Mythos AI alarm

A new Anthropic model called Claude Mythos Preview is fueling alarm because the company says it can find and exploit software flaws at a level it would not release to the public. (anthropic.com) Anthropic said on April 8 that Mythos Preview could identify and exploit zero-day vulnerabilities — previously unknown bugs with no patch yet available — across major operating systems and web browsers during internal testing. The company said it restricted access instead of offering the model for general use. (anthropic.com) In its system card, Anthropic described Mythos Preview as its “most capable frontier model to date” and said the model showed a large jump over Claude Opus 4.6 on cybersecurity evaluations. CNBC reported on April 17 that Anthropic released Claude Opus 4.7 as a generally available model while keeping Mythos more tightly controlled. (anthropic.com) (cnbc.com) A zero-day exploit is a break-in method built from a software flaw that defenders have not fixed yet. Anthropic said Mythos could not just describe those flaws but also produce working exploit chains, which are step-by-step sequences attackers use to get in and move deeper into a system. (anthropic.com) That has landed in a threat environment where Microsoft said on April 2 that nation-state and criminal groups are already embedding generative artificial intelligence into how they plan, refine, and sustain cyberattacks. Google Threat Intelligence Group said in a 2025 report that adversaries had begun deploying AI-enabled malware in active operations. (microsoft.com) (services.google.com) Anthropic says its response is Project Glasswing, a program announced last week with Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The company said the effort is aimed at securing widely used software before more capable offensive models spread further. (anthropic.com) Outside reporting has added to the attention and the skepticism. Yahoo News reported that Anthropic was limiting Mythos because of cyber risk, while Politico reported on April 14 that Commerce Department officials and other government staff were quietly evaluating the model’s hacking capabilities. (yahoo.com) (politico.com) Security vendors are also pitching faster monitoring as attackers automate more steps. CrowdStrike said in its 2026 threat report that attacks by AI-enabled adversaries rose 89% in 2025, and it is marketing “AI detection and response” tools built to log prompts, outputs, and model activity. (crowdstrike.com) The immediate dispute is not whether AI will be used in hacking, but how far Mythos moves that line and who gets access first. Anthropic has framed the model as a warning to defenders; critics and outside analysts are still pressing for more evidence about how those internal tests map to real-world attacks. (anthropic.com) (labs.cloudsecurityalliance.org)