The Restriction as a Product Decision
Most product launches announce what a new system can do. Anthropic’s Claude Mythos Preview announcement is defined by what the company decided not to let it do, at least not publicly.
The facts on the table: Anthropic describes Claude Mythos as its most capable model to date. Its own testing found the model can identify and exploit zero-day vulnerabilities across major operating systems. The company’s response was not to publish a safety report and proceed with general availability. It was to build a closed access program, name it Project Glasswing, enroll roughly 50 organizations for defensive cybersecurity use, and set a partner-tier price of $25 per million input tokens and $125 per million output tokens. No public API. No waitlist. No timeline for broader release.
That’s not a delayed launch. It’s a deliberate structural decision to create a new access tier between “internal use” and “public availability.” Understanding who wins and who loses from that decision requires mapping the stakeholders who exist within it.
Stakeholder Map: Three Positions on Restricted Access
Anthropic: Safety as Deployment Architecture
Anthropic’s stated position is that Mythos Preview’s capability profile, specifically its demonstrated ability to find and exploit vulnerabilities at scale, creates a risk that standard commercial deployment doesn’t adequately manage. The company’s own red-team documentation is the primary source for the capability claims. This is worth noting: Anthropic is using its own safety research as the justification for its own access controls. There’s no external adjudicator of whether the restriction is calibrated correctly.
The Glasswing structure reflects Anthropic’s attempt to capture commercial value from a capability it’s simultaneously afraid to generalize. Partner pricing at $25/$125 per million tokens isn’t cheap; it signals that access is rationed by price as well as selection. Anthropic earns revenue from the program, gets real-world defensive-use data from 50 sophisticated organizations, and maintains reputational positioning as the lab that takes safety seriously enough to restrict its own flagship. Those incentives align. The question is whether the alignment is principled or convenient.
Importantly, Mythos is also available through Google Cloud’s Vertex AI in Private Preview, meaning distribution is controlled at two levels simultaneously: Anthropic’s Glasswing program and Google Cloud’s partner access layer. This dual-gate architecture adds operational complexity and raises a question about whether Google Cloud’s selection criteria for its preview cohort match Anthropic’s Glasswing criteria, or whether they’re independent determinations.
Security Researchers: Capability Without Access
The independent security research community occupies an uncomfortable position. A tool that can find zero-day vulnerabilities at significant scale is, in principle, exactly what vulnerability researchers need. Bug bounty programs, red teams, and threat intelligence organizations all benefit from capabilities that find flaws before adversaries do. Mythos Preview, if its capabilities are as described, would be transformative for that work.
But “if” is doing real work in that sentence. Independent security researchers have no access to Mythos and no way to evaluate the capability claims independently. The Hacker News and other T3 journalism have reported the capability framing from Anthropic’s own documentation. No third-party evaluation has been published. The independent security community is being asked to accept that a model they can’t test has capabilities that justify the access restrictions they’re experiencing.
This creates a specific problem: the organizations most capable of evaluating whether Mythos’s capabilities actually justify restricted access, experienced offensive security researchers who understand zero-day discovery pipelines, are largely excluded from the program. Glasswing’s stated purpose is defensive use. Offensive security researchers, who might argue their work is ultimately defensive too, aren’t the obvious selection targets.
Enterprises and Glasswing Partners: Asymmetric Advantage
The 50 organizations in Project Glasswing have something no one else has: access to the most capable AI vulnerability scanner currently available from a commercial frontier lab. What that means in practice depends on what they do with it.
The stated use case is scanning their own infrastructure. That’s a genuine defensive capability: finding vulnerabilities in your own systems before attackers do. For large enterprises with complex infrastructure and mature security operations, a model that can identify zero-days at scale is meaningful. For organizations with smaller security teams, it could be transformative, effectively adding analytical capacity that would otherwise require significant headcount.
The asymmetry matters for the broader market. Organizations inside Glasswing are operating at a different security capability level than organizations outside it. That gap isn’t the result of better internal security practices or smarter hiring; it’s the result of a selection decision made by Anthropic. The criteria for that selection aren’t public. The appeal process, if one exists, isn’t documented. And the gap between Glasswing partners and non-partners will persist for as long as Mythos remains restricted.
The Pricing Signal and What It Reveals
Preview pricing of $25/$125 per million tokens merits a specific analysis because pricing at this tier communicates intent, not just cost.
For context: public-tier frontier models from major labs typically price at fractions of this level for input tokens. Output tokens carry higher costs across the industry, but $125 per million output tokens is a steep premium. That price isn’t just recovering compute cost. It’s a rationing mechanism. At that price, only organizations with serious security budgets and a specific, defined use case will absorb the cost. Casual experimentation, broad-based access, and secondary use cases are effectively priced out.
Price-as-access-control is a different governance tool than application-based selection. It doesn’t require Anthropic to evaluate every potential use case or organization. It self-selects for organizations that have already decided the use case is worth the investment. The combination of selection (Glasswing enrollment) and price (partner-tier rates) creates two independent filters. Getting through both requires organizational resources and a demonstrated security mission.
Whether that’s a reasonable access architecture or an imperfect substitute for actual governance depends on what you think access governance is supposed to accomplish.
The Governance Gap
Here’s the gap that no stakeholder in this map has filled: there is no external standard governing how frontier labs decide which capabilities require restricted access, no public criteria for how Glasswing partners were selected, and no accountability mechanism for what happens if a Glasswing partner misuses the access they’ve been granted.
The EU AI Act, which represents the most developed regulatory framework for AI systems in any major jurisdiction, addresses high-risk AI systems through conformity assessment and transparency requirements. But the act’s risk tiers are built around categories of use, not capability levels. A model that can exploit zero-day vulnerabilities at scale doesn’t map cleanly onto the act’s existing risk categories, which focus on applications in healthcare, employment, critical infrastructure, and law enforcement. The cybersecurity capability question is largely unaddressed by current regulatory text.
NIST’s AI Risk Management Framework offers voluntary guidance on governance and accountability, but voluntary is the operative word. Neither framework currently imposes external requirements on how a company like Anthropic decides to tier access to its most capable models, who it enrolls in a restricted program, or what audit rights exist for organizations affected by the access decision.
The result is that Anthropic is simultaneously the developer, the safety evaluator, the access gatekeeper, and the commercial beneficiary of Project Glasswing. Those are four roles that governance frameworks typically try to separate. In the current regulatory environment, no institution is requiring that separation.
The Counter-Model: GLM-5.1 and What Openness Actually Offers
The same week Anthropic built a vault, Zhipu AI opened a warehouse. GLM-5.1, a 744-billion-parameter mixture-of-experts model, was released under the MIT license with no access controls and no application process. Zhipu AI claims it outperforms GPT-5.4 on coding benchmarks, a claim that, because the model is open-source, any developer can now attempt to verify independently.
The open-source position on restricted access is direct: if powerful AI exists, concentration of that capability in closed systems controlled by a single company is itself a risk. The counter-argument to open weights is that wide distribution of powerful tools is worse. Both positions have merit. Neither resolves cleanly into policy.
What GLM-5.1 illustrates is that the restricted access architecture Anthropic has built for Mythos isn’t technically inevitable. It’s a choice. Frontier-level capability can be shipped openly. The question Glasswing raises is whether the specific capability profile of a model that can identify and exploit zero-day vulnerabilities across major operating systems is one where that choice is defensible, and who gets to make that determination.
What to Watch
Four specific developments will clarify whether Project Glasswing is a template or an experiment.
First: whether Anthropic publishes selection criteria for Glasswing partners, and whether those criteria are subject to any external review. The current opacity is a governance problem regardless of whether the selection decisions themselves are sound.
Second: whether independent security researchers eventually get access, through an expanded program or a research track, and what their evaluation of Mythos’s capabilities shows relative to the vendor’s own assessment.
Third: whether any regulatory body responds to the Mythos announcement with guidance or inquiry. The EU AI Act’s implementing bodies and NIST’s AI Safety Institute are the most likely candidates for a formal response.
Fourth: whether other frontier labs adopt similar restricted tiers. If both Anthropic and OpenAI are building gated programs for their most capable security-relevant models, that’s a market structure, not an isolated decision.
The deeper question Glasswing poses is whether private companies can effectively govern access to capabilities that have significant public consequence, or whether the current moment of regulatory absence simply means those decisions are being made by default, with no external check on whether they’re being made well.