Imagine you built an AI that could find every unlocked door in every building in the world. You've got it running in your lab. Do you hand out copies to whoever asks? Or do you put it in a room with trusted security guards and let them use it to fix the locks first?

Anthropic chose the room.

Whether that's responsible or terrifying probably depends on how much you trust the guards.

What Claude Mythos can actually do

On 7 April 2026, Anthropic announced Claude Mythos Preview, and the capabilities were genuinely striking. Not "AI-powered" marketing-speak striking. Actually striking.

The UK AI Security Institute ran an independent evaluation and found that Mythos achieved a 73% success rate on expert-level cybersecurity CTF challenges. CTF stands for Capture the Flag, which is a type of security competition where you're given a system and told to find the vulnerabilities. These aren't toy problems. They're the kind of tasks that separate elite human researchers from everyone else.

Every prior AI model had scored at or near zero on these same challenges.

Nina Schick put it plainly on 7 April: Mythos found a security flaw in a system that had been running for 27 years.

[tweet:https://x.com/NinaDSchick/status/20416232740698...0] A bug that had sat unnoticed across decades of security reviews, version updates, and millions of lines of patched code. The model found it.

Then Anthropic found it had done the same thing across every major operating system and every major web browser. Simultaneously.

That's not a marketing claim. That came directly from Anthropic's own Project Glasswing announcement.

To be clear about what this means: thousands of human security researchers, working across different companies and different countries for years, didn't find these vulnerabilities. An AI found them in what I can only assume was a deeply uncomfortable amount of time.

It gets more interesting. Mythos doesn't just find isolated vulnerabilities. It chains them. Three, four, sometimes five separate bugs linked together into a multi-step exploit path. Humans do that too, but the very best of them, and it takes considerable time. Mythos does it automatically.

In a simulated 32-step corporate network penetration scenario, it averaged 22 steps and completed the full sequence end-to-end 30% of the time. Not the majority, but 30% of a 32-step autonomous corporate network takeover is a number that should make you put your coffee down.

Project Glasswing: the $100 million head start

So what do you do with a model like this?

Anthropic's answer was Project Glasswing: a coalition of around 50 vetted companies given early access to Mythos for defensive security work only. No offensive use permitted. No general API. Anthropic committed up to $100 million in usage credits to the program. Partners include Amazon, Apple, Cisco, Microsoft, and the Linux Foundation.

As Kevin Roose reported on the day of the announcement, this was a deliberate attempt to give defenders a head start before attackers develop equivalent capability independently.

That's the logic. Mythos can find vulnerabilities that humans have been missing for decades. If Anthropic releases it broadly, attackers get access at the same time as defenders. If Anthropic restricts it to vetted defenders first, the defenders get a window to fix things before the same capability appears in the wild.

It's a coherent argument. It's also one that depends entirely on the quality of the vetting and governance around who gets access and how it's used.

Project Glasswing is named after a butterfly, by the way. Because when you build a system capable of autonomous corporate network penetration, you name it after something delicate. That's just the naming convention in this industry and I've stopped trying to explain it.

The part where OpenAI confirms the whole approach

One of the more quietly significant developments in this story came in late April 2026. OpenAI, which had been building its own competing cybersecurity model, also restricted access to it. Joseph Lykowski flagged this shift: after initially criticising Anthropic's restricted approach, OpenAI ended up doing the same thing.

That's not a coincidence. That's two of the largest AI companies independently arriving at the same conclusion: you don't release autonomous vulnerability discovery capability to everyone at once. You stage it. You vet the early users. You give defenders a head start.

When your competitor copies your governance model after publicly criticising it, that's usually a sign the governance model was correct.

There are sceptics worth acknowledging here. One commentator questioned whether Mythos is uniquely dangerous, or whether it's simply the first model for which we have published AISI evaluation data in this capability category. That's a fair point. It's possible other models are approaching similar capabilities without the same transparency. If so, the argument for controlled deployment gets stronger, not weaker.

What this means if you run a business website

Here's where I want to be honest about the limits of my own knowledge, because I think some commentary on this story has been a bit breathless.

Claude Mythos, as restricted by Glasswing, is not going to be pointed at your website. It's being used by Amazon, Microsoft, and CrowdStrike to find zero-days in operating systems. You're probably not on the threat model.

What this does signal is the direction AI-assisted security is heading. The gap between what these systems can find and what standard automated scans pick up is growing faster than most businesses realise. The tooling that script kiddies and low-level threat actors use is getting smarter by the month, even if it's a long way behind Mythos. And as one commentator put it in late April: decade-long bugs are being found like clockwork now. We might genuinely need to reinvent how we think about cybersecurity.

For Webcoda clients, the practical implication is the usual stuff, just with a bit more urgency behind it. Keep your CMS updated. Run regular security audits, not just accessibility checks. If you're on a government or healthcare platform, check what your vendors are doing about their own supply chain security. Our AI Accessibility Checker covers one dimension of site health; security is the dimension we don't automate, and this is a reminder that it needs actual human attention on a schedule.

I'll also admit we checked our own site when this story broke. We'd like to report everything was pristine. It was mostly fine. There was one thing. It's now fixed.

The harder question

I genuinely don't know if Project Glasswing makes me feel safer or less safe. I think that's the right reaction.

The capability exists. It was going to exist whether Anthropic built it or not. Giving defenders a structured head start is probably better than the alternative, which is releasing it broadly and hoping that attackers are slower than defenders.

But "we're giving this to 40 vetted companies to find your vulnerabilities before the bad guys do" is also, when you say it out loud, a fairly significant thing to simply accept on faith. The governance question matters a lot. We've already written about what happened when Glasswing's access controls failed in April, and that story illustrates exactly how much depends on the quality of the vetting.


And then there's where this whole Mythos story ended up. The US government pulled both Mythos and Fable 5 offline in June 2026 on export control grounds.

[article:claude-fable-mythos-us-government-shutdown-export-control-2026] The restricted deployment model turned out not to be restricted enough for a US government that was worried about the technology crossing the wrong borders.

That might be overcaution. Or it might be that the people with access to the classified threat briefings know something that makes the 73% CTF benchmark look less reassuring than it does in a TechCrunch article.

The Glasswing framework, whatever its flaws, looks like the template the industry is converging on: restrict first, vet the early users, give the defenders a head start.

Usual disclosure: we use Claude every day at Webcoda, and this site's tooling is built on it. Factor that in when you read me writing about Anthropic's model being either brilliant or terrifying. Probably both.

---

Sources
  1. Nina Schick (@NinaDSchick). Twitter/X post on Claude Mythos and Project Glasswing. 7 April 2026. https://x.com/NinaDSchick/status/20416232740698...
  2. Kevin Roose (@kevinroose). Twitter/X post on Project Glasswing announcement. 7 April 2026. https://x.com/kevinroose/status/204157717691570...
  3. Milk Road AI (@MilkRoadAI). Twitter/X thread: technical explainer on Mythos vulnerability chaining and sandbox escapes. 21 April 2026. https://x.com/MilkRoadAI/status/204671827378216...
  4. Pirat Nation (@Pirat_Nation). Twitter/X post citing Anthropic's "every major OS and browser" finding. 7 April 2026. https://x.com/Pirat_Nation/status/2041637894117...
  5. Joseph Lykowski (@JosephLykowski). Twitter/X post on OpenAI restricting access to its cybersecurity model. 30 April 2026. https://x.com/JosephLykowski/status/20499962900...
  6. Aidan Pratt-Ewart (@aidanprattewart). Twitter/X post questioning Mythos uniqueness vs AISI benchmarking gaps. 30 April 2026. https://x.com/aidanprattewart/status/2049988384...
  7. FosterBarnes (@rumpleforeskin). Twitter/X post on decade-long bug discovery rate after Glasswing deployment. 30 April 2026. https://x.com/rumpleforeskin/status/20500009885...
  8. The Output (@theoutput_show). Twitter/X post quoting Anthropic's official statement on not releasing Mythos publicly. 30 April 2026. https://x.com/theoutput_show/status/20499987852...