Anthropic's Mythos Security AI: From Restricted Access to Public Release Plans

In the rapidly evolving landscape of AI-powered security tools, Anthropic has made a significant announcement regarding its Mythos-class models—the company's advanced AI system designed to identify security vulnerabilities in code. While currently restricted to select participants through "Project Glasswing," Anthropic has revealed plans to eventually make these powerful tools publicly available once adequate safety measures can be implemented.

Mythos: A Powerful Security Vulnerability Hunter

Mythos represents a significant leap forward in automated security analysis. Since its announcement in early April 2026, the AI model has demonstrated remarkable capabilities in identifying potential security flaws in software code. The system has been applied to over 1,000 open-source projects that "collectively underpin much of the internet—and much of our own infrastructure," according to Anthropic.

The results of Mythos's analysis have been substantial:

Metric	Value
High-or-critical-severity vulnerabilities found	6,202
Total vulnerabilities discovered	23,019
Validated vulnerabilities	1,587 (90.6% of reviewed)
Confirmed high-or-critical-severity	1,094 (62.4% of validated)
Patches deployed	75 (as of reporting)

One particularly critical discovery involved the wolfSSL cryptography library, used by billions of devices worldwide. Mythos identified a vulnerability that would allow attackers to forge certificates, potentially enabling them to create convincing fake websites for banks or email providers. Fortunately, developers have already patched this issue, with Anthropic promising a full technical analysis in the coming weeks (likely under CVE-2026-5194).

Current Access: Project Glasswing

Given the potential for misuse by malicious actors, Anthropic has limited Mythos access to select participants through Project Glasswing. This controlled approach allows the company to gather valuable feedback while preventing the widespread discovery of vulnerabilities that could be exploited before patches are developed.

Participants in Project Glasswing have reported several key observations:

1. Mythos quickly identifies many bugs, though most are discoverable by humans given sufficient time and resources
2. The sheer volume of findings can overwhelm security teams' patching capabilities
3. The system has prompted significant security reviews, including Japan's government-ordered sweeping security assessment
4. Financial institutions in India have initiated patching sprees in response to Mythos's capabilities

The Challenge of Safeguards

In its recent "initial update" on Project Glasswing, Anthropic acknowledged a critical challenge: "At present, no company—including Anthropic—has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm."

This admission highlights the fundamental tension in advanced AI security tools: the same capabilities that help defenders identify vulnerabilities can be weaponized by attackers to discover and exploit those same flaws more efficiently.

Expanding Access and Future Plans

Looking ahead, Anthropic outlined plans to expand Project Glasswing access to additional partners, including US and allied governments. The company stated: "We work with critical partners – including US and allied governments – to expand Project Glasswing to additional partners. And in the near future, once we've developed the far stronger safeguards we need, we look forward to making Mythos-class models available through a general release."

Notably, Anthropic did not specify a timeline for this public release, using the vague "near future" timeframe. The company is clearly working to balance the benefits of broader access with the risks of potential misuse.

Impact on the Security Ecosystem

The introduction of Mythos has already begun reshaping the security landscape:

1. Increased vulnerability discovery: The sheer volume of findings is adding pressure to an already overloaded security ecosystem
2. Maintainer burnout: Open-source maintainers are facing "a deluge of low-quality, AI-generated bug reports" and have requested slower disclosure rates
3. Shift in defensive strategies: Security teams must now assume attackers will weaponize AI-discovered vulnerabilities more frequently and effectively
4. Development of countermeasures: Organizations are investing in AI-assisted patching and response tools to keep pace with discovery rates

Anthropic has suggested that security teams struggling with the volume of AI-discovered bugs should consider enhancing their own AI capabilities, particularly improving Claude's ability to assist developers in creating patches more efficiently.

The Path Forward

As Anthropic works toward developing stronger safeguards for Mythos-class models, the security community faces both challenges and opportunities. The ability to identify vulnerabilities at scale represents a powerful defensive capability, but only if matched by equally robust patching and mitigation strategies.

For organizations considering how to prepare for the eventual public release of such tools, several approaches emerge:

1. Develop AI-assisted triage capabilities to prioritize vulnerabilities based on potential impact and exploitability
2. Establish coordinated disclosure policies that balance rapid patching with responsible reporting
3. Invest in automated remediation tools to address vulnerabilities more quickly once identified
4. Foster collaboration between security teams and development organizations to streamline the patching process

The evolution of Mythos from restricted access to planned public release reflects the broader maturation of AI in security—a field where the defensive and offensive capabilities continue to advance in tandem. As Anthropic and other organizations develop stronger safeguards, we may see a new era of AI-enhanced security that benefits both defenders and the broader software ecosystem.