What Is Claude Mythos | A Vulnerability-Focused AI and How Glasswing Works
Claude Mythos, developed by Anthropic, is a specialized model that takes a different approach from general-purpose AI models. A description of it as simply "an AI specialized for cybersecurity" does not fully capture its reality. Reports have emerged one after another — including the discovery and remediation of 271 Firefox vulnerabilities and collaboration with the NSA. This article explains what Claude Mythos actually is, how Project Glasswing works, and which organizations are using it, based on primary information from Anthropic and a summary from Wikipedia.
It has the ability to autonomously discover vulnerabilities in major operating systems and browsers, and has an established track record of identifying and fixing 271 vulnerabilities in Firefox through collaboration with Mozilla.
There are no plans for a general public release — it is available exclusively to more than 150 organizations across 15+ countries through the invitation-only "Project Glasswing".
目次 (9)
- What Is Claude Mythos?
- Background and Announcement Details
- Track Record in Vulnerability Discovery — 271 Firefox Cases
- Project Glasswing — How Access Works
- Participating Organizations — From Big Tech to Infrastructure Companies
- Collaboration with the NSA and the National Security Domain
- Will It Be Released to the General Public?
- Position within the Claude Family
- Summary — The Possibilities Claude Mythos Reveals for AI Security
What Is Claude Mythos?
Claude Mythos is a large language model developed by Anthropic and specialized in the cybersecurity domain. While the standard Claude models (Opus, Sonnet, Haiku) handle general-purpose reasoning, writing, and coding, Claude Mythos is designed specifically to discover software vulnerabilities and help security researchers and organizations plan and implement defensive measures.
Anthropic has announced that Claude Mythos can "discover vulnerabilities in major operating systems and all major web browsers." This refers not merely to a code analysis tool but to the ability to actively explore new attack vectors without being constrained by known patterns.
The model's existence first became widely known through reports of a draft leak in March 2026, but Anthropic officially acknowledged it on April 7, 2026 (Wikipedia: Claude Mythos).
Background and Announcement Details
On April 7, 2026, Anthropic officially acknowledged the existence of Claude Mythos and granted preview access to more than 40 organizations on the same day. There is a reason for this unusual disclosure approach. Because Mythos possesses capabilities that could also be exploited for cyberattacks, Anthropic made it clear from the outset that it would not release it to the general public, providing it only to organizations that pass a screening process.
The information released on the day of the announcement emphasized the following points:
- Claude Mythos is provided exclusively for "defensive cybersecurity purposes"
- Access is managed through the invitation-only "Project Glasswing"
- Anthropic has stated clearly that there are no plans for general availability
This announcement style stands in stark contrast to the standard Claude models being widely available via API, indicating that Anthropic is taking the capability risks of Mythos quite seriously.
Track Record in Vulnerability Discovery — 271 Firefox Cases
The collaboration with Mozilla succinctly demonstrates what Claude Mythos can actually do. Mozilla used the Claude Mythos Preview to conduct a security investigation of Firefox and announced that 271 security vulnerabilities had been discovered and patched (Wikipedia: Claude Mythos).
The figure of 271 potentially represents a discovery speed that is orders of magnitude faster than traditional manual security audits or existing automated scanning tools. The fact that even a technically mature organization like Mozilla had a large number of previously overlooked vulnerabilities detected by Mythos has had a significant impact on the industry.
Some tech media outlets have also reported that an employee at Calif.io used Claude Mythos to create a memory-corruption exploit for an Apple M5 processor, but this information comes from an unconfirmed source and should be treated with caution regarding its reliability. Such reports are sometimes cited as justification for Anthropic's decision to avoid a public release.
Project Glasswing — How Access Works
Using Claude Mythos requires participation in "Project Glasswing." This is an invitation-based screening program operated by Anthropic, with the following characteristics:
- Organizations submit an application, and Anthropic reviews the organization's size, intended use, and security posture
- A prerequisite for participation is that the purpose must be defensive security
- After approval, access is available through Anthropic's own environment, Amazon Bedrock (AWS), Vertex AI (Google Cloud), and Microsoft Azure Foundry
- Data is kept within the boundaries of each cloud provider (particularly when using Vertex AI or Bedrock)
At the time of the April 2026 announcement, Project Glasswing covered more than 40 organizations, but as of June 2, 2026, it has expanded to more than 150 organizations across 15+ countries (Wikipedia: Claude Mythos).
For more details on access via cloud platforms, see our related articles. For application requirements via AWS Bedrock, see "AWS Claude Mythos Preview | Bedrock Application and Glasswing Eligibility"; for requirements via Vertex AI, see "Claude Mythos on Vertex AI | Application Requirements and Glasswing Eligibility".
Participating Organizations — From Big Tech to Infrastructure Companies
The lineup of organizations participating in Project Glasswing is diverse. According to information compiled by Wikipedia, the following companies and institutions are included:
- Big Tech: Microsoft, Apple, Google, AWS (Amazon Web Services)
- Network and Infrastructure: Cisco, Broadcom
- Semiconductors: Nvidia
- OSS Ecosystem: Linux Foundation
- Government agencies: India's CERT-In (Computer Emergency Response Team India)
- US Government agencies: NSA (National Security Agency)
What this lineup reveals is that Mythos is not merely a security enhancement tool for a single company, but is being integrated into the defense of global digital infrastructure.
Collaboration with the NSA and the National Security Domain
One of the most attention-grabbing pieces of news surrounding Claude Mythos is its collaboration with the US National Security Agency (NSA). According to reporting by CXOToday (Anthropic is Now Helping US NSA with Its Mythos Model), the NSA is using Claude Mythos to strengthen its cybersecurity capabilities, and Anthropic engineers are reportedly directly supporting the integration of Mythos into NSA systems.
Notably, some media outlets have reported that the US Department of Defense (DoD) had at one point placed Anthropic on a blacklist, yet the NSA still chose to adopt Mythos. However, there is no official confirmation of the DoD blacklisting, and this remains reporting-level information. Even so, the fact that the NSA adopted Mythos suggests that its technical value may have significantly changed internal government assessments.
It should be noted that official announcements regarding the collaboration with the NSA are limited, and some of the reported content includes unconfirmed information.
Will It Be Released to the General Public?
Anthropic has stated clearly that it currently has no plans to release Claude Mythos to the general public. The likely reasons for this include the following:
- Vulnerability-discovery capabilities are also useful to attackers, making unrestricted public release ethically risky
- Anthropic needs to understand and manage the intentions and security posture of user organizations
- Projects involving collaboration with military and government agencies entail confidentiality obligations and government regulations
While Project Glasswing is expected to continue expanding its roster of participating organizations incrementally, it is currently assessed as unlikely that it will become a service accessible casually via API by individuals or small organizations.
Position within the Claude Family
Claude Mythos is a "derivative of the Claude family" alongside standard models such as Claude Opus, Sonnet, and Haiku, but its intended use, delivery format, and access conditions are all different.
| Comparison Item | General-purpose models like Claude Opus | Claude Mythos |
|---|---|---|
| Use case | General reasoning, coding, writing | Cybersecurity-specialized |
| Delivery format | API / Claude.ai | Project Glasswing (invitation-based screening) |
| General availability | Yes | No |
| Available to | Individuals to enterprises | Screened organizations only |
The existence of Mythos demonstrates a new direction for Anthropic: not only providing general-purpose models, but also offering domain-specific models optimized for particular fields through an invitation-based screening process. It has been suggested that similar approaches in high-risk fields such as healthcare, law, and finance may emerge in the future.
Summary — The Possibilities Claude Mythos Reveals for AI Security
Claude Mythos is a model that anticipates a future in which "AI takes center stage in cybersecurity." Its track record of discovering 271 vulnerabilities in Firefox, and its deployment to more than 150 organizations including the NSA, Microsoft, and Apple, demonstrates that Mythos is not a mere prototype but an AI security tool that has entered practical use.
On the other hand, because there is no general public release, for many developers and organizations it remains something they "know about but cannot use." For those considering participation in Project Glasswing, the realistic option is to organize your organization's intended use and security posture before submitting an application to Anthropic.
For details on applying via AWS Bedrock, see "AWS Claude Mythos Preview"; for Vertex AI, see "Claude Mythos on Vertex AI".
Sources
