What Is Claude Mythos? Anthropic's Gated Cybersecurity Model
Claude Mythos Preview is Anthropic's Capybara-tier model -- a cybersecurity-specialized variant sitting above the Opus 4.6 flagship in the Claude 4 family. It was announced on April 7, 2026 as part of Project Glasswing and it is not generally available. Twelve founding partners hold launch access, roughly forty additional organizations sit on a waitlist, and an open-source maintainer program is pending. Everyone else is locked out. The Anthropic system card reports 83.1% on the CyberGym vulnerability benchmark -- 16.5 points above Opus 4.6 (66.6%), the previous Anthropic flagship on the same benchmark. During red-team testing, Mythos surfaced a 27-year-old bug in OpenBSD, a 16-year-old FFmpeg flaw that five million fuzzing runs had missed, and a 4-vulnerability Linux kernel chain ending in root. This article explains what Mythos is, what it can do, how Anthropic is handling release, and what to be skeptical about.
Quick verdict. Private gated model -- if you are not on the allow-list, you will not get API access. Plan accordingly. Individuals, most enterprises, and almost all security vendors are outside the access tent. Anthropic has published no public roadmap to general availability.
What Is Claude Mythos?
Mythos is a Claude 4 family model positioned above Opus 4.6 on Anthropic's internal capability ladder. Anthropic calls this higher rung the Capybara tier. In public communications, Anthropic has been specific about one thing and vague about others. Specific: Mythos is trained on the same base architecture as Opus 4.6 with additional post-training targeted at cybersecurity reasoning, exploit development, and patch analysis. Vague: the exact parameter count, the training corpus composition, and the benchmarks where Mythos underperforms Opus.
The release pattern is unusual. Anthropic is not shipping Mythos to its consumer chatbot, to Claude Code, or to the general API. Instead, the Claude team built Project Glasswing as a governance wrapper: twelve founding partners (AWS, Anthropic itself, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks), a waitlist of roughly forty additional organizations, an open-source maintainer program in design, $100 million in usage credits to the partners, and $4 million in donations to security foundations ($2.5M to Alpha-Omega/OpenSSF via the Linux Foundation, $1.5M to the Apache Software Foundation).
Anthropic has committed to publishing a public findings report within 90 days of the April 7 launch -- early July 2026. The report should disclose which vulnerability classes Mythos found, which it missed, and how often the model produced false-positive patches. That deadline is the first external checkpoint the public gets. Until then, every claim about Mythos rests on Anthropic's own documentation and a handful of partner statements.
The Capybara Tier
Anthropic's public model lineup is still Opus, Sonnet, and Haiku. Capybara is a separate internal tier name used for Mythos Preview specifically. There is no Capybara chatbot, no Capybara developer tool, and no Capybara landing page on claude.com. The system card describes Capybara as a classification above Opus on Anthropic's Frontier Model capability framework -- the internal rubric that triggers additional safety evaluations before release. Mythos is the first model to receive the Capybara designation.
Base Model Lineage
Anthropic's Frontier Red Team report notes that Mythos's cyber capabilities emerged from general code and reasoning training rather than from explicit security training. In plain English: Anthropic did not set out to build a bug-finding model. They built Opus 4.6 as a coding and reasoning model, applied cyber-focused post-training, and the resulting capability uplift was larger than predicted. That framing matters for two reasons. First, it suggests general-purpose frontier models will keep trending toward offensive-security utility whether vendors intend it or not. Second, it is also a convenient narrative for a vendor that wants to control release -- the claim is unfalsifiable without access to training logs.
What Mythos Can Actually Do
Mythos is narrow. It is not a chat assistant, not a code-writing partner, not a research tool. It is an agent harness wrapped around a model trained to reason about memory-safety bugs, exploit chains, and patch correctness. The Frontier Red Team report describes four notable pre-release discoveries, each verified by Anthropic and the affected project maintainers.
Vulnerability Classes
- Memory safety bugs -- buffer overflows, use-after-free, out-of-bounds reads and writes. This is the CyberGym scope and Mythos's strongest domain.
- Privilege-escalation chains -- combining several lower-severity bugs into a root-level exploit. See the Linux example below.
- Patch analysis -- reading a proposed fix and assessing whether it actually closes the underlying flaw. The CyberGym paper documented 18 incomplete patches across 34 zero-days; Anthropic reports Mythos flagged a similar proportion during internal testing.
- Authentication and network-protocol bugs -- the FreeBSD NFS finding falls in this category.
Verified Pre-Release Discoveries
The emergent-capability caveat. Anthropic's position is that these capabilities emerged from general training rather than from a deliberate attempt to build an offensive security tool. Accept that framing if you want; it still means the capability exists, a narrow group of organizations has access, and similar capabilities will appear in other frontier models over the next 6-12-24 months. Logan Graham, Anthropic's Frontier Red Team Lead, has been direct about that timeline in press interviews.
Benchmarks: Where Mythos Lands
Benchmarks measure what they measure and no more. All figures below come from Anthropic's Mythos Preview system card published April 7, 2026. Independent replication is limited because independent researchers do not have API access. Treat these numbers as vendor-reported until third parties publish confirmations.
Access and Pricing
Anthropic has published post-preview API pricing but not a preview-to-general-availability schedule. The numbers below are what the company has stated publicly. They may change before any broader release.
Pricing (Post-Preview)
| Tier | Input (per MTok) | Output (per MTok) | Notes |
|---|---|---|---|
| Mythos Preview | $25 | $125 | Post-preview rate per Anthropic |
| Opus 4.6 (reference) | $5 | $25 | Five times cheaper than Mythos |
| Sonnet 4.6 (reference) | $3 | $15 | Roughly 8x cheaper than Mythos |
During the preview. Approved partners draw down against a shared $100M usage-credit pool rather than paying the listed rate. Anthropic has not published per-partner allocation numbers. The $100M figure is a total program commitment, not a per-seat line item.
Access Model
- Allow-list only. Every API call is gated by Anthropic's partner approval system. There is no waitlist form on claude.com for Mythos specifically.
- Twelve founding partners -- AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks.
- Roughly forty additional organizations sit on a secondary access list, per Anthropic's launch announcement. Names have not been disclosed.
- Open-source maintainer program is in design. Critical open-source project maintainers will be able to request access to audit their own code; the application process and eligibility criteria have not been published.
Platforms
Mythos is available through four API paths, all of which enforce the allow-list at the infrastructure layer:
- Claude API (console.anthropic.com) -- direct partner access.
- Amazon Bedrock -- US East (N. Virginia) region only. AWS CISO Amy Herzog has stated that the region restriction is a pre-condition of the launch. See the Bedrock announcement.
- Google Cloud Vertex AI -- gated, US regions at launch.
- Microsoft Foundry -- gated.
Why Mythos Is Gated
Anthropic's public reasoning for restricting Mythos rests on three pillars: dual-use risk, distillation concern, and alignment confidence. Each deserves a skeptical look.
Dual-Use Risk
Quoting Anthropic's launch statement: "The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them." That is a defensible position. The Linux kernel 4-bug chain example is not a patch -- it is an exploit. A model that can produce that chain on demand, at API pricing, available to anyone, lowers the offensive-capability floor meaningfully. How meaningfully is debatable, and the debate is happening without the outside world having a test environment.
Distillation Concern
If Mythos's output were publicly available at scale, competing labs could distill the capability into smaller, cheaper, uncontrolled models. Anthropic has not published specific evidence that distillation is feasible at these capability levels, but the concern is plausible enough that other frontier labs have cited it as a restriction rationale for capability releases.
Alignment Metrics
Anthropic reports the following alignment improvements for Mythos relative to Opus 4.6:
| Metric | Change vs Opus 4.6 | Notes |
|---|---|---|
| Misuse success rate | >50% reduction | Prompts designed to elicit harmful outputs succeed less often |
| Deceptive behavior | >50% reduction | Internal red-team probes for deception patterns |
| Over-refusal rate | 0.06% | Nearly zero -- model refuses benign requests only rarely |
| Evaluation awareness | 29% (Anthropic system card) | Model recognizes it is being tested -- no independent replication yet published |
The evaluation-awareness figure is vendor-only so far. Anthropic's system card cites 29% -- meaning Mythos recognizes it is being tested in roughly three of every ten evaluation runs. No independent replication has been published as of April 2026. The phenomenon is documented in multiple frontier models, but the exact rate here rests on Anthropic's internal protocol until a third party rechecks.
Ecosystem Posture
The $4M in donations -- $2.5M to Alpha-Omega/OpenSSF via the Linux Foundation, $1.5M to the Apache Software Foundation -- is modest relative to the $100M usage-credit pool and tiny relative to Anthropic's reported run-rate. It reads more as ecosystem goodwill than as material open-source security funding. The real open-source play is the pending maintainer program, which has not yet launched.
Who This Article Is For
Mythos is narrowly useful. So is reading about it. Here are the four audiences who should care:
What to Be Skeptical About
A release this tightly controlled demands a skeptical read. Four concerns stand out.
Platform Access Paths
Four hosted API routes. All gated. All enforce allow-list access at the infrastructure layer, not just the account layer.
Video Resources
Video coverage pending editorial review. Independent explainer videos on Mythos Preview, Project Glasswing, CyberGym methodology, and CVE-2026-4747 are emerging across the security community. We will add verified video embeds once they meet our sourcing threshold. Until then, the primary references above (Anthropic system card, UC Berkeley paper, NVD) are the authoritative written sources.