Anthropic Withholds Mythos Preview Model Due to Advanced Hacking Capabilities

Anthropiс is limiting Mythos Preview access to approximately 40 organizations over concerns about its ability to find and exploit security vulnerabilities at scale, the company announced Tuesday.

The Threat

Mythos Preview is "extremely autonomous" with sophisticated reasoning capabilities that match advanced security researchers, according to Logan Graham, head of Anthropic's frontier red team.

The model can discover "tens of thousands of vulnerabilities" — substantially exceeding Opus 4.6, Anthropic's last public model, which found approximately 500 zero-days in open-source software. Critically, Mythos Preview not only identifies vulnerabilities but also autonomously writes working exploits.

In testing, Mythos Preview successfully reproduced vulnerabilities and created proof-of-concept exploits on the first attempt in 83.1% of cases. The model discovered bugs in every major operating system and web browser, including vulnerabilities believed to be decades old that evaded repeated human-conducted security tests.

Critical Findings

Specific discoveries demonstrate the severity:

• Linux kernel: Mythos Preview identified multiple flaws in the Linux kernel and autonomously chained them together, enabling complete system compromise on any machine running Linux.
• OpenBSD: A 27-year-old vulnerability allowing remote denial-of-service attacks on OpenBSD systems, widely considered one of the most security-hardened open-source projects and deployed in firewalls, routers, and high-security servers.

Controlled Distribution Strategy

Instead of public release, Anthropic is deploying Mythos Preview to 40+ organizations for defensive security purposes. Twelve companies — Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks — are participating in Project Glasswing, a new initiative focused on scanning and securing infrastructure.

Anthropiс is providing up to $100 million in usage credits to participating companies and $4 million to open-source security organizations including OpenSSF, Alpha-Omega, and the Apache Software Foundation.

Competitive Timeline

Graham stated that competing AI companies will likely release models with similar capabilities within 6 to 18 months. OpenAI and other major technology companies are reportedly already developing comparable systems.

"More powerful models are going to come from us and from others, and so we do need a plan to respond to this," Anthropic CEO Dario Amodei said in an accompanying video.

Government Engagement

Anthropiс has briefed the Cybersecurity and Infrastructure Security Agency (CISA), the Commerce Department, and other governmental actors on Mythos Preview's risks and potential benefits. The company declined to confirm whether it has briefed the Pentagon, with which it has been in dispute for months.

Future Deployment

Anthropiс's stated goal is to eventually enable safe deployment of Mythos-class models at scale, including for general use cases beyond cybersecurity. The company plans to develop new safeguards on less-powerful Opus models to "improve and refine them with a model that does not pose the same level of risk as Mythos Preview."

What This Means

Anthropiс's decision reflects genuine tension between advancing AI capabilities and catastrophic security risks. By restricting Mythos Preview while actively briefing government agencies, the company is attempting to shift the security industry's defensive posture before similar capabilities become widely available. However, the 6-18 month timeline until competitors release comparable models creates a narrow window for the security industry to adapt. The initiative demonstrates that frontier AI capabilities may require controlled distribution and government coordination rather than open release, establishing potential precedent for future high-risk model deployments.