KIneAngst
🟡 Partially justified

Anthropic holds back 'Claude Mythos' model after allegedly finding thousands of zero-days autonomously

What it really says

On 7 April 2026 Anthropic announced a new frontier model, 'Claude Mythos Preview', and at the same time declared that it would not release it publicly for now. According to a red-team report from the company, Mythos identified thousands of previously unknown (zero-day) vulnerabilities over the preceding weeks, across every major operating system and web browser. A prominent example is a 17-year-old remote code execution flaw in the FreeBSD NFS server (CVE-2026-4747), for which, Anthropic says, Mythos wrote a working exploit chain fully autonomously. A 27-year-old flaw in OpenBSD and several out-of-bounds write bugs in the Linux kernel were also found. In parallel, Anthropic launched 'Project Glasswing', a joint initiative with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks plus around 40 other operators of critical infrastructure. Participants get exclusive access to Mythos Preview via Amazon Bedrock to scan their own systems for vulnerabilities. Anthropic is providing up to 100 million US dollars in usage credits and 4 million US dollars in direct donations to open-source security organisations.

Our assessment

The 'too dangerous to release' headline sounds like marketing, but the technical substance is real and important, and it cuts two ways. On the plus side: if Mythos really writes autonomous exploit chains for decades-old flaws in FreeBSD, OpenBSD and Linux kernel code, defenders get a temporary head start in finding and fixing bugs before attackers do. That is exactly the rationale for Project Glasswing: give vendors and operators that head start before similar capabilities show up in less carefully distributed models. The head start only materialises, however, if the vendors actually ship fixes and operators actually apply them; a found bug is not a closed bug. On the minus side: Anthropic alone decides who is in the club. With AWS, Apple, Google, Microsoft and Palo Alto it is the largest US incumbents at the table, with no European players in the published list. And the 'we hold the model back because it is too dangerous' framing gives Anthropic a commercial advantage that cannot be independently checked: the full exploit data is not public, and the 'thousands of vulnerabilities' figure cannot be verified outside the programme. In the short term the benefit for defenders prevails; in the medium term this is a preview of how fast offensive AI capabilities grow, and of how few players get to decide who gets protection.

Relevance for Germany

For Germany the story matters twice. First: the BSI and the state CERTs must assume that models with similar capabilities will end up in attackers' hands within 12-24 months. The BSI already warned in early April of a new wave of generative-AI-driven smishing; Mythos shows that finding bugs in operating systems can be automated as well. Second: the Glasswing partner list contains no European hyperscaler, no German DAX company and no European security agency. Anyone in Berlin talking about 'digital sovereignty' has to talk about access to AI-based defensive tooling too; otherwise German operators of critical infrastructure depend on US companies patching themselves first. Enterprises should review their patch management now: the FreeBSD fix for CVE-2026-4747, the OpenBSD fix and the Linux kernel updates, together with the other fixes being published through the Glasswing disclosures, should be rolled out promptly in the coming weeks. Since CVE-2026-4747 sits in the FreeBSD NFS server, FreeBSD hosts that actually run nfsd belong at the top of the list; the Linux kernel bugs, which the report says could not be turned into remote chains, are still out-of-bounds writes and should not be left unpatched for long.
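One way to turn the prioritisation above into a repeatable check, as an added example that is not part of the article and not code from Anthropic or Project Glasswing: a small triage over a host inventory that ranks hosts by how directly the published findings apply to them. The inventory line format ('hostname os version services'), the tier rules and the sample inventory are all assumptions constructed for this example; only the FreeBSD NFS server component of CVE-2026-4747 and the report's statement about the Linux kernel bugs come from the page.

```python
"""Patch-priority triage over a host inventory for the disclosures discussed above.

Added example, not from the article, Anthropic or Project Glasswing.
Assumptions (not on the page): the inventory format, the tier rules and the
sample inventory below, which is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample inventory: 'hostname os version services', services comma-separated.
SAMPLE_INVENTORY = """\
# host   os       version           services
nas01    freebsd  13.2-RELEASE-p9   nfsd,sshd
nas02    freebsd  14.0-RELEASE-p5   sshd
fw01     openbsd  7.4               pf,sshd
app01    linux    6.1.55            sshd,nginx
app02    linux    6.6.12            sshd,nfsd
"""


@dataclass(frozen=True)
class Triage:
    host: str
    tier: int  # 1 = patch first, 4 = normal cadence
    reason: str


def parse_inventory(text: str) -> list[tuple[str, str, str, set[str]]]:
    """Parse inventory lines; blank lines and '#' comments are skipped, anything else must have 4 fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed inventory line: {line!r}")
        host, os_name, version, services = parts
        svc = {s.strip().lower() for s in services.split(",") if s.strip()}
        rows.append((host, os_name.lower(), version, svc))
    return rows


def triage_host(host: str, os_name: str, version: str, services: set[str]) -> Triage:
    """Assign a patch tier based on how directly the published findings apply (tier rules are an assumption)."""
    if os_name == "freebsd":
        # CVE-2026-4747 is in the FreeBSD NFS server: a host running nfsd is the directly exposed case.
        if "nfsd" in services:
            return Triage(host, 1, f"FreeBSD {version} running nfsd: CVE-2026-4747 applies directly")
        return Triage(host, 2, f"FreeBSD {version} without nfsd: apply the CVE-2026-4747 fix, lower urgency")
    if os_name == "openbsd":
        # The page names no component for the 27-year-old OpenBSD flaw, so every OpenBSD host gets tier 2.
        return Triage(host, 2, f"OpenBSD {version}: affected component not public, patch when the fix ships")
    if os_name == "linux":
        # Per the red-team report the Linux kernel bugs could not be made remotely triggerable;
        # note that Linux nfsd is not the FreeBSD NFS server, so CVE-2026-4747 does not apply here.
        return Triage(host, 3, f"Linux {version}: out-of-bounds writes, not remotely triggerable per report")
    return Triage(host, 4, f"{os_name} {version}: not covered by the published findings, normal cadence")


def prioritise(text: str) -> list[Triage]:
    """Return all hosts ordered by tier, then hostname."""
    result = [triage_host(*row) for row in parse_inventory(text)]
    return sorted(result, key=lambda t: (t.tier, t.host))


if __name__ == "__main__":
    for t in prioritise(SAMPLE_INVENTORY):
        print(f"P{t.tier}  {t.host:<6} {t.reason}")
```

Feeding the real inventory in is the only change needed; the point of the tier rules is that exposure of the named component (nfsd on FreeBSD) decides priority, not the operating system name alone.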

Fact check

The core facts (the new Claude Mythos Preview model, Project Glasswing with the listed partners, 100 million USD in usage credits, 4 million USD for open-source security, a 17-year-old FreeBSD NFS vulnerability CVE-2026-4747, a 27-year-old OpenBSD flaw) are consistent across Anthropic's own publication, TechCrunch, The Register, Help Net Security, The Hacker News and heise online. The 'thousands of zero-days' figure comes solely from the Anthropic report and cannot currently be confirmed independently, because the findings are still under coordinated disclosure. The 72.4 percent success rate on Firefox JavaScript shell exploits is Anthropic's own benchmark number and has not been externally validated; if it refers to the standalone JavaScript shell rather than the full browser, it also says nothing about the renderer sandbox and the other browser-level mitigations an attacker would still have to bypass. The report explicitly acknowledges that Mythos found Linux kernel bugs but could not turn them into remotely triggerable chains because of the kernel's defence-in-depth measures.

Source

  • Anthropic Project Glasswing official page 07.04.2026 (anthropic.com/glasswing)
  • Anthropic Red Team Report Claude Mythos Preview 07.04.2026 (red.anthropic.com)
  • TechCrunch 07.04.2026
  • The Register 07.04.2026
  • Help Net Security 08.04.2026
  • heise online 08.04.2026
  • The Hacker News 08.04.2026
  • Simon Willison blog 07.04.2026
Tags: AI models, Security, AI capabilities, USA, Governance, Enterprises