Anthropic’s Mythos Preview and Project Glasswing Raise Security Alerts as Its Code‑Gen

Anthropic’s internal “Claude Mythos” model can generate code so proficiently it writes exploits without prompting, the company disclosed in a blog post, prompting immediate security alerts, Schneier reports.

The firm said it will not release Mythos to the public, citing “cyber‑attack capabilities” that could be weaponized. Instead, Anthropic launched Project Glasswing, a testing program that runs the model against a wide array of open‑source and proprietary software to locate and patch vulnerabilities before malicious actors can exploit them, Schneier adds.

Schneier notes the move is as much a public‑relations effort as a safety measure, pointing out that many outlets have echoed Anthropic’s talking points without critical analysis. He also observes that OpenAI responded in kind, announcing that its own next‑generation model will be withheld from general release for similar security concerns.

Independent security firm Aisle demonstrated that the vulnerabilities Mythos discovers are not unique to the new model; older, cheaper public models can replicate the same findings, according to Schneier. The key distinction, he says, is Mythos’s ability to turn identified bugs into fully operational exploits with a single prompt, eliminating the need for complex orchestration.

A separate Medium report confirms the technical leap: Mythos scored 93.9 % on the SWE‑bench bug‑fixing benchmark, far above Anthropic’s previous Opus model (80.8 %). On a cybersecurity benchmark measuring find‑and‑exploit performance, Mythos achieved 83.1 % versus Opus’s 66.6 %, indicating a generational jump in automated hacking capability, the author writes.

The combined disclosures have ignited a warning bell across the industry. If a model can autonomously locate, reason about, and weaponize code flaws, the line between “good engineer” and “elite hacker” blurs, Schneier warns. Anthropic’s Project Glasswing may mitigate some risk, but the underlying capability—unintended by design—poses a new threat vector that security teams must now confront.