Anthropic Mythos: the private gatekeeper of zero-days

The story buried under the Mythos launch is not capability — it is governance. By refusing to ship Mythos as a normal API product and instead routing access through Project Glasswing, Anthropic has effectively made itself the gatekeeper deciding which companies and which governments get to see what may be the most productive zero-day discovery system ever built ^[1][2]. The founding coalition reads like a list of US infrastructure incumbents: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself ^[2]. There is no European telco, no European bank, no European agency on that list. For two months, the practical security map of the internet was being redrawn inside a private US coalition.

That is what makes the June 1 ENISA announcement consequential rather than ceremonial. Anthropic communicated the decision to the European Commission over the weekend, and ENISA becomes the first EU agency authorized to use the model exclusively for defensive purposes ^[3][4]. The path to that decision ran through pressure: EU lawmakers called the asymmetry 'extremely worrying,' Commission representatives flew to San Francisco for briefings, and an invited Anthropic hearing was declined for short notice ^[5]. The deeper question — whether a private lab should be the entity adjudicating sovereign access to defensive cyber capability at all — has not been answered. It has just been deferred behind a one-off accommodation. Other agencies in other jurisdictions will now be measuring their own positions against ENISA's, and Anthropic will be measuring each request against its own internal policy. Self-regulation, as Gary Marcus put it bluntly, is the operating model whether anyone signed off on it or not ^[6].

Anthropic's headline statistic is a deliberately large one: Mythos Preview has surfaced 23,019 potential issues across more than 1,000 open-source projects ^[7]. The 30-day Glasswing update touts more than 10,000 high or critical-severity findings and a true-positive rate above 90% on validated samples ^[8]. Read carefully, the qualifier matters. As of late May 2026, only 1,900 of the 23,000 issues had been reviewed by external security firms, and 1,726 of those were confirmed ^[7]. The cybersecurity community on Reddit has been making exactly that point, and they are not wrong: the gap between 'potential vulnerabilities surfaced' and 'verified, patched, gone' is the gap where most security tooling collapses.

The other number worth scrutinizing is disclosure throughput. Anthropic reports 1,596 vulnerabilities disclosed across 281 open-source projects as of May 22, with only 97 patched ^[7]. That is roughly a 6% patch rate on disclosed bugs, even with a $2.5M grant to Alpha-Omega/OpenSSF and $1.5M to Apache to absorb the workload ^[2]. Triage capacity is the binding constraint, not detection. This is the part of the story Anthropic's marketing flattens: the model is fast enough at finding bugs to overwhelm the human and institutional pipelines that have to verify and fix them. Cloudflare's Grant Bourzikas was right that the qualitative leap is exploit-chain construction, not enumeration ^[9]. But on the defensive side, enumeration is what the world is currently drowning in.

Mythos post-preview pricing is set at $25 per million input tokens and $125 per million output tokens, roughly 5x the rate of Opus 4.6. Concrete workloads make that pricing tangible: about $20,000 for 1,000 OpenBSD scans, around $10,000 for the FFmpeg work that surfaced a 16-year-old H.264 bug missed by five million automated tests, and $1,000 to $2,000 per individual Linux exploit ^[1]. Those numbers explain why Anthropic is underwriting Glasswing partners through a $100M usage-credit pool — at list price, even well-resourced security teams would burn through hundreds of thousands of dollars per audit, and the model's value proposition would collapse under its own cost curve ^[2].

The subsidy reshapes the market in ways worth naming. Glasswing partners get effectively unlimited Mythos against their own codebases; non-partners do not. Open-source maintainers get scans paid for by Anthropic but receive a deluge of disclosures with a 6% patch rate. Security consultancies pricing manual penetration tests now compete against a tool whose marginal cost to its sanctioned users is approximately zero. And the pricing itself — 5x Opus — sets a floor for what frontier-class cyber AI is allowed to cost, which is the kind of signal competitors read carefully. XBOW's positioning of OpenAI's GPT-5.5 as the open alternative to Mythos's invite-only model is not just competitive marketing; it is a wager that openness will be a more durable distribution strategy than gatekeeping once the capability becomes table stakes.

The Palo Alto Networks bake-off is the most concrete data point about what Mythos actually does to the security industry. Palo Alto ran Mythos and GPT-5.5-Cyber across more than 130 of its own products in roughly one month, surfaced 75 legitimate vulnerabilities — well above its typical 5 to 10 per month baseline — and published 26 CVEs ^[10][11]. Three weeks of model-driven analysis matched what would normally be a full year of manual penetration testing, with broader coverage ^[10][12]. Chief Product Officer Lee Klarich's framing was unsentimental: these models are much better at writing working exploits than anything seen before ^[10].

The defensive-window claim that followed is the part the security industry has not metabolized. Palo Alto is telling customers that attackers are 3 to 5 months from comparable capability ^[11]. If that timeline is correct — and there is no way to verify it externally — the implication is that every organization which currently relies on annual or semi-annual third-party penetration tests is on a clock. The economics of the third-party pentest itself are now in question: a one-month engagement against a Glasswing-subsidized tool will plausibly find more in three weeks than a quarterly retainer finds in a year. Cloudflare's internal test of 50+ repositories, Mozilla's 271 surfaced Firefox vulnerabilities, and the 27-year-old OpenBSD TCP/SACK flaw that survived decades of human review all point in the same direction ^[1][7][9]. Manual penetration testing as a primary line of defense is not dead, but it is no longer the most productive use of senior security headcount.

Anthropic's safety framing has worked harder than its technical framing. The company's April 7 disclosure positioned Mythos as too dangerous to release as a normal product, and Project Glasswing was the structural answer to that framing ^[1][2]. Seven weeks later, ENISA is in, the partner list has grown, and the institutional logic of 'controlled defensive access' is being stretched to cover what is starting to look like a fast onboarding curve. The Institute for Security and Technology's reading is the one to take seriously: Anthropic itself acknowledged in its model card that the risk of significantly harmful outcomes substantially enabled by Mythos Preview's misaligned actions is very low, but higher than for previous models ^[13].

That sentence is the safety narrative's real load-bearing claim, and it cuts both ways: it concedes the elevated risk, and it asks the world to trust Anthropic's process for managing it. Gary Marcus's response — that Anthropic showed admirable restraint but that competitors such as OpenAI and xAI may not, and that self-regulation is too little, too late — is the most clarifying take in the public record ^[6]. Mythos is the first concrete test of whether a private AI lab's safety judgment can serve as durable governance for a capability with national-security implications, and the answer is going to come from how the next ten access decisions are made, not from how the first one was.