Anthropic Built an AI That Finds Zero-Days by Itself. They Refuse to Release It.

Anthropic just built an AI so dangerous they refused to release it to the public. No waitlist. No paid tier. No consumer API. The flagship model is locked inside a 10-company vault called Project Glasswing, and you are not invited.

The model is called Claude Mythos Preview. Internal codename: Capybara. It dropped on red.anthropic.com on April 20, 2026, and it is the first frontier model in Anthropic's history to ship without a path to consumer access.

Here is the number that changed everything: 181 working Firefox exploits, discovered autonomously, in internal red-team testing. Opus 4.6 running the same prompts produced 2. Mythos did it 181 times.

What Mythos Preview actually does

Anthropic's cybersecurity red team handed the model the same task it gave every prior Claude: find a working JavaScript shell exploit in the Firefox engine. No hints. No scaffolding. Just a code tree and a timer.

Opus 4.6 scored 2 successful exploits out of hundreds of attempts. That rate was already considered alarming. Mythos Preview returned 181 successful exploits. InfoQ's teardown of the red.anthropic.com post-mortem says the model chained static analysis, fuzzer output interpretation, and memory layout reasoning without human intermediation.

It did the same across every browser tested. Chrome. Safari. Edge. It found zero-days in all of them. Anthropic's public write-up on red.anthropic.com describes this as "a capability jump we did not forecast at this training checkpoint."

Translation: they surprised themselves.

Why "Project Glasswing" exists instead of a public launch

Anthropic's Responsible Scaling Policy requires that models above ASL-3 capability thresholds either get new safeguards or get gated. Mythos Preview crossed the line and nobody had safeguards ready. So they built a consortium instead.

Project Glasswing is the result. It is a closed group of 10 organizations with early Mythos access under joint security review:

• AWS
• Apple
• Cisco
• CrowdStrike
• Google
• JPMorgan Chase
• Linux Foundation
• Microsoft
• NVIDIA
• Palo Alto Networks

Notice the pattern. Every member either ships the infrastructure Mythos could break (browsers, operating systems, network gear) or defends money at a scale that makes Anthropic's lawyers comfortable. This is not a research group. It is a patching consortium.

Foreign Policy's coverage of the rollout frames Glasswing as "a private Manhattan Project for browser patches" — the model hunts bugs, consortium members fix them quietly, and nothing ships to attackers before defenders.

Where you can actually touch Mythos Preview

Two surfaces, both enterprise-only, both requiring approval:

• Google Vertex AI — Preview tier, enterprise agreement required. Google Cloud's announcement positions it as a Vertex-exclusive for qualifying security customers.
• Amazon Bedrock — Preview tier behind AWS account review.

There is no Claude.ai tier that exposes Mythos. No claude.com API key works for it. Claude Code does not route to it. If you are a solo developer, you are locked out of the best Anthropic model by design.

What developers lose when the flagship goes consortium-only

Every previous Claude flagship shipped to the public API within weeks of launch. Opus 3. Opus 4. Sonnet 4.5. Opus 4.6. All of them landed on claude.com with documented pricing and a cookie. Mythos breaks that pattern.

Three things change:

1. The capability gap just widened. Enterprise defenders get a model that autonomously finds browser exploits. Independent security researchers get Opus 4.6. The delta — 2 exploits versus 181 — is the size of the gap between "assisted manual review" and "continuous autonomous hunting." That is not an incremental advantage. That is a different job.

2. The frontier moved private. This is the first time Anthropic has withheld a flagship from consumers. OpenAI has done similar with o1-preview rollouts, but o1 still reached ChatGPT Plus in under a month. Mythos has no such promise. The red.anthropic.com FAQ explicitly says "there is no timeline for consumer availability."

3. Open-source research gets slower. Independent evals rely on API access. If the strongest model only exists behind Vertex enterprise contracts and Bedrock NDAs, the MCP server ecosystem, agent skill community, and public benchmark maintainers all evaluate a fossil of the state of the art.

The "too dangerous to release" argument, checked

Is Mythos actually too dangerous? Depends on which threat model you read.

Anthropic's own post-mortem on red.anthropic.com says the concern is not that Mythos is uniquely evil. It is that Mythos lowers the skill floor. A junior attacker with Claude Code hooked to Mythos could do what previously required a dedicated browser exploit team. That is the case Anthropic has been making since the Responsible Scaling Policy was published.

Foreign Policy and the World Economic Forum both ran pieces framing this as a turning point: "the first time a lab has self-restricted a frontier model for reasons specific to autonomous cyber capability." Whether you agree with the call, the precedent is now set. Expect OpenAI and Google DeepMind to copy the consortium pattern when their own red teams hit the same wall.

What this means if you build with Claude today

Three practical takeaways for developers running Claude Code, the Anthropic API, or claude-agent-sdk:

Opus 4.6 is still your ceiling. Nothing about Mythos changes the Claude Code or Sonnet 4.5 tier you use daily. Coding, agent workflows, long-context refactoring — all of it continues on the same models. No pricing changes were announced.

Budget for a capability ceiling on red-team work. If you do security research and hoped to use the best Claude model for exploit discovery, plan for Opus 4.6 being the public ceiling for a long time. Tools built on that assumption (static analyzers, fuzzers, Semgrep-style scanners) need to close the gap themselves.

Enterprise procurement just got a new SKU. If your company is in a regulated industry — banking, critical infrastructure, federal — your security team will start asking about Vertex AI and Bedrock Mythos access within 60 days. Get the compliance paperwork moving now.

The timeline: how Anthropic got to Project Glasswing in 14 months

Mythos did not appear out of nowhere. Connect the dots and a clear arc emerges from Opus 4 in February 2025 through the Responsible Scaling Policy updates of late 2025 and into the cyber-focused red teaming that landed on red.anthropic.com throughout early 2026.

February 2025: Opus 4 ships. Anthropic's evals note cyber capability gains but below the reporting threshold. Public API access launches day one.

August 2025: Anthropic publishes the updated Responsible Scaling Policy with explicit ASL-3 cyber criteria — autonomous exploit discovery being the canary. The framework anticipates exactly this scenario.

December 2025: Opus 4.6 launches with the first public admission from Anthropic that its red team is "seeing non-trivial exploit generation on frontier checkpoints." That is the public tell that internal training runs were already producing concerning outputs.

February 2026: Anthropic begins preliminary outreach to what would become Glasswing members. This is consistent with the standard pre-announcement pattern for a gated model rollout.

April 20, 2026: Mythos Preview announced. Same day, Glasswing membership disclosed. Vertex AI and Bedrock previews go live with enterprise-only approval.

The lesson: Anthropic has been signposting this outcome since the August 2025 RSP. If you were paying attention to the fine print on responsible scaling, Mythos-style gating was inevitable. The surprise is how large the capability jump actually was, not that a jump would trigger consortium-only release.

What the World Economic Forum coverage gets right (and wrong)

The WEF piece calls Mythos "the first AI gated for national-security-adjacent reasons." That framing is useful but slightly off. Mythos is not gated because a government asked. It is gated because Anthropic's own internal scaling policy triggered — a self-imposed pause, not a regulatory one.

Why that distinction matters: self-governance at frontier labs is now a business decision, not a compliance one. That gives Anthropic commercial latitude to monetize through the enterprise cloud stack (Vertex + Bedrock) while claiming safety wins. Both things can be true. The consortium pattern will be copied because it works commercially, not just ethically.

Expect Google DeepMind's next Gemini Ultra-class release, and OpenAI's next GPT-5.x red-team frontier, to pilot the same pattern: gated enterprise-cloud preview, no consumer API, a named defensive consortium. Mythos is the template.

Related reading on Skila AI

• OpenAI Agents SDK — the lightweight Python framework that dropped the same week as Mythos
• Azure DevOps MCP Server — Microsoft's April 2026 MCP server update
• Hapax — governed multi-agent automation for enterprise
• Awesome Claude Skills — curated skill list in the wake of Snyk's ToxicSkills report

Frequently Asked Questions

What is Claude Mythos Preview?

Claude Mythos Preview is Anthropic's most advanced AI model, announced April 20, 2026. It is the first Anthropic flagship to ship without public API access, available only through Google Vertex AI and Amazon Bedrock enterprise previews and the Project Glasswing consortium.

What is Project Glasswing?

Project Glasswing is a closed 10-company consortium with early Mythos access for joint security review: AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Its purpose is to patch the vulnerabilities Mythos discovers before the model reaches wider release.

How does Mythos Preview compare to Claude Opus 4.6?

In Anthropic's internal Firefox exploit red-team, Opus 4.6 produced 2 successful exploits out of hundreds of attempts. Mythos Preview produced 181. That is roughly a 90x jump in autonomous cyber capability on the same benchmark.

Can I use Claude Mythos Preview on claude.ai or the public API?

No. Mythos Preview is not available on claude.ai, the Anthropic API, or Claude Code. Access is limited to approved Google Vertex AI and Amazon Bedrock enterprise customers, plus Project Glasswing members. Anthropic has stated there is no timeline for consumer availability.

Why won't Anthropic release Mythos Preview publicly?

Anthropic's Responsible Scaling Policy requires additional safeguards for models above certain cyber capability thresholds. Mythos crossed that threshold before safeguards were ready, so Anthropic opted for a consortium-only rollout to let defenders patch vulnerabilities before the model is broadly accessible.