Claude Mythos Found 10,000 Vulnerabilities Before You Could Even Buy It

The most consequential security event of 2026 was not a breach. It was a release strategy. Between April and June, Anthropic's secret Claude Mythos model was pointed at the software that runs the world — every major operating system, every major web browser, the infrastructure underneath banks and clouds — and it found more than 10,000 high- and critical-severity vulnerabilities before the public ever got to touch the model that found them. On June 9, with Claude Fable 5 now publicly available and the unrestricted Mythos 5 limited to vetted defenders, the industry can finally evaluate the whole arc: the leak that cratered cybersecurity stocks, the consortium that patched at machine speed, and the question every security team should now be asking — what happens when attacker capability catches up?

March 26: The Leak That Moved Markets

Claude Mythos entered public consciousness the way no frontier model ever has: through an unsecured draft blog post, discovered on March 26, 2026. The draft described an internal Anthropic model with offensive-grade security capability, and the market reacted before any official confirmation existed — cybersecurity stocks cratered on the news. The selloff logic was brutal and simple: if a model can find vulnerabilities at machine scale, the scarcity that underpins large parts of the security industry — human expertise in vulnerability research, penetration testing, detection engineering — suddenly has a substitute. Whether that logic survives contact with reality is a question we return to below, but the repricing happened in hours.

On April 7, Anthropic confirmed the model's existence, disclosed Claude Mythos Preview publicly, and made two announcements that defined the next two months. First: it had no plan to release the model. Second: it was launching Project Glasswing, a consortium built to use Mythos defensively before any question of broader access arose. The member list read like critical infrastructure itself — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

Project Glasswing: Patching at Machine Speed

The premise of Glasswing was an inversion of normal release logic. Instead of shipping a model and letting the ecosystem react, Anthropic gave the model to the organizations that maintain systemically important software and told them to use it against their own code first. By the June 9 announcement, the numbers were in.

More than 10,000 high- and critical-severity vulnerabilities across roughly 50 partners. Vulnerabilities found in every major operating system and every major web browser — a sentence that should be read slowly, because it means the attack surface used by billions of people contained thousands of undiscovered critical flaws that one model surfaced in about two months. Mozilla provided the most concrete public data point: 271 Firefox vulnerabilities patched using Mythos Preview. A single browser. A well-resourced, security-mature open-source project. Two hundred seventy-one.

The 31-minute figure deserves its own paragraph, because it is the one that reframes the defensive math. In testing, Mythos wrote a working exploit for an already-disclosed Windows kernel vulnerability in 31 minutes. The historical defense window — the gap between a vulnerability's disclosure and the appearance of weaponized exploit code — has been measured in days to weeks, and entire patch-management practices are calibrated to that window. A model that compresses disclosure-to-exploit into the length of a lunch break does not just speed up an existing process; it invalidates the operating assumption that "we patch within 30 days" is a security posture rather than a standing invitation.

The Geopolitics Arrived Within Hours

What separated the Mythos disclosure from every previous model announcement was who responded. Within hours of the April 7 reveal, Treasury Secretary Scott Bessent and Federal Reserve chair Jerome Powell convened financial executives — a meeting cadence normally reserved for liquidity crises, applied to a model card. The financial system's exposure was obvious to regulators immediately: banking infrastructure runs on decades-old software whose security rests substantially on the difficulty of finding its flaws, and that difficulty had just changed. JPMorgan, Goldman Sachs, and Citigroup began testing the model, per press coverage from CNBC and Axios.

Access decisions became foreign policy. Anthropic denied the Chinese government access to Mythos. When European banks were also denied, Mistral AI began building a rival — meaning the most direct consequence of the access regime was to accelerate a competing program on another continent. This is the structural dilemma of capability gatekeeping: every denial is also a market signal, and the parties you deny are precisely the ones most motivated to replicate what you withheld. The same dynamic shaped Anthropic's June 9 distillation safeguards, which the company describes as a response to identified large-scale distillation campaigns by authoritarian countries attempting to extract the capability through the public API.

June 9: Two Models, Two Trust Tiers

The June 9 release formalized a structure the industry has never had before. Claude Fable 5 — the same underlying model with classifier safeguards that route cybersecurity, biosecurity, and distillation-flagged queries to Claude Opus 4.8 — is available to everyone. Claude Mythos 5, with those safeguards lifted, is restricted to vetted cyberdefenders and infrastructure providers in collaboration with the US government. Glasswing itself is expanding from ~50 partners to roughly 150 organizations across 15 or more countries.

The safeguard layer on the public model held up unusually well under scrutiny. External testing found no universal jailbreaks across more than 1,000 hours, and the model showed zero compliance with harmful single-turn cyberattack-planning requests across 30 public jailbreak techniques. The classifiers trigger in under 5% of sessions on average. That is a materially stronger safety record than the agent ecosystem at large — a bar set painfully low by episodes like the one we documented in OpenClaw's 512 vulnerabilities, where viral adoption outran security review by months. But "no universal jailbreak found yet" is a statement about testing effort, not a proof, and the prudent reading is that the safeguards raise the cost of misuse rather than eliminating it.

Did Patch-First Actually Work?

The honest assessment requires separating two questions: did Glasswing make the ecosystem safer, and does it make the release safe? The answer to the first is almost certainly yes. Ten thousand critical-severity vulnerabilities removed from systemically important software is the largest coordinated hardening event in the history of the industry, full stop. The patch-before-release sequencing meant the model's offensive capability was applied to defense for two months while access remained controlled.

The answer to the second question is murkier, and security leaders should sit with the asymmetries. The vulnerabilities that got fixed are the ones in Glasswing partners' code — a set heavily weighted toward large, well-resourced organizations. The long tail of enterprise software, embedded systems, and legacy infrastructure received no Glasswing treatment, and that software now lives in a world where machine-scale vulnerability discovery exists. Meanwhile, the release itself widens diffusion: Fable 5's safeguards route exploit-development queries away, but capability has a way of leaking through fine-tuning ecosystems, distillation attempts, and eventually rival models built without equivalent restraint.

What Defenders Should Do Now

The operating assumption every security team should adopt is attacker capability parity within a planning horizon, not at some indefinite future date. Anthropic's access controls, classifier guardrails, and distillation defenses are real, but they govern one company's models. Mistral's program exists because of a denied request. State actors are running distillation campaigns against the public API today, by Anthropic's own account. The question is not whether machine-scale offensive capability diffuses, but how many quarters of lead time the current restrictions buy.

That reframes patch velocity as the single most important security metric of the next two years. If exploit development compresses from weeks to minutes, the only defensive posture that scales is closing the disclosure-to-deployment gap to hours — which for most organizations means automated dependency updates, aggressive canary deployment, and treating patch latency as an SLO with executive visibility. It also means adopting the same class of tooling defensively: the Glasswing lesson is that AI-scale discovery favors whoever runs it first against their own systems. This continues a trajectory we mapped in our AI cybersecurity trends analysis— the offense-defense balance keeps tilting toward whichever side automates faster.

The second priority is the agent layer. Organizations are wiring increasingly capable models into systems with tool access, and the security of that wiring — not the model weights — is where most real-world compromise will happen. Prompt injection remains unsolved, with every published defense failing over 90% of the time, and a Mythos-class model behind an injectable agent is a Mythos-class capability handed to whoever controls the injected content. Capability upgrades and agent-hardening budgets need to move together; in most organizations they currently do not.

A Concrete Posture Checklist

Translated into actions for a typical engineering organization: measure and publish your patch latency for critical CVEs, and drive it below one week now, with a path to under 48 hours. Inventory the software you run that no Glasswing-style sweep will ever touch — internal tools, legacy services, vendored dependencies — and schedule AI-assisted security review for it, because attackers will. Pressure your vendors on which access tier they hold and what AI-assisted discovery they run against their own products. And if you are building agents on Fable 5 or any frontier model, treat the agent's tool surface as your primary attack surface and sandbox accordingly.

Conclusion: The Era of Negotiated Capability

The Mythos saga will be remembered as the moment frontier AI stopped being released and started being negotiated — between a lab and a consortium, between a company and two governments, between what a model can do and what anyone is allowed to ask it. The patch-first strategy was genuinely novel and genuinely effective at what it attempted: 10,000 fewer critical vulnerabilities is not a press release, it is a changed threat landscape. But the strategy's success is bounded by its scope, and its scope ends exactly where most organizations' software begins.

The window between June 2026 and attacker capability parity is the cheapest security investment period your organization will ever get. The tools that found 10,000 vulnerabilities for the consortium are now, in safeguarded form, available to your team too. Use the window.