Anthropic unveils Mythos AI model for cybersecurity applications

On Tuesday, Anthropic released a preview of its new AI model, Mythos, which will be utilized by a select group of partner organizations for cybersecurity efforts. In a previously leaked memo, the AI startup described this model as one of its “most powerful” to date. The limited debut of Mythos is part of a new security initiative called Project Glasswing, where over 40 partner organizations will deploy the model for “defensive security work” and to secure critical software.

While not specifically trained for cybersecurity tasks, the preview will be used to scan both first-party and open-source software systems for code vulnerabilities. According to Anthropic, Mythos has identified “thousands of zero-day vulnerabilities, many of which are critical,” with many being one to two decades old.

Mythos is a general-purpose model for Anthropic's Claude AI systems, boasting strong coding and reasoning capabilities. Anthropic's frontier models are regarded as its most sophisticated and high-performance offerings, designed for more complex tasks, including agent-building and coding.

Partner organizations testing Mythos include Amazon, Apple, Broadcom, Cisco, CrowdStrike, the Linux Foundation, Microsoft, and Palo Alto Networks. As part of the initiative, these partners will eventually share their insights from using the model, allowing the broader tech industry to benefit.

The preview will not be made generally available, Anthropic stated. The company also claims to be in “ongoing discussions” with federal officials regarding the use of Mythos, although it's likely that these discussions are complicated by Anthropic's current legal battle with the Trump administration after the Pentagon labeled the AI lab a supply-chain risk due to its refusal to allow autonomous targeting or surveillance of U.S. citizens.

The news about Mythos was initially leaked during a data security incident reported last month. A draft blog about the model, then referred to as “Capybara,” was left in an unsecured cache of documents available on a publicly inspectable data lake. The leak, attributed to “human error,” was first spotted by security researchers.