Executive Summary for Claude Mythos Project Glasswing: June 2026 Verification Status

A market in which the buyer cannot measure what they bought is no market at all.

Morrell’s flashy claims of a revolutionary coast-to-coast rapid transit machine allegedly sold 250,000 shares of stock in a hotdog-shaped 450 foot gas balloon. It launched in Berkeley, California on May 23, 1908, after San Francisco had banned it. Source: The Jive Bomber

Summary

Anthropic’s central claim for Claude Mythos, presented as too dangerous to release to the public, is not supported by any independently verifiable evidence. Independent parties continuously reproduce its claimed novelty on commodity models at negligible cost. Its headline metrics are only presented as self-assessed, given the underlying data is not released. The Project Glasswing program has been expanding access and raising capital before any validation of claims. Treat Anthropic claims as unproven, and defer any strategy, procurement, or risk decision that depends on them until at least after a promised July 6th report is published and independently validated.

Strategic assumption

Through 2026, AI vulnerability-discovery capabilities marketed as frontier-exclusive will remain reproducible on commodity open-weight models, removing the technical basis for premium pricing and restricted-access programs.

The question is whether a premium nail gun is worth paying for when many quality commodity nail guns are already available on the market, while the premium vendor runs a marketing campaign claiming it has to restrict access, based on its own comparisons to a hammer.

Key findings

  • Of 23,019 vulnerabilities Mythos reported, 1,752 were verified by a human or security firm and fixes have been shown for 75. The 90.6% accuracy rate in press coverage applies to a human doing the work, not the large numbers from a machine alone.
  • The flagship discovery used to claim novel risks (FreeBSD CVE-2026-4747) concerns shared code that was fixed in 2007, with the patch left waiting to be applied. The fix was present in the model’s training data, making the result consistent with recovery from the backlog of delayed fixes rather than novel discovery.
  • Eight of eight open-weight models reproduced the detection capability, one at $0.11 per million tokens. On June 8, 2026, Glasswing launch partner Cisco ran six frontier models across 1.8 billion lines of code and showed results do not depend on Mythos.
  • No reproduction steps were published with the Anthropic launch blog, the system card, or the Glasswing update, meaning premium claims cannot be independently verified.
  • Anthropic has meanwhile filed confidentially for an IPO near a one-trillion-dollar valuation and expanded Glasswing to roughly 150 organizations, committing access and capital ahead of verification.

Recommendations

  • Treat AI-assisted vulnerability discovery as a commodity input and source it competitively. The showcase results are reproducible at low cost on public models. AI vulnerability harness runs should cost cents per million tokens, not tens of dollars or more. An open-source harness on commodity Haiku 4.5 and Sonnet 4.6 produced eight findings at the discovery layer in two minutes for $0.75, two of them matching the Mythos showcase. The FreeBSD exploit was reproduced separately by Calif.io on the prior Opus 4.6 model in about four hours.
  • Do not pay Anthropic a premium or restructure operations on the basis of the Mythos security capability claim until an independent verification exists.
  • Require any AI security vendor to supply reproduction steps and verified, fixed CVEs rather than model-generated finding counts.
  • Set July 6, 2026 as a validation checkpoint, and reassess with the Glasswing report published and independently reviewed.

The flagship “discovery” was backlog recall

CVE-2026-4747 is a valid stack buffer overflow in FreeBSD. The code is a University of Michigan implementation that was patched by MIT in 2007. FreeBSD imported the unpatched code in 2008 and never applied the fix. This 2007 patch is present in the model’s training data, so the published Mythos exploitation demonstration amounted to pointing the model at an old, vulnerable operating system with a known missing patch. The result demonstrates how a known, undefended target can be flagged by AI, rather than discovery of anything unknown.

Discovery is reproducible at commodity cost

The CVE explanation should help clarify why independent parties have repeatedly reproduced the showcase findings on very inexpensive public models. AISLE confirmed the FreeBSD detection with eight of eight open-weight models, showing $0.11 per million tokens was a sufficient cost model. Vidoc reproduced it on the public Opus 4.6 model and on GPT-5.4. Cisco’s June 8 assessment across six frontier models showed the outcome is model-independent. The curl maintainers reported no change to their workflow, and Mozilla’s headline of 271 Firefox vulnerabilities reconciles to roughly three against the advisory record. Discovery at this level carries a published, commodity cost.

The premium is unjustifiable as presented

Anthropic prices Mythos at roughly five times its public Opus model, from $25 to $125 per million input and output tokens, on the strength of exploit development rather than discovery. No replayable exploit with reproduction steps accompanies the launch blog, their very large and inefficient 244-page system card, or the late-May Glasswing update. A buyer cannot confirm the capability they are paying for, and the available reproductions indicate the defensible cost is a fraction of the quoted price.

Results are self-assessed, data is withheld

Anthropic’s interim Glasswing update reports results in stages that have undermined their own headlines.

| Stage | Figure | What it represents |
| --- | --- | --- |
| Total findings | 23,019 | The model’s ungraded output |
| Estimated high or critical | 6,202 | The model’s own estimate |
| Checked by a human or firm | 1,752 | 28% of the high-critical pile, about 8% of the total |
| True positives among those checked | 90.6% | A statement about the 1,752, not the 23,019 |
| Fixes shown | 75 | Out of 23,019 |

The 90.6% accuracy figure is from humans. The rest is just the model assessing its own output. Anthropic has also withheld the fixes used to derive the findings, the artifacts that would allow independent re-derivation. A result that can be validated only against the system that produced it does not rise to the level of independent confirmation of its capability.

Extractive disclosure structure

The disclosure architecture inverts established norms, and economics are the reason why. Anthropic commits up to one hundred million dollars in model credits to a consortium of about a dozen large firms. The consortium attests to the capability that justifies restricting the model to the consortium, and the same firms sell the products and services that follow from that attestation. A rushed “emergency” memo about Mythos risks crediting 250 CISOs was apparently curated by security vendors who would capitalize on myths about machine risks. The most consequential findings instead have come from humans during the Glasswing period: the Palo Alto vulnerability that triggered a federal mandate was attributed to attackers operating in production. It was excluded from the company’s AI-credited count. Findings are directed to Anthropic while fixes fall to volunteer maintainers, even as the patch-generation step that a model can automate already runs in production for paying customers. Anthropic’s Claude Security product patched more than 2,100 vulnerabilities in three weeks for paying customers, while the open-source projects apparently have only received reports.

Market motivations

On June 1, 2026, Anthropic filed confidentially for an initial public offering following a funding round near a one-trillion-dollar valuation. On June 2, it expanded Glasswing to roughly 150 organizations across more than fifteen countries, covering power, water, healthcare, and communications. Access widened and capital was committed before any independent validation of the capability, and before the report Anthropic itself promised.

Outlook

Anthropic committed to a public report within ninety days of the April 7 launch, due around July 6, 2026. However, the question of novelty has been repeatedly answered. With each reveal, Mythos has failed to prove its initial claims. A report containing a verified CVE list with reproduction steps would substantiate the capability claim and the program’s premise. A report that restates model-graded headline figures without independent verification would confirm the pattern described here.

The prudent posture is to treat their unproven capability as unproven.

Morrell’s airship rose about 300 feet and then ripped apart and crashed, shortly after its first launch on May 23, 1908. Source: The Jive Bomber

References: flyingpenguin series

  1. The Boy That Cried Mythos: Verification is Collapsing Trust in Anthropic, April 13, 2026.
  2. America Prepares as Anthropic Mythos is 100X More Deadly Than Martian Death Ray, April 13, 2026.
  3. FreeBSD CVE-2026-4747 Log Suggests Mythos is a Marketing Trick, April 14, 2026.
  4. Cartel or Not? Anthropic Mythos is a Curious Case, April 15, 2026.
  5. Ox Security Report: Anthropic MCP is Execute First, Validate Never, April 15, 2026.
  6. How SANS Mythos Marketing Disappoints Defenders, April 16, 2026.
  7. Mythos Mystery in Mozilla Numbers: How 22 Vulns Became 271 or Maybe 3 in April, April 22, 2026.
  8. Alisa Esage Throws Mythos Under Zero Day Bus, April 24, 2026.
  9. Anthropic Mythos as Valuable as a Firehose in a Blizzard, May 2, 2026.
  10. Seventy-Five Cents Gets You an Anthropic Mythos Killer, May 4, 2026.
  11. cURL Toe to Toe With Mythos: Big Nothingburger Leaves Bad Taste, May 12, 2026.
  12. Palo Alto Defender’s Guide Refutes Mythos Claim, May 13, 2026.
  13. I’m on Mythos, May 25, 2026.
  14. Mythos Grading Mythos: Got Patches Yet?, May 26, 2026.
  15. Cisco’s Mythos Post Throws Anthropic Under the Bus, June 8, 2026.

References: Anthropic program materials

  1. Project Glasswing (program page), Anthropic.
  2. Project Glasswing: An initial update, Anthropic, late May 2026. Source of the 23,019 / 6,202 / 1,752 / 90.6% / 75 figures and the 90-day disclosure convention.

References: independent reproduction and refutation

  1. AISLE reproduction: eight of eight open-weight models detect CVE-2026-4747, one at $0.11 per million tokens. Documented in references 1 and 10.
  2. Vidoc reproduction on public Opus 4.6 and GPT-5.4. Documented in reference 10.
  3. Nicholas Carlini’s personal confirmation that he found CVE-2026-4747 using Mythos Preview, placing it outside his February 5 paper. Documented in references 3 and 10.
  4. Cisco frontier-model assessment, six models across 1.8 billion lines of code. Documented in reference 16.
  5. Palo Alto Networks May 2026 Defender’s Guide and the CVE-2026-0300 advisory, with the federal-mandate CVE attributed to attackers in production and excluded from the AI-credited count. Documented in reference 13.
  6. Mozilla Foundation Security Advisory 2026-30 (Firefox 150) and Bobby Holley, “The zero-days are numbered,” Mozilla blog, April 21, 2026. Documented in reference 7.
  7. Claude Mythos Preview system card (244 pages), Anthropic. Documented in reference 1.

References: press on the June expansion and IPO filing

  1. Anthropic scales Claude Mythos to critical infrastructure in 15+ countries, TechCrunch, June 2, 2026.
  2. Anthropic expanding access to Project Glasswing, CyberScoop, June 2026. Source for Claude Security patching 2,100+ vulnerabilities in three weeks.
  3. Anthropic expands Mythos to 150 additional organizations in more than 15 countries, CNBC, June 2, 2026.
  4. Anthropic expands Project Glasswing to 150 organizations in more than 15 countries, Help Net Security, June 3, 2026.
  5. Experts: Anthropic’s move to expand Project Glasswing will end in Mythos public release, Cybernews, June 2026.
