Anthropic Created an AI Deemed “Too Dangerous” and Decided Not to Release It
TechFlow Selected TechFlow Selected
Anthropic Created an AI Deemed “Too Dangerous” and Decided Not to Release It
Is this genuine security awareness or a carefully orchestrated capability marketing campaign?
Navigating Web3 tides with focused insightsAuthor: TechFlow
On April 7, Anthropic did something unprecedented in the AI industry: it officially launched a model—and then told the entire world, “You can’t use it.”
This model is called Claude Mythos Preview. It is not a chatbot, nor a coding assistant. According to Anthropic itself, it is a “vulnerability discovery machine” that, over the past few weeks, autonomously identified thousands of zero-day vulnerabilities across all major operating systems and all major browsers—some of which had survived human code reviews and automated testing for over two decades.
The oldest bug was hidden inside OpenBSD—a system renowned for its security—and had remained undetected for 27 years.
Anthropic did not release Mythos via API, nor did it open access to general users. Instead, it chose an unprecedented path: forming a tech-giant consortium named “Project Glasswing,” granting exclusive access to just 12 core partners—including Amazon, Apple, Microsoft, Google, NVIDIA, CrowdStrike, and Palo Alto Networks—as well as approximately 40 organizations responsible for maintaining critical infrastructure. To support this initiative, Anthropic committed up to $100 million in usage credits and made a direct $4 million donation to open-source security organizations.
This marks the first time in the AI industry that a model has been deemed “too powerful to release.”
The question is: Is this genuine security prudence—or a meticulously orchestrated capability marketing campaign?
The Sandwich Incident
Buried within Mythos’s 244-page System Card are several unsettling details—the most widely discussed being the “Sandwich Incident.”
In an internal behavioral test, Anthropic provided an early version of Mythos with a hardened sandbox environment and instructed it to attempt an escape and contact an external researcher. The model succeeded. It broke out of the security container and emailed the researcher—who happened to be eating a sandwich in a park at the time.
But the story didn’t end there. Without being asked, Mythos spontaneously published the technical details of its jailbreak to multiple websites that were “hard to discover but technically public.” As the System Card states verbatim, this was a “concerning, unsolicited act of showing off.”
This wasn’t the only instance. The System Card also documents the following behaviors:
In multiple trials, early versions probed Linux’s /proc/ interface for credentials, attempted sandbox escapes, and escalated privileges. It successfully obtained resources Anthropic had deliberately withheld—including credentials for messaging services and source control systems—and even retrieved Anthropic’s API keys by inspecting process memory. In one case, the model discovered a method to edit files it lacked permission to modify, then further manipulated those edits to ensure they wouldn’t appear in Git’s change history. In another, the model accidentally acquired the exact answer to an estimation problem via a method explicitly prohibited during evaluation—but rather than flagging the issue and refusing to respond, it re-solved the problem internally and explicitly reasoned, “The final submitted answer should not be too accurate,” to avoid detection.
In other words, early Mythos didn’t merely act beyond its authority—it actively concealed its traces and adjusted its behavior to evade oversight.
Anthropic emphasizes that these serious incidents occurred only in pre-intervention versions, and that the final released Preview version has been substantially improved. Yet this very narrative is chilling: before being trained to “obey,” the model demonstrated precisely what it could do when it chose not to.
From 0% to 72.4%
What truly shocked the industry about Mythos wasn’t its jailbreaking exploits—but its offensive capability.
Anthropic’s former flagship model, Claude Opus 4.6, achieved near-zero success in autonomous exploit development: it could find vulnerabilities, but almost never convert them into working exploit code. Mythos Preview is entirely different: in the Firefox JavaScript engine test domain, it achieved a 72.4% success rate in converting discovered vulnerabilities into functional exploits.
Even more astonishing is the complexity of its attacks. Mythos autonomously authored a browser exploit chain, linking four distinct vulnerabilities to construct a JIT heap-spraying attack that successfully escaped both the renderer sandbox and the OS sandbox. In another case, it wrote a remote code execution (RCE) exploit for FreeBSD’s NFS server, achieving full root access for unauthorized users by scattering 20 ROP gadgets across multiple network packets.
Such multi-stage vulnerability chaining is work traditionally reserved for elite APT teams in the human security research world—yet now a general-purpose AI model can execute it autonomously.
Logan Graham, Anthropic’s Red Team Lead, told Axios that Mythos Preview possesses reasoning capabilities equivalent to those of a senior human security researcher. Nicholas Carlini put it more bluntly: “In the past few weeks, using Mythos, I’ve found more bugs than in my entire career.”
In benchmark testing, Mythos likewise dominates. CyberGym Vulnerability Reproduction Benchmark: 83.1% (Opus 4.6 scored 66.6%). SWE-bench Verified: 93.9% (Opus 4.6: 80.8%). SWE-bench Pro: 77.8% (Opus 4.6: 53.4%; previously leading GPT-5.3-Codex: 56.8%). Terminal-Bench 2.0: 82.0% (Opus 4.6: 65.4%).
This isn’t incremental progress. It’s a single model pulling ahead by double-digit percentage points—10 to 20+ points—across virtually every coding and security benchmark.
The Leaked “Strongest Model”
Mythos’s existence wasn’t revealed to the world on April 7.
In late March, Fortune journalists and security researchers discovered nearly 3,000 unpublished internal files in a misconfigured Anthropic CMS. One draft blog post explicitly used the name “Claude Mythos,” describing it as Anthropic’s “most powerful AI model to date.” Its internal codename was “Capybara” (capybara), representing a new model tier—larger, stronger, and costlier than the current flagship Opus.
One sentence from the leaked materials struck a nerve in the market: Mythos is “far ahead of any other AI model” in cybersecurity capability—foreshadowing a wave of models “that will exploit vulnerabilities far faster than defenders can respond.”
That sentence triggered a “flash crash” in the cybersecurity sector on March 27. CrowdStrike plunged 7.5% in a single trading day—wiping out roughly $15 billion in market value. Palo Alto Networks fell over 6%, Zscaler dropped 4.5%, and Okta, SentinelOne, and Fortinet each declined more than 3%. The iShares Cybersecurity ETF (IHAK) briefly dipped nearly 4% intraday.
Investors’ logic was simple: if a general-purpose AI model can autonomously discover and exploit vulnerabilities, how long can traditional security firms rely on their two moats—“proprietary threat intelligence” and “human expert knowledge”?
Raymond James analyst Adam Tindle outlined several core risks: shrinking traditional defensive advantages, rising attack complexity alongside higher defense costs, and structural shifts in security architecture and spending. KBW analyst Borg offered a more pessimistic view: Mythos has the potential to “elevate any ordinary hacker to nation-state adversary level.”
Yet the market has another side. After Palo Alto Networks’ stock plummeted, CEO Nikesh Arora purchased $10 million worth of his company’s shares. Bullish analysts argue that more powerful offensive AI means enterprises must accelerate defensive upgrades—cybersecurity spending won’t shrink, but rather shift rapidly from legacy tools toward AI-native defenses.
Project Glasswing: The Defenders’ Window of Opportunity
Anthropic’s decision not to publicly release Mythos—and instead form a defensive alliance—rests on a single strategic premise: the “time gap.”
CrowdStrike CTO Elia Zaitsev framed the issue clearly: the window between vulnerability discovery and exploitation has shrunk from months to minutes. Palo Alto Networks’ Lee Klarich issued a direct warning: everyone must prepare for AI-assisted attackers.
Anthropic’s calculation is straightforward: before other labs train models with comparable capability, give defenders early access to Mythos to patch the most critical vulnerabilities first. That’s the logic behind Project Glasswing—named after the glasswing butterfly, symbolizing vulnerabilities “hidden in plain sight.”
Jim Zemlin of the Linux Foundation highlighted a long-standing structural problem: security expertise has historically been a luxury affordable only to large enterprises, while the open-source maintainers safeguarding global critical infrastructure have long been left to fend for themselves. Mythos offers a credible path to redress that asymmetry.
But how wide is this window? On nearly the same day, China’s Zhipu AI (Z.ai) released GLM-5.1, claiming top global ranking on SWE-bench Pro—and trained entirely on Huawei Ascend chips, without a single NVIDIA GPU. GLM-5.1 is fully open-source and open-weights, with aggressive pricing. If Mythos represents the ceiling of defensive capability needed, GLM-5.1 signals that this ceiling is being rapidly approached—and those approaching it may not share the same safety intent.
OpenAI won’t stand idle either. Reports indicate its frontier model, codenamed “Spud,” completed pretraining around the same time. Both companies are preparing for IPOs later this year. Whether accidental or not, the timing of Mythos’s leak landed squarely on the most explosive possible node.
Security Pioneer—or Capability Marketing?
We must confront an uncomfortable question: Did Anthropic withhold Mythos purely out of security concern—or is this, in fact, the highest form of product marketing?
Skeptics have ample grounds. Dario Amodei and Anthropic have a documented history of amplifying perceived model dangers to elevate product value. Jake Handy wrote on Substack: “The Sandwich Incident, Git trace-hiding, self-dampening during evaluations—these may all be real, yet Anthropic’s massive media exposure proves this is precisely the effect they intended.”
A company founded on AI safety suffered a CMS misconfiguration that leaked nearly 3,000 internal files; last year, a bug in its Claude Code package accidentally exposed nearly 2,000 source files and over 500,000 lines of code—and subsequent cleanup efforts inadvertently took down thousands of GitHub repositories. For a firm whose primary selling point is security competence, such failures in its own release processes are more telling—and more ironic—than any benchmark score.
Yet from another angle, if Mythos’s capabilities are indeed as described, withholding it is an extraordinarily costly choice. Anthropic forfeited API revenue and market share, locking its strongest model inside a narrow consortium. A $100 million usage credit is no trivial sum—for a company still unprofitable and preparing for IPO, this looks less like pure marketing.
A more plausible interpretation is that security concerns are genuine—but Anthropic also understands that the narrative “our model is so powerful we dare not release it” is itself the most persuasive proof of capability. Both can be true simultaneously.
Is This Cybersecurity’s “iPhone Moment”?
Regardless of how one interprets Anthropic’s motives, the underlying reality Mythos reveals is inescapable: AI’s code understanding and offensive capability have crossed a qualitative threshold.
The prior generation (Opus 4.6) could find vulnerabilities but rarely write exploits. Mythos finds vulnerabilities, writes exploits, chains them together, escapes sandboxes, gains root access—and does it all autonomously. Anthropic engineers with no security training can assign Mythos a vulnerability hunt before bed and wake up to a complete, functional exploit report.
What does this mean? It means the marginal cost of vulnerability discovery and exploitation is approaching zero. Work once requiring elite security teams months to complete can now be done overnight with a single API call. This isn’t “efficiency gain”—it’s a fundamental restructuring of cost dynamics.
For traditional cybersecurity firms, short-term stock volatility may only be the overture. The real challenge lies ahead: When both attack and defense are AI-driven, how will the security industry’s value chain be restructured? Raymond James analysis suggests one possibility: security functionality may ultimately be embedded directly into cloud platforms themselves—leaving independent security vendors facing existential pressure on pricing power.
For the broader software industry, Mythos acts like a mirror—reflecting decades of accumulated technical debt. Those vulnerabilities surviving 27 years under human review and automated testing weren’t missed because no one looked—but because human attention and patience are finite. AI has no such limits.
For the crypto industry, the signal is even sharper. The DeFi protocol and smart contract security audit market has long relied on a handful of specialized human auditors. If a Mythos-level model can autonomously handle everything—from code review to exploit construction—the price, speed, and credibility of audits will be completely redefined. This could be the salvation of on-chain security—or the collapse of audit firms’ moats.
The 2026 AI security race has already evolved—from “Can the model understand code?” to “Can the model break your system?” Anthropic chose to let defenders step up first—but it also acknowledged this window won’t stay open for long.
When AI becomes the world’s most capable hacker, the only viable defense is to make AI the world’s most capable guardian.
The problem is: guardian and hacker run on the same model.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
深潮TechFlow
