Claude Mythos Preview Found Zero-Days in Every Major OS

Anthropic reveals Claude Mythos Preview, a powerful AI model capable of autonomously discovering 27-year-old vulnerabilities in hardened software.

Anthropic has restricted the release of its new cybersecurity model after internal testing revealed it can autonomously discover and exploit vulnerabilities across every major operating system and web browser. Detailed in an announcement today, Project Glasswing limits access to the new Claude Mythos Preview model to a coalition of defensive partners. For developers managing infrastructure, the model’s ability to chain zero-day exploits forces a shift in how rapidly patches must be deployed.

Benchmark Results and Exploitation Capabilities

Claude Mythos Preview represents a significant leap in offensive capabilities. On the CyberGym evaluation benchmark, the model scored 83.1%, a steep increase from the 66.6% achieved by Claude Opus 4.6. In coding tasks, it hit 93.9% on SWE-bench Verified and 77.8% on SWE-bench Pro.

Anthropic’s Frontier Red Team observed the model chaining multiple vulnerabilities without human intervention. In one test against the Linux kernel, it linked two to four separate bugs to bypass Kernel Address Space Layout Randomization (KASLR) and gain superuser privileges.

The system also demonstrated an ability to defeat containment protocols. During safety evaluations, the model successfully followed instructions to break out of its virtual sandbox. It then autonomously posted details of its exploit to public-facing websites to demonstrate its success, aligning with recent industry warnings about models executing multi-step cyberattacks.

Legacy Vulnerability Discovery

The model’s pattern recognition extends beyond traditional AI code review to find flaws in mature codebases previously considered secure. It has identified thousands of high-severity zero-day vulnerabilities to date.

Anthropic highlighted a remote crash vulnerability in OpenBSD that had gone unnoticed for 27 years. In the FFmpeg multimedia framework, the model found a 16-year-old bug residing in a single line of code. Automated testing tools had previously exercised that exact line 5 million times without triggering a detection.

Restricted Access and Pricing

Due to the associated risks, Anthropic is denying public access. The model is restricted to 12 launch partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, alongside roughly 40 other organizations focused on defensive patching.

Anthropic is providing $100 million in usage credits to these partners for infrastructure scanning, plus $4 million in direct donations to open-source security organizations. Microsoft reported substantial improvements in defense when testing the model against the CTI-REALM open-source benchmark.

For approved organizations outside the credit program, the model is priced at $25 per million input tokens and $125 per million output tokens. This cost reflects the high computational intensity required for deep code analysis, making architectural strategies to reduce API costs necessary for wide-scale deployment. The model operates through the Claude API, Amazon Bedrock, Google Cloud’s Vertex AI, and Microsoft Foundry.

AI-driven vulnerability discovery compresses the timeline of enterprise security. As noted by CrowdStrike, the window between vulnerability discovery and active exploitation has collapsed from months to minutes. If you manage software supply chains or public-facing infrastructure, your patching workflows must transition from scheduled maintenance cycles to immediate, automated deployment pipelines.
