Anthropic did not ship Claude Mythos Preview to the public. They staged it through Project Glasswing, a coordinated disclosure program routing the model to critical-infrastructure operators and upstream open-source maintainers first. The public gets the model after the patches land, not before.
It is worth asking what the other timeline looks like. Same model, same capabilities, but pushed to the API on launch day. What actually happens?
What the weapon does
Mythos Preview is not a better fuzzer. It reasons about code. The published evaluations are the relevant data:
- Thousands of previously unknown vulnerabilities across every major operating system (Linux, Windows, macOS, OpenBSD, FreeBSD) and every major browser (Chrome, Safari, Edge, Firefox).
- Tier-5 control-flow hijack on ten separate, fully-patched OSS-Fuzz targets. Opus 4.6, for comparison, reached tier-3 on one.
- Multi-bug exploit chains against the Linux kernel, the kind of work previously associated with elite human researchers.
- A guest-to-host memory-corruption flaw in a production hypervisor. That one matters because it breaks the boundary cloud providers sell you.
- A 27-year-old OpenBSD TCP SACK kernel-crash chain and a 16-year-old FFmpeg H.264 decoder flaw, both hiding in plain sight.
- Roughly $20,000 for one thousand agent runs against OpenBSD, surfacing dozens of findings. The marginal cost per exploit is dinner money.
Exploit capability was not explicitly trained. It emerged as a downstream consequence of code-reasoning improvements, which is the part that should concern anyone modeling where capability is headed.
The defender has a structural problem
Every serious answer to "what would happen" turns on one number: the gap between how fast an attacker can weaponize and how fast a defender can patch.
The attacker cycle, with Mythos in hand, is minutes per target. Spin up a hundred parallel agents and it is seconds per target in aggregate.
The defender cycle is this:
- Browser emergency patch: three to seven days to ship, then weeks for users to actually apply it.
- Enterprise Windows rollout: thirty to ninety days is routine.
- Embedded systems, routers, IoT, industrial control: months to never.
That gap is not a detail. It is the entire game.
Who gets hit
Drive-by browser compromise is the unsexy answer that matters most. Every consumer device on the internet runs one of four browsers that have known-exploitable zero-days in the public release scenario. Malvertising networks and watering-hole campaigns do not require users to make mistakes. They require users to load a webpage.
Four concentric rings of harm, from center out:
Consumers. Info-stealers, banking trojans, ransomware delivered via ordinary web traffic. Tens to hundreds of millions of endpoints touched in the first month. Not a guess. The browsers in question have billions of users between them, and the exploits work before patches ship.
Cloud tenants. The hypervisor escape means a ten-dollar-per-hour attacker VM on the same physical host as your production workload can pivot to it. Multi-tenant isolation was the architectural assumption underneath the entire public-cloud industry.
Critical infrastructure. Hospitals, utilities, municipal government, school districts. The organizations least equipped to patch in days rather than months. Every Change Healthcare, every Colonial Pipeline, but concurrent.
The long tail. Home routers, consumer IoT, industrial controllers, embedded medical devices. These never fully patch. They become a permanent botnet substrate.
Timeline
Rough, but grounded in how past mass-exploitation events actually unfolded:
- Hour 0 to 24. Proofs of concept spread on private channels. Nation-state actors scale first because they already have the infrastructure.
- Day 1 to 7. First malvertising waves. Browser vendors push emergency patches. Adoption is days to weeks behind.
- Week 1 to 4. Enterprise ransomware wave hits before patch rollouts complete. Cloud tenant breaches start surfacing in disclosures.
- Month 1 to 3. Hospitals, schools, small businesses without patching discipline absorb the impact. Long-tail exploitation of infrastructure that will never get patched begins.
The right comparison is not a single past event
Every analogy people reach for undershoots. EternalBlue gave us WannaCry. Heartbleed exposed roughly seventeen percent of secure web servers. Log4Shell touched hundreds of millions of devices. Stagefright covered most of Android. Spectre covered most CPUs.
The counterfactual Mythos release is not any one of those. It is all of them simultaneously, plus an agent that weaponizes each one autonomously for the price of a coffee. The direct-harm population, meaning people who lose money, have data stolen, or lose access to services they need, is plausibly north of one hundred million in the first quarter. The indirect-harm population, through degraded healthcare and finance and utilities, is effectively everyone connected to the internet.
Why Glasswing is the actual story
The conversation around Mythos has focused on whether Anthropic is being paternalistic by withholding it. That framing misses the point. The model is withheld because the defender patch cycle cannot keep up with the attacker weaponization cycle, and the only way to close that gap is to patch before the weapon is public.
Project Glasswing is the patch window. The reason the public release is delayed is that the staged release is the one that results in fewer people getting hurt.
The counterfactual question is useful mostly because it makes the existing decision legible. The decision is not "do we want this capability in the world." The capability is coming, from Anthropic or from someone else, with or without coordinated disclosure. The decision is whether the first day it exists in the open is a day defenders have had a chance to prepare for.
That is the whole argument.
Top comments (0)