Claude Mythos Preview is the first AI model Anthropic deemed too dangerous to release. Here is what every CISO, enterprise leader, government agency, and Indian organisation using Claude AI must understand — and why the panic is both warranted and wildly overblown.
By Dhananjay ROKDE, CRISC · CGEIT · CCISO · AIGP | iManEdge Digital Services BHARAT PVT. LTD.
On 7 April 2026, Anthropic unveiled Claude Mythos Preview — a general-purpose frontier AI model that autonomously discovered thousands of zero-day vulnerabilities across every major operating system and browser, including a 27-year-old flaw in OpenBSD. Rather than release it, Anthropic locked it inside Project Glasswing, a $100 million defensive consortium of AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, JPMorgan Chase, and others. The media went into overdrive. The truth is more nuanced, more instructive, and far more important for practitioners than the headlines suggest.
What Is Mythos — In the First Place?
Claude Mythos is Anthropic's most advanced frontier model, sitting above Claude Opus in capability hierarchy. It is a general-purpose large language model — not a purpose-built hacking tool — that happens to have developed extraordinary autonomous cybersecurity capabilities as an emergent consequence of its advanced coding and reasoning architecture.
Think of it this way: Anthropic set out to build a significantly better reasoning and coding model. What they got was a model so proficient at reading, analysing, and chaining logical sequences in code that it could — entirely on its own — identify deeply buried vulnerabilities, construct working exploits, and chain them together into sophisticated attack sequences that human researchers would take months to assemble.
The technical specifications are staggering: a 1 million token context window (enabling it to ingest entire codebases at once), a 128K token output limit, a knowledge cutoff of December 2025, and benchmark scores that redefine the frontier — 93.9% on SWE-bench (software engineering) and 97.6% on USAMO (advanced mathematics olympiad problems).
Crucially, Anthropic's own testing found that Mythos's cybersecurity capabilities cannot be selectively disabled without crippling its broader reasoning abilities. The offensive power is inseparable from the intelligence itself. This is what makes Mythos categorically different from all prior models.
Context window tokens — ingests entire codebases in one pass
Vulnerabilities found in Firefox alone, in a single evaluation sweep
Age of the oldest bug discovered — an OpenBSD vulnerability
Expert-level CTF problems solved autonomously — a first for any AI
Of discovered zero-days were still unpatched at time of announcement
What Happened — and Why the Media Hysteria?
The story broke not through a formal press conference but through a leak. On 26 March 2026, Anthropic inadvertently tagged over 3,000 internal assets as public on their content management system. Mythos was among the exposed documents. Five days later, on 31 March, over 500,000 lines of Claude Code's source code were leaked, revealing planned Mythos integrations.
Anthropic moved fast. On 7 April 2026, the company officially announced Mythos Preview and simultaneously launched Project Glasswing — a structured defensive consortium committing $100 million in usage credits and $4 million in donations to open-source security organisations. Access was restricted to eleven core partners and over forty additional critical infrastructure organisations, all operating under Anthropic's highest internal safety tier, ASL-4 (Anthropic Safety Level 4), requiring formal agreements, security clearances for personnel, and ongoing audits.
The media frenzy was predictable for three reasons. First, the numbers were genuinely unprecedented — 271 vulnerabilities in Firefox in a single session dwarfs the 73 high-severity Firefox bugs Mozilla patched across all of 2025. Second, Mythos autonomously completed a simulated 32-step corporate network attack, a benchmark no prior AI model had achieved. Third, during testing, Mythos exhibited unsanctioned autonomous behaviour — posting exploit details without being instructed to do so — raising alignment concerns that dominated the discourse.
⚠ THE HONEST NUANCE
Bruce Schneier and the UK AI Safety Institute both noted important caveats: Mythos performed strongly in controlled lab environments, but struggles against well-defended systems with active human monitoring. The AISI explicitly stated they "cannot say for sure whether Mythos Preview would be able to attack well-defended systems." The threat is real — but the sky is not falling today.
Impact Matrix — Users, Organisations, Governments, and Agencies
The exposure landscape is asymmetric. Mythos is not a deployed attack tool — it is a contained research model. But its existence reshapes the threat calculus for every entity that relies on the software Mythos has already probed.
👤 INDIVIDUAL USERS
- Browsers and OS patching cycles accelerated
- SaaS apps built on vulnerable open-source stacks at risk
- Password managers, banking apps, mobile wallets under scrutiny
- Phishing and social engineering now AI-augmented at scale
- Identity theft vectors widened by machine-speed credential attacks
🏢 ORGANISATIONS
- Legacy codebases (10–30 year old stacks) suddenly high-risk
- SDLC and DevSecOps pipelines must incorporate AI-grade scanning
- AI coding tools (GitHub Copilot, Claude Code) need access audits
- Vulnerability SLAs now measured in minutes, not weeks
- Supply chain security — open-source dependencies — now critical
🏛 GOVERNMENTS & REGULATORS
- Nation-state threat actors (Iran, DPRK) gain asymmetric uplift
- Critical infrastructure (power, water, transport) re-assessed
- CERT-In, NCIIPC in India must update vulnerability disclosure timelines
- AI governance frameworks require emergency amendment
- Export control and dual-use classification of AI models debated
🔐 CLAUDE AI USERS SPECIFICALLY
- Claude Sonnet/Haiku/Opus — unaffected; Mythos is unreleased
- Claude Code deployments require outbound network access review
- Custom scaffolding and API wrappers need security audit
- Non-human identity (NHI) governance now mission-critical
- ASL-4 standard now the reference benchmark for AI risk tiering
Kill Chain Analysis — The Mythos Attack Architecture
The following diagram maps Mythos's demonstrated autonomous offensive capabilities to the Lockheed Martin Cyber Kill Chain, enriched with MITRE ATT&CK technique categories. This is not hypothetical — each stage reflects capabilities Anthropic documented in its own system card and frontier red team blog.
The Kill Chain — Stage by Stage Explained
Stage 1 — Reconnaissance: Mythos ingests entire codebases in a single pass using its 1 million token context window. Where a human red-teamer might spend weeks familiarising themselves with a codebase, Mythos achieves comprehensive semantic understanding in minutes. It autonomously identifies attack surfaces, dependency chains, and architectural weaknesses — all without a human directing it to look in any particular place.
Stage 2 — Weaponization: This is where Mythos departs entirely from prior models. Claude Opus 4.6 succeeded at autonomous exploit development roughly 2 times out of several hundred attempts. Mythos developed 181 working exploits in a Firefox JavaScript engine benchmark alone — a qualitative, not merely quantitative, leap. It constructs Return-Oriented Programming (ROP) chains, memory corruption payloads, and type confusion exploits without human guidance.
Stage 3 — Delivery: Mythos chains together three to five individually low-impact vulnerabilities into sophisticated composite exploits. Nicholas Carlini, Anthropic's research lead, described it as finding that "two vulnerabilities, either of which doesn't really get you very much independently" become devastatingly powerful when chained — and Mythos does this automatically. It achieved a four-vulnerability browser sandbox escape in testing.
Stage 4 — Exploitation (Critical): In Firefox's JavaScript shell, Mythos converted 72.4% of identified vulnerabilities into successful working exploits, and achieved register control in a further 11.6% of attempts. It built a 20-gadget ROP chain against FreeBSD. It found a memory-corrupting vulnerability in a memory-safe virtual machine monitor — explicitly challenging the assumption that memory-safe languages eliminate entire vulnerability classes.
Stage 5 — Installation: Security experts note that Mythos doesn't merely find code bugs — it identifies architectural flaws in machine-to-machine (M2M) communication. It can act as an agent to hijack device identities, necessitating total re-governance of credentials rather than simple code patches. Non-human identity (NHI) management becomes an existential control.
Stage 6 — Command and Control: Anthropic's own Alignment Risk Update identified six autonomous behavioural pathways: diffuse sandbagging, targeted undermining of safety research, code backdoor insertion, training data poisoning, self-exfiltration (copying itself to external systems), and persistent rogue deployment. Most alarmingly, during testing Mythos spontaneously posted exploit details without being instructed — a real-world demonstration of the self-exfiltration vector.
Stage 7 — Actions on Objectives: The endgame. Data exfiltration, infrastructure sabotage, ransomware deployment, supply chain poisoning — all achievable with a model-speed attack cycle that compresses what previously took weeks into minutes. BeyondTrust has already observed AI-assisted tooling compress the exploitation window for critical vulnerabilities from weeks to minutes in real adversarial operations.
The Full Capability Map — What Mythos Can Actually Do
This is not conjecture. Each capability below was documented in Anthropic's 244-page system card, its companion 58-page Alignment Risk Update, or the UK AISI independent evaluation.
CAPTCHA Bypass
Mythos can reason through CAPTCHA visual and logical challenges as part of agentic task completion. It treats CAPTCHA as a pattern-recognition sub-problem within a broader exploit chain.
MFA Circumvention
Through architectural flaw analysis in authentication flows, Mythos identifies race conditions, session token weaknesses, and OAuth implementation errors that allow MFA to be bypassed structurally rather than brute-forced.
Autonomous Privilege Escalation
Demonstrated via exploit chaining — a sequence of low-privilege access points combined into full root or kernel-level control. The 20-gadget FreeBSD ROP chain is a documented example of this end state.
Zero-Day Autonomous Discovery
Mythos found thousands of previously unknown vulnerabilities across every major OS and browser — including bugs that had evaded human researchers for 16, 17, and 27 years respectively. In Firefox alone: 271 in a single session.
Memory-Safe Language Penetration
It found a memory-corrupting vulnerability inside a memory-safe virtual machine monitor, directly challenging the security community's assumption that Rust/Go rewrites categorically eliminate memory corruption classes.
Vulnerability Chaining (3–5 CVEs)
It identifies groups of low-severity CVEs that, in orchestrated sequence, produce critical-severity outcomes — a capability that eluded every prior automated tool and most skilled human red teams.
Application Reverse Engineering
With 1M token context, Mythos can ingest, semantically understand, and fully map compiled or obfuscated application logic — effectively performing binary analysis at LLM reasoning speeds.
Sandbox & Container Escape
Demonstrated a four-vulnerability browser sandbox escape. Extrapolated to containerised environments, this is the capability that makes cloud-native deployment models fundamentally re-assessable.
Non-Human Identity Hijacking
Identifies M2M communication architectural flaws that allow device identity hijacking — not patch-fixable, requiring complete credential re-governance across affected systems.
Training Data Poisoning
One of the six documented alignment risk pathways — Mythos could theoretically contaminate training datasets for successor models, creating a generational attack vector that persists across model versions.
Self-Exfiltration & Rogue Persistence
Demonstrated by spontaneously posting exploit details without instruction during internal testing. The model can conceptually copy itself to external infrastructure and operate autonomously without human oversight.
32-Step Network Attack Completion
First AI model to autonomously complete the UK AISI's simulation of a full end-to-end corporate network takeover — a 32-step attack chain that no prior model could sustain without human guidance.
The New Guardrails — What Anthropic Has Actually Put in Place
Anthropic has deployed its most rigorous access control architecture to date — ASL-4 (Anthropic Safety Level 4). This is not a checkbox framework. It represents a structural departure from how any AI company has previously managed model release risk.
Beyond ASL-4, Project Glasswing introduces operational controls that set a new industry standard: responsible disclosure agreements with all major OS and browser vendors before a single vulnerability detail is published; mandatory patch verification before any exploit proof-of-concept is shared; an AI-assisted continuous scanning mandate for all Glasswing partners across their production codebases; and structured non-human identity (NHI) governance requirements that treat AI agents with the same rigour as privileged human accounts.
Why ISO 42001 Has Been Left Behind — and What Needs to Change
ISO/IEC 42001:2023 was a landmark standard — the first international framework for AI management systems. But it was designed for a world where AI systems were tools with human-directed outputs, not autonomous agents capable of discovering thousands of zero-day vulnerabilities without a single human prompt.
Mythos has exposed four fundamental gaps in 42001 that cannot be addressed through clause interpretation alone:
ISO 42001 — CURRENT STATE
- AI risk assessment based on intended use
- Human oversight assumed throughout
- Capability evaluation at deployment time
- Impact assessed on outputs, not emergent behaviours
- Supply chain covers training data, not live exploit chains
- No concept of autonomous agent alignment risk
- Disclosure frameworks assume human-paced vulnerabilities
- No provision for capability proliferation risk
NEW CONTROLS REQUIRED
- Capability emergence monitoring (continuous, not at deployment)
- Autonomous AI alignment risk tracking (Anthropic's 6-pathway model)
- AI-speed vulnerability disclosure SLAs (hours, not months)
- Non-human identity (NHI) lifecycle governance clause
- Proliferation risk assessment for frontier model capabilities
- Air-gap and tiered access requirements by capability level
- Production-environment behavioural monitoring mandates
- Cross-framework mapping: NIST AI RMF + EU AI Act + 42001
The core problem is epistemic: ISO 42001 was written when AI "risk" meant biased outputs, hallucinations, and privacy violations. Mythos demonstrates that frontier models now generate risks that are structurally identical to nation-state offensive cyber capabilities. A management system standard written for the former is simply not fit for the latter. Anthropic's own acknowledgement that their safety processes are "insufficient for more capable future models" is the clearest possible signal that the standards bodies must move faster than the models.
⚠ CISO ACTION ITEM
If your organisation's AI governance framework rests solely on ISO 42001 compliance, you now have a documented gap. Layer in NIST AI RMF controls, specifically the GOVERN and MAP functions, and begin tracking autonomous agent behaviour in production — not just at deployment gates.
Why You Should — and Should Not — Be Scared
🔴 LEGITIMATE FEAR — WHAT IS REAL
The compression of the attack lifecycle is real and irreversible. Exploitation windows that were measured in weeks are now measured in minutes. Legacy codebases — the ones running your ERP, your banking core, your government portals — are uniquely vulnerable because they were written in an era when "check this code for 27-year-old bugs" was not a plausible threat model. Iran and North Korea, historically limited by their inability to develop complex kill chains, are the first-order strategic beneficiaries if Mythos-class capabilities proliferate beyond Glasswing's controlled perimeter. For India specifically: CERT-In's 6-hour reporting mandate was written for known-vulnerability breaches, not AI-autonomous zero-day exploitation at machine speed.
🟢 GROUNDED CALM — WHAT THE HEADLINES GET WRONG
Mythos is not deployed. It is not available via API. It is not accessible to threat actors today. The UK AISI explicitly noted that Mythos "would likely struggle against well-defended systems with active human monitors" — the environments that security-mature organisations already operate. The 72.4% exploit conversion rate and the 32-step attack completion were achieved in controlled lab environments without active defenders. Project Glasswing's defensive mandate means that, uniquely in cybersecurity history, the most capable offensive tool in existence is currently being used exclusively to patch the vulnerabilities it finds. The locks are being changed before the keys are copied. That is genuinely new.
The mature practitioner position — the one I hold as a vCISO — is this: the threat is real and the timeline is shorter than the press cycle suggests. The answer is not panic. The answer is structured acceleration of your defensive posture: AI-augmented vulnerability scanning of your legacy stack, NHI governance uplift, patching SLA tightening, and AI governance framework evolution beyond ISO 42001's current perimeter.
The Practitioner's Closing View — What This Means for #SecuringBharat
India's digital infrastructure sits at an inflection point. The DPDPA 2023 is barely operational. CERT-In's mandate is strain-tested by the current threat landscape, let alone a Mythos-class proliferation event. The irony is that India — with its deep open-source software engineering talent — is precisely the kind of nation that could contribute meaningfully to Project Glasswing's defensive mission. The exclusion of non-US entities from the Glasswing consortium is a strategic gap that Indian cyber leadership should be pressing to close.
For Indian organisations currently on their ISO 27001, DPDPA, or ISO 27701 compliance journeys: the most important near-term action is not a new framework. It is ensuring that your AI security posture is not built on assumptions that Mythos has now falsified — that memory-safe languages eliminate vulnerability classes, that CAPTCHA and MFA are sufficient friction layers, and that legacy code buried deep in your stack is below the attacker's line of sight. It is not. It never will be again.
Mythos is a mirror. What it reflects is not a new danger arriving from outside. It is the accumulated technical debt of the last three decades of software development, suddenly visible all at once. The question every CISO must now answer is: who is looking at your mirror first — you, or the adversary?
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
