Morning Overview

Anthropic just built a ‘Frontier Red Team’ around Mythos — even most engineers inside the company can’t run the top capability tier

Somewhere inside Anthropic’s infrastructure, an AI system called Mythos Preview has been scanning roughly 1,000 widely used open-source software projects and flagging the kinds of bugs that hackers pay seven figures for on gray markets. The worst findings, rated tier 5 on the company’s internal scale, represent what security researchers call a complete control flow hijack: total takeover of a program’s execution path. And as of June 2026, the vast majority of Anthropic’s own engineers are not allowed to touch it.

A newly formed unit called the Frontier Red Team now controls all access to Mythos and decides how its discoveries reach the outside world. The arrangement has no close precedent in the AI industry. It also raises an uncomfortable question: what happens when a single private company sits on thousands of unfixed flaws in the operating systems and browsers that billions of people depend on daily?

What Anthropic has actually shown

Two documents, both published through Anthropic’s own channels, form the backbone of what’s publicly known.

The first is the Frontier Red Team’s technical report. It confirms that Mythos Preview was evaluated against roughly 1,000 repositories drawn from OSS-Fuzz, the corpus Google maintains to continuously test major open-source projects for memory-safety bugs. Each finding was graded on a five-tier severity ladder. Tier 1 covers minor information leaks. Tier 5, the ceiling, means an attacker could redirect a program to run arbitrary code. The report describes the methodology in enough detail for outside researchers to understand the ratings, though Anthropic controlled the testing environment and has not invited independent replication.

The second is the Project Glasswing announcement, which describes a partner-access program for defensive use. Through Glasswing, vetted external organizations receive Mythos-derived vulnerability reports so they can build patches. Anthropic says the effort has already surfaced “thousands of high-severity vulnerabilities” across major operating systems and browsers. That figure has not been broken down by severity tier, affected project, or platform, so it functions as an institutional assertion rather than independently verified data.

Concrete evidence that at least some discoveries have already produced real-world fixes does exist. The technical report references an OpenBSD SACK patch signature, though it does not link to a specific commit or advisory, making independent verification difficult. Anthropic’s published coordinated-vulnerability-disclosure framework outlines how the company notifies affected maintainers before releasing bug details publicly. The process follows the same responsible-disclosure norms that Google’s Project Zero and Microsoft’s Security Response Center have used for years.

Taken together, the sequence is clear: Anthropic built an AI capable of finding deep software flaws at scale, restricted access to a small internal team, created a gated channel for defensive partners, and chose not to ship the tool as a product. That pattern looks more like an internal security capability than a commercial offering, at least for now.

The gaps that matter

Several critical details are missing from the published record, and they are exactly the details that would let outsiders judge whether this arrangement actually works.

Anthropic has not disclosed how many people hold tier-5 access to Mythos Preview. The Frontier Red Team blog describes the evaluation setup but does not name individual members, their prior affiliations, or the reporting line that governs their work. Without that transparency, it is impossible to assess whether the team operates independently from Anthropic’s commercial interests or functions as an extension of product development.

The Glasswing partner selection process is similarly opaque. The announcement describes the program’s purpose but does not publish vetting criteria, contractual obligations, or disclosure timelines. Whether a two-person team maintaining a popular open-source library gets the same access as a Fortune 500 company remains an open question. So does whether any government or intelligence agency sits inside the partner roster.

The “thousands of high-severity vulnerabilities” claim deserves particular scrutiny. Without a distribution by severity tier or affected project, it is hard to tell whether the bulk of findings cluster around well-known attack surfaces or represent genuinely novel bug classes. Automated vulnerability scanning is notorious for count inflation: a single root cause can manifest as dozens of distinct crash signatures. Anthropic has not addressed that possibility.
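The count-inflation problem above is routinely handled by crash triage systems, which group raw crashes by a normalized stack signature before anyone counts "vulnerabilities". The script below is an added illustration of that technique, not code from Anthropic, OSS-Fuzz or any Glasswing partner; the crash reports, function names and the frame-ignore list are constructed for the example.

```python
"""Crash deduplication by normalized stack signature (added example).

Shows why a raw crash count overstates the number of distinct bugs:
sanitizer wrapper frames, architecture-specialised libc variants, fault
addresses and extra caller depth all change the raw trace without
changing the root cause. All data below is constructed, not real findings.
"""
import re
from collections import defaultdict

# Frames that tell you where a bug was *detected*, not where it lives.
# Hypothetical ignore list; real triage tools keep longer, curated ones.
IGNORED_FRAMES = {"memcpy", "memmove", "memset", "strlen", "strcpy", "free", "malloc"}

# Constructed sample crashes: (crash_id, raw crash type, frames top-first).
CRASHES = [
    ("c1", "heap-buffer-overflow", ["memcpy", "parse_chunk", "png_read_row", "png_read_image", "main"]),
    ("c2", "heap-buffer-overflow", ["__interceptor_memcpy", "parse_chunk", "png_read_row", "png_read_image", "main"]),
    ("c3", "heap-buffer-overflow", ["memcpy", "parse_chunk", "png_read_row", "png_read_image", "load_file", "main"]),
    ("c4", "SEGV on unknown address 0x7ffd2a1c0000", ["strlen", "format_name", "render", "main"]),
    ("c5", "SEGV on unknown address 0x000000000010", ["__strlen_avx2", "format_name", "render", "main"]),
    ("c6", "use-after-free", ["free", "free_node", "tree_destroy", "main"]),
    ("c7", "use-after-free", ["__interceptor_free", "free_node", "tree_destroy", "main"]),
    ("c8", "heap-buffer-overflow", ["memcpy", "parse_chunk", "png_read_row", "png_read_image", "main"]),
]


def normalize_frame(frame: str) -> str:
    """Strip decoration that varies between runs but not between bugs."""
    f = re.sub(r"^__interceptor_", "", frame)          # sanitizer wrappers
    f = re.sub(r"^__", "", f)                           # libc-internal prefixes
    f = re.sub(r"_(avx2|avx512|sse2|sse4_2|evex|erms)$", "", f)  # ISA variants
    f = re.sub(r"\+0x[0-9a-fA-F]+$", "", f)             # symbol offsets
    return f


def normalize_crash_type(crash_type: str) -> str:
    """Fault addresses differ per run; replace them with a placeholder."""
    return re.sub(r"0x[0-9a-fA-F]+", "<addr>", crash_type)


def crash_signature(crash_type: str, frames: list[str], depth: int = 3) -> tuple[str, ...]:
    """Signature = normalized crash type + top `depth` non-library frames.

    Extra caller depth beyond `depth` is deliberately ignored, so the same
    crash reached through different outer call paths still groups together.
    """
    normalized = [normalize_frame(f) for f in frames]
    interesting = [f for f in normalized if f not in IGNORED_FRAMES]
    if not interesting:                 # trace entirely inside libc: keep it as-is
        interesting = normalized
    return (normalize_crash_type(crash_type), *interesting[:depth])


def deduplicate(crashes) -> dict[tuple[str, ...], list[str]]:
    """Group crash ids by signature; each group approximates one root cause."""
    groups: dict[tuple[str, ...], list[str]] = defaultdict(list)
    for crash_id, crash_type, frames in crashes:
        groups[crash_signature(crash_type, frames)].append(crash_id)
    return dict(groups)


def summarize(crashes) -> tuple[int, int]:
    """Return (raw crash count, deduplicated bug count)."""
    return len(crashes), len(deduplicate(crashes))


if __name__ == "__main__":
    raw, unique = summarize(CRASHES)
    print(f"{raw} raw crashes -> {unique} distinct root causes")
    for sig, ids in deduplicate(CRASHES).items():
        print("  ", " | ".join(sig), "<-", ", ".join(ids))
```

On the constructed data, eight raw crashes collapse to three signatures. The same dedup step is what a severity breakdown would have to be computed over before a headline count means anything; without it, a single overflow reached through several call paths shows up as several "findings".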

The total number of patches generated from Mythos findings has not been published either. That means the ratio of discoveries to actual fixes, the metric defenders care about most, cannot be calculated from public data. Nor is there visibility into how long a vulnerability typically sits between internal discovery and notification of the affected maintainer, a gap that matters enormously when hundreds of projects are implicated at once.

Finally, there is no public detail about how Mythos itself is secured. The documents do not describe internal controls preventing model weights, prompts, or raw exploit proofs-of-concept from leaking beyond the Frontier Red Team. Without independent audits or third-party attestations, the security community is asked to take Anthropic at its word. Given the stakes, some practitioners will find that uncomfortable.

Why this is different from what came before

Automated bug-finding is not new. Google’s OSS-Fuzz has been running since 2016 and has logged tens of thousands of defects. Academic groups have demonstrated that large language models can help generate fuzzing inputs, triage crashes, and even suggest exploit strategies. DARPA’s AI Cyber Challenge pushed the concept further by pitting AI systems against each other in live capture-the-flag competitions.

What distinguishes Mythos, based on Anthropic’s own description, is the severity ceiling. Traditional fuzzers excel at finding crashes and memory errors. Tier-5 findings go further: they represent full control flow hijacks, the class of bugs that underpin the zero-day exploits tracked by brokers such as Zerodium, whose public price list advertises payouts ranging from tens of thousands to $2.5 million per exploit. A system that can surface those issues systematically, across hundreds of projects, would represent a qualitative shift in both defensive opportunity and offensive risk.

The decision to withhold Mythos from general availability reflects a genuine tension. Restricting access limits the chance that the tool or its outputs reach attackers who could turn automated discovery into industrialized exploitation. But it also concentrates knowledge of critical software flaws inside a single private company and its chosen partners, creating an information asymmetry that open-source maintainers and smaller vendors cannot offset on their own. If a vulnerability sits in a widely deployed library and Anthropic’s disclosure timeline stretches longer than an attacker’s independent discovery window, the restriction could leave users exposed rather than protected.

What this means for everyone outside the room

For software developers and security teams who are not Glasswing partners, the practical takeaway is narrow but concrete. Anthropic’s disclosure framework signals that patches will flow through conventional channels: maintainers will receive private reports, develop fixes, and coordinate public advisories. Teams that rely heavily on the open-source components covered by OSS-Fuzz should stay current with upstream releases, monitor security mailing lists, and apply patches quickly when they appear, even without seeing the Mythos reports that triggered those fixes.

For policymakers, the Mythos story sharpens a question that has been building for years: should advanced vulnerability-discovery AI be treated as dual-use infrastructure, subject to the same kinds of oversight applied to encryption tools or surveillance technology? The same capability that can harden the software ecosystem could, under different incentives, supercharge offensive operations. Right now, companies like Anthropic are setting de facto policy through internal access rules and partner agreements. No regulator, standards body, or international framework has weighed in.

How quickly Anthropic moves from discovery to disclosure, and how transparently it reports the results, will go a long way toward determining whether Mythos makes the internet’s foundations stronger or simply shifts the balance of who knows where the cracks are.

This article was researched with the help of AI, with human editors creating the final content.