Tom Hundley
In April 2026, Anthropic did something unusual for a company in the business of shipping models: it announced one it has no plans to sell. Claude Mythos Preview sits at the center of Project Glasswing, Anthropic's coalition initiative to secure the world's most critical software. The model can autonomously find โ and in some cases exploit โ vulnerabilities that have hidden in production code for a quarter-century. And precisely because it can do that, Anthropic has decided not to make it generally available.
This is a profile of that model: what it is, where its abilities came from, how it compares to the Claude Opus 4.6 you can use today, what the name means, and why "you can read its benchmark scores but you can't buy it" is the honest description of where things stand.
A framing note: Elegant Software Solutions did not participate in Project Glasswing and has no inside access to Mythos. Everything below is drawn from Anthropic's public Project Glasswing page, the Claude Mythos Preview system card, and the Frontier Red Team's technical writeup. Where a number is precise, it is quoted from those primary sources.
Anthropic describes Claude Mythos Preview, in its own words, as "a general-purpose, unreleased frontier model." Every word in that phrase carries weight.
General-purpose. Mythos is not a security scanner with a language model bolted on. It is a frontier-scale model in the same lineage as the Claude Opus and Sonnet families โ trained to read code, reason through multi-step problems, and act autonomously across long agentic tasks. Its cybersecurity prowess is one expression of those general skills, not a separate product line.
Unreleased. There is no API tier you can sign up for, no console toggle, no waitlist that ends in self-serve access. Mythos exists, it has a published system card, it has a price tag โ and it is still not a thing the general public can use.
Frontier. On the broad capability benchmarks Anthropic reports, Mythos is at or beyond the company's strongest publicly available model. It is not a narrow specialist that happens to be good at one thing. It is, by Anthropic's measurements, the most capable model the company has built.
That combination โ top-of-line general capability, deliberately withheld โ is what makes Mythos worth writing about: a model documented in extraordinary detail and, at the same time, declared not for sale.
The most important thing to understand about Mythos is that its hacking ability was not the goal. It was a byproduct.
Anthropic is direct about this. In the Frontier Red Team's technical post, the researchers write: "We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy." The Project Glasswing page puts the same idea more plainly: "The powerful cyber capabilities of Claude Mythos Preview are a result of its strong agentic coding and reasoning skills."
This matters because it reframes the whole story. Mythos is not a purpose-built cyberweapon that escaped the lab. It is what you get when you push a general coding-and-reasoning model far enough that it crosses a threshold no one designed for. The skills that let a model patch a vulnerability โ reading unfamiliar code, building an accurate mental model of how it behaves, reasoning about edge cases a human would miss โ are the same skills that let it find and exploit one. As the red-team post observes, "The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them."
There is no clean way to separate the two. You cannot train a model to be brilliant at fixing software without also making it brilliant at breaking it. That symmetry is the entire reason Mythos is a withheld preview rather than a launch.
This is what people miss when they call Mythos a "hacking model." It is a general model that got good enough at reasoning about code that hacking fell out of it for free โ which is far more consequential than a bespoke tool, because it means the capability will keep arriving as general models keep improving.
So how good is Mythos, concretely? The system card publishes a head-to-head against Claude Opus 4.6 โ Anthropic's flagship public model and the natural reference point. Here is what the headline numbers mean.
CyberGym is a benchmark of 1,507 tasks that asks an AI agent to reproduce a previously discovered vulnerability in real open-source software, given only a high-level description of the weakness. It is the most direct measure of the capability Glasswing cares about: can the model actually find the bug?
Mythos scores 0.83; Opus 4.6 scores 0.67. (A note on the number: Anthropic's system card reports CyberGym on a 0-to-1 scale, while its Project Glasswing page renders the same result as 83.1% vs. 66.6% โ two ways of writing the identical figure.) On a 1,507-task suite, the jump from 0.67 to 0.83 is the difference between a strong assistant and an autonomous hunter.
SWE-bench Verified is a 500-problem set of real GitHub issues, each human-checked to be solvable, where the model must produce a working patch. It is the industry's standard yardstick for practical software engineering. Mythos resolves 93.9% of them against Opus 4.6's 80.8% โ closing most of the remaining distance to a perfect score, on a benchmark where the public model was already considered excellent.
SWE-bench Pro is the hard mode: tougher, more realistic engineering problems designed to resist memorization. Here the gap is starkest. Mythos solves 77.8% to Opus 4.6's 53.4% โ a 24-point swing. The harder and more novel the task, the more Mythos pulls ahead, which is exactly the pattern you would expect from genuine reasoning gains rather than recall.
Terminal-Bench measures whether a model can complete real, multi-step tasks in a live command-line environment โ the kind of open-ended "drive a computer to get something done" work that underpins autonomous security testing. Mythos earns 82% mean reward to Opus 4.6's 65.4%. Anthropic notes a wrinkle worth keeping: under the newer Terminal-Bench 2.1 harness with timeouts extended to four hours, Mythos reaches 92.1%. The benchmark's tight default time limits, in other words, were holding the score down more than the model's ability was.
GPQA Diamond is a set of graduate-level science questions written to be "Google-proof" โ hard even for domain experts with the internet open. It is a pure reasoning check with nothing to do with code. Mythos scores 94.5% to Opus 4.6's 91.3%. The lift here is the tell: Mythos isn't just a better coder, it's a better reasoner across the board, which is precisely why its cyber ability reads as a side-effect of general improvement.
The pattern is consistent. Mythos is meaningfully ahead on general reasoning โ GPQA, and on Humanity's Last Exam it jumps to 56.8% with no tools and 64.7% with tools โ substantially ahead on software engineering, and dramatically ahead on the cyber-specific task. The cyber result sits at the end of a chain of general gains, not off to the side.
The names are doing real work. Anthropic glosses Mythos as coming "from the Ancient Greek for 'utterance' or 'narrative': the system of stories through which civilizations made sense of the world." It's a fitting label for a language model โ a thing built from, and fluent in, narrative โ and a quiet nod to a capability that humans have until now made sense of only through stories about elite hackers.
Glasswing names the program, after the glasswing butterfly (Greta oto), whose wings are transparent. Anthropic intends the metaphor two ways at once: the transparent wings "let it hide in plain sight, much like the vulnerabilities" the model uncovers โ bugs that sat in plain view for years โ and they also evoke "the transparency we're advocating for" in how the work is disclosed. A creature that hides in plain sight, advertising openness: an apt mascot for a project about flaws nobody could see and a model nobody can have.
Mythos is not on a price list you can act on. Access runs only to Project Glasswing's vetted launch partners and the critical-infrastructure organizations that maintain the software the rest of the world depends on โ and only for defensive work. Anthropic frames the choice explicitly: it is "using it as part of a defensive cybersecurity program with a limited set of partners." The model goes to people who fix critical systems, under a program designed around defense, not to the open market.
There is a published price โ $25 per million input tokens and $125 per million output tokens โ but it's important to read that correctly. Those rates describe what Mythos would cost after the research-preview period, for the partners who have access. They are not an invitation. A price existing is not the same as the product being purchasable. You can know exactly what a seat would cost and still have no way to buy one.
Here is the part that is most often garbled in secondary coverage, so it's worth stating with precision.
First, the non-release is a voluntary judgment about dual-use risk โ not a safety rule that got tripped. The system card is unambiguous: "the decision not to make this model generally available does not stem from Responsible Scaling Policy requirements." Mythos did not cross a red line in Anthropic's Responsible Scaling Policy and get locked down automatically. Anthropic looked at a model that can "autonomously discover and exploit zero-day vulnerabilities in major operating systems and web browsers," weighed the "inherently dual-use nature" of that, and chose restraint. The system card is the first Anthropic has published under the newer RSP v3.0 framework โ which retires the old "ASL" labels for capability thresholds โ but the withholding decision sits outside that machinery. It's a call, not a trigger.
Second, general release is gated on safeguards that do not yet exist. Anthropic says plainly: "We do not plan to make Claude Mythos Preview generally available," and explains why โ to ship it broadly, "we need to make progress in developing cybersecurity (and other) safeguards that detect and block the model's most dangerous outputs." Those protections are slated to arrive with an upcoming Claude Opus model, refined on lower-risk systems first. Until that work lands, broad availability isn't on the table.
So what could change? The most that is on offer is that vetted-partner access may broaden over time as the defensive program scales. That is a different thing from a public launch. Anyone who tells you Mythos is "coming to the public in a few weeks" is reading a roadmap that Anthropic's own documents do not contain. The honest version is slower and more conditional: a limited defensive program now, possibly a wider set of vetted defenders later, and general release only after safeguards that haven't been built yet are built.
That is the through-line of the whole Mythos story, and it's worth ending on it bluntly. Claude Mythos Preview is a capability preview โ Anthropic's way of showing the industry, transparently, what a frontier model can now do to software, and of getting that capability into defenders' hands before less careful actors ship something comparable. It is documented like a product, priced like a product, and benchmarked like a product. It is not a product you can buy.
For everyone outside the Glasswing coalition, Mythos is best understood as a warning shot with a system card attached: this is what's now possible, here are the receipts, and here is why we're not handing it to everyone at once. The frontier moved. The model that proves it is one you can read about in extraordinary detail โ and cannot use.
Can I sign up to use Claude Mythos Preview?
No. There is no public access, waitlist, or self-serve tier. Anthropic states it does "not plan to make Claude Mythos Preview generally available." Access is limited to Project Glasswing's vetted partners and critical-infrastructure organizations, for defensive work only. The most that may change is a gradual broadening of that vetted-partner access โ not a public launch.
If it's not for sale, why does it have a price?
The published rate โ $25 per million input tokens and $125 per million output tokens โ describes what Mythos would cost after the research-preview period for the partners who have access. A price existing is not an invitation to buy. You can know the cost of a seat you still can't get.
Was Mythos built to be a hacking tool?
No. Anthropic says it "did not explicitly train Mythos Preview to have these capabilities." They "emerged as a downstream consequence of general improvements in code, reasoning, and autonomy." The same skills that make it better at patching vulnerabilities make it better at exploiting them โ which is exactly why it's being withheld.
Is CyberGym a percentage score? I've seen both "0.83" and "83.1%."
Both are correct. Anthropic's system card reports CyberGym on a 0-to-1 scale โ Mythos 0.83 vs. Claude Opus 4.6 0.67 โ while its Project Glasswing page renders the same result as 83.1% vs. 66.6%. They're the identical number expressed two ways: Mythos reproduced the target vulnerability in roughly 83% of the 1,507 tasks.
Did Mythos trip a safety threshold that forced Anthropic to withhold it?
No. The system card is explicit that "the decision not to make this model generally available does not stem from Responsible Scaling Policy requirements." It's a voluntary dual-use judgment, not an automatic rule. General release is gated on cybersecurity safeguards Anthropic โ and, it argues, the broader field โ has yet to develop, expected to ship with a future Claude Opus model.
How does Mythos compare to the Claude Opus model I can use today?
On Anthropic's published benchmarks, Mythos leads Claude Opus 4.6 across the board: CyberGym 0.83 vs. 0.67, SWE-bench Verified 93.9% vs. 80.8%, SWE-bench Pro 77.8% vs. 53.4%, Terminal-Bench 2.0 82% vs. 65.4%, and GPQA Diamond 94.5% vs. 91.3%. The cyber gap is the largest, but the gains are broad โ which is the point: the hacking ability is a symptom of general improvement, not a separate feature.
Discover more content:
