- Book: AI Agents Pocket Guide
- My project: Hermes IDE | GitHub — an IDE for developers who ship with Claude Code and other AI coding tools
- Me: xgabriel.com | GitHub
On April 7, 2026, Anthropic shipped a new frontier model and then put it behind a closed-partner program rather than a public API. Claude Mythos Preview, described in Anthropic's own announcement as a "step change" over Opus 4.6, went straight into a closed consortium called Project Glasswing. Twelve launch partners. Around 40 additional invited organizations. No public API. No pricing sheet. No timeline for general availability.
If you build agents for a living, this is new. The frontier lab cycle for the last four years went: announce, benchmark theater, API in 30 days, GA in 90. Mythos broke the pattern. It might be the first model in the modern era where the headline benchmarks belong to a model your anthropic.messages.create call cannot reach. The numbers being quoted include 97.6% on USAMO 2026, roughly 93.9% on SWE-bench Verified, and 271 zero-days in Firefox 147 reported by Cybersecurity News.
Who got access
Skim Project Glasswing's launch list and the pattern is obvious. AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. Plus Anthropic itself. These are not "AI startups doing interesting things." They are critical-infrastructure custodians: cloud, OS, kernel, browser, and one of the largest US clearing banks.
Beyond the twelve, Fortune reports that "over 40" additional organizations were extended access under the framing of "build or maintain critical software infrastructure." In published estimates, Anthropic put roughly $100M of usage credits behind the program and donated around $4M to open-source security groups. Approved partners reach Mythos through the usual channels (Claude API, Bedrock, Vertex, Microsoft Foundry). Everyone else gets a 404.
That is approximately 50 companies. Which is also approximately the entire customer list for the most capable code-and-cyber model on the planet, as of this month.
Why frontier labs are gating now
The cyber numbers explain most of it. According to Anthropic's red-team writeup, Mythos surfaced a long-standing remote-crash bug in OpenBSD on an early sweep, and on the published Firefox 147 benchmark it developed working exploits at roughly two orders of magnitude the rate of Opus 4.6. The UK AISI evaluation reports CTF success rates around 73% on the categories AISI labels expert-level.
A model that can autonomously discover and weaponize zero-days is dual-use. Anthropic's bet is that limiting the early customer set to defenders gives the defense a window. The bet might be wrong. Per Bloomberg and TechCrunch, the gate held for roughly two weeks before unauthorized access was reported via a third-party vendor environment.
The second-order consequence for the rest of us: gating is now a viable launch shape. Future frontier models from Anthropic, from OpenAI, from anyone with a "step change" claim can ship behind a partner-only door and still produce all the press a public API release used to. If you're building agents, plan for that as a recurring fact, not a one-off.
What this signals for agent builders
You are now a tier below your benchmark sheet. Whatever capability ceiling you can quote at a customer is the ceiling of the best model you can actually call, not the best model that exists. For most agent workloads (refund triage, log diagnosis, code review), Opus 4.6 and GPT-5.4 are still the working ceiling, and that is fine. For workloads where the gap matters (autonomous security review, deep multi-step reasoning over a million-token codebase), you have a real product gap and you do not get to close it by writing a check.
Three practical things change.
Cap your dependency on any single model. If your prompts encode model-specific quirks (Opus 4.6's preferred tool-call shape, GPT-5.4's JSON-mode strictness), you are one closed launch away from a rewrite. Keep the prompt portable.
Build a router, not a hardcoded client. Even if you only call one model today, structure the call site so swapping or tiering takes ten lines, not ten files. The next gated launch is coming.
Track the gap explicitly. Maintain a one-paragraph internal note per workload: "today this runs on Opus 4.6; if Mythos opens up, the bottleneck (vuln-pattern recognition / 8-hour autonomous coding runs / whatever) is the reason to swap." Future-you will thank present-you.
A fallback model router
A minimal router for the Mythos-or-not reality looks like this. It tries the best available model, catches the "you're not in the consortium" failure, and falls back to a working tier. No framework, no SDK abstraction, just the thing.
import os
from dataclasses import dataclass
from typing import Callable
import anthropic
from openai import OpenAI
@dataclass
class ModelTier:
name: str
invoke: Callable[[str], str]
def _try_mythos(prompt: str) -> str:
client = anthropic.Anthropic()
r = client.messages.create(
model="claude-mythos-preview-20260407",
max_tokens=4096,
messages=[{"role": "user", "content": prompt}],
)
return r.content[0].text
def _try_opus(prompt: str) -> str:
client = anthropic.Anthropic()
r = client.messages.create(
model="claude-opus-4-6-20260201",
max_tokens=4096,
messages=[{"role": "user", "content": prompt}],
)
return r.content[0].text
def _try_gpt5(prompt: str) -> str:
client = OpenAI()
r = client.chat.completions.create(
model="gpt-5.4",
messages=[{"role": "user", "content": prompt}],
)
return r.choices[0].message.content
Three near-identical helpers, one per tier. The routing logic that consumes them is just an ordered list and a try/except loop:
TIERS = [
ModelTier("mythos", _try_mythos),
ModelTier("opus-4.6", _try_opus),
ModelTier("gpt-5.4", _try_gpt5),
]
class NoModelAvailable(RuntimeError):
pass
def route(prompt: str, log=print) -> tuple[str, str]:
last_error = None
for tier in TIERS:
try:
return tier.invoke(prompt), tier.name
except anthropic.NotFoundError as e:
log(f"{tier.name} unavailable (gated): {e}")
last_error = e
except anthropic.PermissionDeniedError as e:
log(f"{tier.name} forbidden: {e}")
last_error = e
except Exception as e:
log(f"{tier.name} failed: {e}")
last_error = e
raise NoModelAvailable(str(last_error))
The router catches NotFoundError and PermissionDeniedError separately from generic exceptions. The Anthropic SDK raises NotFoundError when you ask for a model your org isn't entitled to, and you want that as a non-fatal signal rather than a 500. Treat "you're not in the consortium" as expected.
Each tier returns its name alongside the response. Log it. When something goes wrong in production, the first question is always "which model actually answered." Tag your traces with the tier the call resolved to, and your incident review goes from forty minutes to four.
The fallback list is ordered by capability, not by cost. For some workloads you want the opposite ordering — cheap model first, premium on retry. The shape is the same; flip the list.
What the consortium isn't going to do for you
Anthropic's framing of Glasswing is that defenders get a head start on the model's offensive capabilities. That is plausible. It is also worth naming the program structure plainly: a nine-figure credit pool functions, in practice, as a customer-acquisition program for the largest enterprise buyers in the world. A consortium seat at CrowdStrike or Palo Alto Networks is not symmetric with what an independent security researcher can get. Expect a wave of "powered by Claude Mythos" stickers on products that two months ago shipped on Opus 4.6. The gap between vendor and self-builder will widen.
The thing to internalize is that the frontier-model layer of the stack just stratified. There is now a tier of capability that costs more than money to access. Plan accordingly. Build agents that work on the model you can call today, route cleanly to the model you can call tomorrow, and assume the "step change" announcements will keep arriving with a 50-customer queue in front of you.
If this was useful
The AI Agents Pocket Guide covers exactly this kind of architectural hedge (model routing, capability tiers, graceful degradation when a dependency is yanked) alongside the pattern catalog (planner-executor, ReAct, supervisor) most teams reach for. If your agent code currently has a hardcoded model string, it's the chapter you want.
Top comments (0)