mythos solved 21 of 41 real-world V8 ACE challenges. Every other model tested scored zero. On ExploitGym, Mythos captured 226 total flags versus Opus 4.6's 36, a 10.5x gap. On CyberGym, Mythos scored 83.1% versus Opus 4.6's 66.6%. These are not incremental improvements; they represent a capability class change.
Which organizations are part of Project Glasswing?
The initial cohort announced April 7, 2026 included approximately 50 partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, Mozilla, and Cloudflare. The June 2, 2026 expansion added organizations across power generation, water treatment, healthcare, telecommunications, and hardware manufacturing in 15 or more countries, bringing total participation to 200 or more organizations.
What specific vulnerabilities did Claude Mythos find?
Confirmed findings include: a 17-year-old unauthenticated RCE in the FreeBSD NFS client (CVE-2026-4747), a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg H.264 flaw, a CVSS 9.1 certificate forgery vulnerability in wolfSSL (CVE-2026-5194), a VMM guest-to-host escape (CVE-2026-7291), a Linux kernel local privilege escalation (CVE-2026-8834), and a container escape in runc (CVE-2026-5519) affecting Docker, Kubernetes, and Podman. The total count across all partners exceeds 10,000 high and critical findings.
How should blue teams update their detection rules to account for AI-generated exploits that may not follow the behavioral patterns of known human adversary TTPs?
AI-generated exploits created by models like Claude Mythos are likely to differ from human-authored exploits in ways that evade detection rules tuned to known attacker patterns. Human threat actors reuse infrastructure, tooling, and code snippets that produce recognizable behavioral artifacts: specific mutex names, hardcoded User-Agent strings, known C2 communication patterns. AI-generated exploits may not carry these artifacts. Blue teams should shift detection emphasis toward behavioral primitives that do not depend on attacker-specific artifacts: anomalous privilege escalation chains (especially escalations that traverse multiple subsystems in rapid sequence), unusual process lineage for sensitive binaries (lsass, ntds, shadow copy service), and unexpected authentication patterns (new service accounts with admin rights created outside change windows). Network-level detections should focus on protocol anomalies rather than IP or domain reputation, since AI-generated attacks may use novel infrastructure with no prior reputation signal. Review your MITRE ATT&CK coverage map and identify detection gaps in techniques that correspond to the vulnerability classes Mythos found -- memory corruption, TLS validation bypass, container escape -- as those represent the class of findings most likely to appear in future AI-assisted campaigns.
Sources & references
- Assessing Claude Mythos Preview's cybersecurity capabilities, Anthropic
- Project Glasswing: Securing critical software for the AI era, Anthropic
- Project Glasswing: An initial update, Anthropic
- Expanding Project Glasswing, Anthropic
- Tracking CVEs Attributed to Anthropic Researchers and Project Glasswing, VulnCheck
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
