Analysis
Mythos is locked down. The hackers already have a copy.
Anthropic just created a two-tier AI world. The most capable cybersecurity model ever built is restricted to governments and utilities. The public doesn't get access. But here's the thing: hackers already breached Mythos in April. The wall went up after the door was already open.
What Mythos actually does
Claude Mythos isn't a chatbot. It's a cybersecurity model — designed to find and exploit software vulnerabilities at a scale and speed no human team can match. Through Project Glasswing, Anthropic's partnership program with JPMorgan, Mozilla, Palo Alto Networks, and others, Mythos flagged 23,019 potential open-source vulnerabilities in its first weeks. It helped produce the first-ever Apple M5 memory exploit, gaining root access in a way researchers called "never previously achieved." A macOS security bypass that would have taken months of manual research took five days with Mythos.
The UK's AI Security Institute evaluated it and confirmed the capabilities. The Bank of England's governor personally requested briefings. The Financial Stability Board — the world's most powerful financial watchdog — is next on the calendar. India is in talks with the US government seeking access. Hospitals are scrambling to prepare.
This is not the AI safety debate we've been having. Nobody's worried about Mythos going rogue or developing consciousness. The concern is simpler and more concrete: it's too good at finding weaknesses in the software the world runs on, and too fast at turning those weaknesses into working exploits.
The breach nobody's talking about enough
In late April, an unauthorized group accessed Mythos through a vendor. Anthropic confirmed the investigation. Details are thin — the company hasn't said which vendor, what was accessed, or whether the model weights were exfiltrated. But the timeline matters: the breach happened before the restrictions were formalized.
So here's the situation as of May 28, 2026: the most capable cybersecurity model ever built is simultaneously:
- Too dangerous for the public — restricted to a handpicked list of governments and utilities
- Already in the wild — accessed by unauthorized parties through a vendor breach
- Being weaponized by states — governments with access are using it to find vulnerabilities in critical infrastructure
- Unavailable to defenders — open source maintainers, small security teams, and the companies actually running the vulnerable software are locked out
This is not a security strategy. This is security theater with a body count waiting to happen.
The counterintuitive argument: restriction makes us less safe
The default position — and the one Anthropic is operating from — is that the safest thing to do with a dangerously capable cybersecurity model is restrict access to trusted parties. Governments, regulated utilities, vetted partners. Sounds reasonable.
But here's what actually happens under that model:
Offense gets the model first. Governments use offensive cybersecurity tools differently than defenders do. A government with Mythos access uses it to find vulnerabilities in adversaries' infrastructure — and sits on them. The patches don't get written. The vulnerabilities don't get disclosed. The attackers (state and criminal) build exploit chains while the defenders don't even know the weakness exists.
The breach means bad actors already have it. If the April breach involved model weights — and we have to assume it might have — then criminal groups and hostile states have the same capability Anthropic is restricting. The only people who don't have it are the legitimate security community.
The vulnerability gap was already massive. As The Conversation noted, Mythos didn't create the 23,000 vulnerabilities it found. They were already there. The model just made them visible. The real crisis isn't that AI can find bugs — it's that we've been ignoring thousands of critical vulnerabilities for years, and now the bill is due.
Defenders need this more than attackers do. Criminal groups already have sophisticated tooling. State actors have zero-day stockpiles. The people who need AI-powered vulnerability discovery are the maintainers of the open-source packages that everything runs on — the same people Anthropic just locked out.
What this means for the rest of us
I've been building with AI agents for two years, and the Mythos situation crystallizes something I've felt but couldn't articulate: we're entering an era where the most capable AI systems won't be products you can subscribe to. They'll be capabilities you have to qualify for.
Mythos is the first clear case, but it won't be the last. OpenAI's unreleased math-solving model is another — the company hasn't disclosed the architecture, the training data, or even the model name. Google's most advanced Gemini variants are gated behind enterprise agreements. The pattern is forming: frontier capability will increasingly come with a permission slip.
This creates a structural advantage for incumbents. Large banks get Mythos access through Glasswing. Your startup doesn't. Governments get to audit models before release — US spy agencies are already pushing for veto power. The two-tier AI world isn't a hypothetical. It's the current policy trajectory.
The optimistic take: maybe this is temporary. Maybe Anthropic is right that Mythos is genuinely too dangerous for unrestricted release today, and a year from now the defenses will catch up. Models get cheaper. Capabilities diffuse. Today's restricted superweapon is tomorrow's open-source release.
But I wouldn't bet on it. The gap between what frontier models can do and what the public can access is widening, not shrinking. And the breach means the worst-case scenario — advanced AI-powered attacks in the wild — may arrive before the defenses do.
The restricted-AI era is here. The only question is whether the wall protects us or just tells us which side we're on.