Tom Hundley
Every other article in this series has been about what happened. This one is about what Anthropic told us would happen next โ and gives you a dated, checkable list so you can hold those forecasts against reality instead of taking them on faith.
That framing matters more than usual right now, because some of the "pending" items from the spring have already resolved. On June 9, 2026, Anthropic shipped Claude Fable 5 and Claude Mythos 5 โ so a watch-list written even a week earlier would already be partly out of date. We will separate what is now done, from what is committed but still pending, from what was merely floated as an idea, from what you should genuinely watch because nobody โ Anthropic included โ knows how it resolves.
A note on our role: Elegant Software Solutions is the analyst here, not a participant in Project Glasswing. Everything below is drawn from Anthropic's own public posts and system card, and we label a verbatim commitment differently from an aspiration, and both differently from our own read of the landscape.
The single most consequential forward-looking statement Anthropic has made about Glasswing is also the most quotable. In the June 2 expansion post, the company wrote:
"within 6 to 12 months, we expect that many other AI companies will have Mythos-class models, and they could release them without safeguards that prevent misuse."
Both halves carry weight. The first is a capability forecast: Anthropic does not believe it holds a durable lead โ Mythos-class cyber ability emerged largely as a side effect of general coding and reasoning gains, so rivals climbing the same curve are likely to arrive at the same place. The second is a risk forecast, and it is the part that should make defenders uneasy: Anthropic's whole argument for withholding Mythos rests on safeguards "that we (and, to our knowledge, all other AI developers) have yet to develop." If a competitor reaches the same capability without the same restraint, the careful non-release that defines Anthropic's posture stops protecting anyone.
Put a clock on it. That forecast lives in the June 2, 2026 post, so the window runs roughly December 2026 to June 2027 โ the period in which, by Anthropic's own estimate, you should expect at least one comparable model from another lab. The open question is whether it ships with misuse safeguards or without. This is the most falsifiable prediction in the initiative.
Here is where currency bites. The system card promised Anthropic would "launch new safeguards with an upcoming Claude Opus model, allowing us to improve and refine them with a model that does not pose the same level of risk." That promise has now shipped โ but get the details right, because the easy version of this sentence is wrong.
Claude Fable 5 is the public, safeguarded release. Per the June 9 announcement, "Claude Fable 5 is available everywhere today," with safeguards that route sensitive requests to Claude Opus 4.8 as a fallback โ and "more than 95% of Fable sessions involve no fallback at all." The safeguards-on-a-lower-risk-model the system card described are now in production. Note the names: the public model is Fable 5, and Opus 4.8 is its safeguard-routing fallback. Anthropic's post does not explicitly say "this fulfills our earlier Opus-safeguards promise," so we will not put those words in its mouth โ but the shape matches.
Claude Mythos 5 is the new frontier cyber model, and it stays restricted. This is the distinction careless coverage will miss. The June 9 post says, verbatim, that "Claude Mythos 5 is restricted to Glasswing partners (with cyber safeguards lifted) and soon to select biology researchers (with biology and chemistry safeguards lifted) only, until our broader trusted access program is available." First, this is not a public release โ Mythos 5 is vetted-partners-only, exactly as Mythos Preview was. Second, and counterintuitively, "cyber safeguards lifted" means those partners get the raw capability; lifting safeguards for a small set of vetted defenders is the opposite of opening the model to everyone. So a headline implying "Mythos is public now" is wrong twice over: the public model is Fable 5, and the restricted-but-unleashed model is Mythos 5.
Also done: operational scale. The June 2 expansion added roughly 150 organizations across 15-plus countries to the initial cohort of about 50, spanning power, water, healthcare, communications, and hardware. A fact, not a forecast.
These are dated promises that have not yet come due โ the most checkable items on the list, because a commitment with a clock either lands or slips.
The 90-day public report (due roughly July 6, 2026). On the launch page, Anthropic committed that "within 90 days, Anthropic will report publicly on what we've learned, as well as the vulnerabilities fixed and improvements made." From the April 7, 2026 launch, that puts the report at approximately July 6, 2026 โ about four weeks out, and the single best near-term checkpoint in the initiative. Read it against the spring's claims: does the patch rate move off the "fewer than 1% fixed so far" figure the Frontier Red Team reported? Does Anthropic quantify the "thousands" of high-and-critical vulnerabilities more precisely? On-time with real remediation progress validates the defender thesis; a slipped or thin report is a signal the other way.
The broader trusted access program (named, not yet open). The June 9 post conditions Mythos 5's restriction on a future state: partners have access "until our broader trusted access program is available." Named and committed, not yet live. When it opens, watch who it admits and on what terms โ the access-control problem of deciding who counts as a legitimate "defender" is unsolved, and how Anthropic draws that line will reveal how the whole gated-access model works.
The Cyber Verification Program (committed, scaling). Easy to conflate with the trusted-access program above. Anthropic named a Cyber Verification Program at launch โ "Security professionals whose legitimate work is affected by these safeguards will be able to apply to an upcoming Cyber Verification Program" โ and the June 2 post said it intends "to scale up our Cyber Verification Program, which would grant Mythos-class capabilities to many more organizations for specific cyberdefense tasks." The "broader trusted access program" and the Cyber Verification Program may well be the same effort under evolving names, but Anthropic has not explicitly equated them, so neither do we. Two named commitments that may converge. For both: do they open, when, and to whom?
There is one item the spring coverage sometimes promotes into a commitment that does not deserve the promotion.
A third-party governance body. Anthropic raised the idea of independent governance, but in conditional language: "In the medium term, an independent, third-party body โ one that can bring together private- and public-sector organizations โ might be the ideal home for continued work." That is "might be," in "the medium term" โ a floated possibility, not a dated deliverable. It belongs on the watch-list as the softest item: an aspiration, not a promise. If such a body ever materializes it would be a significant governance development, but treating "might be the ideal home" as a commitment is exactly the false precision this series exists to avoid.
The items above either resolved or have clocks. These last ones have no due date and no guaranteed answer โ and they are where the real story of the next year gets written.
Competitor releases (the Dec 2026 โ June 2027 window). This is the watch-list's anchor. OpenAI has already shipped a cyber-focused analog and Google has its own program in this space; the question Anthropic's forecast raises is whether a Mythos-class model arrives from another lab inside that window โ and, more importantly, whether it ships with misuse safeguards or without. A capable, unsafeguarded competitor model is the scenario Anthropic's entire restraint strategy is built to avoid, and the one it cannot control. Watch every frontier lab's release notes for cyber-capability claims, and watch even harder for what they say about safeguards.
The patch rate โ does "finding" become "fixing"? The most uncomfortable number in the story is the remediation gap: fewer than 1% of discovered vulnerabilities had been fully patched as of the spring reporting. The remediation bottleneck โ industrial-scale discovery meeting human-speed patching โ is the critique even Anthropic concedes ("the bottleneck is human capacity to triage, report, and deploy patches"). The 90-day report is the first place this number could move. If the gap closes, the optimistic thesis is holding; if it stays near zero while discovery scales, the firehose is filling faster than anyone can drain it.
Does the defender-favoring thesis hold? Anthropic's central bet, in its own words, is that "the same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws in important software," and that "if we're successful, we hope to enable a permanent advantage for defenders." The hedge underneath that hope is a "tumultuous transitional period" in which attackers may benefit first. No single date resolves this โ it resolves slowly, in the trend of real-world incidents over the next year or two. Leading indicators worth tracking: the ratio of patched-to-disclosed vulnerabilities, whether AI-discovered flaws show up in active exploitation before they are fixed, and whether defensive adoption keeps pace with capability diffusion.
Print this, and come back to it:
The throughline is restraint with a clock on it. Anthropic built a model it judged too dangerous to release, withheld it as a voluntary call rather than a forced one, and made public promises about what it would do next. Some are now kept in a form worth understanding precisely โ Fable 5 public, Mythos 5 still gated. Others, like the 90-day report, come due within a month. The biggest one โ that defenders, not attackers, come out ahead โ has no due date at all. A watch-list turns a year of forecasting into something you can actually check. Hold them to it.
Is Claude Mythos available to the public now? No. The June 9, 2026 public release was Claude Fable 5, "available everywhere today" with safeguards that route sensitive requests to Claude Opus 4.8 as a fallback. Claude Mythos 5 โ the frontier cyber model โ remains "restricted to Glasswing partners (with cyber safeguards lifted) ... only, until our broader trusted access program is available," the same vetted-only posture Mythos Preview had. Anyone saying Mythos went public is conflating it with Fable 5. Note the counterintuitive phrasing too: "cyber safeguards lifted" means trusted partners get the raw capability โ a narrower, more privileged form of access, not a broader one.
When is the promised 90-day report, and what should it tell us? Anthropic committed at launch to "report publicly" within 90 days "on what we've learned, as well as the vulnerabilities fixed and improvements made." From the April 7, 2026 launch, that lands at roughly July 6, 2026 โ about four weeks after this writing. The number to watch is remediation: the Frontier Red Team reported that fewer than 1% of discovered vulnerabilities had been fully patched. If that moves meaningfully, the defender thesis is gaining evidence; if it stays near zero, the remediation bottleneck is winning.
What is the difference between the Cyber Verification Program and the "broader trusted access program"? Both are committed-but-pending ways Anthropic intends to extend Mythos-class capability to vetted defenders. The Cyber Verification Program was named at launch and the June 2 post said Anthropic intends to "scale up" it; the "broader trusted access program" appears in the June 9 release as the future state that will relax Mythos 5's partner-only restriction. They may be the same effort under evolving names, but Anthropic has not explicitly equated them, so we treat them as two commitments that may converge. For both, the live question is identical: do they open, when, and who gets in?
Did Anthropic commit to creating a third-party governance body? Not as a dated promise. It floated the idea, conditionally: "In the medium term, an independent, third-party body ... might be the ideal home for continued work." That is the softest item on the watch-list โ an aspiration, not a commitment. If such a body ever forms it would be a notable milestone, but describing "might be the ideal home" as something Anthropic pledged to build would be a mistake.
What exactly does the "6 to 12 months" forecast predict, and when does the clock start? In the June 2, 2026 expansion post, Anthropic wrote that "within 6 to 12 months, we expect that many other AI companies will have Mythos-class models, and they could release them without safeguards that prevent misuse." Anchored to that June 2 post, the window runs roughly December 2026 to June 2027. It is two-part: rivals reaching comparable capability (a capability forecast), and some shipping it without misuse safeguards (a risk forecast). The second part is the one Anthropic cannot control, and the reason its own restraint may not protect the broader ecosystem.
As a security leader, what should I do with this watch-list? Treat the dated items as planning triggers. The competitor window (Dec 2026 โ June 2027) is your horizon for "assume attackers will have tools of this class" โ size your remediation throughput and detection posture for it now, not after confirmation. The 90-day report is a free external benchmark for whether the ecosystem is keeping pace on patching. And the access programs are worth tracking if your team does legitimate offensive-security work that current safeguards may block โ they are the intended path to relief, so knowing when they open lets you get in line early.
Discover more content:
