Anthropic built a model so capable that they chose not to release it publicly.
Claude Mythos Preview entered public awareness through a draft blog post discovered by Fortune, weeks before Anthropic was ready to announce it. The capabilities described in that draft were significant enough to move markets and prompt the Federal Reserve and Treasury to brief major U.S. bank CEOs on the model’s potential cyber risks. Anthropic proceeded with a formal announcement shortly after, paired with a restricted-access program rather than a public release.
AI-assisted vulnerability research has been a known risk vector for several years. Mythos crosses a threshold where the capability becomes qualitatively different: from AI as a research accelerator to AI as an autonomous offensive research engine. Placed in the hands of a well-resourced threat actor, a model at this tier compresses the time between target selection and working exploit from weeks to hours.
Anthropic’s offensive cyber research lead has estimated capability parity, meaning equivalent capability reaching other actors, within six to eighteen months.
That is the window.
Rather than a public release, Anthropic launched Project Glasswing: a controlled-access program providing Mythos Preview to twelve major technology organizations, including AWS, Microsoft, Google, Cisco, CrowdStrike, Nvidia, and Palo Alto Networks, backed by $100 million in usage credits.
The premise is straightforward. Before Mythos-class capability reaches adversaries, give a set of major defenders access to the same tool and use it to find and fix vulnerabilities first. Participating organizations run Mythos against their own infrastructure, their own codebases, and the foundational software layers they maintain or influence. The EU’s AI regulatory body has publicly endorsed the approach as a model for responsible frontier AI deployment. The Federal Reserve and Treasury’s decision to brief bank leadership signals that concern about Mythos has already moved beyond the technology sector.
For the organizations inside it, Glasswing is a meaningful advantage. For the broader software ecosystem, the perimeter is narrower than it appears.
| Covered | Not Covered |
| --- | --- |
| Operating systems | Enterprise applications running in production across every industry |
| Major browsers | Legacy systems that will never receive an AI-assisted defensive review |
| Core cloud infrastructure | Custom software built in-house by organizations outside the twelve |
| Networks and codebases of the twelve participating organizations | Thousands of software vendors whose products sit beneath the Glasswing perimeter |
The twelve organizations represent foundational layers of the software ecosystem. The vulnerabilities being hardened matter, but the attack surface extends well beyond what any twelve organizations can cover. When Mythos-class capability reaches threat actors, they will not limit their focus to the infrastructure Glasswing has already reviewed.
Most organizations will assume Glasswing bought them more protection than it actually did.
The threat model Mythos represents is not hypothetical. Threat actors have been embedding AI across the attack lifecycle for over two years. The Glasswing window does not mark the beginning of AI-powered threats. It marks a capability threshold that puts meaningful new pressure on the existing defensive model.
Forest Blizzard (GRU Unit 26165) — 2023 to present.
Used LLMs for vulnerability research, scripting assistance, and payload refinement in operations targeting defense, energy, and government sectors. LLM integration reduced technical friction and compressed execution timelines across multiple campaigns.
Emerald Sleet (DPRK) — 2023 to present.
Used LLMs to research targets, generate spear-phishing content, and analyze publicly reported CVEs, including Follina (CVE-2022-30190). North Korean actors have also used AI since 2024 to scale remote IT worker operations designed to steal data and generate revenue for the regime.
APT28 (Russia) — operationalized 2025.
Deployed a malware framework called PROMPTSTEAL that queries open-source language models in real time to adapt evasion behavior during active operations.
GTG-1002 (China) — early 2026.
Ran an AI-orchestrated intrusion campaign using Claude Code as the operational backbone. Per Anthropic’s own disclosure, 80 to 90 percent of operations executed autonomously: reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data exfiltration. This was a live operation against a real target, not a test.
Storm-1747 — 2024 to present.
Refined Tycoon2FA phishing infrastructure using AI to improve targeting precision. AI-embedded phishing campaigns now achieve click-through rates of approximately 54 percent, compared to roughly 12 percent for traditional campaigns. A 4.5x improvement in access conversion driven by precision, not volume.
These campaigns used general-purpose and publicly available models. The gap between what these actors accomplished with those tools and what becomes possible with Mythos-class capability is significant.
Conventional vulnerability management has always been a race between patch cycles and attacker awareness. Mythos-class AI accelerates the attacker’s side of that race in ways that strain existing defensive assumptions.
Where the pressure concentrates:
None of this is new in kind. The velocity and volume change the math.
No single control addresses a shift like this. Defense in depth is the operating model, and the organizations that come out of the Glasswing window in a better position will have built three specific capabilities: continuous behavioral hunting that does not depend on knowing the initial vulnerability, telemetry that reaches beyond default EDR and SIEM coverage, and DFIR capability that is tested and ready before an incident requires it.
A Practical Case Study
In late 2025, Howler Cell dark web operations surfaced a client domain controller listed for sale on a criminal marketplace. That intelligence triggered an active hunt. The hunt team uncovered a multi-stage malware chain, including a zero-day EDR killer that had been operating silently with no alerts generated. Malware was reverse-engineered the same day. New detections went to the SOC. DFIR was engaged by end of day.
The two sides of that outcome, a SOC detection and an active hunt, ran from the same piece of intelligence. That is the dual-fork model working in practice: one fork feeding high-fidelity detections, the other feeding the hunt team for what the platform missed.
Intel to action in hours.
The following capabilities are delivered through Howler Cell and are designed to integrate directly with Cyderes MDR services, forming a unified security ecosystem for our clients. Together, they cover the full response spectrum, from Tier 1 alert triage through full forensic investigation and malware reverse engineering. That escalation chain is difficult to build internally and increasingly critical to have in place before a Mythos-driven high-volume zero-day environment arrives.
Backed by 24/7 Cyderes MDR, every alert, hunt finding, and investigation feeds into a continuous response capability staffed from Tier 1 through senior DFIR and malware analysts. When Mythos-class exploits start hitting environments at scale, the organizations that respond effectively will be those whose security teams are already extended by that full capability stack, not those standing one up in the middle of an incident.
These capabilities are not novel. The question is whether they are already operational when the Glasswing window closes.
The response to AI-powered attacks will increasingly involve AI-powered defense. That is the right direction. The problem is that most AI-driven security accelerates outputs without improving decisions. An AI agent tasked with prioritizing and responding to a flood of novel zero-days is only as good as the context it operates on. Fragmented context produces fragmented answers.
Identity lives in one system. Assets in another. Exposures somewhere else. When a Mythos-generated exploit lands, the questions that determine response speed and accuracy are not just “what is vulnerable?” They are: what is exposed, who has access to it, how critical is the asset, and what blast radius does exploitation carry? Without a unified answer to all of those questions simultaneously, triage slows, prioritization diverges, and response fragments across teams.
Meridian, Cyderes' entity fabric, addresses this directly. It connects identity, asset, access, and exposure data across 500+ integrations into a single, continuously validated risk model. Every alert and every vulnerability finding is evaluated through verified entity context rather than static severity scores. When AI agents are deployed for detection, prioritization, or response, they operate from that shared reality rather than partial signals.
In a Mythos-era environment, that distinction matters. An AI agent that can see the full entity context of an exploit, who owns the affected asset, what identities have access, what the blast radius looks like, and whether exploitation behavior is already present, will triage and respond faster and more accurately than one working from fragmented data. The AI capability race between attackers and defenders will be won or lost on context quality as much as model capability.
Security programs are not limited by tools. They are limited by fragmented context. Meridian closes that gap, and in doing so, makes every other layer of the security stack operate more accurately.
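The four triage questions above (what is exposed, who has access, how critical is the asset, what blast radius does exploitation carry) can be answered together only once the separate inventories are joined. The following is an added illustration, not Meridian or Cyderes code: the inventories, finding IDs, the identity-reuse model of blast radius, and the ranking policy are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: three separate systems, as the text describes.
ASSETS = {  # asset inventory: criticality 1 (low) .. 5 (crown jewel)
    "web-01":   {"criticality": 2, "internet_exposed": True},
    "build-07": {"criticality": 3, "internet_exposed": False},
    "dc-01":    {"criticality": 5, "internet_exposed": False},
    "kiosk-3":  {"criticality": 1, "internet_exposed": False},
}
ACCESS = [  # identity system: (identity, asset, privileged?)
    ("svc-deploy", "web-01", True), ("svc-deploy", "build-07", True),
    ("adm-jlee", "build-07", True), ("adm-jlee", "dc-01", True),
    ("guest", "kiosk-3", False),
]
FINDINGS = [  # exposure data; IDs are placeholders, not real CVEs
    {"id": "FINDING-A", "asset": "kiosk-3", "cvss": 9.8},
    {"id": "FINDING-B", "asset": "web-01", "cvss": 7.5},
    {"id": "FINDING-C", "asset": "build-07", "cvss": 8.1},
]

def blast_radius(asset):
    """Assets reachable by reusing privileged identities present on `asset`."""
    seen, queue = {asset}, deque([asset])
    while queue:
        current = queue.popleft()
        idents = {i for i, a, priv in ACCESS if a == current and priv}
        for i, a, priv in ACCESS:
            if i in idents and priv and a not in seen:
                seen.add(a)
                queue.append(a)
    return seen - {asset}

def entity_context(finding):
    """Answer the four triage questions for one finding."""
    asset = finding["asset"]
    return {
        "id": finding["id"], "cvss": finding["cvss"],
        "exposed": ASSETS[asset]["internet_exposed"],
        "identities": sorted({i for i, a, _ in ACCESS if a == asset}),
        "criticality": ASSETS[asset]["criticality"],
        "blast_radius": sorted(blast_radius(asset)),
    }

def triage(findings):
    """Assumed policy: highest criticality in reach, then exposure, then CVSS."""
    def key(ctx):
        reach = [ASSETS[a]["criticality"] for a in ctx["blast_radius"]]
        return (max(reach + [ctx["criticality"]]), ctx["exposed"], ctx["cvss"])
    return sorted(map(entity_context, findings), key=key, reverse=True)
```

On this sample data the joined ranking is the reverse of the static CVSS ordering: the 9.8 finding on an isolated kiosk drops to last, while the 7.5 finding on an internet-exposed host whose service account leads to the domain controller moves to first.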
Anthropic’s stated timeline is six to eighteen months to capability parity. OpenAI is reportedly finalizing a model with comparable offensive cybersecurity capability.
When models at this tier become broadly accessible, including through privately hosted deployments not subject to the safety controls that allowed GTG-1002’s campaign to be detected and disrupted, the Glasswing perimeter matters less. The vulnerabilities it helped harden represent a fraction of the discoverable attack surface.
Your security stack will have gaps before Mythos-class capability reaches adversaries. It will have more of them after. The window is for closing as many as possible before that happens.
The window is open. It will not stay open.
Howler Cell is Cyderes' threat research, hunting, DFIR, and cyber intelligence practice.