What Mythos can actually do, and why Anthropic isn't shipping it
Anthropic announced Claude Mythos Preview on April 7, 2026 as a frontier model a full capability tier above Opus 4.7 — 93.9% on SWE-bench Verified, 77.8% on SWE-bench Pro, 82.0% on Terminal-Bench 2.0, 97.6% on USAMO 2026 in Anthropic's own evals. Those are the headline numbers, and they are not the reason the model isn't generally available.
The reason the model isn't generally available is in the cybersecurity section. Mythos Preview can, when directed by a user, identify and then exploit zero-day vulnerabilities in every major operating system and every major web browser. Many of the vulnerabilities it surfaces are ten or twenty years old. The oldest found so far is a now-patched 27-year-old OpenBSD bug. The model can independently find and chain several minor vulnerabilities into a single attack sequence that achieves complete system control — no human-supplied exploit chain, no scaffolding, just the model reasoning across a codebase and the published advisories around it.
The operational implication is straightforward and uncomfortable. A model that finds 0-days in production OSes at this rate, available through a standard API, is a model whose first weekend of public availability is a global incident. So Anthropic chose not to. Instead, the company stood up Project Glasswing: an industry consortium of 40+ vetted organizations that maintain critical software — operating system vendors, browser teams, infrastructure providers, financial-system maintainers — with monitored access to use Mythos against their own systems before any wider release. CrowdStrike is a founding member. Central banks have held emergency briefings about the implications for the legacy COBOL and C code underlying the global banking system.
This is a different deployment shape than the industry has shipped a frontier model into before. It's worth understanding why.
The 'ship to API, see what happens' model just broke
For the first five years of the modern frontier-model era, the deployment model was the same: a lab trained a model, ran some red-team evaluations, published a system card, and exposed the model through an API. Capability uplift was managed through policies (usage terms, content filters, abuse monitoring) rather than through gating who could use the model at all. The bet was that the model's capabilities, while strong, were not so asymmetrically dangerous that gating access to the public was warranted.
Mythos is the first model where that bet visibly failed. Specifically: the time-to-exploit gap between a defender (who needs to patch every system) and an attacker (who needs to compromise one) inverted the math. A 27-year-old OpenBSD bug means that for 27 years, defenders couldn't find it. Mythos finds it in a single session. Shipped through a standard API, every script kiddie has access to the same capability — and the time-to-patch for a class of bugs that have been sleeping for decades just collapsed to weeks at most.
Project Glasswing is the operational response: gate the model behind vetted human experts with audit-logged access, give them a head start to patch their own systems, then release publicly once the asymmetry is repaired. The gating layer is no longer a policy filter. It is a roster of humans with domain credentials.
What 'vetted human experts' actually means as deployment infrastructure
Glasswing pulls into the open a category of work that has been a slide-deck function at most enterprises for two years and is now becoming an operational role: expert reviewer with capability-tiered access. The job description is specific.
Domain credentials, not generic security clearance. A reviewer with access to Mythos for browser vulnerability discovery needs to be someone who maintains a major browser engine — not a generalist security engineer with a CISSP. The access is tiered by what the reviewer is qualified to catch and patch, because access without remediation capacity is just early warning of an incident.
Monitored use, not autonomous use. Glasswing access is audit-logged. Every query, every chain, every successful exploit Mythos finds is recorded — both to track what was found (so it can be patched) and to detect misuse (so the program can revoke access). The infrastructure for this is non-trivial: structured query logging, exploit-finding triage, coordinated disclosure pipelines between the consortium members. That is operational engineering, not a policy document.
Capability-tiered staged release. The Glasswing pattern is preview → consortium → vetted public → general availability, with each tier gated by the demonstrated patch coverage of the previous tier. This is the FDA-trials pattern, ported to model deployment. It will become the template for every frontier capability that has a credible dual-use story — biology, chemistry, computer security, anything else that uplifts both creation and defense.
For enterprises building on Anthropic — or on any frontier lab — this matters for a specific reason. Your team is now downstream of a deployment model that includes vetted-reviewer tiers. The next time a model with significant new capability ships, your access to it may depend on whether your team has the kind of expert-reviewer roster Glasswing demands. Responsible AI used to be a slide. It is now an operational staffing question.
The same labor pool powers AI training
Here is the part that makes Glasswing legible from a different angle. The skill set that gates frontier-capability access is the same skill set that powers high-end AI training work: a securities attorney red-teaming a financial agent, a radiologist evaluating a clinical model, a senior software engineer ranking the outputs of a coding agent, a browser-engine maintainer auditing Mythos's vulnerability claims. Different domains, same role: the human who can catch the failure mode a generalist would miss.
The frontier-lab data labeling market — Surge AI at $1.2B revenue, the broader human-in-the-loop spend at ~$1B/year per major lab — runs on this same pool. Glasswing is that pool, reorganized for cybersecurity deployment gating instead of training-data evaluation. Both directions of the role (training the model to be useful, gating the model from being dangerous) are the same human capability, deployed against different objectives. The cost structure is identical. The supply constraints are identical. The teams that already have access to a senior, domain-credentialed reviewer pool for one of those uses can credibly stand up the other.
This is why enterprises that have been treating AI training data and AI safety/security review as separate vendor categories are about to consolidate the buying decision. They're the same labor market. The vendor that supplies one is in a position to supply the other.
What enterprise teams should plan for
Three pieces of operational planning that did not need to be on a 2025 roadmap need to be on the 2026 one.
Map your access path to frontier-capability tiers. When the next Glasswing-style program opens — and the cybersecurity case suggests Anthropic and others will use the pattern again for biology, chemistry, and high-uplift coding capabilities — does your team have an existing relationship that grants you a seat at the consortium? Or are you waiting for general availability and getting the model six to twelve months after the teams that did the work? The answer determines whether your roadmap gets the capability bump or just hears about it.
Build a capability-tiered rollout pipeline of your own. Inside your own enterprise, the same staged-release logic applies to whatever AI capabilities you ship to users: internal preview → vetted pilot → broad pilot → GA, with each tier gated by demonstrated review coverage of the previous tier. This is not novel — software has shipped this way for decades — but most AI rollouts skip the tier gating because the model itself doesn't enforce it. Your platform engineering has to.
Staff the expert-reviewer function as a function, not a side project. A reviewer pool that exists on paper but has no time on the calendar to do the work is not a control. It is a checkbox. Glasswing's monitored-access design only works because the vetted experts are paid to spend time using the model adversarially. Apply the same discipline inside your enterprise: domain experts with calendared time, structured rubrics, audit-logged findings.
Where Sonnet Code fits
A frontier model gated behind vetted experts is the easy half of the story. The hard half — the half most enterprises haven't staffed — is the operating model that turns responsible AI from a slide into a function with named people, structured rubrics, and audit-logged work. AI training at Sonnet Code is exactly that operating model: senior engineers and domain experts who can stand up the vetted-reviewer role at enterprise scale, design the failure-mode rubrics that make adversarial review meaningful, and run the red-team work that catches the regressions a vendor's general-purpose evals would never see. AI development is the engineering layer: the access controls, monitoring, audit-logging, and capability-tiered rollout pipelines that let your team actually implement Glasswing-style staged deployment for whatever model you ship to users.
The gating layer for frontier AI is now human. The teams that build a credible version of that layer get early access to the next capability tier; the teams that don't, get the capability after everyone else has already deployed it. That gap is now the strategy.
