On April 7, Anthropic announced Mythos Preview, a frontier AI model with such potent hacking capabilities that the company deemed it too dangerous for public release. In the same statement, it also rolled out Project Glasswing, a limited release of Mythos to a select group of approximately 50 industry partners to harden cyber defenses against future AI-enabled hacking.
Taken together, Mythos and Glasswing signal the speed at which new and potentially dangerous AI capabilities are coming and the challenges of mitigating their risks before they widely proliferate. Mythos is already forcing a reckoning with long unaddressed cybersecurity problems. But it is also a harbinger of the security and governance dilemmas that AI companies and governments will face in enabling the safe adoption of progressively more powerful models, including the geopolitical tensions that arise when vastly superior models are made available to only a select few.
A “Step Up” in AI-Enabled Hacking
Experts have long warned about the potential for agentic AI systems to shift the balance between offense and defense in cyberspace. AI has already been used to generate malware and improve phishing emails. Last year, Anthropic exposed the first “AI-orchestrated cyber espionage campaign,” in which Chinese state-sponsored hackers used Claude Code to autonomously target approximately 30 organizations (albeit using relatively unsophisticated hacking tools, and producing only a handful of successful intrusions).
With Mythos Preview, AI systems are now reportedly able to identify and exploit at that same speed and scale previously undiscovered software vulnerabilities (“zero-day vulnerabilities”) with a level of capability that “surpass[es] all but the most skilled human.” Anthropic says that Mythos has “already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.” The United Kingdom’s AI Safety Institute independently assessed that Mythos’s cyber capabilities represent a “step up” over those of other frontier models.
Historically, only a small percentage (5-6 percent) of discovered vulnerabilities have actually been exploited. What sets Mythos apart is not so much its ability to find vulnerabilities, but to exploit them autonomously, potentially within minutes or hours of discovery. This is an otherwise time and resource-intensive activity for expert human operators. The capabilities displayed in Mythos could put the ability to conduct such high-end hacking operations in the hands of many more governments, and criminal groups.
Because of this risk, Anthropic says it “do[es] not plan to make Claude Mythos Preview generally available.” But restricting release only buys time. Other frontier model companies like OpenAI and Google are likely to develop similar capabilities. More significantly, Chinese AI companies have repeatedly managed to match U.S. frontier models within months — in part by distilling capabilities from those very models. Restricting access to Mythos may slow that process, but it will not prevent Mythos-level capabilities from becoming more widely available. At least one group has already gained unauthorized access to Mythos through one of Anthropic’s vendors.
Glasswing: Giving Defense a Chance
The good news is that the same capabilities that allow Mythos to exploit software vulnerabilities can also be used to discover and patch them. Glasswing and OpenAI’s parallel Trusted Access for Cyber (TAC) program are designed to give defenders a head start before Mythos-level capabilities reach malicious hackers. Under Glasswing, a group of 11 founding partners — including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, Microsoft, and NVIDIA — as well as 40 additional organizations are being given access to Mythos to scan and secure critical software systems.
Glasswing is designed to be tightly controlled to prevent adversarial actors from gaining access to Mythos. Nonetheless, Anthropic has included non-profit open source security organizations in the effort, providing $4 million in direct donations to support the work, on top of $100 million in usage credits for Mythos being spread across the effort. Both Glasswing and TAC are characterized as the beginning of a broader effort to secure networks against AI-enabled threats. Anthropic promises a report within 90 days that includes recommendations for how “security practices should evolve in the AI era.”
Reckoning with Mythos
Mythos and Glasswing together present a number of key policy implications.
1. Cybersecurity
First, Mythos brings into sharp relief many ongoing issues in cybersecurity. Software products are rolled out by companies with the expectation that any vulnerabilities discovered would be patched later. And yet, for years, there has been a lag of weeks to months between patch release and implementation. This lag will be untenable in an AI-enabled threat landscape, where the time between vulnerability discovery and exploitation can be minutes or hours. For Glasswing and TAC to succeed, organizations will need to match the speed of AI by increasing the pace of their patching and other basic cyber hygiene measures.
And then there is the problem of all the software producers and other organizations that are not participating in Glasswing or TAC. This includes under-resourced organizations (like schools, hospitals, and utilities) in the United States and other countries that are unable to afford state-of-the-art cyber defenses or transition from legacy systems that do not have patches available. The result may be a widespread migration of organizations to cloud-based and other services run and protected by a limited number of trusted companies that have advanced access to highly powerful models to harden defenses. This reshapes cyberspace, bringing much-needed changes to how organizations secure their networks but also concentrating responsibility in the hands of a few large companies.
2. Emergent AI Capabilities
How governments and companies handle Mythos now will set a precedent for how they manage other emergent, potentially harmful AI capabilities going forward. The Glasswing/TAC approach is uniquely effective for dealing with cyber risks, because AI-enabled vulnerability discovery can be used almost as readily to patch at scale as it can for hacking purposes. Different response models may be needed for other types of risks.
Anthropic says it wants to eventually “deploy Mythos-class models” at scale, but only after “mak[ing] progress in developing cybersecurity (and other) safeguards that detect and block the model’s most dangerous outputs.” But company-level safeguards are only part of the answer. Safeguards can only work as a strategy if they are implemented across all models that gain new and potentially dangerous capabilities — including Chinese open-source models. This will require regulation and negotiation to achieve. The Trump administration has taken a limited approach, letting AI companies themselves decide what safeguards to implement. Such an ad hoc approach is unlikely to produce the consistent, verifiable safeguards that will be needed. But there are signs this approach may be changing. The White House is reportedly considering an Executive Order to develop oversight procedures, including to vet new AI models before they are released to the public. In addition, the U.S. Commerce Department’s Center for AI Standards and Innovation (CAISI) recently announced an agreement with three additional model companies to conduct pre-deployment evaluations.
3. Allies, Adversaries, and AI Power
Finally, Mythos offers an early glimpse of how powerful AI capabilities concentrated in a handful of countries will reshape national security and international relations. Mythos’s capabilities have caused the Trump administration to reconsider its approach to Anthropic, following the U.S. Defense Department’s March 2026 designation of the company as a “supply chain risk” and President Trump’s directive that all federal agencies should stop using its technology. Several federal agencies, including the Commerce Department’s CAISI, are already circumventing the ban to test the model’s defensive applications. And there are signs that the U.S. government will seek to limit who else gets to access Mythos, with the administration reportedly fighting plans by Anthropic to expand participation in Glasswing by another 70 organizations.
For allies and partners, the limited release of Mythos to primarily U.S.-based organizations is an early indication of how U.S. frontier model dominance may deepen their dependence on the United States. Cybersecurity is one area where governments cannot afford to avoid the frontier AI race. If governments do not use the most powerful AI models to defend their critical infrastructure and government systems, then someone else will soon use similar capabilities to hack them. And yet, foreign government access to Mythos has been as of now quite limited. European allies, for example, have been sidelined and are questioning why a private U.S. entity is making decisions with such bearing on their national security. This will intensify strategic questions among these countries about how to secure reliable access to frontier AI technology, whether by trying to catch up and build their own frontier models (a challenging prospect), hedge between U.S. and Chinese models, or make deals with the United States.
For U.S. adversaries, like China and Russia, the implications are even less pleasant. Their companies will not have early access to Mythos for defensive purposes, and so will remain vulnerable to Mythos-level cyber capabilities whenever they become widely available to hackers — that is, unless they too start buying more software and services from companies participating in Glasswing and TAC. Moreover, they will fear that in the meantime, the United States, its allies, or criminal groups will use frontier AI models to support cyber operations against them. This will raise the stakes for Chinese AI companies’ race to keep pace with U.S. frontier model companies, using distillation attacks or any other means available to them. And it will increase incentives for China to negotiate with the United States around AI security issues, potentially as soon as the upcoming Trump-Xi summit, currently scheduled for May 14.
Issues that Cannot Wait
Three larger strategic issues stand out as requiring sustained attention:
- First, cyberspace will need to be secured in a world where adversaries can deploy AI tools to discover and exploit vulnerabilities faster than humans can respond. The Trump administration’s Cyber Strategy for America acknowledges the need to “securely scale network defense and disruption” using AI. But a strategy is not a plan. Still needed is a concrete vision for AI-enabled defense, backed by investment in the organizations least able to protect themselves, and incentives to ensure defensive AI tools reach beyond the large companies already participating in Glasswing and TAC.
- Second, a governance framework for emergent AI capabilities that goes beyond voluntary company decisions must be built. The Glasswing model is a promising start, but it leaves too much to individual companies’ judgment. Serious work on AI governance frameworks has already begun — like safety standards, export controls, and international engagements — but it remains fragmented and largely voluntary. There is an urgent need to build a coherent policy, especially as more powerful models continue to arrive. Recent movements to enable pre-deployment testing could be a start.
- Finally, the United States must develop an international strategy for managing access to frontier AI capabilities. This strategy could give allies meaningful access to defensive AI capabilities, build shared governance norms among like-minded countries, and pair continued efforts to outcompete China with targeted negotiations, where Washington and Beijing have an interest in establishing guardrails. The United States has the leverage to pursue all three goals, but not without a sustained investment in diplomacy.
Mythos is a preview. The question is whether governments and companies are ready for what comes next.
