Claude Mythos

BLUF

Claude Mythos is Anthropic’s most advanced frontier model as of April 2026, unreleased to the public and distributed exclusively via the Project Glasswing private-sector cybersecurity consortium and via independent government testing. The National Security Agency is operationally testing Mythos against Microsoft products for defensive vulnerability research (Bloomberg, 2026-04-30), even as the White House opposes Anthropic’s plan to expand Glasswing to approximately 120 organizations. The model occupies a doctrinal grey zone: a commercially developed frontier capability, privately distributed, now operationalized by a national signals-intelligence agency without a public legal framework governing offensive-use authorization or proliferation controls.

Model Profile

• Fact: Announced 2026-04-07 via the Project Glasswing preview on red.anthropic.com/2026/mythos-preview/.
• Fact: Characterized in Anthropic primary materials as a “general-purpose, unreleased frontier model” and a “step change” above Claude Opus 4.6 in capability (Fortune leak, 2026-03-26).
• Fact: Not publicly released. Access is restricted to (a) Project Glasswing consortium members via private API, and (b) independent government evaluators (e.g., NSA testing, separate from Glasswing).
• Gap: Architecture, parameter count, training compute, context window, and benchmark scores have not been publicly disclosed.
• Gap: Safety-evaluation results under Anthropic’s Responsible Scaling Policy have not been published for Mythos.

Project Glasswing

• Fact: Private-sector cybersecurity consortium of approximately 50 companies, with Apple, Amazon Web Services, Microsoft, Google, and CrowdStrike named in primary reporting.
• Fact: Anthropic committed $100M in Mythos usage credits to participants.
• Fact: Stated purpose is defensive — using Mythos’s reasoning capability to identify software vulnerabilities before adversary exploitation.
• Fact: Anthropic proposed expanding the consortium from approximately 50 to approximately 120 organizations; the White House informed Anthropic it does not agree (WSJ, 2026-04-30).
• Assessment: Glasswing functions as a privately governed, lightly regulated bug-bounty multiplier at frontier-capability scale. Confidence: High.

NSA Deployment (2026-04-30)

• Fact: National Security Agency is independently testing Mythos to find security flaws in Microsoft products (Bloomberg, 2026-04-30). NSA access is independent of, and parallel to, Project Glasswing.
• Fact: Bloomberg framing is explicitly defensive — vulnerability discovery prior to adversary exploitation — with no confirmed offensive deployment disclosed. Bloomberg notes “officials did not know what, if any, security bugs the intelligence agency’s testing had turned up.”
• Fact: Pentagon has separately designated Anthropic a “supply chain risk” and ordered phase-out from classified systems (March 2026; reaffirmed in late April 2026 reporting).
• Assessment: Concurrent NSA operational testing and Pentagon supply-chain-risk designation indicate intra-government friction — the IC is willing to operationalize a commercial frontier model that DoD has formally distanced itself from. This is unusual and signals divergent risk calculus across the US national-security apparatus. Confidence: Medium-High.
• Assessment: White House opposition to Glasswing expansion, simultaneous with NSA’s own use, is inconsistent on its face. The most plausible reconciliation is that the executive branch wishes to constrain proliferation of Mythos access to private firms while preserving exclusive IC access — a classic dual-use access-control posture rather than a safety objection. Confidence: Medium.

Dual-Use Governance Gap

• Fact: Mythos is commercially developed, privately distributed, and now operationally used by a national signals-intelligence agency for vulnerability research. There is no public legal framework specifying under what authority NSA’s use occurs, what offensive-use authorizations apply if vulnerabilities are weaponized, or what proliferation controls apply to Glasswing participants.
• Comparison context — GPT-5.5 (OpenAI, released 2026-04-23):
  • Fact: GPT-5.5 achieves a 71.4% pass rate on expert-level cybersecurity tasks per OpenAI’s evaluation; rated “High” capability under OpenAI’s Preparedness Framework. Independent UK AISI evaluation corroborates the rating.
  • Gap: Equivalent benchmark data for Claude Mythos has not been publicly released. Mythos capability is characterized only relatively — “step change” above Opus 4.6 — without quantitative grounding.
• Assessment: OpenAI’s Preparedness Framework provides at least a public reference for capability-tier disclosure. Anthropic’s Responsible Scaling Policy applies in principle to Mythos but no published evaluation has been released, leaving external observers unable to assess whether Mythos crosses RSP thresholds for restricted deployment. Confidence: High.
• Assessment: White House opposition to Glasswing expansion likely reflects concern about adversary acquisition (PRC / Russian state actor exfiltration via consortium members), allied-nation proliferation risk, or loss of US classification advantage — not safety ethics alone. Confidence: Medium.
• Gap: No public framework currently governs (a) NSA’s authority to use commercial frontier LLMs against US-vendor software, (b) whether vulnerabilities discovered are subject to the Vulnerabilities Equities Process (VEP), or (c) whether Glasswing participants are subject to export-control or end-use restrictions on Mythos outputs.

Strategic Implications

• NSA operationalization signals AI-enabled defensive-cyber doctrine has moved from research pilot to production use. Frontier commercial LLMs are now part of the IC’s vulnerability-research toolchain. This compresses the discovery → patch cycle for friendly-vendor software but also compresses adversary discovery cycles once equivalent capability proliferates. Assessment, Medium-High.
• White House opposition to Glasswing expansion signals an emerging US proliferation-control posture for frontier AI. The administration appears unwilling to let Anthropic unilaterally decide which 120 firms — potentially including foreign affiliates of named participants — receive frontier-cyber capability. Expect formal export-control or Defense Production Act mechanisms to follow. Assessment, Medium.
• PRC and Russian state actors will treat confirmation of NSA use of a commercial LLM as validation to accelerate equivalent indigenous capability. Expect intensified domestic-LLM cyber-tooling programs in PLA-SSF and FSB/GRU pipelines, plus increased intelligence collection against Glasswing consortium members as soft targets for capability exfiltration. Assessment, Medium-High.
• Pentagon supply-chain-risk designation alongside NSA operational use creates a doctrinal contradiction the US government will eventually be forced to resolve. Either the supply-chain risk is real (in which case NSA use is reckless), or it is overstated (in which case the DoD phase-out should be reversed). The unresolved contradiction is itself an OPSEC signal to adversaries about US intra-government coordination weakness. Assessment, Medium.

Standing Gaps

• Mythos cybersecurity benchmark data — no quantitative public disclosure (e.g., pass rates on standardized evaluations comparable to GPT-5.5’s 71.4%).
• Direct text of the Bloomberg 2026-04-30 NSA-testing article — paywalled; relying on syndication and secondary relays.
• Direct text of the WSJ 2026-04-30 White House opposition article — paywalled; relying on Bloomberg relay.
• Whether NSA use of Mythos is conducted under Title 50 authority, Executive Order 12333, or another framework.
• Whether vulnerabilities discovered via NSA testing of Microsoft products are subject to the Vulnerabilities Equities Process for disclosure.
• Operational scope: defensive-only (vulnerability discovery for patching) vs. dual-use (vulnerability stockpiling for offensive cyber operations). Bloomberg framing is defensive; offensive use is neither confirmed nor excluded.
• Whether Glasswing participants face export-control or end-use restrictions on Mythos outputs.
• Whether Mythos has been evaluated against Anthropic’s Responsible Scaling Policy thresholds and, if so, the outcome.

Key Connections

• Anthropic
• Claude
• Microsoft
• Project Maven and Kill Chain Compression
• Dual-Use Technology
• Cyber Warfare
• National Security Agency
• Pentagon
• Department of Defense
• Dario Amodei
• Constitutional AI
• Responsible Scaling Policy
• Project Glasswing
• Vulnerabilities Equities Process

Sources

• Anthropic — red.anthropic.com/2026/mythos-preview/ (Project Glasswing preview, model description). [primary, High confidence]
• Anthropic — anthropic.com/glasswing (consortium structure, $100M credit commitment). [primary, High confidence]
• Bloomberg — 2026-04-30, NSA testing of Mythos against Microsoft products. [primary, paywalled, Medium-High confidence via strong syndication]
• Wall Street Journal — 2026-04-30, White House opposition to Glasswing expansion. [primary, paywalled, Medium-High confidence via Bloomberg relay]
• Axios — 2026-04-29 and 2026-05-01, Pentagon supply-chain-risk framing and Dario Amodei White House meetings. [secondary, Medium-High confidence]
• Fortune — 2026-03-26, pre-announcement leak characterizing Mythos as a “step change” above Opus 4.6. [secondary, Medium confidence]
• TechCrunch — 2026-04-07, Project Glasswing launch coverage. [secondary, Medium-High confidence]
• Security Affairs — 2026-04-30, supply-chain-risk framing and NSA testing relay. [secondary, Medium confidence]
• Yahoo Finance — Bloomberg syndication of 2026-04-30 NSA-testing reporting. [secondary, Medium confidence]
• UK Turing Institute / CETaS — “Claude Mythos: What Does It Mean for Cybersecurity?” (analytical commentary). [secondary, Medium confidence]