Anthropic has been explicit about why Mythos isn’t public. The model is too good at repeatedly finding security flaws in production systems that some of the best engineers in the world have been maintaining for years.
So instead of a public release, Anthropic built Project Glasswing. Around 40 organizations get controlled access. Anthropic committed $100 million in usage credits to support the effort. The list includes Apple, Google and Microsoft, companies that aren’t exactly short on security talent themselves.
One of those organizations is Calif, a Palo Alto cybersecurity firm. In April their researchers used techniques derived from Mythos to find two previously undocumented vulnerabilities in macOS. They chained them together into a privilege escalation exploit capable of bypassing Apple’s memory integrity enforcement, the part of the system that’s supposed to be completely off-limits to normal processes. Then they flew to Cupertino and handed Apple a 55-page report in person.
Apple is reviewing it. Patches are expected. And Mythos just added macOS to a list that already includes a 27-year-old OpenBSD bug and multiple Linux vulnerabilities nobody had caught before.
Not Mythos alone
Calif CEO Thai Dong was direct with the Wall Street Journal: the attack “couldn’t have been pulled off by Mythos alone and leveraged the very human cybersecurity expertise of some of Calif’s hackers.”
That distinction matters in both directions. It’s not a story about AI replacing security researchers: the exploit required serious human expertise layered on top of what the model produced. But it’s also not nothing. Mythos narrowed the search space, surfaced the vulnerabilities, and gave researchers a starting point that would have taken significantly longer to reach on their own. The combination found something Apple missed.
An unavoidable track record
Before Calif walked into Apple’s headquarters, Mythos had already surfaced a vulnerability in OpenBSD that had gone undetected for 27 years. It found exploitable weaknesses in Linux that human researchers had walked past for years without noticing.
That’s not a coincidence or a lucky find. That’s a pattern. And it’s exactly why Anthropic won’t release the model publicly: it works consistently enough that putting it in the wrong hands is a genuinely serious consideration.
The $100 million in usage credits Anthropic committed to Project Glasswing starts to make more sense in that context. It’s an attempt to extract real defensive value from a capability that exists whether Anthropic monetizes it or not. Better to have Apple and Google finding their own flaws with it than to wonder who else might find those flaws first.
The question this raises for the rest of the industry
Forty organizations have controlled access to Mythos. The rest of the security research industry doesn’t.
That gap is going to widen. If a model under strict access controls is already finding decades-old bugs in the most scrutinized codebases on the planet, the natural question is what happens when similar capabilities become more broadly available, whether through Anthropic eventually loosening access, a competitor releasing something comparable, or less scrupulous actors building toward the same destination through different means.
Calif’s CEO thinks Apple will patch these bugs quickly. That’s probably true. But the more durable question isn’t about these two specific vulnerabilities. It’s about what the security research industry looks like when this kind of capability stops being rare.
The 55-page report is sitting on a desk in Cupertino right now. Full technical details won’t be released until Apple ships patches. When that happens, this will become one of the cleaner documented examples of what AI-assisted vulnerability research actually produces in practice: two real bugs in a real operating system that nobody found until a model that Anthropic won’t let the public touch helped look for them.




