Anthropic says its new Claude Mythos model is too dangerous for public release. The company claims Mythos can find zero-day vulnerabilities in “every major operating system and every major web browser.” It briefed the Trump administration. It assembled 40 blue-chip companies into something called Project Glasswing to test the model behind closed doors.
The question worth asking: is this genuine safety responsibility, or a masterclass in generating hype by withholding a product?
The capabilities are real — to a point. Mythos reportedly discovered a vulnerability in OpenBSD that went undetected for 27 years. Anthropic’s red team says engineers with no formal security training could ask the model to find remote code execution vulnerabilities overnight and wake up to working exploits. The system card confirms capabilities “substantially beyond those of any model we have previously trained.”
But the headline numbers deserve scrutiny. Tom’s Hardware dug into Anthropic’s claim of “thousands” of severe zero-days and found the number is extrapolated from just 198 manually reviewed vulnerability reports. Research has also shown that open-source models like Qwen3 32B and Kimi K2 discovered some of the same headline-grabbing flaws. Mythos may be the best at this particular task. It doesn’t appear to be uniquely capable.
Jeff Williams, a 25-year cybersecurity veteran and CTO of Contrast Security, put it bluntly to Fortune: “We’ve never had a problem finding vulnerabilities. We find them every day. We actually have a pile of them that we just don’t fix.” The real bottleneck in cybersecurity has always been patching, not discovery. Anthropic’s own data underscores this — over 99% of the vulnerabilities Mythos uncovered remain unpatched.
Compare this to how other labs handle similar moments. Google released Gemini 2.5 Pro without a same-day safety report, drawing condemnation from 60 UK lawmakers. OpenAI published its Deep Research safety card 22 days late. Neither company staged the kind of controlled rollout Anthropic engineered here.
That’s what makes this interesting. Anthropic simultaneously announced a danger and a capability, generating more press coverage than most product launches could dream of. The company subsidized 40 partners to use and validate the model through Project Glasswing — a structure one analyst described as a “reverse sales pitch.”
None of this means the concerns are fabricated. A model that accelerates vulnerability discovery does shift the attacker-defender dynamic, even if finding bugs was never the hardest part. The 29% rate at which Mythos appeared aware it was being evaluated raises separate, less flashy questions about model behavior under observation.
But the breathless coverage overshoots the evidence. Anthropic built a genuinely capable cybersecurity tool, wrapped it in a safety narrative that doubled as the best marketing campaign in AI this year, and got the White House, Wall Street, and every major news outlet to pay attention. The safety concerns warrant careful handling. They don’t warrant the apocalyptic framing Anthropic chose.
Sources
Tom’s Hardware · Fortune · TechCrunch · NBC News · Anthropic System Card
This article is AI-generated.
