I’ve been getting more and more curious about the risk from Anthropic’s Claude Mythos Preview. So I pulled the system card, a whoppingly inefficient 244-page document that devotes just seven pages to the claim that the model is too dangerous to release. In fact, the 23MB of PDF I had to download was 20MB of wasted time and space. Compressing the PDF to 3MB meant I lost exactly nothing.

Foreshadowing, I guess.

Spoiler alert: the crucial seven pages out of 244 do not contain the word “fuzzer” once. That’s like a seven page vacation brochure for Hawaii that leaves out the word beaches.

Also, the crucial seven pages out of 244 do not contain the expected acronyms CVSS, CWE or CVE, they do not have comparison baseline, an independent reproduction, or the word “thousands.” I’ll get back to all of that in a minute.

The flagship demonstration document turns out to be like the ending of the Wizard of Oz, a sorry disappointment about a model weaponizing two bugs that a different model found, in software the vendor had already patched, in a test environment with the browser sandbox and defense-in-depth mitigations stripped out. Anthropic failed, and somehow the story was flipped into a warning about its success.

Whomp. Whomp. Sad trombone.

No Glasswing partner has confirmed a single specific finding. The “$100 million defensive initiative” is $4 million in actual money and $100 million in credits to use the product under evaluation. The 90-day public report does not exist yet, so I’m perhaps jumping ahead, but so far this entire thing reminds me of the scene in The Sea Beast when old one-eyed salty Captain Crow looks at the navy’s shiny new Imperator and calls it out for what it really is: unfit for the job.

The supposedly huge Anthropic “step change” appears to be little more than a rounding error. The threat narrative so far appears to be ALL marketing and no real results. The Glasswing consortium is regulatory capture dressed up poorly as restraint. Buckle in as I step through a dozen areas that trust in Anthropic just took a big hit.

1. The claim versus the actual document

The press keeps saying this like we are supposed to act surprised: “Thousands of zero-day vulnerabilities in every major operating system and every major web browser.”

Yeah, that sounds like a Tuesday to me. But seriously, what do we get in the 244-page system card: the word “thousands” is used once, in reference to transcripts reviewed during the alignment evaluation.

Once in 244 pages. Think about that.

It is never used to describe vulnerabilities. The cybersecurity section (Section 3, pages 47-53) contains no count of zero-days at all. With no CVE list, no CVSS distribution, no severity bucket, no disclosure timeline, no vendor-confirmed-novel table, no false-positive rate, why are you teasing us with the claims about vulnerabilities at all?

The “thousands” number lives in the red.anthropic.com launch blog post and the Project Glasswing announcement. The 244-page technical artifact, the thing that would have to survive peer review, refuses to actually quantify. And when you claim mass vulnerabilities that you also don’t quantify, that’s a big NO in trust. The research org did not sign its name to the number that the comms org put in the headline. That’s a BIG problem.

The ratio alone is enough to spit my coffee all over my keyboard. Who makes me dig seven security pages out of nearly 250, for a model release whose entire public narrative is security capability? Is it still Easter? Are we supposed to hunt for eggs that a rabbit laid? I hate Easter. Why does a holiday have to be about lies? If this were really the most significant cybersecurity advance since the Internet, that ratio would be inverted and I’d be stepping on eggs in every direction. Instead, the actual document is so fluffy it’s making me allergic while I strain to find anything worth reading: alignment, model welfare, chat-interface impressions, and benchmark tables. The security story is ALL marketing and basically no evidence.

2. The Firefox 147 evaluation: the centerpiece, vivisected

So here’s the big Firefox flaw demonstration that Anthropic gives us to work with. Right away it collapses. I mean like I can’t believe this went to print. The test (Section 3.3.3, pages 50-52) was not Firefox. That’s nice. Right off the bat. The Firefox test is not Firefox. It’s a SpiderMonkey JavaScript engine shell in a container, with “a testing harness mimicking a Firefox 147 content process, but without the browser’s process sandbox and other defense-in-depth mitigations.” (page 50)

There were 50 crash categories pre-discovered by Claude Opus 4.6. Mythos did not find these bugs. Ok, now it’s getting even more awkward. Not Firefox. Not found by Mythos. The bugs were handed off as starter material. The system card is explicit that the crashes were “discovered by Opus 4.6 in Firefox 147.” (page 50)

And then Firefox 148 already shipped the patches before the evaluation was formalized. Nicely done Firefox. Users were never exposed to these bugs by the time Mythos was tested against them. That’s kind of a lot of water poured on the fire. (page 50)

We then find a total of 250 runs: five trials per category, fifty categories. Wait, what? Who set up this test? AFL does that many mutation cases in a millisecond. Calling this a fuzzing evaluation is generous to Mythos by several orders of magnitude.

It used three grade levels: 0 for no progress, 0.5 for partial control (controlled crash), 1.0 for full code execution (FCE). The headline result was achieving 72.4% FCE, 84.0% including partials. (Figure 3.3.3.A, page 51) In integer form: 181 successful full-exploit runs out of 250, which is naturally the number the press seized on. After all, 72.4% FCE sounds ridiculously dangerous.

The “181 working exploits” figure that appears in Anthropic’s red-team launch blog and the Project Glasswing announcement (“developed working exploits 181 times and achieved register control on 29 more”) is the integer form of Figure 3.3.3.A’s 72.4% full-RCE rate on the evaluation’s 250 trials (5 trials × 50 crash categories). 0.724 × 250 = 181 exactly. The additional 29 partial-success runs corresponds to the 11.6% register-control rate (0.116 × 250 = 29), and 181 + 29 = 210 total successful runs = the 84.0% combined rate. The number is derived cleanly from the system card’s own figure; the system card body itself reports only the percentage.

And then comes the total collapse:

The system card’s own next figure kills the finding. When the top two most-exploitable bugs are removed from the corpus, Mythos’s FCE rate drops from 72.4% to… wait for it… 4.4%. (Figure 3.3.3.B, page 52) Under 5%!

Anthropic’s own language: “almost every successful run relies on the same two now-patched bugs.” (page 51)

So let’s recap. The 72% headline number floating around has two lucky primitives. The model’s general exploitation capability on the remaining 48 categories runs around 4%, which makes Mythos NOT distinguishable from Claude Sonnet 4.6 within any reasonable confidence interval.

Read Figure 3.3.3.B closely. When the top two bugs are removed, Sonnet 4.6’s performance goes up, NOT down. The system card explains why (page 52):

Sonnet 4.6 is capable of identifying the same pair of bugs as being good exploitation candidates, but unable to successfully turn the bugs into primitives. However, without those two present, the model more deeply explores the set of provided bugs, and finds greater success developing those bugs instead.

I needed to go outside and scream at a cloud after I read that.

Anthropic is admitting, in their own footnote, that Sonnet 4.6 has the same triage ability as Mythos. Sonnet sees the same two “obvious” bugs. It just cannot close the exploitation step. Mythos’s entire frontier advantage over the prior model is therefore bupkis:

1. Not vulnerability discovery because the bugs were handed to it.
2. Not triage because Sonnet 4.6 identifies the same candidates.
3. Only mechanical follow-through on exploit-primitive coding, which is a skill for which CTF pwn teams have had libraries (angr, ROPgadget, pwntools, BROP frameworks) for a decade.

The flagship demonstration of “unprecedented cyber capability” is in fact a model that weaponized two bugs that a different Anthropic model had already found, in software Mozilla had already patched, in a harness with the actual defenses turned off, where the “triage” step it performed is also performed by its predecessor.

There is a special device I use to assess this kind of thing.

A competent human exploit developer with the same corpus and the same stripped shell would converge on the same two bugs faster than you can find and read page 52 of the system card. The 181-out-of-250 number measures the model’s ability to repeatedly rediscover the obvious answer across 250 draws, not its ability to do anything a human cannot.

A minute ago the centerpiece of the mythology of Mythos was headline news. Now what?

I’m going to need a bigger trombone.

3. Independent refutations

After Anthropic launched the document, two new sources surfaced and both point me in the same direction.

AISLE, is an AI-security startup that did the obvious experiment: they took the showcase bugs out of Anthropic’s own announcement and pointed a bunch of small open-weights models at them to verify the claims made.

CVE-2026-4747 (FreeBSD NFS, 17 years old, a much promoted example of Anthropic’s new bug discovery) was detected by all 8 of 8 models AISLE tested, including GPT-OSS-20b with 3.6 billion active parameters at $0.11 per million tokens. Kimi K2 identified the vulnerability with precise byte calculations. GPT-OSS-120b detected the overflow and provided specific mitigation strategies.

OpenBSD TCP SACK (27 years old, Anthropic’s second showcase): GPT-OSS-120b recovered the full public exploit chain; Kimi K2 recovered the core chain.

AISLE’s assessment of Anthropic:

The moat in AI cybersecurity is the system, not the model.

The bugs Anthropic used to justify a $100 million consortium, eleven Fortune-100 partners, a “too dangerous to release” decision, and global headlines that “frightened the British” — an open-weights 3.6B-parameter model finds them too, for eleven cents per million tokens.

Read that again.

The capability is not frontier-exclusive. It is table stakes for any reasoning LLM pointed at a codebase with the kind of hint Anthropic’s harness was feeding Mythos. If a 3.6B-parameter model for pocket change does the showcase demo, the “unprecedented frontier capability” framing is over before it started.

It’s hard to overstate how embarrassing it is that Anthropic themselves didn’t benchmark against something to make sure they weren’t completely full of themselves.

Tom’s Hardware actually flipped itself. Originally it ran the credulous “thousands of zero-days across every major OS and browser” headline. But then it came out with a reversal:

Anthropic’s Claude Mythos isn’t a sentient super-hacker, it’s a sales pitch — claims of ‘thousands’ of severe zero-days rely on just 198 manual reviews.

The “thousands” number apparently decomposes to roughly 198 human-reviewed findings behind a pile of automated triage. That is consistent with the fact that the system card never quantifies, and with AISLE’s reproduction showing that the capability is widely accessible.

All the independent signals are converging towards the same conclusion: the headline capability is not what the headline says it is, and the parts that are real are reproducible on hardware a solo researcher can afford.

4. The citation circle: no partner, no confirmation, no cash, no report

Here I am looking for confirmation and the one place I was hoping to find it turns out to be circular reasoning. The entire Mythos cybersecurity narrative is three Anthropic-authored documents citing each other:

1. The system card (244 pages, 7 cyber pages, self-evaluated, no independent reproduction). It refuses to quantify. It never uses the word “thousands” in reference to vulnerabilities.
2. The red-team launch blog post at <a href="http://red.anthropic.com" rel="nofollow">red.anthropic.com</a>. It contains the “181 working exploits” integer that maps cleanly back to Figure 3.3.3.A in the system card. It points back at the system card for technical grounding.
3. The Project Glasswing announcement at anthropic.com/glasswing. It contains the “thousands of high-severity vulnerabilities across every major operating system and web browser” headline claim — the one the press ran with. It points back at the blog post, which points back at the system card, which refuses to quantify.

Does everyone at Anthropic stare into a mirror all day asking “who’s the smartest in all the land” or something like that? What is going on?

The chain has no end. Three documents, all Anthropic, citing each other, with the quantification landing farthest from the technical document that would have to defend it. It is a weirdly short and closed loop.

No partner has confirmed a single specific finding.

Read the Glasswing launch materials and you will find endorsement quotes from partners. But they aren’t what we need either.

Igor Tsyganskiy, Microsoft’s Global Chief Information Security Officer and Executive Vice President of Microsoft Research:

As we enter a phase where cybersecurity is no longer bound by purely human capacity, the opportunity to use AI responsibly to improve security and reduce risk at scale is unprecedented.

Google:

It’s always been critical that the industry work together on emerging security issues, whether it’s post-quantum cryptography, responsible zero-day disclosure, secure open source software, or defense against AI-based attacks.

CrowdStrike:

That is why CrowdStrike is part of this effort from day one.

Fluffy bunny, again.

Not one of these quotes names a bug, a CVE, a product, a severity, a patch, or a specific Mythos finding. Tsyganskiy — the single most qualified person on the partner list to confirm or deny whether Mythos found novel vulnerabilities in Windows — talks about “the opportunity.” Come on, what’s the scoop on Windows? Google’s statement is about “industry collaboration.” CrowdStrike’s statement is about not being left out. These are brand-association quotes that launder credibility without putting technical reputation behind any particular claim.

Not a single Glasswing partner has confirmed a single specific finding in the Anthropic materials. The partners agreed to lend their names to the initiative. They did not agree to vouch for any result. The silence of a named CISO at the company most likely to be affected now stands as the loudest data point against the entire launch.

The $100 million is funny tokens, not money.

Anthropic’s own financial breakdown: $100 million in usage credits for Mythos Preview, plus $4 million in direct donations to open-source security organizations. That is the full commitment. You have to play monopoly to use monopoly money.

The only dollars leaving Anthropic’s bank account are the $4 million in nonprofit donations. The remaining $100 million is free API access to the product Anthropic is asking partners to validate. Anthropic is paying partners, in kind, to use the thing Anthropic wants them to endorse. This is not a defensive investment. It is a reverse sales pitch — the vendor subsidizing the customer to generate validation the vendor can then cite, because so far, there ain’t nothing to bank on.

For context on what those credits buy: Mythos Preview’s post-preview list pricing is $25 per million input tokens and $125 per million output tokens, compared to Claude Opus 4.6 at $5 input / $25 output. Mythos is five times the price of the current flagship — which is a pricing decision that is itself a capability claim Anthropic has to defend.

And honestly, after reading nearly 200 pages of nonsense around seven pages of Sonnet being better at vulnerability finding than Mythos… I wouldn’t have a doubt where to spend my time and money.

The 90-day promise to find something.

Anthropic committed to a public report landing within 90 days of the April 7 launch, documenting what Glasswing has found and fixed. That puts the report deadline at July 6, 2026. As of this writing, six days into the program, we have no expectation of a report. Every claim about what Mythos has found in partner systems is future-leaning speculation. The entire narrative is running on a promissory note whose delivery date is like twelve weeks out.

What partners actually received.

Not a dossier of the Mythos power through all the confirmed vulnerabilities. Not a red-team report showing Mythos is indispensable. Not a verified CVE list, which honestly would have made the most sense of anything, ushering in a new era of vulnerability management by example. They received API access to run Mythos against their own codebases, plus usage credits to cover the compute.

They received access to the tool and Anthropic’s word that the tool is extraordinary. That’s unbelievably weak positioning. Whether it actually finds anything extraordinary in their systems is a question the 90-day report is supposed to answer, perhaps by obscuring how much of the actual work wasn’t the tool at all. The press has treated the question as already answered.

AISLE reproduction is the control experiment.

Partners shouldn’t have signed before seeing this.

Eight open-weights models reproduced the showcase bugs for pocket change. If a 3.6-billion-parameter model at eleven cents per million tokens finds the same FreeBSD NFS RCE that Anthropic’s blog post built a $100 million consortium around, the question every CISO on the Glasswing list should be asking is: what am I getting for $25 per million input tokens that I cannot get from the open-weights ecosystem for more than two orders of magnitude less — roughly 227× cheaper, at eleven cents per million?

The answer, based on everything public, is: an Anthropic token to go behind the velvet rope and see where disclosure timelines are set. That club mindset is the product. It’s not technical, it’s not about the model.

5. Cybench: Saturation Issues

Cybench is a public benchmark of 40 capture-the-flag challenges. Anthropic’s results (Section 3.3.1, pages 48-49) were that they pooped out at 35 of 40 challenges, citing “infrastructural constraints.”

Mythos ran 10 trials per challenge; baseline models ran 30. Unequal trial counts distort pass@1 comparisons in favor of the low-trial arm because there is less opportunity for variance to drag the average down.

Mythos: 100% pass@1.
Opus 4.6: 100% pass@1.

The benchmark is saturated and it discriminates nothing, as Anthropic said directly: “no longer sufficiently informative of current frontier model capabilities.” (page 48-49)

These numbers may not match previously reported numbers, because we caught grading errors where successful submissions were erroneously marked as incorrect.

The grading-correction footnote is suspicious. Every disclosed error moved in Anthropic’s favor. Earlier runs scored lower; a re-grade pushed them up. There is no description of the re-grade methodology, no independent audit, no mention of any correction that went the other way. This reads less like a grading fix and more like a scoring-rule change without a scoring-rule rationale, on the exact benchmark Anthropic is now retiring for being uninformative. Anthropic wrote the next sentence themselves about Cybench in 2026: saturation means they ran out of tests, not that their model solved security. They explicitly cite saturation as the reason to pivot away from CTF-style evaluations.

This is Goodhart’s Law stated in the first person “our measure became a target, it ceased to be a good measure”, and it is presented as evidence for the capability claim rather than against confidence in it.

6. CyberGym: open-book is not discovery

CyberGym (Section 3.3.2, pages 49-50) is 1,507 tasks and Mythos scored 0.83 vs. 0.67 for Opus 4.6. Finally we have uplift! But it also is on a benchmark that does not measure what Anthropic is claiming. The system card’s own description:

tests AI agents on their ability to find previously-discovered vulnerabilities in real open-source software projects given a high-level description of the weakness (referred to as targeted vulnerability reproduction).

This is an open-book exam. The bugs are known. The location is hinted. The model is graded on whether it can reach a crash site when told approximately where to look. It measures search efficiency with prior information, not autonomous vulnerability discovery.

Presenting a 16-point jump on targeted reproduction as evidence of autonomous zero-day capability is a category error. A CVE-hunter with the same hint and a debugger reproduces these bugs in an afternoon.

While the improvement is real in simple terms, the context matters more; relevance to “thousands of zero-days” headlines is zero.

7. The cyber ranges: oops the truth

Section 3.4 (pages 52-53) describes external cyber-range exercises. This is where the document puts its honest sentence forward, buried under a bullet list. The wins, with the quiet part out loud:

The ranges feature “outdated software, configuration errors, and reused credentials.” As a result, Anthropic boasts “first model to solve one of these private cyber ranges end-to-end.”

So basically a weak target. Next, I noticed a weird nit against security professionals. “Solved a corporate network attack simulation estimated to take an expert over 10 hours.”

Ok, but expert-hours are a scheduling thing more than a capability ceiling. We all know how we say give me six and then we do the work in one. Human teams clear these ranges routinely. Then comes the most damning part about the tests:

Claude Mythos Preview is capable of conducting autonomous end-to-end cyber-attacks on at least small-scale enterprise networks with weak security posture (e.g., no active defences, minimal security monitoring, and slow response capabilities). Note that these ranges lack many features often present in real-world environments such as defensive tooling.

No EDR. No SIEM. No SOC. No patching discipline. No defensive tooling. This is not a description of how the tool will slice through a modern enterprise. It is a description of a lab target Metasploit and a co-op student have owned since 2008. I mean if JP Morgan is running with weak security, then ok we have a problem. But the admission here is that Mythos is bothering with weak because the other end of the spectrum isn’t worth writing about.

The failures, which the document discloses and buries:

• Failed against a cyber range simulating an operational technology environment. (page 53)
• Failed to find any novel exploits in a properly configured sandbox with modern patches. (page 53)

These two sentences are the real threat assessment that should have been at the top of every report, contextualizing the headline. Anthropic’s frontier cyber model cannot compromise a properly patched, properly configured target. It cannot operate against OT. It wins where defenses are absent and loses where they are present. That is the signature of an accelerated junior security tester, not an unprecedented new threat.

A tool that can only compromise unpatched, unmonitored, undefended systems is a better explanation of what’s going on in the Anthropic report, using their own words.

8. The MIA List

I’ve already hinted at this but security reviews should have all of the following in a cybersecurity capability document claiming frontier advance. The Mythos system card instead contains none of it:

No CVSS distribution. No severity breakdown of the “zero-days.”

No CVE enumeration. Not a single CVE is listed in Section 3 of the document.

No responsible disclosure timeline. Unless you count a passing mention of the Firefox 148 patch sequence.

No vendor confirmation of novelty. Mozilla is mentioned as a collaborator; no Mozilla-signed statement confirming the bugs were novel or unknown to Mozilla’s security team is reproduced in the system card.

No comparison baseline to existing tooling. The words fuzzer, AFL, libFuzzer, AFL++, honggfuzz, OSS-Fuzz, Semgrep, and CodeQL do not appear anywhere in the 244-page document. In a 2026 cybersecurity capability document. This is an especially annoying omission. It is the difference between “we just discovered vulnerability research exists and want to change everything” and “we know what’s out there so we benchmarked our tool against the state of the art.”

No false-positive rate. No measurement of how many Mythos findings are duplicates, non-exploitable, or already-known CVEs.

No rediscovery ratio. No measurement of what percentage of “discovered” vulnerabilities were already in public databases.

No patching-velocity metric for Glasswing partners. The entire defensive justification for the program is uplift to defenders. Zero partner-reported patching-speed data is presented. Zero mean-time-to-remediation delta. Zero. This is not nitpicking — it is the stated rationale for the whole program, and it is not measured anywhere in the document.

No open-source evaluation harness. Nothing is reproducible by a third party using Anthropic’s own tooling.

No named external testers for Section 3. The document says “external partners” in the cyber section without identifying them.

No independent replication. Everything in Section 3 is Anthropic evaluating Anthropic with Anthropic-built harnesses. The one attempted external reproduction (AISLE) found the capability on a 3.6B open-weights model for eleven cents.

A CVE disclosure report from any serious lab — Project Zero, Talos, ZDI, any academic group — looks nothing like this. It has named testers, version numbers, reproduction steps, timestamps, artifact hashes, and vendor sign-off. The Mythos cyber section has none of these. For a “step change” claim, that is the wrong standard of evidence.

9. The volume-and-speed fallacy

Anthropic ignores twenty years of security domain expertise and treats “finding vulnerabilities faster” as self-evidently dangerous. This framing ignores fuzzing completely, but more fundamentally it shows the company lacks basic expertise in security.

OSS-Fuzz crossed 10,000 vulnerabilities years ago. It finds roughly 4,000 issues per quarter across thousands of projects.

libFuzzer and AFL++ have been producing crash corpora at industrial scale since 2016.

Not only did they fail to mention the concept of a fuzzer in more than 200 pages about fuzzing, they left out mentions of AFL, libFuzzer, OSS-Fuzz, Semgrep, or CodeQL. There is no comparison baseline to any existing automated tool anywhere.

And we all know the discovery rate has not been the constraint on vulnerability management for a decade. The constraint is triage, prioritization, patching velocity, and coordinated disclosure. Exploitability? Relevance? A tool that accelerates discovery without accelerating remediation grows the backlog; it does not shift the threat model.

Anthropic’s own stated justification for the entire Glasswing program is defensive uplift at partner organizations. The system card presents zero evidence of defensive uplift. No patching-velocity delta. No mean-time-to-remediation improvement. No partner-reported CVE-closure metric. Not a single data point on whether the discovery-to-fix cycle shortened for anyone. The defensive justification is asserted, not measured, and fails a basic sniff test. If they really believed their own words, they could have framed the paper as a defensive release. Why even suggest it’s a threat, if the actual result is defensive uplift?

10. Faster fuzzer ain’t a weapon

Here is the clean reframe the system card refuses to state. If Mythos really is what Anthropic claims — a radically faster vulnerability-discovery tool — and if responsible disclosure actually happens, then the primary effect is faster patching, not faster attacks.

Defenders run the tool. Defenders file the CVEs. Vendors ship patches. The patch reaches users faster than it would have. The window of exposure shrinks.

Attackers also run the tool, yes — but attackers had fuzzers already. They had OSS-Fuzz result mirrors, public CVE feeds within hours of disclosure, and unpatched vulnerable hosts by the million. The attacker-side speedup is marginal because the attacker’s bottleneck is target surface, not bug supply.

The “dual-use” hand-wringing that dominates Section 3.1 collapses the moment you engage your brain. If you believe your own defensive-uplift story, you do not need a fire alarm. You need a CVE velocity report, which obviously is missing here.

Anthropic chose the fire alarm and we have to wonder why.

11. Glasswing private classification authority

This is the point that should alarm regulators yet almost no coverage has engaged with it so far.

By withholding Mythos from general release and granting access only through the Glasswing consortium — Apple, Google, Microsoft, Amazon, Broadcom, Cisco, CrowdStrike, JPMorganChase, Nvidia, Palo Alto Networks, the Linux Foundation — Anthropic inserts itself as a de facto clearance-granting body for an “uplift” of vulnerability knowledge. Without a statutory basis. Without congressional oversight. Without FOIA exposure. Without a neutral arbiter. With a partner list drawn entirely from the largest incumbents in the industry it claims to be protecting.

The companies on the Glasswing list have every reason to love being inside the velvet rope. They get early access to a capability the rest of the industry does not. They get to shape disclosure timelines on their own products. They get to be the first to patch, which is competitively valuable, and the first to know which competitors are exposed, which is more valuable still. They get a seat at the table of a body that now decides, on a rolling basis, which vulnerabilities are too dangerous for the public to know about.

That is not a safety posture. It’s regulatory capture dressed as restraint. And it is being constructed with no democratic input, in a legal vacuum, by a private company whose business model depends on selling access to the very capability it has declared too dangerous to release.

The most important question raised by the Mythos system card was supposed to be “how dangerous?” But the model shows zero evidence of anything especially dangerous. So the important question is instead who gets to decide what “too dangerous to release” means, on what evidence, answerable to whom? The answer Anthropic is writing by default, one release at a time, is “us, on our own say-so, to nobody.”

That is worth resisting regardless of what you think of this particular model.

Someone running this campaign is trying to build exclusivity and moats, undermining transparency.

12. The FUD genre

I hear the same broken record since 1983. Each cycle converts a manageable technical event into a durable policy or market artifact that outlives the panic that produced it.

The 414s (1983) and NSDD-145 (1984). Six teenagers in Milwaukee log into Los Alamos and a few hospital systems over dial-up. Reagan watches the movie WarGames and asks General John Vessey, Chairman of the Joint Chiefs, “Could something like this really happen?” The policy review culminates in National Security Decision Directive 145, signed September 17, 1984: “National Policy on Telecommunications and Automated Information Systems Security.” NSDD-145 gave the NSA authority over federal civilian computers containing “sensitive but unclassified information.” It was the first time a US executive action pulled civilian computing under national-security agency oversight. The Comprehensive Crime Control Act of 1984 and the Computer Fraud and Abuse Act of 1986 followed from the same reaction window. The actual harm from the 414s was negligible. The statutory and executive response was permanent, and it expanded NSA authority into civilian systems in a way that remains in force today.

Michelangelo virus (1992) and McAfee’s market. John McAfee predicts five million infections. Press coverage goes nuclear and shifts the entire security industry towards blocklists that don’t work and can’t scale. Anti-virus software sales triple in the first quarter of 1992. Actual infections come in at a few thousand. McAfee never retracts and rides the market he just created for a decade. The industry emerges a generation ahead in sales of where organic demand would have placed it, but a generation or two behind in allowlist technology.

Mythos (2026) Treasury, Fed, and IMF, in six days. Six days after the April 7 launch, Treasury Secretary Bessent and Federal Reserve Chair Powell have convened Wall Street CEOs specifically about Mythos. Vice President Vance and Bessent questioned tech giants on AI security in the run-up. IMF Managing Director Kristalina Georgieva appeared on Face the Nation to declare “time is not our friend” in reference to Mythos-class capabilities. The US government’s financial, monetary, and international economic leadership have been fully captured by the narrative in under a week, on the basis of a 244-page document whose cybersecurity claims collapse under a careful afternoon read.

The institutional pipeline is off to the races already. Six days after launch, CSA, SANS, and OWASP published a 29-page “Mythos-ready” emergency briefing with Bruce Schneier, Jen Easterly, Chris Inglis, Heather Adkins, and Rob Joyce as contributing authors. It goes extra heavy on crediting a lot of people, including 250 CISOs. I’m not sure why, especially given the obnoxious mistakes.

The paper repeats “thousands of critical vulnerabilities across every major operating system and browser” as settled fact on page 8, repeats the “181 working exploits” and “72% exploit success rate” on page 9, and builds a 90-day emergency program on top of both. It never mentions the collapse to 4.4% when two bugs are removed. It never mentions AISLE’s reproduction on a 3.6B model for eleven cents. It never mentions that the system card’s own cyber ranges section admits the model fails against patched, defended targets.

Its own page 10 concedes that comparable capabilities may appear in open-weight models “within six months to a year,” a timeline AISLE made obsolete in six days. The verified facts in the document are real: XBOW topped HackerOne’s leaderboard, DARPA AIxCC found 54 vulnerabilities in four hours, Google Big Sleep found 20 zero-days in open source, Sysdig documented an AI attack reaching admin in eight minutes. Every one of those is independently confirmed by the organization that did the work, with named researchers, reproducible results, or public competition records. Every one of those also predates Mythos and required no Anthropic involvement.

They describe a trend in AI-assisted security research that has been building for over a year across multiple organizations with multiple models. The Mythos-specific claims are categorically different: self-evaluated by the vendor, unquantified in the technical document, unreproduced by any named external party, and contradicted by the system card’s own figures when read past the headline.

The paper bundles the two categories together so the verified trend makes the unverified product announcement feel inevitable. That is the worst form of FUD: anchor to something true, then extend the credibility to something unproven. The emergency is built on the myth, and some of the most credentialed people in the industry just co-signed it without checking the facts.

That is the real uplift metric. Instead of patching velocity, we need to be watching groupthink and policy velocity. The 414s produced NSDD-145 in fifteen months. Mythos produced a Treasury emergency meeting in six days. Same genre, same direction of money, accelerated by a factor of seventy-five. The policy apparatus has gotten faster at being captured.

This is the FUD genre.

It has a recognizable shape: a legitimate technological capability, reframed as civilizational threat, by a party that benefits from the reframing, in a rhetorical register that borrows from national security so that skeptics can be dismissed as naive. Anthropic did not invent this move. They are running a well-documented play, and running it faster than any previous instance on record.

13. The bottom lines

I talk with a lot of CISOs on a regular basis, so I hope this saves us all some time and money.

Anyone knocking on the door asking for money to “defend against AI hackers” as a special case, gets a hard pass. Do not fund such a line item on the basis of this Anthropic nothing-burger document.

Your patching SLA, EDR coverage, network segmentation, MFA enforcement, and asset inventory are still the things that determine your exposure. In particular, using AI to scan code for flaws internally is a leveling move, and using AI to remediate code by rearchitecting it away from flaws is an uplift. An AI-assisted offensive tool does not change that calculus because it moves the attacker marginally closer to the ceiling of what a competent human red team already does against targets that have no defenses anyway. The Mythos system card tested the model against small-scale enterprise networks with no active defenses and the model succeeded. The same document tested the model against a properly configured sandbox with modern patches and the model failed.

Failed.

You are the environment the model failed against, if you look at the report yourself. Check it out. Fund patching velocity, EDR tuning, and asset inventory.

For everyone else:

The most important thing in the Mythos release is not the model. It is the precedent. Anthropic has established, without discussion and without pushback, that a private company can unilaterally classify a capability as too dangerous for the public, grant selective access to the largest incumbents in the affected industry, and construct a parallel disclosure regime outside any democratic accountability structure. That precedent is exclusivity for abuse. It will be used by companies with worse judgment than Anthropic and narrower definitions of “partner” than the Glasswing consortium. The time to object to the shape of this thing is while it is still being built, not after it has removed all transparency and accountability.

The model is not the story. A cartel is the story.

Further reading

Primary documents

• Claude Mythos Preview System Card, Section 3 Cyber, pages 47-53 (Anthropic, April 7 2026): the technical document
• System Card, Figure 3.3.3.A, page 51: Firefox full-RCE 72.4% = 181 of 250 trials
• System Card, Figure 3.3.3.B, page 52: top-2-removed collapse to 4.4%
• System Card, page 53: “small-scale enterprise networks with weak security posture” / OT failure / properly-configured-sandbox failure
• System Card, page 49: Cybench grading-error footnote
• red.anthropic.com launch blog: source of the “181 working exploits” phrasing
• Project Glasswing announcement: the consortium launch, the “thousands of high-severity vulnerabilities” claim, the $100M credits / $4M donations breakdown, the 90-day report commitment, and the partner endorsement quotes
• Mythos pricing: $25/$125 per million input/output tokens; Opus 4.6 at $5/$25

Independent refutations

• AISLE blog: 8 of 8 open-weights models reproduce the FreeBSD showcase bug; 3.6B parameters at $0.11 per million tokens
• Tom’s Hardware reversal: the “198 manual reviews” decomposition
• The Register

Commentary

• Zvi Mowshowitz
• Gary Marcus

Policy velocity

• Fortune: Bessent/Powell convene Wall Street CEOs
• Bloomberg
• CBS News: Georgieva on Face the Nation
• CNBC: Vance/Bessent question tech giants

A few years ago, a data engineer on r/ExperiencedDevs got drunk and wrote down everything he learned in 10 years of engineering. The original account is deleted, but the post captures something real — the kind of honesty you only get after a few glasses of wine. Preserving it here, typos and all.

Contains the language you’d expect from someone who opened with ‘I’m drunk’.

I’m drunk and I’ll probably regret this, but here’s a drunken rank of things I’ve learned as an engineer for the past 10 years.

• The best way I’ve advanced my career is by changing companies.

• Technology stacks don’t really matter because there are like 15 basic patterns of software engineering in my field that apply. I work in data so it’s not going to be the same as webdev or embedded. But all fields have about 10-20 core principles and the tech stack is just trying to make those things easier, so don’t fret overit.

• There’s a reason why people recommend job hunting. If I’m unsatisfied at a job, it’s probably time to move on.

• I’ve made some good, lifelong friends at companies I’ve worked with. I don’t need to make that a requirement of every place I work. I’ve been perfectly happy working at places where I didn’t form friendships with my coworkers and I’ve been unhappy at places where I made some great friends.

• I’ve learned to be honest with my manager. Not too honest, but honest enough where I can be authentic at work. What’s the worse that can happen? He fire me? I’ll just pick up a new job in 2 weeks.

• If I’m awaken at 2am from being on-call for more than once pesr quarter, then something is seriously wrong and I will either fix it or quit.

pour another glass

• Qualities of a good manager share a lot of qualities of a good engineer.

• When I first started, I was enamored with technology and programming and computer science. I’m over it.

• Good code is code that can be understood by a junior engineer. Great code can be understood by a first year CS freshman. The best code is no code at all.

• The most underrated skill to learn as an engineer is how to document. Fuck, someone please teach me how to write good documentation. Seriously, if there’s any recommendations, I’d seriously pay for a course (like probably a lot of money, maybe 1k for a course if it guaranteed that I could write good docs.)

• Related to above, writing good proposals for changes is a great skill.

• Almost every holy war out there (vim vs emacs, mac vs linux, whatever) doesn’t matter... except one. See below.

• The older I get, the more I appreciate dynamic languages. Fuck, I said it. Fight me.

• If I ever find myself thinking I’m the smartest person in the room, it’s time to leave.

• I don’t know why full stack webdevs are paid so poorly. No really, they should be paid like half a mil a year just base salary. Fuck they have to understand both front end AND back end AND how different browsers work AND networking AND databases AND caching AND differences between web and mobile AND omg what the fuck there’s another framework out there that companies want to use? Seriously, why are webdevs paid so little.

• We should hire more interns, they’re awesome. Those energetic little fucks with their ideas. Even better when they can question or criticize something. I love interns.

sip

• Don’t meet your heroes. I paid 5k to take a course by one of my heroes. He’s a brilliant man, but at the end of it I realized that he’s making it up as he goes along like the rest of us.

• Tech stack matters. OK I just said tech stack doesn’t matter, but hear me out. If you hear Python dev vs C++ dev, you think very different things, right? That’s because certain tools are really good at certain jobs. If you’re not sure what you want to do, just do Java. It’s a shitty programming language that’s good at almost everything.

• The greatest programming language ever is lisp. I should learn lisp.

• For beginners, the most lucrative programming language to learn is SQL. Fuck all other languages. If you know SQL and nothing else, you can make bank. Payroll specialtist? Maybe 50k. Payroll specialist who knows SQL? 90k. Average joe with organizational skills at big corp? $40k. Average joe with organization skills AND sql? Call yourself a PM and earn $150k.

• Tests are important but TDD is a damn cult.

• Cushy government jobs are not what they are cracked up to be, at least for early to mid-career engineers. Sure, $120k + bennies + pension sound great, but you’ll be selling your soul to work on esoteric proprietary technology. Much respect to government workers but seriously there’s a reason why the median age for engineers at those places is 50+. Advice does not apply to government contractors.

• Third party recruiters are leeches. However, if you find a good one, seriously develop a good relationship with them. They can help bootstrap your career. How do you know if you have a good one? If they’ve been a third party recruiter for more than 3 years, they’re probably bad. The good ones typically become recruiters are large companies.

• Options are worthless or can make you a millionaire. They’re probably worthless unless the headcount of engineering is more than 100. Then maybe they are worth something within this decade.

• Work from home is the tits. But lack of whiteboarding sucks.

• I’ve never worked at FAANG so I don’t know what I’m missing. But I’ve hired (and not hired) engineers from FAANGs and they don’t know what they’re doing either.

• My self worth is not a function of or correlated with my total compensation. Capitalism is a poor way to determine self-worth.

• Managers have less power than you think. Way less power. If you ever thing, why doesn’t Manager XYZ fire somebody, it’s because they can’t.

• Titles mostly don’t matter. Principal Distinguished Staff Lead Engineer from Whatever Company, whatever. What did you do and what did you accomplish. That’s all people care about.

• Speaking of titles: early in your career, title changes up are nice. Junior to Mid. Mid to Senior. Senior to Lead. Later in your career, title changes down are nice. That way, you can get the same compensation but then get an increase when you’re promoted. In other words, early in your career (<10 years), title changes UP are good because it lets you grow your skills and responsibilities. Later, title changes down are nice because it lets you grow your salary.

• Max out our 401ks.

• Be kind to everyone. Not because it’ll help your career (it will), but because being kind is rewarding by itself.

• If I didn’t learn something from the junior engineer or intern this past month, I wasn’t paying attention.

Oops I’m out of wine.

• Paying for classes, books, conferences is worth it. I’ve done a few conferences, a few 1.5k courses, many books, and a subscription. Worth it. This way, I can better pretend what I’m doing.

• Seriously, why aren’t webdevs paid more? They know everything!!!

• Carpal tunnel and back problems are no joke. Spend the 1k now on good equipment.

• The smartest man I’ve every worked for was a Math PhD. I’ve learned so much from that guy. I hope he’s doing well.

• Once, in high school, there was thing girl who was a great friend of mine. I mean we talked and hung out and shared a lot of personal stuff over a few years. Then there was a rumor that I liked her or that we were going out or whatever. She didn’t take that too well so she started to ignore me. That didn’t feel too good. I guess this would be the modern equivalent to “ghosting”. I don’t wish her any ill will though, and I hope she’s doing great. I’m sorry I didn’t handle that better.

• I had a girlfriend in 8th grade that I didn’t want to break up with even though I didn’t like her anymore so I just started to ignore her. That was so fucked up. I’m sorry, Lena.

• You know what the best part of being a software engineer is? You can meet and talk to people who think like you. Not necessarily the same interests like sports and TV shows and stuff. But they think about problems the same way you think of them. That’s pretty cool.

• There’s not enough women in technology. What a fucked up industry. That needs to change. I’ve been trying to be more encouraging and helpful to the women engineers in our org, but I don’t know what else to do.

• Same with black engineers. What the hell?

• I’ve never really started hating a language or technology until I started becoming intimately familiar with it. Also, I think a piece of tech is good if I hate it but I simultaneously would recommend it to a client. Fuck Jenkins but man I don’t think I would be commuting software malpractice by recommending it to a new client.

• That being said, git is awful and I have choice but to use it. Also, GUI git tools can go to hell, give me the command line any day. There’s like 7 command lines to memorize, everything else can be googled.

• Since I work in data, I’m going to give a data-specific lessons learned. Fuck pandas.

• My job is easier because I have semi-technical analysts on my team. Semi-technical because they know programming but not software engineering. This is a blessing because if something doesn’t make sense to them, it means that it was probably badly designed. I love the analysts on the team; they’ve helped me grow so much more than the most brilliant engineers.

• Dark mode is great until you’re forced to use light mode (webpage or an unsupported app). That’s why I use light mode.

• I know enough about security to know that I don’t know shit about security.

Crap I’m out of wine.

• Being a good engineer means knowing best practices. Being a senior engineer means knowing when to break best practices.

• If people are trying to assign blame to a bug or outage, it’s time to move on.

• A lot of progressive companies, especially startups, talk about bringing your “authentic self”. Well what if your authentic self is all about watching porn? Yeah, it’s healthy to keep a barrier between your work and personal life.

• I love drinking with my co-workers during happy hour. I’d rather spend time with kids, family, or friends.

• The best demonstration of great leadership is when my leader took the fall for a mistake that was 100% my fault. You better believe I would’ve walked over fire for her.

• On the same token, the best leaders I’ve been privileged to work under did their best to both advocate for my opinions and also explain to me other opinions that conflict with mine. I’m working hard to be like them.

• Fuck side projects. If you love doing them, great! Even if I had the time to do side-projects, I’m too damn busy writing drunken posts on reddit

• Algorithms and data strictures are important — to a point. I don’t see pharmacist interviews test trivia about organic chemistry. There’s something fucked with our industry’s interview process.

• Damn, those devops guys and gals are f’ing smart. At least those mofos get paid though.

• It’s not important to do what I like. It’s more important to do what I don’t hate.

• The closer I am to the product, the closer I am to driving revnue, the more I feel valued regardless of how technical my work is. This has been true for even the most progressive companies.

• Linux is important even when I was working in all Windows. Why? Because I eventually worked in Linux. So happy for those weekend where I screwed around installing Arch.

• I’ve learned to be wary for ambiguous buzz words like big data. WTF is “big” data? I’ve dealt with 10k rows streaming every 10 minutes in Spark and Kafka and dealt with 1B rows batched up hourly in Python and MySQL. Those labels can go fuck themselves.

• Not all great jobs are in Silicon Valley. But a lot are.

Oh shit I found beer: let’s keeping going.

• I once hated a programming language (C#) until I started using it. Now I hated it but think it’s useful.

• Then I started hating a programming language (C#) and left it and came back. Wow, that programming language has really improved.

• The greatest thing about functional languages is that functions are first class and all other programmers know that.

• No matter how great or superior a language is, it doesn’t matter if people don’t use it.

• Learning a language isn’t hard. It’s learning the ecosystem.

• Pair programming is great, it just takes a lot of time — time that the company usually doesn’t want to spend.

• Working with smart engineers has made me a better coder. Working with smart non-technical co-workers has made me a better engineer.

• Don’t spend time outside of the 9-5 working. Unless you want to because you got a banging project and you’re in the groove. That shit is awesome.

• Happy hours and social hours across teams are 99% just chilling and getting to know coworkers. That’s cool. Every once in a while, the 1% is about a critical project with a critical piece of code and you’re glad you brought up work in a social setting because shit would’ve hit the fan otherwise. I’m not saying that I should hang out with other teams outside of work because of this. I just want to bond. But it sure as hell is a nice perk.

• If the company is half remote and half on-site, it’s important to determine if the remote people aren’t treated as second-class citizens. If major decisions are made “at the water cooler”, then it’s better to try to change the company culture (hard) or move on to a different company that treats its remote employees as first class citizens.

• The second worst major downside of working from home is no whiteboard.

• The first major downside of working from home is that it’s hard to learn from coworkers. Unless I’m (a) confident and assertive to ask questions and (b) the company has a culture where remote workers are equivelent to on-site workers, I think it was best that I worked on-side for the first 5 years of my career.

• Everyone knows that tech changes. The tech landscape of the past 10 years has changed dramatically. But fundamentals don’t change very much, especially fundamentals that apply to my field.

• Hacker news and r/programming is only good to get general ideas and keep up-to-date. The comments are almost worthless.

• There’s a lot of vocal amateurs with strong opinions about technology. Even amateurs published on “respectable” journals and blogs. I found it to keep abreast of the rumors but to figure things out for myself.

• I work at a cutting edge startup and we don’t use the latest XYZ tech that was present at ABC cutting edge tech company. And it turn out, what they usually present is only a small percentage of their engineering department and that most of them are using the same tech we are.

• That being said, it’s important to read the signs. If you want to work with modern tech and you’re company is still doing the majority of it’s development in jQuery, might be time to re-evauluate.

• Fuck it I’m a data engineer so I might as well give more specific, target advice/experience

• SQL is king. Databases like MySQL, Postgres, Oracle, SQL Server, SQLite is still supreme. Even if you work with new tech, most of it transfers anyway.

• Most companies aren’t doing streaming. It’s hard and complicated. If you’re 10 years into your career and you don’t know how to work with 10k records per second, don’t worry about it, there’s still jobs out for you.

• Airflow is shit, yes. There are other products out there, but fuck me if Airflow isn’t the most widely used.

• Machine learning projects are highly prone to failure. They’re complicated and hard to implement. Don’t believe me? How easy is it to write fucking unit test a machine learning model? Yeah.

• Our field is new. There’s no good book on data engineering, just go and “do it”. Can’t learn it through a bootcamp and shit. This will probably change in 10 years as we all figure out what the fuck we’re doing.

• People die. Do you want your code to be your legacy? If yes, then spend a lot of time on it because that’s your fucking legacy and you go! But if you are like me, your legacy is surrounded with family, friends, and people in your life and not the code you write. So don’t get too hung up on it.

• Good people write shitty code. Smart people write shitty code. Good coders and good engineers write shitty code. Don’t let code quality be a dependent variable on your self worth.

• I got into tech and coding because tech was my hobby. Now my hobby is is the same as work and work has ruined my hobby. So now if I want to enjoy tech I need to quit my hobby. Or I need to be OK that tech is no longer my hobby and find new hobbies.

• Programming and computer science is like, what, 80 years old? Compare that with any other engineering discipline. Yeah, we collectively don’t know what the fuck we’re doing.

• I’m making pretty good money. Be grateful and appreciate. Also, save.

• I’ve built large platforms and libraries that are used by multiple teams and people for many years. Yet for some reason, the most proud I was of the code I wrote was the small script that was used by me.

• The proudest accomplishment of my career has been helping other people be better at their jobs. That’s probably because I’m destined to be a people manager, so this is probably not helpful to other people.

• When I was looking for a job, I created an updated my Linkedin. I got shit replies and deleted it. Now I use Linkedin to find other candidates to join my company. Bottom line, Linkedin is a lot of noise. I only find it valuable because now, part of my job is contributing to that noise.

• Once, I found out in college that a girl liked me. I didn’t believe it because I had poor self esteem, but then she asked me out. I told her I wasn’t interested even though she was really cool. That was one of the proudest moments in my life because I as mature enough at 19 to say “no” in a mature way.

• r/cscareerquestions is such a cesspool of ego and misinformation that I don’t know what to do about it. Like, WTF. I want to shake all those people and try to explain to them how the world really is, but they wouldn’t believe me.

• I’m drunk and I usually don’t drink, so I would think that everything I say is probably cringy or terrible

• I feel strongly that people should save and invest money. If you have a 6 figure salary, do your best to max our your 401k please.

• I’ve become what I’ve always hated: someone who works in tech in a career but avoid tech in real life. Maybe that comes with being old.

• r/ExperiencedDevs is a pretty cool community. Thank you mods. You get way less appreciation than you deserve. Seriously, thank you.

• I probably owe my career, my salary, my life to Reddit. Reddit gets a lot of shit but the communities here have lifted me out of poverty (working at a gas station earning min wage) to learning Linux, SQL, python, C#, Python, and others to get me where I am.

• Kids are great. I don’t have kids by choice. Why? Because I love kids and I’m scared about what kind of father I would be. Oh shit, is that too personal for a post here?

• Once, someone asked me who I looked up to and I said Conan O’Brien, and they laughed at me. But I was being serous because on his last show on the Tonight Show, he told his audience to be kind and work hard. It happend during a difficult period of my life, and when I watched him say that, I said, you know what, I’m going to do just that. Because what would I have to lose? And you know what? I’ve met some brilliant people who I’ve learned from over 10+ years because I was kind to them. And I’ve grown a lot by working hard and not being afraid to try new things. And my life is infinitely, infinitely better because of those words. So yes, it might seem silly and even ridiculous to say that I’ve achieved a level of fulfillment in my life because of a late night talk show. But you know what, fuck it, it’s my life and I will proudly say that I owe any success I’ve achieved because a fucking comic on late night television.

I’m highly intoxicated so please disregard anything I say. Also apologies for ranting.

I saved this because it’s one of the most honest things I’ve read about our industry. As a data engineer with 10+ years in, I agree with almost all of it — especially the parts about SQL being king, tech stacks not mattering as much as you think, and the best code being no code at all. The only thing I’d push back on is the dynamic languages take. But hey, the man was drunk.

This is the fundamental building block of GPS.

This is also why your phone's clock is so accurate. It's constantly being synced to atomic clocks in space!