Anthropic has announced its plans to release Mythos-class AI models to the general public after developing adequate security measures. Currently, these models are available only to select partners. The announcement was made as part of an initial update on Anthropic’s program Project Glasswing, which provides restricted access to the Mythos.
The company acknowledged that no organization, including Anthropic, has yet developed security measures strong enough to prevent misuse or potential harm to such models. It did not specify what timeframe the public release would be set for in the near future.
Additionally, Anthropic intends to expand Project Glasswing to include more partners, such as US and allied governments, before making the models widely available.
What is Anthropic’s Mythos Model and what has it achieved so far
Mythos is an AI model created by Anthropic, known for its ability to identify security vulnerabilities in software code. this was the first Introduced in early April. Instead of a public release, Anthropic limited access to select organizations through Project Glasswing, citing concerns that cybercriminals could use unrestricted access to quickly find and exploit errors before they could be fixed.
Participants in Project Glasswing have reported that Mythos is effective at identifying many vulnerabilities, although at times the volume exceeds their ability to fix them all in a timely manner.
Anthropic reports that Mythos has scanned more than 1,000 open-source projects that support the Internet and Anthropic’s own infrastructure. The findings so far include a total of 23,019 vulnerabilities identified, of which 6,202 are estimated to be high or critical severity vulnerabilities.
Of the 1,752 high or critical vulnerabilities verified by Anthropic, 90.6% (1,587) were confirmed as legitimate flaws. Of these, 62.4% (1,094) were confirmed as high or severe severity.
A serious flaw exposed by Mythos affected the WolfSSL cryptography library, which is used by billions of devices. Anthropic says Mythos was able to create an exploit that allowed attackers to create forged certificates, potentially impersonating banks or email providers.
The flaw has been fixed, and Anthropic plans to publish a detailed technical analysis in the coming weeks. The vulnerability is tracked as CVE-2026-5194.
Mythos’ vulnerability flood disclosure and patching challenges
Anthropic confirms each defect with the security community before reporting it to maintainers, then writes detailed reports for the affected projects. Of the 530 high or critical vulnerabilities reported, 75 have been fixed and 65 have been issued public advisories.
The company cites the low fix rate as being still early in the 90-day coordinated vulnerability disclosure window. It also notes that the count of patches that occur without public consultation is likely to be an undercount.
The volume of Mythos findings is increasing pressure on maintainers, who are already overwhelmed by the high volume of low-quality bug reports generated by AI. Some maintainers have asked Anthropic to slow down the rate of their releases to give them more time to develop patches.
Why it matters to everyday users and defenders
Even before the public release of Mythos-class models, the widespread implication is that lower AI models are already capable of finding software vulnerabilities. Defenders should expect attackers to weaponize more vulnerabilities, including before patches are available.
Several governments have already responded to the existence of Mythos. Japan ordered a comprehensive security review, and Indian officials called for patching efforts at financial institutions.
Anthropic suggests that overwhelmed security teams use AI tools, including its own cloud model with developer-centric capabilities, to accelerate patch development.
No timeline has been provided for the public release of Mythos-class models.
