
Most of the coverage around Anthropic's Project Glasswing has been about a model you cannot have. Claude Mythos Preview — the unreleased frontier system at the center of the coalition — found a 27-year-old remote crash in OpenBSD's TCP stack and a 17-year-old remote-code-execution flaw in FreeBSD's NFS code that it then exploited end to end, fully autonomously, after a single prompt. Anthropic deliberately withheld it: the model is available only to vetted Glasswing partners, and a general release is gated on safeguards the company says the field has yet to build.
So here is the question a normal engineering team should be asking: while the Mythos-class capability stays behind glass, what can we adopt today, using the public Claude models we can already buy, to find and fix vulnerabilities in our own code?
The answer is more concrete than the Glasswing headlines suggest, and Anthropic itself drew the line. In its June 2 post expanding the coalition, the company wrote: "We recently released Claude Security, a product that uses our latest public frontier models, like Claude Opus 4.8, to scan codebases and suggest patches." That sentence is the whole thesis of this piece. There is a withheld, Mythos-class capability, and there is a shipped, public-model capability; they are not the same thing, the gap between them matters, and the second one is the one you can use. (Elegant Software Solutions is the analyst here, not a Glasswing participant; everything below comes from Anthropic's own product and announcement pages and its public GitHub.)
Separate three artifacts the press tends to blur together.
Claude Security is the managed product. Per Anthropic's product page, it is "accessed through Claude.ai and Claude Code on the web," it "reads a codebase in context, finds vulnerabilities a rules-based scanner would miss," and when it finds something real it "generates a targeted patch and creates a branch ready for PR review." The guardrail is stated plainly: "Nothing ships without your approval." Per the launch announcement, what began as a "limited research preview" is now in public beta. Per the current product page (claude.com/product/claude-security), "Claude Security is available in public beta for Claude Enterprise. Access to Claude Team and Max plans coming soon" — so Enterprise customers can use it today, while Team and Max access is not yet available. There is no published price.
The claude-code-security-review GitHub Action is the most adoptable thing here for a normal team, because it is free and installs in an afternoon. It is an official Anthropic repository under the MIT license that — in the repo's own words — provides "an AI-powered security review GitHub Action using Claude to analyze code changes for security vulnerabilities." On a pull request it analyzes only the changed files, comments findings inline, and detects classes including SQL injection, command injection, authentication flaws, hardcoded secrets, XSS, and RCE, in any language. One honest caveat: the repo's default model is an older Claude Opus build, but the model is a configurable input — so set it to a current build rather than inherit the default.
"Claude Code Security" is not a fourth thing — it is the launch-announcement name for the same managed product family; treat it as a synonym for Claude Security.
The practical takeaway: a team with a GitHub repo can wire up the Action today at no cost, and a Claude Enterprise plan can use the managed public beta now (Team and Max access is "coming soon," not yet available). Both are genuinely available; neither is Mythos.
What makes all three artifacts more interesting than a conventional scanner is the same thing: they reason about code instead of pattern-matching against a rules database. Anthropic's framing is that Claude Security "finds vulnerabilities a rules-based scanner would miss" — specifically "business logic flaws, broken access control, and unsafe data flows that span files and components." That last clause is the meaningful one. Traditional static analysis is strong on local, syntactic patterns and weak on anything requiring data to be followed across file boundaries — exactly where a reasoning model can trace a tainted value from an HTTP handler into a database call and recognize the trust boundary it crosses.
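To make the cross-file point concrete, here is an added example (not code from Anthropic, the Claude Security product, or the GitHub Action). It models the flow the paragraph describes: an untrusted value enters in an HTTP handler, crosses into a separate data-layer function, and reaches a SQL sink. A toy per-file pattern check sees a source in one unit and a sink in the other and flags nothing; a deliberately crude one-hop call-graph check, standing in for the cross-file reasoning the article attributes to the model, connects them; and a parameterized query removes the flaw. The function names, the schema, the sample rows and the crafted input are all constructed for the demo, and the two "files" are simulated as two functions so the whole thing runs from one module.

```python
"""Added example: a SQL-injection data flow that crosses a file boundary.

Constructed for illustration; not Anthropic's code. Each function stands in
for a separate source file so a scanner can be run over its text.
"""
import inspect
import re
import sqlite3


# ---- constructed data layer (imagine this lives in db_layer.py) -------------
def find_user_vulnerable(conn, name):
    # Sink: the caller's string is spliced into SQL. Nothing in this unit says
    # where `name` came from, so a per-file rule sees a sink with no source.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, name):
    # Same lookup with a bound parameter: the value cannot change the query shape.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# ---- constructed web layer (imagine this lives in web_handler.py) ----------
def get_user_handler(conn, request):
    # Source: untrusted input. This unit never touches SQL itself, so a
    # per-file rule sees a source with no sink.
    username = request["args"]["user"]
    return find_user_vulnerable(conn, username)


# ---- toy scanners --------------------------------------------------------------
SOURCE_RE = re.compile(r'request\["args"\]')   # where untrusted data enters
SINK_RE = re.compile(r"\.execute\(")           # where SQL is run
CALL_RE = re.compile(r"\b(\w+)\(")             # crude "what does this unit call"


def per_file_scanner(functions):
    """Rules-based stand-in: flag only units where source and sink co-occur."""
    hits = []
    for fn in functions:
        src = inspect.getsource(fn)
        if SOURCE_RE.search(src) and SINK_RE.search(src):
            hits.append(fn.__name__)
    return hits


def cross_file_scanner(functions):
    """One-hop stand-in for cross-file reasoning: a source unit that calls a
    sink unit is reported as a (caller, callee) pair. Deliberately crude; it
    does not check that the tainted variable is the one passed along."""
    by_name = {fn.__name__: inspect.getsource(fn) for fn in functions}
    hits = []
    for name, src in by_name.items():
        if not SOURCE_RE.search(src):
            continue
        for callee in CALL_RE.findall(src):
            if callee in by_name and SINK_RE.search(by_name[callee]):
                hits.append((name, callee))
    return hits


def setup_db():
    """Constructed in-memory table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def demo():
    conn = setup_db()
    units = [get_user_handler, find_user_vulnerable]
    crafted = "nobody' OR '1'='1"   # constructed input that closes the quote early
    return {
        "per_file_hits": per_file_scanner(units),          # [] : the flaw is invisible
        "cross_file_hits": cross_file_scanner(units),      # [(handler, sink)]
        "vulnerable_rows": get_user_handler(conn, {"args": {"user": crafted}}),  # every row
        "hardened_rows": find_user_hardened(conn, crafted),  # [] : literal match only
    }


if __name__ == "__main__":
    print(demo())
```

The per-file result is the scanner behaviour the article calls "strong on local, syntactic patterns"; the cross-file result is the kind of connection a reasoning reviewer is expected to make, and the hardened function is the shape of patch that would come back for review.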
False positives are the chronic failure mode of every scanner, and this is where the design gets careful. Per the product page, "Every finding goes through multi-stage verification. Claude re-examines each result to prove or disprove it, filters false positives, and assigns severity and confidence ratings." The model argues against its own findings before a human sees them, so what reaches you carries a severity and confidence score rather than an undifferentiated wall of alerts. The remediation step is equally deliberate: a finding becomes a concrete patch on a branch "ready for PR review" — a reviewable change request, not a ticket that says "investigate."
The capability claim is specific and bounded: the research behind the product "surfaced over 500 previously unknown vulnerabilities" in open-source software, including bugs that survived "decades of expert review." Attribution matters — the launch announcement credits that 500-plus result to Claude Opus 4.6, while the shipped product now runs on the latest public frontier models, which Anthropic names as Opus 4.8. Those are two facts from two posts; do not fuse them into "Opus 4.8 found 500 bugs," which no source supports.
This is where honest scoping earns its keep, because the temptation is to let Glasswing's numbers leak onto the public product. Mythos is an autonomous discovery-and-exploitation engine. Anthropic's public account describes a pipeline that, after one prompt, runs unattended in an internet-isolated container: Claude Code drives the model, a memory-safety sanitizer acts as a near-perfect crash oracle, files are ranked for bug-likelihood, and a final agent re-reviews every report. It does not just find a flaw — in the FreeBSD case it built a working exploit with no human in the loop. On CyberGym the Mythos system card scores 0.83 against 0.67 for the prior public Opus generation (Anthropic's Glasswing page renders the same result as 83.1% versus 66.6%). That is a different category of system: superhuman, autonomous, deliberately not for sale. Anthropic's Mythos pricing and its coalition-wide vulnerability tally are Mythos facts, not Claude Security facts — putting them on the public product would be a fabrication by transposition.
Claude Security is the find-and-suggest-a-fix-for-a-human half of that capability, scoped to what a public model can responsibly do. It scans, reasons, verifies, and proposes a patch — then stops and waits for your approval. It does not autonomously weaponize what it finds, and Anthropic has not claimed Mythos-class autonomous zero-day discovery for the public product. The capability is real and genuinely useful, and by design a rung below the withheld system. A team that adopts it and expects Mythos has misread the product; a team that dismisses it as "just another scanner" has misread it the other way.
The most useful framing is not "replace your scanner" but "add a reasoning layer where rules-based tools are weakest."
On the pull request. The open-source Action reviews changed files on every PR and comments inline, putting a contextual security reviewer in front of code before it merges — the moment a reviewer is most receptive to a specific, located finding. Set the model input to a current Opus build rather than the repo's older default, and treat its comments the way you treat a senior engineer's review: signal to weigh, not a gate to obey blindly.
On the existing codebase. The managed Claude Security product targets standing debt: pointing a reasoning model at a whole repository to surface the cross-file, business-logic, and access-control flaws that accumulate in mature code and that pattern scanners structurally cannot see. The output — a verified, severity-rated finding plus a patch on a branch — drops into a normal review-and-merge flow rather than a separate security backlog.
A few sober guardrails belong on any adoption plan. This is an assistive reviewer, not an oracle: verification reduces false positives but does not eliminate them, severity and confidence are model judgments to be checked, and the product is in public beta, so access and behavior may shift. It also solves only the finding and fix-suggestion side of security — reviewing, releasing, and deploying fixes across your estate is unchanged, and remains where most security programs fall behind. The public tools make one side of the ledger cheaper; they do not touch the other.
None of that diminishes the headline. For the first time, a team that cannot get anywhere near the Glasswing coalition can still put a reasoning model — the same public Opus line behind Anthropic's own shipped product — in front of its code, find the bugs a rules engine would walk past, and get a reviewable patch back. That is not the model Anthropic won't release; it is the part of that capability the company decided it could responsibly hand to everyone, and it is shipping now.
Is "Claude Security" a real, available product, or am I confusing it with Mythos?
It is real and distinct from Mythos. Anthropic's product page describes Claude Security as a tool accessed through Claude.ai and Claude Code on the web that scans codebases, verifies findings, and generates patches for human approval; the June 2 Glasswing post says Anthropic "released Claude Security, a product that uses our latest public frontier models, like Claude Opus 4.8." Mythos, by contrast, is the unreleased, Glasswing-only model — a different thing at a different capability tier.
What can a normal team adopt today, and what does it cost?
Two things. The claude-code-security-review GitHub Action is an official Anthropic MIT-licensed repository — free, it reviews changed files on PRs and comments findings in any language. The managed Claude Security product is in public beta for Claude Enterprise (per claude.com/product/claude-security, with Team and Max access "coming soon," not yet available); Anthropic publishes no price. The Action is the zero-cost on-ramp.
Which Claude model powers this?
It depends on the artifact. The launch announcement attributes the research that "found over 500 vulnerabilities" to Claude Opus 4.6. The shipped product, per the expansion post, runs on "our latest public frontier models, like Claude Opus 4.8." The GitHub Action defaults to an older Opus build but exposes the model as a configurable input, so set it deliberately. Keep each claim attached to its source.
How is this different from a traditional static-analysis scanner?
Reasoning versus pattern-matching. Claude Security is built to "find vulnerabilities a rules-based scanner would miss" — "business logic flaws, broken access control, and unsafe data flows that span files and components" — self-verifies to filter false positives, and returns a severity- and confidence-rated finding plus a patch on a branch rather than a raw alert. Use it alongside, not instead of, conventional tooling.
Does it find zero-days autonomously like Mythos does?
No, and that is the central scoping point. The public capability is contextual find-and-suggest-a-fix with a human approving every change; Anthropic's guardrail is "nothing ships without your approval." Mythos-class autonomous discovery and end-to-end exploitation is the withheld coalition capability, not something claimed for the public product.
What problem does it not solve?
Deployment. These tools make finding flaws and drafting fixes cheaper, but reviewing, releasing, and rolling out patches across every system you run is unchanged — and for most organizations that downstream pipeline, not the bug hunt, is the real bottleneck.