What the First Public Update on Claude Mythos Reveals
One month after the launch of Project Glasswing, Anthropic has published a progress report covering the performance of Claude Mythos Preview, its non-commercialized frontier model, in autonomous software vulnerability discovery. The document details the volume observed across roughly fifty partners, the independent triage of open source findings, several operational use cases, the observed consequences on patch cycles, and the associated defensive recommendations. All figures discussed below come directly from Anthropic’s official report(1), supplemented by individual partner publications and by reporting in the French- and English-language specialized press.
Initiative. Project Glasswing, launched in April 2026 and built around a closed consortium of approximately 50 partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, and other organizations from the open source ecosystem)(1)(20).
Model. Claude Mythos Preview, a non-commercialized frontier model specialized in autonomous vulnerability discovery and the construction of exploit chains(1)(10).
Aggregate volume. More than 10,000 high- or critical-severity vulnerabilities identified in one month across the combined partner + open source scope(1).
Open source. 23,019 raw findings on more than 1,000 projects scanned, of which 6,202 were rated high/critical by the model(1)(11)(23).
Independent triage. 1,752 high/critical findings reassessed by six independent security firms: 90.6% confirmed as true positives (1,587), 62.4% confirmed as high/critical (1,094)(1)(21).
Projection. Approximately 3,900 high/critical vulnerabilities expected in open source code based on the post-triage true positive rate(1).
Open source remediation. 530 high/critical vulnerabilities disclosed to maintainers, 75 patched, 65 public advisories; 1,129 additional bugs disclosed without deep triage, at maintainers’ request(1).
Average lead time. Approximately two weeks between discovery by Mythos Preview and a patch for a high/critical bug(1).
Partners (publicly disclosed figures). Cloudflare: 2,000 bugs of which 400 high/critical(1)(7). Mozilla: 271 vulnerabilities fixed in Firefox 150, ten times more than the previous version tested with Claude Opus 4.6(1)(8). Palo Alto Networks: five times more patches in the latest release(1)(11). Microsoft: Patch Tuesday volume expected to keep growing for some time(1)(12). Oracle: detection and response several times faster(1)(13).
Notable defensive case. A fraudulent $1.5M wire transfer detected and blocked at a partner bank, in a scheme combining customer email compromise and spoofed phone calls(1)(22).
Illustrative public vulnerability. CVE-2026-5194 in the open source cryptographic library wolfSSL, with an exploit chain enabling certificate forgery(1)(14)(15).
External evaluations. UK AISI: first model to solve both of its cyber ranges end-to-end(1)(9). XBOW: significant step up in candidate identification and the full vulnerability → exploit chain(1)(10). ExploitBench and ExploitGym: Mythos Preview leading(1)(4).
Financial commitment. More than $100M in usage credits and $4M in donations announced in April 2026, including a $12.5M partnership with OpenSSF Alpha-Omega(1)(16)(21).
Product posture. Mythos Preview remains restricted; Claude Security opened in public beta for Claude Enterprise customers — more than 2,100 vulnerabilities fixed in three weeks using Claude Opus 4.7(1)(6).
What Is Claude Mythos and How Does It Work?
Claude Mythos Preview is a frontier language model developed by Anthropic, specialized in autonomous software vulnerability discovery and in the construction of associated exploit chains(1)(10). Unlike Anthropic’s commercialized Claude family (Opus, Sonnet, Haiku), Mythos Preview is not publicly distributed: access is limited to Glasswing program partners and to a small number of external evaluators mandated by Anthropic(1)(20). The “Preview” suffix denotes a restricted early-access status, distinct from a stabilized commercial release.
Mythos Preview is designed to analyze source code, not compiled binaries. XBOW explicitly describes it as a model “particularly strong at analyzing source code with a security-aware reasoning lens”(1)(10). This characteristic has three structural consequences for how the model is used:
Open source side. The 1,000+ projects analyzed by Anthropic are publicly accessible by construction; their source code is directly readable and processable by the model, without any sharing contract or specific confidentiality framework(1)(11).
Private partner side. Editors and operators that are members of the Glasswing consortium share their proprietary source code with Mythos Preview under a restricted contractual framework. This is one of the reasons the program is limited to about 50 carefully selected partners rather than offered as an open service: providing proprietary code to an AI model requires confidentiality commitments and a data governance framework(1)(20)(21).
Out of scope. The report does not describe binary analysis without access to source code. Vulnerabilities present in proprietary components whose code is not shared with Anthropic — whether closed third-party software or firmware — are not covered by the program as described. This limitation partly explains why the disclosed scope focuses on open source projects and on partners’ consenting code.
The report explicitly places Mythos Preview at the top of two recent academic exploit-development benchmarks — ExploitBench and ExploitGym(1)(4). Mozilla documents a 10× factor in the volume of vulnerabilities identified in Firefox 150 (under Mythos Preview) compared with Firefox 148 (under Claude Opus 4.6)(1)(8). XBOW describes the model as a significant step up over the prior state of the art for source code security analysis(10). The UK AISI reports that Mythos Preview is the first model to solve end-to-end both of the cyber ranges it operates, simulating multi-step attack chains(1)(9).
The report and external evaluations describe four main capability families, all applied to source code made available to the model(1)(10):
Static and semantic source code analysis. Identification of vulnerable patterns (CWEs), unsound security assumptions, and user-data propagation chains within a provided codebase.
End-to-end exploit construction. Beyond detection, the model can produce a proof of concept exploiting the identified vulnerability. The wolfSSL case (CVE-2026-5194), where Mythos Preview built an exploit enabling certificate forgery from an analysis of the library’s source code, illustrates this capability(1)(14)(15).
Codebase mapping and multi-file reasoning. The model is used via a harness that lets it map a full repository, identify high-security-impact areas, and orchestrate specialized scanning sub-agents(1).
Composite signal analysis for fraud detection. The case of the partner bank that blocked a $1.5M fraudulent wire transfer illustrates a use that goes beyond code analysis and includes correlating compromised-mailbox signals with payment activity(1)(22). This case is an extension of the model’s usual scope, but still relies on the analysis of structured data made available to it.
The report and the Claude Security product page specify that Mythos Preview is not used alone, but inside an orchestration environment with several components(1)(6):
A harness that drives the sequence of operations: source repository exploration, instantiation of scanning sub-agents, triage of findings, drafting of reports.
Skills, i.e. pre-saved custom instructions for repeated tasks (for example: analyzing a specific component type, generating an advisory, checking a particular CWE category).
A threat model builder, which maps the codebase to potential attack objectives and steers the model’s work toward the most critical areas.
Anthropic makes these components available to qualified security teams on request, independently of access to the Mythos model itself(1).
Raw detection by Mythos Preview is not the final result. The report describes a multi-stage triage process(1):
- Reproduction of the issue by Anthropic or by one of the six independent security research firms acting as partners.
- Severity reassessment, independent of the model’s initial estimate.
- Search for any patches already in place.
- Drafting of a detailed report for the maintainer or vendor.
- Coordinated disclosure following Anthropic’s CVD policy (90 days, or ~45 days after a patch is published)(3).
It is this triage that, applied to the 1,752 findings reassessed so far out of the 6,202 raw high/critical findings on the open source side, yields 1,094 confirmed high/critical vulnerabilities after reassessment (a 62.4% post-triage validation rate)(1)(21).
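As an added illustration (not Anthropic's code or data), the following Python models the triage stages and the CVD deadline rule described above, using the report's published open source counts as constructed sample input. The Finding layout, and the reading of the ~3,900 projection as the post-triage high/critical rate applied to all 6,202 raw findings, are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HIGH_CRIT = {"high", "critical"}
CVD_WINDOW_DAYS = 90         # default window in Anthropic's CVD policy, per the text
POST_PATCH_GRACE_DAYS = 45   # "~45 days after a patch is published", per the text


@dataclass
class Finding:
    """One model-reported finding as it moves through triage (layout is an assumption)."""
    ident: str
    model_severity: str                          # severity estimated by the model
    reproduced: Optional[bool] = None            # None = not yet independently reassessed
    reassessed_severity: Optional[str] = None    # severity after independent reassessment


def disclosure_deadline(reported: date, patch_published: Optional[date] = None) -> date:
    """Public disclosure date: 90 days after the report, or ~45 days after a patch
    is published, whichever comes first."""
    deadline = reported + timedelta(days=CVD_WINDOW_DAYS)
    if patch_published is not None:
        deadline = min(deadline, patch_published + timedelta(days=POST_PATCH_GRACE_DAYS))
    return deadline


def triage_funnel(findings: list) -> dict:
    """Count findings at each stage and project the post-triage rate onto the
    full raw high/critical set (how the ~3,900 figure is read here; an assumption)."""
    raw_hc = [f for f in findings if f.model_severity in HIGH_CRIT]
    reassessed = [f for f in raw_hc if f.reproduced is not None]
    true_pos = [f for f in reassessed if f.reproduced]
    confirmed_hc = [f for f in true_pos if f.reassessed_severity in HIGH_CRIT]
    n = len(reassessed)
    tp_rate = len(true_pos) / n if n else 0.0
    hc_rate = len(confirmed_hc) / n if n else 0.0
    return {
        "raw_high_critical": len(raw_hc),
        "reassessed": n,
        "true_positives": len(true_pos),
        "confirmed_high_critical": len(confirmed_hc),
        "true_positive_rate": round(tp_rate * 100, 1),
        "high_critical_rate": round(hc_rate * 100, 1),
        "projected_high_critical": round(len(raw_hc) * hc_rate),
    }


def build_sample() -> list:
    """Constructed sample reproducing the report's published counts: 6,202 raw
    high/critical, 1,752 reassessed, 1,587 true positives, 1,094 confirmed high/critical."""
    findings = []
    for i in range(6202):
        f = Finding(f"OSS-{i:05d}", "high")
        if i < 1094:                      # confirmed as high/critical
            f.reproduced, f.reassessed_severity = True, "high"
        elif i < 1587:                    # real bug, but downgraded on reassessment
            f.reproduced, f.reassessed_severity = True, "medium"
        elif i < 1752:                    # could not be reproduced: false positive
            f.reproduced = False
        findings.append(f)                # remaining 4,450 not yet reassessed
    return findings


if __name__ == "__main__":
    print(triage_funnel(build_sample()))
    print(disclosure_deadline(date(2026, 5, 1), patch_published=date(2026, 5, 20)))
```

Running it reproduces the 90.6% and 62.4% rates from the report and a projection of 3,873, consistent with the "approximately 3,900" figure.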
Anthropic justifies maintaining restricted access through an asymmetric argument(1)(21): the model’s capabilities for discovery and exploitation of vulnerabilities from source code are such that public release without strengthened safeguards would benefit attackers more than defenders — particularly during the transitional window in which patches are not yet widely deployed. Because open source code is accessible to anyone, a Mythos-class model released broadly would drastically lower the cost of identifying and exploiting vulnerabilities in those projects. The Glasswing program is presented as a defensive mechanism intended to give systemic defenders (critical vendors, infrastructure operators, government operators) a temporal advantage before models of equivalent capability arrive on the market, potentially without the same usage restrictions(1).
For defensive uses that do not require Mythos Preview’s frontier capabilities, Anthropic has opened Claude Security in public beta for Claude Enterprise customers(6). The product is based on Claude Opus 4.7, a public model, and allows internal teams to scan their own source code and generate patch proposals. The report states that more than 2,100 vulnerabilities have been fixed in three weeks through this channel(1). Claude Security incorporates part of the learnings from Glasswing, without the most advanced capabilities of Mythos Preview, and retains the same operational constraint of analyzing source code.
Mythos Preview therefore presents itself as a specialized frontier model, operating on source code made available to it, accessible only through a partner program and accompanied by an orchestration infrastructure (harness, skills, threat model builder). Anthropic positions it as a transitional systemic-defense tool, pending a broader release conditional on the development of sufficient safeguards.
Background and Objectives of Project Glasswing
Project Glasswing was announced by Anthropic in April 2026 as a collaborative effort aimed at securing the world’s most critical software before AI models of equivalent capability are used for offensive purposes(1)(2). The initiative rests on early access, granted to about fifty carefully selected partners, to Claude Mythos Preview — a non-commercialized frontier model whose autonomous vulnerability discovery capabilities are, according to Anthropic, superior to those of public models(1)(20).
Partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks, along with other organizations from the open source ecosystem(20)(22). The argument advanced is defensive: allowing systemic vendors and operators to fix their vulnerabilities before an equivalent model, distributed without safeguards, becomes accessible to malicious actors. Anthropic justifies this restriction by the observation that Mythos Preview’s capabilities for discovery and exploitation of vulnerabilities place the model above nearly all specialized human operators(1)(21).
The update published on May 22, 2026 covers the first weeks of use and combines three angles: results on partners’ proprietary code, an analysis campaign on open source code, and external evaluations of the model. The publication logic follows coordinated disclosure: vulnerabilities are not detailed until patches are widely deployed, in line with Anthropic’s internal CVD policy(1)(3). The report therefore provides aggregate statistics and a few illustrative cases rather than an exhaustive enumeration.
Aggregate Volume
Across the full covered scope (partners + open source), Anthropic and its partners claim more than 10,000 vulnerabilities of high or critical severity identified in one month(1). Most partners individually report finding several hundred, with a discovery rate growth factor greater than ten compared with their prior practices(1)(20).
On the open source side, Anthropic ran Mythos Preview against more than 1,000 projects considered structural to the Internet and to its own infrastructure, over a period of several months(1). This campaign generated 23,019 findings, of which 6,202 were rated by the model as high or critical severity. The breakdown by project, vulnerability type, and CWE category is not published at this stage; Anthropic indicates that this analysis is reserved for a later report, once patches are widely deployed(1).
The partner scope also illustrates the diversity of targets. Cloudflare separately reports having identified 2,000 bugs in its critical systems, of which 400 are classified high or critical, with a false positive rate considered better than that of experienced human testers(1)(7). Mozilla reports fixing 271 vulnerabilities in Firefox 150 using Mythos Preview, roughly ten times more than in Firefox 148 tested with Claude Opus 4.6(1)(8). Microsoft indicates that the number of patches released in its Patch Tuesday cycles will continue to grow for some time, in connection with the findings from the program(1)(12). Palo Alto Networks’ latest release contains five times more patches than the historical average(1)(11). Oracle reports detecting and fixing its vulnerabilities several times faster than before(1)(13).
Independent Triage of Open Source Findings
One of the methodologically most structured parts of the report concerns the external verification of open source findings. Out of the 6,202 vulnerabilities rated high/critical by Mythos Preview, 1,752 were reassessed by six independent security research firms or, in a limited number of cases, by Anthropic’s internal teams(1)(21).
The published result is as follows: 90.6% (1,587) were confirmed as true positives, and 62.4% (1,094) were confirmed as high or critical severity after reassessment(1)(20)(22). Based on this post-triage true positive rate, Anthropic projects approximately 3,900 high/critical vulnerabilities in open source code over time, assuming continued analysis of the already identified scope, and in addition to those discovered in partners’ code(1).
The triage process described comprises several steps(1): reproduction of the issue by Anthropic or a partner firm, severity reassessment, search for any patches already in place, then drafting of a detailed report for maintainers. Anthropic also publishes a public dashboard tracking the steps of the disclosure process for open source vulnerabilities, highlighting the sharp drop-off at each stage — a symptom of the human cost of verification and remediation(5).
Anthropic underlines that several open source maintainers, already facing an influx of low-quality AI-generated bug reports, have asked for the disclosure pace to slow down so they can absorb the volume(1)(21). At the request of some maintainers, bugs are disclosed without in-depth triage: 1,129 such findings have been transmitted, including 175 rated high/critical by the model without independent reassessment(1).
Remediation: From Disclosure to Patch
At the time of the report, Anthropic states that 530 high/critical vulnerabilities have been disclosed to open source maintainers. Of these, 75 have been patched and 65 have been the subject of a public advisory(1). An additional 827 confirmed high/critical vulnerabilities are pending disclosure(1). The average lead time between discovery by Mythos Preview and the availability of a patch for a high/critical bug is approximately two weeks(1).
Three factors are advanced to explain the gap between the volume of confirmed findings and the volume of patches already published(1):
CVD window still open. The report comes early in the 90-day coordinated disclosure window set by Anthropic’s CVD policy(3).
Likely undercount. Some patches are deployed without an advisory: tracking then relies on after-the-fact detection using Claude.
Human saturation. A structural saturation of triage and remediation capacity, particularly acute on the side of volunteer open source maintainers.
In response, Anthropic has formalized a $12.5M partnership with the Open Source Security Foundation’s Alpha-Omega project, aimed at supporting maintainers in processing and prioritizing bug reports(16). This funding is part of the broader commitment announced in April 2026: more than $100 million in usage credits and $4 million in donations to open source security organizations(1)(21).
External Evaluations and Benchmarks
The report draws on several independent evaluations to characterize Mythos Preview’s performance outside the partner scope.
The UK AI Security Institute (AISI) states that Mythos Preview is the first model to solve end-to-end both of the cyber ranges it operates, simulating multi-step attack chains(1)(9). The XBOW platform describes Mythos Preview as a significant step up over existing models for the identification of vulnerable candidates and for source code analysis with a security reasoning lens, particularly on transforming a vulnerability into a complete attack chain(1)(10).
Two recent academic benchmarks, ExploitBench and ExploitGym, place Mythos Preview at the top on exploit development capabilities(1)(4). Anthropic’s Frontier Red Team publishes a detailed analysis of these benchmarks on its dedicated blog(4).
On the partner side, public feedback converges: Cloudflare reports a false positive rate considered better than that of experienced human testers on its scope(7); Mozilla observes a 10× factor in the volume of vulnerabilities found between Firefox 148 (Claude Opus 4.6) and Firefox 150 (Mythos Preview)(8); Palo Alto Networks documents a 5× factor in the volume of patches in its latest release(11). Microsoft, Oracle and several other vendors have published dedicated posts about the impact observed internally(12)(13).
Two Public Use Cases: wolfSSL and Banking Fraud
The report publishes two concrete examples, for illustrative purposes, on topics whose disclosure is deemed non-prejudicial.
Mythos Preview identified a vulnerability in the open source cryptographic library wolfSSL, used according to its own figures by several billion devices worldwide(1)(14). The model built an exploit enabling certificate forgery, which would make it possible to host a fraudulent site indistinguishable from a legitimate one (bank, mail service) from the end user’s perspective(1). The vulnerability is referenced in the NVD as CVE-2026-5194(15). Anthropic announces the publication of a full technical analysis after broad patch deployment(1).
A bank partner of the Glasswing program used Mythos Preview to detect and block a fraudulent $1.5 million wire transfer(1)(22). The scenario combines compromise of a customer’s mailbox and spoofed phone calls. The model identified the fraud pattern before the transfer was executed. This case illustrates that the use of Mythos Preview is not limited to code analysis and includes fraud detection scenarios involving the analysis of composite signals.
The Bottleneck Shifts: Finding vs Fixing
The report makes an explicit structural observation: detection is no longer the limiting factor of software security; verification, disclosure, and patch production now are(1)(20). Anthropic describes this shift as a challenge for the entire ecosystem during a transitional period in which vulnerabilities are discovered quickly and fixed slowly.
The defensive recommendations published target two audiences(1):
Vendors. Shorten patch cycles, make it easier to deploy updates on the user side, and more actively prompt users who remain on vulnerable versions. The use of public models to automate patch production is explicitly encouraged.
Network defenders. Reduce patch testing and deployment delays, and strengthen the application of foundational controls referenced by the NIST Cybersecurity Framework and by the UK NCSC: hardening of default configurations, multi-factor authentication, logging for detection and response. Anthropic stresses that these controls improve the defensive posture regardless of how quickly any given patch is applied.
The report presents this period as transitional: in time, Mythos-class models should help developers catch bugs before deployment, and thus reduce the volume of vulnerabilities to fix downstream. But the current gap between detection and remediation constitutes, in the meantime, a widened offensive window(1).
Anthropic’s Strategy: Mythos Locked Down, Claude Security Opened Up
Anthropic’s communication distinguishes two product trajectories.
Mythos Preview remains restricted; its public release is conditional on the development of strengthened safeguards against offensive use(1). Anthropic states that no company, including itself, has so far developed safeguards robust enough to allow broad distribution of a model in this category. The Glasswing program is presented as a transitional mechanism aimed at giving systemic defenders an asymmetric advantage before models of equivalent capability arrive on the market, potentially without the same restrictions(1).
Claude Security has been opened in public beta for Claude Enterprise customers(6). The tool allows security teams to scan their codebases and generate patch proposals. According to Anthropic, more than 2,100 vulnerabilities have been fixed in three weeks via this tool, based on Claude Opus 4.7(1). Anthropic explains the pace gap relative to open source by the fact that enterprises fix their own code, without depending on a coordinated disclosure process toward volunteer maintainers.
Anthropic has launched a program allowing security professionals to use its public models for legitimate purposes (vulnerability research, penetration testing, red teaming) without certain restrictions applied by default(1).
Anthropic publishes part of the assets used internally and with its Mythos Preview partners: skills (custom instructions for repeated tasks), a harness allowing Claude to map a codebase and orchestrate scanning sub-agents, and a threat model builder to prioritize analysis areas(1).
Cisco, a Glasswing partner, has open-sourced its Foundry Security Spec, which allows other defenders to build an evaluation system comparable to its own(17).
Announced Next Steps
Anthropic announces three directions for the program’s continuation(1):
Consortium expansion. Extension of Project Glasswing to new partners, including U.S. and allied government agencies.
Progressive disclosure. Continuation of the coordinated disclosure process for vulnerabilities already identified, with progressive publication of advisories and detailed technical reports as patches are broadly deployed. The full analysis of CVE-2026-5194 (wolfSSL) is announced for the coming weeks(1).
Conditional public release. Public release of Mythos-class models once safeguards are deemed robust enough. No timeline is communicated.
Anthropic also mentions its support for the development of the ExploitBench and ExploitGym benchmarks, which make it possible to measure the evolution of frontier models’ exploitation capabilities over time(4). The External Researcher Access Program is cited as a framework for supporting the development of other high-quality quantitative benchmarks(1).
Sources (numbered as cited in the text)
1. Anthropic — Project Glasswing: An initial update (May 22, 2026): https://www.anthropic.com/research/glasswing-initial-update
2. Anthropic — Project Glasswing (program page): https://www.anthropic.com/glasswing
3. Anthropic — Coordinated Vulnerability Disclosure policy: https://www.anthropic.com/coordinated-vulnerability-disclosure
4. Anthropic Frontier Red Team — Exploit evaluations: https://red.anthropic.com/2026/exploit-evals/
5. Anthropic Frontier Red Team — Open-source CVD dashboard: https://red.anthropic.com/2026/cvd/
6. Anthropic — Claude Security (product page): https://claude.com/product/claude-security
7. Cloudflare — Cyber frontier models: https://blog.cloudflare.com/cyber-frontier-models/
8. Mozilla — Behind the scenes: Hardening Firefox: https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
9. UK AI Security Institute — How fast is autonomous AI cyber capability advancing: https://www.aisi.gov.uk/blog/how-fast-is-autonomous-ai-cyber-capability-advancing
10. XBOW — Mythos offensive security evaluation: https://xbow.com/blog/mythos-offensive-security-xbow-evaluation
11. Palo Alto Networks — Defenders’ guide: Frontier AI impact on cybersecurity, May 2026 update: https://www.paloaltonetworks.com/blog/2026/05/defenders-guide-frontier-ai-impact-cybersecurity-may-2026-update/
12. Microsoft MSRC — A note on Patch Tuesday: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-note-on-patch-tuesday
13. Oracle Security — Accelerating vulnerability detection and response at Oracle: https://blogs.oracle.com/security/accelerating-vulnerability-detection-and-response-at-oracle
14. wolfSSL — How Claude Mythos Preview helped harden wolfSSL: https://www.wolfssl.com/how-claude-mythos-preview-helped-harden-wolfssl/
15. NIST NVD — CVE-2026-5194: https://nvd.nist.gov/vuln/detail/CVE-2026-5194
16. OpenSSF — Linux Foundation announces $12.5M in grant funding: https://openssf.org/press-release/2026/03/17/linux-foundation-announces-12-5-million-in-grant-funding-from-leading-organizations-to-advance-open-source-security/
17. Cisco — Announcing Foundry Security Spec: https://blogs.cisco.com/ai/announcing-foundry-security-spec
18. Le Monde Informatique (in French) — Avec Claude Mythos, Anthropic détecte 10 000 failles: https://www.lemondeinformatique.fr/actualites/lire-avec-claude-mythos-anthropic-detecte-10-000-failles-100258.html
19. IT-Connect (in French) — Claude Mythos trouve 10 000 failles de sécurité en un mois: https://www.it-connect.fr/claude-mythos-trouve-10-000-failles-de-securite-en-un-mois-et-bouscule-lecosysteme-tech/
20. Help Net Security — Anthropic: Claude Mythos identified 10,000+ software flaws: https://www.helpnetsecurity.com/2026/05/26/anthropic-project-glasswing-update/
21. CSO Online — Project Glasswing has uncovered 10,000 vulnerabilities: Anthropic: https://www.csoonline.com/article/4176865/project-glasswing-has-uncovered-10000-vulnerabilities-anthropic.html
22. The Hacker News — Claude Mythos AI Finds 10,000 High-Severity Flaws in First Month of Project Glasswing: https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html
23. Engadget — Anthropic says Mythos has already found more than 10,000 vulnerabilities: https://www.engadget.com/2180028/anthropic-claude-mythos-preview-project-glasswing-update/
24. L’Usine Digitale (in French) — Cybersécurité : Claude Mythos a trouvé plus de 10 000 failles critiques: https://www.usine-digitale.fr/intelligence-artificielle/anthropic/cybersecurite-claude-mythos-a-trouve-plus-de-10-000-failles-critiques-un-mois-apres-son-lancement-y-compris-dans-les-systemes-les-plus-importants-au-monde.H7GOEW6UVNG5VPKA762DKBT7HM.html
25. 01net (in French) — 10 000 failles/mois : Anthropic dévoile le premier bilan Claude Mythos: https://www.01net.com/actualites/10-000-failles-mois-anthropic-devoile-premier-bilan-claude-mythos.html
26. The Next Web — Anthropic’s Claude Mythos found 10,000 critical vulnerabilities in one month: https://thenextweb.com/news/anthropic-glasswing-claude-mythos-10000-vulnerabilities