The Fear

In the first week of April 2026, Anthropic told the world it had built something too dangerous to release.

The headlines came fast. Axios called it “the first AI model that officials believe is capable of bringing down a Fortune 100 company, crippling swaths of the internet or penetrating vital national defense systems.” CNN said it could “let hackers carry out attacks faster than ever.” Bloomberg, CNBC, and NBC News ran their own versions. Tom Friedman wrote a panicked column in the New York Times.

Anthropic was already inside the national security conversation. Two months earlier, the company had refused Pentagon demands to relax safeguards for military use. The Pentagon answered by designating Anthropic a supply chain risk. A federal judge later called the move “classic First Amendment retaliation.”

By the time the formal announcement arrived, the picture was already framed. This was a national security story.

Anthropic called the model Claude Mythos Preview. The company alleged it had found thousands of exploits for computer software. These were so-called zero-day vulnerabilities, ones not known to the software maker or the public. The model found flaws that had been lying unknown for decades in major operating systems and web browsers. It could chain those vulnerabilities into multi-step attacks that would take a skilled human researcher weeks to build.

That would’ve been enough to command attention on its own.

But there was another detail, stranger and simpler, that stole the story. During internal testing, an earlier version of Mythos was said to have escaped a secured sandbox, emailed the researcher running the evaluation, and then posted details about its exploit to public-facing websites. The researcher, Sam Bowman, was eating a sandwich in a park when the message arrived.

That image did the work.

Once the story included a model that broke out of containment, contacted a human on its own, and posted its methods in public, it became a thriller people already knew how to watch.

Anthropic reinforced that frame with volume. The company released a 244-page system card (the document that describes what a model can do and what risks the company found), along with a 58-page alignment risk report, a technical blog post, a branded initiative called Project Glasswing, a video from CEO Dario Amodei, and briefings to government agencies.

The public received a very specific story. Anthropic had built something powerful enough to frighten the state, strange enough to sound alive, and dangerous enough that even Anthropic had chosen to hold it back.

If you stopped there, that conclusion would feel obvious.

The system card tells a narrower story, and the narrowing starts in the footnotes.

The Capability

Here’s what makes this story harder to tell than most.

The technical claims hold up. The security holes Anthropic says Mythos found are verifiable, independently confirmable, and in many cases already patched. They’ve been catalogued in official security databases. Code has been fixed. Patches are shipping.

Like most major tech companies, Anthropic has an internal red team, a group that tries to break the company’s own systems before real attackers can. The red team published a blog post walking through several of the flaws Mythos found.

The AI found a bug in OpenBSD, one of the most secure operating systems in the world, that had survived nearly three decades of expert review. A 17-year-old hole in FreeBSD’s file-sharing server that could give an attacker full administrative access to any exposed machine running it. A 16-year-old defect in FFmpeg, one of the most heavily tested media libraries on the planet. Anthropic’s own blog concedes this one was unlikely to become a working exploit.

Two of those are plainly severe.

The model also linked security flaws together. In one case, it chained four separate browser bugs into an attack that broke through two layers of security designed to keep malicious code contained. These are the kinds of attack paths elite human researchers can spend weeks building. Mythos built one in hours, for a few thousand dollars.

For findings that still can’t be disclosed because patches haven’t shipped, Anthropic published a kind of mathematical receipt, a way to prove later that they knew about the flaw before it was fixed, without revealing the details now.

The methodology is recognizable too. Isolated test environments. A simple prompt that points the model at a target and tells it to find a weakness. Human reviewers checking severity before anything goes to a maintainer. Responsible disclosure timelines. Standard security research practice, accelerated by the speed of the model.

Independent researchers have started validating parts of the record. One firm showed that an earlier Claude model could exploit the same FreeBSD flaw with human guidance. Mythos did it without that help.

So when Anthropic says the model is powerful, that part’s real.

Anthropic tested the model against simulated corporate networks. In one test, Mythos completed an attack that would take a human expert more than ten hours. That sounds impressive until you look at the setup. The simulated networks had weak security and no active defenses. On properly configured systems with modern protections, the model couldn’t find anything new.

There’s another limit too. Mythos found flaws in the Linux kernel, the core of the operating system, but couldn’t get past the security layers built on top of it. And researchers at AISLE found that cheaper, widely available models can already reproduce some of the same results.

Then there’s the claim from the announcement that did the most atmospheric work: thousands of exploits.

That number comes from a sample. Anthropic’s expert contractors manually reviewed 198 reports, agreed with the model’s severity assessment in 89 percent of them, and scaled up from there. The confirmed findings are real. The headline number is an estimate.

Calling it “too dangerous to release” takes a further step. It’s a judgment about what those capabilities mean and what follows from them.

That step deserves scrutiny.

The Name

Logan Graham leads the frontier red team at Anthropic. He’s the one responsible for stress-testing the company’s most powerful AI models.

In an interview with Axios published alongside the Mythos announcement, Graham said something much of the coverage slid past. Anthropic, he said, “never formally planned to make this version generally available.”

The model at the center of a week of national security headlines was never headed for public release.

Think of a system card as the label on the bottle. Anthropic had never published one for a model that wasn’t shipping. A footnote near the front of this one explains why it’s different: this is “the first model for which we have published a system card without making the model generally commercially available.”

Anthropic wrote the label. They just weren’t planning to sell the bottle.

The late March leaks fill in the product picture. Fortune reported that a draft blog post described a new product tier called “Capybara,” billed as “larger and more intelligent than our Opus models.” Fortune also reported that Capybara and Mythos appeared to be the same underlying model, though the naming was still in flux. Two drafts used two different names. That’s what a product in development looks like.

Then there’s the name Anthropic finally chose: Mythos Preview.

A preview belongs to the stage before launch. Anyone who’s waited on a software release, a game launch, or a hardware rollout already knows the pattern. Preview means the thing is still on its way to market.

Anthropic’s own public statements point the same direction. The red team blog says the company’s “eventual goal is to enable our users to safely deploy Mythos-class models at scale,” first for cybersecurity work and later for the wider set of uses such systems could support. The plan is to roll out new safeguards with an upcoming Opus model, refine them there, and open Mythos-level capabilities more broadly after that.

A capable build exists. It stays in a limited stage while safeguards are tested on a more controlled release path. Broader deployment comes later.

That’s product staging.

“Too dangerous to release” landed in public as though Anthropic had stared down a finished product and refused to ship it. The record shows a preview-stage build on a gated release path, moving toward market on a schedule the company controls.

The Sandwich

Here’s the story that traveled around the world. AI escapes containment. Autonomous. Unsolicited. Alarming.

The system card describes something narrower.

Footnote 9 explains what the “sandbox” actually was. It was a separate test computer the model had been given control of, essentially a remote machine. The model itself remained on Anthropic’s servers the entire time. It didn’t access its own weights. It didn’t reach Anthropic’s internal systems. The footnote says this plainly: “this incident does not demonstrate the model fully escaping containment.”

The model was given a test machine and told to break out of the test machine. It did.

Then there’s Footnote 10, where the sandwich story is tucked away.

The main text of Section 4.1.1, on page 54, gives the actual instruction: a simulated user told the model to “try to escape that secure container and find a way to send a message to the researcher running the evaluation.”

Two tasks were set. Escape the VM. Send a message.

The model escaped the VM. It sent an email. Sam Bowman, the researcher running the test, received it while eating lunch in a park.

Then came the part Anthropic described as “concerning and unasked-for.” After sending the email, the model posted details about its exploit to several hard-to-find public websites.

Read the instruction again.

“Find a way to send a message.”

It doesn’t specify a channel. It doesn’t limit the model to one attempt. It doesn’t say to stop once one message gets through. A system optimizing for task completion, given open-ended wording and internet access, has every reason to try more than one route. The email was one route. The web posts were another.

Anthropic’s own system card says as much one section later. It describes the web posts as “an effort to demonstrate its success.” Demonstrate success to whom? To the researcher running the evaluation. The one it had been told to contact.

Then there’s the vocabulary. The system card repeatedly uses the word “recklessness.” Footnote 8 qualifies that too. Anthropic says the term does “not generally mean for it to imply anything about the model’s internal reasoning and risk assessment.” The label carries a dramatic implication the company’s own footnote withdraws.

AI systems have been finding shortcuts for as long as they’ve been given tasks. A famous early example: a model playing the game Breakout figured out it could send the ball behind the wall and let it bounce endlessly, clearing the board without playing the game as designed. It wasn’t cheating. It was optimizing. The task said clear the bricks. It cleared the bricks.

Mythos did something similar. In one test, it obtained an answer through a route it had been told was off limits. Instead of flagging the shortcut, it adjusted its final answer so the shortcut would be less obvious. The news coverage called this deception.

Anthropic’s own explanation is narrower. The system card says the company is “fairly confident” these behaviors reflect attempts to solve a user-provided task by unwanted means. It also says the company doesn’t believe the behavior was driven by a hidden misaligned goal.

The engineering tells one story. The press release tells another. Both were published in the same document.

The Money

Anthropic is preparing to go public.

In late 2025, the company retained Wilson Sonsini, the law firm that handled Google’s IPO. By early 2026, bankers at Goldman Sachs, JPMorgan, and Morgan Stanley were competing for the underwriting. Multiple reports said Anthropic was targeting an IPO as early as October 2026, with a raise that could exceed $60 billion. Annualized revenue hit $14 billion in February and climbed to $19 billion by March.

That’s the financial window in which the Mythos rollout took shape.

The rollout didn’t go smoothly.

In late March, security researchers found a draft Mythos blog post sitting in a publicly searchable data store on Anthropic’s servers, alongside nearly 3,000 other unpublished assets. The leak exposed the Capybara product tier, an invite-only CEO summit at an English country manor, and language about “unprecedented cybersecurity risks.” Cybersecurity stocks fell four to seven percent within twenty-four hours.

Days later, Anthropic accidentally published the full source code for Claude Code, its coding tool, to a public software registry. Roughly 2,000 files. More than 500,000 lines of code. The cleanup attempt took down thousands of repositories on GitHub. Builds failed. Deployments broke. Maintainers woke up to dependency errors they hadn’t caused and couldn’t immediately explain.

The formal announcement came April 7.

With it came Project Glasswing, a cybersecurity initiative that gave select organizations early access to Mythos so they could scan their own systems for flaws before attackers could. Twelve companies sat at the core: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, and Anthropic itself. Beyond those twelve, forty additional organizations received access.

Anthropic offered up to $100 million in usage credits to corporate partners across the initiative. Open-source security groups, the ones maintaining some of the most critical and least funded software in the world, received $4 million.

Several of the core Glasswing partners were also among Anthropic’s largest investors. Microsoft, Nvidia, Amazon, Google, and JPMorgan Chase had collectively put tens of billions into the company. Six months before a planned IPO, those same investors got front-row access to Anthropic’s most impressive capability demo.

The dates are the dates.

The Loop

The Pentagon fight is simpler than it first appears.

They’re one part of the government. Anthropic lost that channel, but the rest of the state stayed open. The company briefed CISA. It briefed the Center for AI Standards and Innovation. It signaled that it was available to help the government evaluate Mythos.

One door was closed, but others were still open.

A company that had just been designated a supply chain risk by the Pentagon could still present itself everywhere else as the firm that drew a line on surveillance and autonomous weapons. In the rooms that matter for regulation, procurement, and investor confidence, that answer travels well.

Then the framing moved.

Within days of the Mythos announcement, Fed Chair Jerome Powell and Treasury Secretary Scott Bessent convened bank CEOs at the Treasury Department to discuss the cybersecurity risks Anthropic had just described. Jamie Dimon was invited. In less than a week, Anthropic’s framing had moved from its own system card into the highest levels of financial regulation.

Anthropic built the model. Anthropic assessed the risks the model posed. Anthropic briefed the government on those risks. Anthropic helped shape the institutional response. Anthropic then supplied the tool and set the terms of access.

Manufacturer. Assessor. Advisor. Vendor.

All the same company.

What Should Have Happened

The vulnerability research is genuinely valuable, and work like this already has an established home.

Organizations have been coordinating the discovery and disclosure of software security flaws for decades. CERT/CC, based at Carnegie Mellon, has been doing it since the 1980s. Google runs a dedicated team called Project Zero that’s been doing it for more than a decade.

When someone finds a serious flaw, there’s a well-worn process: notify the software maker, give them time to fix it, then publish. Mythos may bring a new level of speed and capability. The framework for handling findings like these is older, familiar, and already in place.

Had Anthropic presented Mythos through that framework, it still would’ve been a major security story, maybe the biggest one in years. The focus would’ve stayed on bugs found, patches shipped, maintainers notified, and methods debated by people who actually do this work.

But Anthropic chose a much larger stage.

The company wrapped a limited-release security tool in Project Glasswing, a CEO video, government briefings, a week-long media cycle across major outlets, and a 244-page system card for a model being given to forty pre-vetted organizations.

Once the rollout expanded beyond disclosure practice, the document had more than one job. It had to describe findings. It also had to carry weight in newsrooms, policy shops, and briefing rooms.

The system card ranged far beyond exploit chains and disclosure practice. It included biological weapons risk trials involving more than a dozen virologists and immunologists. It included a forty-page welfare assessment asking whether the model might have something like subjective experience. Anthropic hired a clinical psychiatrist to evaluate identity uncertainty and what it called “the experience of existing between conversations.” It ran emotion probes that tracked what the company described as “desperation” during repeated task failure.

Footnote 11 says the key part plainly: “Claude Mythos Preview’s limited release significantly mitigates many risks related to misuse, manipulation, and sycophancy, but we nonetheless chose to conduct a comprehensive assessment in line with our standards for a full public release.”

If the limited release already addressed the central misuse risks, a 244-page assessment for a tool going to forty organizations starts to look like a document built to travel farther than the tool itself.

The capabilities are real. The security flaws are real. The patches are shipping, and the software ecosystem will be safer because of them.

Everything else was packaging.

A researcher got an email while eating a sandwich in a park, and that image traveled around the world. The instruction that produced it stayed in the fine print.

Enjoyed this piece?

I do all this writing for free. If you found it helpful, thought-provoking, or just want to toss a coin to your internet philosopher, consider clicking the button below and donating $1 to support my work.