Claude Mythos 5: Inside the World's Most Powerful Cyber AI

TL;DR — Claude Mythos 5 has the strongest offensive cybersecurity capabilities of any AI model ever built. In Anthropic's evaluations the earlier Mythos Preview found thousands of zero-day vulnerabilities across every major operating system and browser, developed working exploits 181 times in a single benchmark (versus just 2 for the prior Opus model), and the UK's AI Security Institute confirmed it can run multi-stage attacks autonomously. That power is exactly why it's gated — locked behind Project Glasswing and wrapped, for the public, in the safer Claude Fable 5. Here's what the offensive cyber evaluations actually show, and why it matters for every defender.

---

What "Mythos-class cyber" means

Anthropic's models are organized into capability tiers — Haiku, Sonnet, Opus, and the frontier Mythos class that sits above them all. Mythos earned its own tier for one reason above others: cybersecurity. These models have reached a level of coding ability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities — and, crucially, at agentic hacking: chaining reconnaissance, vulnerability discovery, lateral movement, and exploitation into a single autonomous campaign.

Mythos 5 (and its safeguarded public twin, Fable 5) is the second generation of that tier. The capability is genuinely dual-use: the same skill that lets a defender find and patch a flaw before attackers do is the skill an attacker would use to break in. That tension is the entire story.

The offensive cyber evaluations

The numbers from Anthropic's evaluations are stark. The standout figures come from the Mythos line's vulnerability-discovery and exploitation testing:

A jump from 2 working exploits to 181 in a single generation is not an incremental gain — it's a phase change. "Register control" (seizing control of a program's execution at the CPU level) on 29 additional targets means the model isn't just spotting bugs; it's weaponizing them end-to-end. And it does this across the software that runs the modern internet — operating systems, browsers, and critical libraries.

The independent verdict: AISI

Anthropic's own numbers would be easy to dismiss as marketing if they stood alone. They don't. The UK's AI Security Institute (AISI) ran its own evaluation of the Mythos line and reported:

• Continued improvement on capture-the-flag (CTF) challenges — the standard proving ground for offensive security skill.
• Significant improvement on multi-step cyber-attack simulations.
• Direct observation that the model could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously.

Independent, government-backed confirmation that a commercial model can autonomously run a multi-stage network attack is a milestone the security industry has been bracing for. It's here.

Project Glasswing: turning the weapon into a shield

Anthropic's response to building the most capable cyber model in the world was not to ship it to everyone. It was to stand up Project Glasswing — a coalition to point that capability at defense and to harden the world's most critical software before attackers catch up.

The launch partners read like a who's-who of global infrastructure:

• Cloud & silicon: Amazon Web Services, Google, Microsoft, NVIDIA, Broadcom, Apple
• Security: CrowdStrike, Palo Alto Networks, Cisco
• Finance & open source: JPMorganChase, the Linux Foundation
• And Anthropic itself, coordinating with the US government

The thesis is simple and urgent: if a frontier model can find thousands of zero-days, you want defenders running it first — auditing critical code, patching at machine speed, and rewriting the playbook for staying ahead of AI-enabled attackers. Glasswing partners can upgrade from Mythos Preview to Mythos 5 today, with cyber safeguards lifted, on the closed track.

How Fable 5 keeps this locked down for the public

If Mythos 5 is this dangerous in the wrong hands, how can Anthropic release the same model publicly as Fable 5? The answer is a layered safety system, and it's the reason a Mythos-class model could ship at all.

• Classifiers + automatic fallback. Fable 5 runs separate AI classifiers alongside the main model. When one detects a cyber, bio/chem, or distillation request, the response is handed off to Opus 4.8 instead — a capable model, but one without frontier offensive cyber skill. The user is told it happened.
• Block-mode results. In testing where Fable was set to block rather than fall back, the classifiers prevented it from making any meaningful progress on offensive cyber tasks.
• Hardened against jailbreaks. An external bug bounty ran 1,000+ hours and found no universal jailbreaks. On single-turn harmful cyber requests — attack planning, exploit development, defense evasion — Fable 5 complied with zero, holding up against 30 different public jailbreak techniques. One external partner rated its cyber safeguards the most robust of any model they'd tested.

The honest caveat: Anthropic concedes that perfectly preventing every jailbreak is likely impossible. The realistic goal is to make any remaining jailbreak slow and costly enough to detect and shut down before it can be used at scale — and to keep the unrestricted model out of public reach entirely.

What it means for defenders and security teams

Strip away the announcements, and a few concrete shifts land on every security team's desk:

1. AI-speed vulnerability discovery is now real on both sides. Assume sophisticated adversaries will eventually have access to frontier-grade cyber reasoning. The defensive answer is to adopt it first — AI-assisted code auditing, continuous fuzzing, and automated patch generation move from "nice to have" to table stakes.
2. Autonomous, multi-stage attacks change detection. When an attacker can chain recon → exploit → lateral movement without human latency, your detection and response windows shrink. Behavioral and identity-based defenses matter more than signature-based ones.
3. Provenance and gating become policy questions. The Glasswing model — capability gated to vetted defenders, public access wrapped in classifiers — is the emerging template. Expect regulators and customers to ask how your AI features prevent misuse.
4. The 30-day data-retention rule. Anthropic now requires 30-day retention on Mythos-class traffic (for safety only, not training). If you're an enterprise adopting Fable 5, loop in compliance before production.

From Mythos Preview to Mythos 5: the timeline

The Mythos line didn't appear overnight. The first Mythos-class model, Mythos Preview, shipped in April 2026 to a small group of cyber defenders and critical-infrastructure providers — already capable enough that Anthropic built a dedicated security program around it. Independent evaluators, including the UK AI Security Institute, tested it through the spring. In June 2026 came the second generation: Fable 5 for everyone, and Mythos 5 — the same model, cyber safeguards lifted — for vetted Glasswing partners, at less than half the price of the preview.

The trajectory matters: each generation's cyber capability has jumped sharply, which is precisely why the gating apparatus grew alongside it.

It's not only cyber: the bio/chem dimension

Cybersecurity is the headline risk, but Mythos-class models triggered a second safeguard category: biology and chemistry. The same model that finds zero-days can complete real scientific tasks — Anthropic reported using the unrestricted model to accelerate parts of drug design roughly tenfold and to generate novel molecular-biology hypotheses that scientists preferred about 80% of the time.

That's enormously valuable for medicine — and dual-use in the same way cyber is. So Fable 5 also falls back to Opus 4.8 on most biology and chemistry requests for now, deliberately broad, with a plan to narrow it as the safeguards mature. A separate trusted-access program for vetted biology researchers is planned.

Why gating buys time

A fair question: if a determined adversary will eventually obtain frontier cyber capability anyway, what does gating accomplish? Three things. It delays broad access, giving defenders a head start to harden critical software. It raises the cost of misuse — would-be attackers can't simply call an API. And it creates a detection surface: mandatory 30-day retention and logged access let Anthropic spot novel, multi-request attacks and shut down jailbreaks before they scale. None of this is a permanent moat — it's a time advantage. And in security, time to patch is everything.

The bigger picture: an AI cyber arms race, refereed

The Fable 5 / Mythos 5 launch is a bet that you can democratize frontier capability without democratizing frontier danger — by building one model, gating the dangerous parts rather than the whole thing, opening the gate gradually for trusted defenders, and being transparent about the trade-offs.

It won't be perfect. The safeguards are deliberately over-cautious for now, false positives will frustrate users, and no jailbreak defense is absolute. But as a posture, it's a credible middle path between "ship the most powerful thing as fast as possible" and "lock everything down until it's provably safe."

For defenders, the practical takeaway is unambiguous: the most powerful cyber tool in the world now exists, it's pointed at defense first through Project Glasswing, and the window to modernize your own program around AI-speed offense and defense is open right now. Use it.