Anthropic restricts Claude Mythos
Anthropic pulled its newest, most capable model from general release and says it’s only sharing it with a handful of trusted partners because it’s “too dangerous.” (thehill.com) That safety-first framing is under scrutiny because claims about “thousands” of severe zero-days rest on just 198 manual reviews, calling the evidence into question. (tomshardware.com) The episode has been treated as a national-security–level event, which makes the credibility of evaluation evidence as important as the model’s raw capability. (thedispatch.com)
Anthropic spent April 7 saying its newest model was strong enough to find and exploit previously unknown software flaws, then refused to put that model on general release. Instead, it put Claude Mythos Preview inside a restricted program called Project Glasswing for a small set of companies and infrastructure groups. (anthropic.com) The company’s own security post says Mythos could identify and exploit zero-day vulnerabilities across every major operating system and every major web browser during testing. Anthropic also says more than 99 percent of the bugs it found are still unpatched, which is why it withheld technical details. (red.anthropic.com) A zero-day is a software flaw the developer does not know about yet, so there is no fix waiting in the wings. If an attacker finds one first, it is like discovering a building’s hidden back door before the owner even knows the lock exists. (red.anthropic.com) Anthropic says some of the flaws Mythos found were 10 to 20 years old, and one OpenBSD bug was 27 years old before being patched. That is the part that turned a product launch into a national-security story almost overnight. (red.anthropic.com) The restricted rollout is not tiny. The Hill reported that Microsoft, Apple, CrowdStrike, and Amazon Web Services are among the firms getting access, alongside more than 40 organizations that build critical software infrastructure. (thehill.com) Anthropic also attached money to the rollout. The company says it will provide up to $100 million in usage credits and $4 million in direct donations to open-source security groups through Project Glasswing. (thehill.com) Then the argument shifted from what Mythos can do to how Anthropic proved it. Anthropic’s announcement used the phrase “thousands” of serious zero-days, but critics pointed to the evaluation details and said that headline-sized claim rests on a much smaller base of manually reviewed cases. (tomshardware.com) That matters because model evaluations are the ruler in this story. If a company is asking governments, infrastructure operators, and the public to treat a model like a controlled technology, the sampling method behind words like “thousands” becomes as important as the model itself. (thedispatch.com) TechCrunch reported that Anthropic had already been discussing Mythos with federal officials, and the partner list includes companies that sit deep inside the internet’s plumbing, including Cisco, Broadcom, the Linux Foundation, and Palo Alto Networks. That is a sign Anthropic is framing this less like a chatbot launch and more like a coordinated defense exercise. (techcrunch.com) Anthropic’s own system card says Mythos is its most capable frontier model so far and that the capability jump is the reason it is not being made generally available. The immediate fight is no longer just over whether the model is powerful, but whether the evidence for that power is solid enough to justify treating it as too dangerous for the public. (anthropic.com)
