Anthropic built the most capable autonomous hacking tool in AI history—and then decided not to sell it. That collision between safety-first positioning and enterprise demand is now the defining tension of the company's next chapter.
On Monday, Anthropic unveiled Claude Mythos Preview under Project Glasswing, a restricted access program that gives the cybersecurity community exactly what it asked for: a model that can autonomously find and exploit vulnerabilities at a scale never before possible. In internal testing, Mythos Preview transformed vulnerabilities into working exploits 181 times out of 200 attempts. Claude Opus 4.6, the company's previous flagship, managed the same feat just twice in several hundred tries. The new model has already uncovered thousands of high-severity flaws across every major operating system and browser. In one documented case, it chained four vulnerabilities into a browser exploit that escaped both renderer and OS sandboxes—a feat that would require a human expert team weeks of effort.
Yet this capability will not be available to the enterprises lining up to pay for it.
Instead, Anthropic has assembled a coalition of 45 partners—including Apple, Google, and major infrastructure providers—who will receive Glasswing access to proactively harden their systems. Everyone else waits. This represents a fundamental strategic choice: Anthropic is betting that staged deployment based on capability concerns will become the industry standard, even if it means turning away revenue from security firms, pentesting companies, and enterprise customers who want the tool now.
The argument for restriction is straightforward. If Mythos Preview's abilities represent a genuine capability threshold—where AI-assisted exploit development becomes trivially accessible—then wider release without preparation time could accelerate real-world attacks. Anthropic's red team documented exploits that escaped OS sandboxes and achieved root access on Linux and FreeBSD through subtle race conditions. Releasing that capability indiscriminately would be, as the company frames it, "deploying unsafely."
But the counterargument cuts hard. Critics on developer forums and security communities point out that malicious actors face no such restrictions. Nation-state hackers and criminal enterprises will not sign partnership agreements or wait for industry preparation. By limiting access to a curated coalition, Anthropic may simply be creating a competitive moat disguised as safety responsibility—while the actual threat landscape moves forward regardless.
The Glasswing model also raises questions about whether "security research access" translates to genuine ecosystem protection. Partners will use Mythos Preview to find and patch their own vulnerabilities, but that leaves third-party software, legacy systems, and smaller organizations outside the coalition's reach. The world's shared cyberattack surface is vast; 45 partners—however large—cannot cover it.
What Anthropic is really testing is whether the industry will accept restricted deployment as the new normal for frontier models. If Glasswing succeeds, it establishes a precedent: capability thresholds that trigger mandatory access restrictions, coordinated disclosure, and staged rollouts. If it fails—because enterprises defect to less cautious competitors, or because malicious actors exploit the same vulnerabilities anyway—the security-first positioning becomes a liability.
For now, the doors stay closed. The question is how long enterprises will wait at that gate.