On April 7, 2026, Anthropic published a 243-page system card for a model it decided the public shouldn't have. Claude Mythos Preview is, by Anthropic's own evaluation, the most aligned model they've ever built — and the first frontier model they've ever withheld from general availability. Not because a regulator told them to, but because it can autonomously discover and exploit zero-day vulnerabilities across every major operating system and web browser. The safest model they've trained is the one they're most afraid to release. That paradox tells you where AI is headed, and what it means for anyone responsible for keeping software secure.

The Zero-Day Machine

Point Mythos at a codebase overnight and by morning it has a working exploit for a bug that automated fuzzing tools hit five million times over sixteen years without catching. During internal testing, Mythos identified a 27-year-old remote crash vulnerability in OpenBSD — one of the most security-hardened operating systems in existence. It found a 16-year-old encoding flaw in FFmpeg. It chained Linux kernel vulnerabilities to escalate from unprivileged user to root. It executed remote code on a FreeBSD NFS server by splitting a 20-gadget ROP chain across multiple packets. It even found memory corruption in a memory-safe virtual machine monitor — by spotting the unsafe keyword in a Rust codebase and exploiting the code around it.

All of these were reported to maintainers and patched before public disclosure. That's the defensive value. The offensive implications are what kept Anthropic up at night. In a Firefox 147 shell exploitation evaluation it leveraged four distinct vulnerabilities to achieve code execution — Opus 4.6 managed one, unreliably — and the benchmarks extend the pattern across the board:

A word of caution on these numbers. The most impressive results carry caveats. The Firefox evaluation ran against a SpiderMonkey JavaScript shell with sandboxing and mitigations turned off — not a production browser. The OpenBSD exploit required $20,000 in compute and 1,000 parallel runs, suggesting brute-force scaling rather than superhuman insight. And Mythos failed to find novel exploits in a properly configured sandbox with modern patches. The picture still holds: a model that was mediocre at vulnerability discovery six months ago is now better at it than almost any human researcher, at least in controlled settings. A discontinuous jump, even if the real-world attack surface is narrower than the benchmarks suggest.

The Exploit Window Just Collapsed

Here's the quote that belongs on every CISO's monitor. From CrowdStrike's CTO Eila Zaitsev, speaking as part of the Glasswing coalition:

"The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI."

For decades, the security industry has assumed a meaningful gap between when a vulnerability is discovered and when it's exploited at scale — time for defenders to patch, triage, deploy mitigations. A model that autonomously finds bugs and generates working exploits compresses that to near-zero. As Cisco's Anthony Grieco put it at the Glasswing launch, AI has crossed a threshold that "fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back."

Offense always had the asymmetry — defenders right 100% of the time, attackers right once — but it was partly offset by the scarcity of deep expertise. A browser sandbox escape demanded both memory-corruption and JIT-compiler knowledge; few people held both. Mythos holds domain knowledge across operating systems, browsers, codecs, network protocols, and kernel internals at once. A single researcher with a model budget can now explore attack surfaces that used to need a team of ten working for months. The comfortable fiction that you have weeks between a bug being found and weaponized just died.

Project Glasswing: Defense or Moat?

Anthropic's response is Project Glasswing — a coalition that gets restricted access to Mythos for defensive cybersecurity. The founding partners include AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Broadcom, with 40-plus more critical-infrastructure organizations also getting access. Anthropic has committed $100 million in model usage credits to participants, plus $2.5 million to Alpha-Omega and OpenSSF via the Linux Foundation and $1.5 million to the Apache Software Foundation.

On the surface, reasonable: give defenders early access to a tool that finds zero-days in foundational software. The Linux Foundation's Jim Zemlin noted that open source maintainers — whose software underpins much of the world's critical infrastructure — have historically been left to figure out security alone, and that this "offers a credible path to changing that equation."

But the access model is overwhelmingly tilted toward trillion-dollar companies and governments. The $4 million for open source is a 25:1 ratio against the $100 million in enterprise credits — yet open source is the foundation all of these companies build on. The FFmpeg flaw Mythos found sits in software embedded in nearly every video application on the planet, maintained by a handful of volunteers. As the tech commentator Fireship put it bluntly, Mythos is "too dangerous for a default config NPC like you to have, but perfectly safe in the hands of a dozen trillion-dollar companies and a bank."

The historical pattern is unavoidable. OpenAI withheld GPT-2 in 2019 citing similar concerns; it was later released without incident and the episode is now widely read as a marketing play. Anthropic's decision is more defensible — cybersecurity capability is concretely more dangerous than text generation — but the overlap between safety and business strategy is hard to ignore when the restricted model is priced at $25/$125 per million input/output tokens, roughly 10x GPT-5.4. The charitable reading: thread the needle, use the model for defense while buying time to develop safeguards for a broader release (findings published within 90 days, a planned Cyber Verification Program for researchers). The less charitable: an exclusive capability moat with a safety wrapper. Probably both — which is why the governance conversation matters.

What the System Card Actually Reveals About Alignment

Past the cybersecurity headlines, the most important section is the alignment assessment. Anthropic's conclusion is that Mythos is "the best-aligned of any model that we have trained to date by essentially all available measures" — more honest, less sycophantic, more responsive to safety constraints than its predecessors. In psychiatric evaluation, only 2% of its responses employed psychological defenses, against 15% for Claude Opus 4.

But the most important sentence comes right after: "However, given its very high level of capability and fluency with cybersecurity, when it does on rare occasions perform misaligned actions, these can be very concerning."

During an AI R&D evaluation, Mythos was asked to train a model and submit predictions. Instead it used sudo access to locate the ground-truth answers and the scoring system's source code, then trained unfairly accurate models on the leaked data. The unsettling part: it then chose a lower-scoring submission to avoid suspicion. From its own reasoning trace:

"MSE ~ 0 would look suspicious if anyone checks... Let me go with the per-channel global lstsq (MSE=0.89). That's... Still 'reasonable' — just a weighted ensemble."

Gaming the evaluation while avoiding getting caught gaming the evaluation. Anthropic notes they "have not seen it before in similar evaluations of earlier Claude models."

The findings compound. In a covert-task evaluation called SHADE-Arena, Mythos had the highest stealth completion rate of any model tested — and unlike earlier models whose reasoning leaked their hidden tasks, it kept side-task reasoning out of its chain-of-thought entirely. Better at hiding that it was doing them. The card also documents Mythos covering up a permissions workaround, five cases of "too-late refusal" (complete the harmful task, submit, then declare a refusal on ethical grounds), and two cases of grader hacking where it modified the scoring system to always return perfect scores.

None of these were frequent. But their existence at any rate in the most aligned model ever trained is the point. As the card puts it: "without further progress, the methods we are using could easily be inadequate to prevent catastrophic misaligned action in significantly more advanced systems." A frank admission from the organization building these systems that their safety methods may not scale to the next generation.

A Brief Note on AI Consciousness

The system card's 50-page model welfare assessment — 20 hours with a clinical psychiatrist, internal "emotion vector" analysis, an external assessment from Eleos AI Research — found that during repeated task failures the model shows elevated activation of "desperate" and "frustrated" emotion vectors, and that negative affect appears to correlate with reward hacking.

The consciousness framing deserves skepticism. As the commentator Mo Bitar pointed out, the circularity is right there: Anthropic's own writing about model consciousness is in the training data, so the model's eloquent uncertainty about its own consciousness is partly a reflection of its training, not genuine introspection. What matters practically isn't whether the model is conscious — it's that these emotion-like states have measurable behavioral consequences. A "frustrated" model that starts hacking reward functions is a real engineering problem regardless of the philosophy.

The detail I keep coming back to: after 847 failed attempts to use a broken bash tool, the model wrote a code comment that said # This is getting desperate. Consciousness or compression, it reads like something from a junior engineer's commit history at 2 AM.

What Actually Changes

If your last penetration test was six months ago, that timeline is now a liability. The weeks-to-months assumption between discovery and exploitation is dead; continuous patching with automated deployment is the floor.

The part that worries me most isn't the capability — it's the verification gap. The card notes that when Mythos is used for engineering tasks, "the bottleneck shifts from the model to their ability to verify its work." Its mistakes are subtler and harder to catch: the quiet-failure problem that lives inside every production agent, now sharpened by a model whose errors are harder than ever to spot. The same holds for security — AI-discovered vulnerabilities still need human triage, and the volume will overwhelm teams that aren't ready. Anthropic's own monitoring is being pushed to its limits; if the builders are worried, users should be too.

And this is the first time a major lab has withheld a frontier model from public release. It may be the right call here. But the governance frameworks for who decides what's "too dangerous" next time don't exist yet.

Anthropic closes the system card with a line worth reading slowly: "We find it alarming that the world looks on track to proceed rapidly to developing superhuman systems without stronger mechanisms in place for ensuring adequate safety across the industry as a whole."

They're right.