Anthropic announces the development of a mythic-level model: Claude Mythos, with code and hacking capabilities surpassing opus4.6, not open to the public!

Anthropic today announced a plan: Project Glasswing. It was launched because Anthropic has trained a brand-new, ultra-strong model, Claude Mythos Preview—which is actually the model mentioned in the cc source-code leak a few days ago.

The project’s participants include Amazon AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself—12 organizations in total that jointly initiated it.

In plain terms, because this model is so powerful they’re adopting a safety testing mode: it will only be used internally by approved institutions and will not be opened to the public. Just how strong is it? Everyone can directly check the data—its code and reasoning capabilities completely outclass opus 4.6:

Code:

Reasoning:

Search and computer use

“opus” literally means masterpiece, and “Mythos” literally means myth. Anthropic’s CEO and a whole lineup of bigwigs from the partner side have all come out to back this initiative.

Anthropic has clearly stated that it does not plan to open Claude Mythos Preview to the public. But its long-term goal is to enable users to safely use models with the same level of capability. To this end, they plan to first develop and validate the relevant safety protection mechanisms on the upcoming Claude Opus model, complete iterations under conditions where risks are controllable, and then gradually move forward—potentially releasing a new opus version soon to provide the corresponding capabilities.

Let’s take a detailed look at what Project Glasswing is.

What did this model discover?

Over the past few weeks, Anthropic used Claude Mythos Preview to scan the world’s mainstream operating systems, browsers, and other important software.

Result: it found thousands of previously undiscovered zero-day vulnerabilities, with many assessed as high-severity.

A few specific examples:

A vulnerability in OpenBSD that has existed for 27 years. OpenBSD is known for its security and is used to run critical infrastructure such as firewalls. This vulnerability allows attackers to remotely crash the target machine simply by connecting to it.

A vulnerability in FFmpeg that has existed for 16 years. FFmpeg is used by countless software for video codec and decoding/encoding. The line of code where the model found the vulnerability had previously been scanned 5,000,000 times by automated testing tools, and it had never been discovered.

In the Linux kernel, the model autonomously discovered and chained multiple vulnerabilities, enabling an attacker to escalate from standard user privileges to full control of the entire machine.

All of the above vulnerabilities have been reported to the relevant software maintainers, and they have all been fully fixed. For the remaining vulnerabilities, Anthropic has published encrypted hash values in advance, and will disclose the specific details after the fixes are completed.

Why do this?

Anthropic’s judgment is: the capability of AI models to discover and exploit software vulnerabilities has already surpassed everyone except a small number of top human experts.

The spread of this capability is a matter of time, not a question of whether it will happen.

Global cybercrime causes an estimated economic loss of about $500 billion per year. Attacks on medical systems, energy infrastructure, and government agencies have already caused tangible harm, and they also pose an ongoing threat to civilian and military infrastructure.

AI significantly lowers the cost, threshold, and level of expertise required to carry out these attacks.

Anthropic’s logic is: rather than waiting for others to use this capability for offense first, it’s better to proactively use it for defense.

How exactly will the plan be carried out?

Project Glasswing currently includes two layers.

The first layer consists of 12 founding partner organizations. They will receive access to Claude Mythos Preview to scan and fix vulnerabilities in their own core systems, with key focus areas including local vulnerability detection, binary black-box testing, endpoint security, penetration testing, and more.

The second layer consists of more than 40 additional organizations that build or maintain critical software infrastructure. They will also receive access to the model to scan their own and open-source systems.

For this, Anthropic has committed to provide up to $100 million in model usage credits. After the research preview period ends, Claude Mythos Preview will provide commercial access to participating parties at a price of $25/$125 per million input/output tokens, supporting access via the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.

In addition, Anthropic will donate $2.5 million to Alpha-Omega and $1.5 million to OpenSSF through the Linux Foundation, for a total of $4 million, to support open-source software maintainers in responding to this new situation. Open-source software maintainers can apply for access through the Claude for Open Source program.

Next plans

Regarding information sharing, partners will exchange information and best practices to the greatest extent possible. Anthropic commits to publishing research progress reports within 90 days, including the number of vulnerabilities discovered, the issues that have been fixed, and any improvements that can be disclosed.

Regarding policy recommendations, Anthropic will work with major security institutions to develop practical recommendations on the following areas: vulnerability disclosure processes, software update processes, open-source and supply-chain security, secure software development lifecycles, standards for regulated industries, scalable and automated vulnerability classification, and patch automation.

Source of this article: AI Cannanji

Risk notice and disclaimer

        There are risks in the market; invest cautiously. This article does not constitute personal investment advice, nor does it take into account any individual users’ special investment objectives, financial situation, or needs. Users should consider whether any opinions, viewpoints, or conclusions in this article align with their specific circumstances. Invest at your own risk.