Anthropic is shifting pieces around Mythos, their most sensitive cybersecurity model, and the latest signals point to an upcoming integration with Claude Code and Claude Security. There’s no official announcement of general availability yet, but the appearance of internal references like claude-mythos-1-preview and mentions of “access to the Claude Mythos model in Claude Code and Claude Security” suggest the company is already working on bringing this technology from the controlled environment of Project Glasswing to a more accessible product for technical teams.
The difference from other AI launches for developers is significant. Mythos is not designed solely for autocompleting code, generating tests, or explaining functions. Anthropic has presented it as a model capable of identifying real vulnerabilities in complex software and, in certain scenarios, helping demonstrate that these flaws are exploitable. This capability makes it an attractive tool for defenders but also a technology that requires more controls than a conventional programming assistant.
From Restricted Program to Developer Product
Mythos originated within Project Glasswing, an initiative by Anthropic to strengthen the security of critical software before models with similar capabilities become accessible to more actors. The program has been set with restricted access and selected partners precisely because the company considers the model crossing a delicate boundary: it can accelerate defensive work but also lower the technical barrier to finding and exploiting vulnerabilities.
Now, focus is shifting to Claude Code and Claude Security. TestingCatalog has reported signals in the interface and code that point to a product called Mythos 1, with a preview label. BleepingComputer also reports that some users may have seen the model temporarily in the interface before it disappeared. The cautious interpretation is that Anthropic is laying the groundwork, not that access has already been opened to all users.
The fit with Claude Code seems natural. If a tool can already read repositories, understand dependencies, modify files, and reason about changes, adding a specialized layer for vulnerabilities makes it much closer to an integrated security auditor in the developer’s daily workflow. It would no longer be an external review at the end of the cycle but a continuous check during writing, reviewing, and deploying code.
| Piece | What Mythos Could Contribute |
|---|---|
| Claude Code | Repository review, flaw detection, patch suggestions, and PR analysis |
| Claude Security | Vulnerability dashboard, history, prioritization, and technical triage |
| AppSec Teams | Faster identification of real flaws and impact validation |
| DevOps / DevSecOps | Early integration into pipelines and delivery flows |
| Open Source | Help in detecting critical errors but also increased pressure on maintainers |
The most interesting part of Claude Security would be turning findings into actionable work. A model that only returns thousands of potential bugs can overwhelm any team. The real value lies in explaining the risk, filtering false positives, indicating if exploitation is feasible, suggesting fixes, and prioritizing what should be addressed first.
Discovery Will No Longer Be the Bottleneck
Project Glasswing has revealed an uncomfortable reality: AI is beginning to find flaws at a pace that can outstrip human capacity to verify and patch them. Anthropic has stated that Mythos Preview is being used to protect widely-used software, and recent reports point to thousands of vulnerabilities detected in significant projects, although many of these details remain limited for security reasons.
This shifts the industry balance. For years, a significant part of security work involved finding the flaw. With models like Mythos, the problem moves: validation, reproduction, prioritization, fixing, and deploying patches must be much faster. AI can reduce discovery time but doesn’t fix broken dependencies, slow release cycles, or the resource shortages in open-source projects on its own.
Cloudflare, one of the organizations that has worked with Mythos within Project Glasswing, explained that these models can reason about exploitation chains and find complex vulnerabilities, but also emphasized the need for strong controls. Opening such capabilities without safeguards is not enough; reliance on them without oversight is risky.
The clear takeaway for companies is that Mythos can be an advantage if there’s a mature security culture. Without asset inventories, dependency management, SBOMs, controlled CI/CD pipelines, responsible teams, and realistic patch windows, an advanced tool could become a source of ongoing debt.
A Defensive Tool with Dual-Use Risks
Anthropic is walking a tightrope. Limiting Mythos too much could make security teams see it as a distant promise. Opening it too wide could enable offensive capabilities to inexperienced users or malicious actors. The company has indicated it plans to make Mythos-class models available once stronger safeguards are in place, likely first in enterprise or controlled environments.
The risk is not theoretical. Anthropic’s public documentation about Mythos Preview describes scenarios where individuals without formal security training managed to leverage the model to discover advanced vulnerabilities and obtain functional proof of concepts. This explains why this launch cannot be treated as just another feature inside a coding assistant.
For defense teams, the ability to demonstrate exploitability is valuable. It helps distinguish minor flaws from urgent vulnerabilities. For attackers, that same capability reduces effort, time, and cost. Therefore, the product will need safeguards: traceability, usage controls, access policies, continuous red teaming, restrictions on sensitive outputs, and likely different levels based on client profile.
| Defense Benefit | Associated Risk |
|---|---|
| Identifies deep vulnerabilities | May accelerate offensive research |
| Helps reproduce flaws | May generate sensitive exploit proofs |
| Prioritizes real issues | Could produce unmanageable reports at scale |
| Improves code review | Could foster over-reliance on the model |
| Reduces AppSec workload | May shift the bottleneck to patching |
The arrival of Mythos will also impact the security tools market. SAST, DAST, dependency scanners, and AppSec platforms have been evolving for years, but many still rely on relatively static rules, patterns, and analysis. A model capable of reasoning about code and behavior can raise the bar—if its accuracy is sufficient and its results are auditable.
What Should Technical Teams Prepare?
The potential arrival of Mythos in Claude Code should not be seen as an invitation to replace current security practices but as a signal to strengthen them. Development teams will need to figure out how to integrate AI into code reviews, pull requests, pipelines, and audits without turning it into a black box.
The first step is defining where it can operate. It’s not the same to use Mythos on internal repositories, open-source libraries, third-party code, firmware, critical systems, or regulated environments. It will also be necessary to decide who can launch deep analyses, how results are stored, what data leaves the corporate environment, and how findings affecting vendors or external projects are managed.
The second step is to prepare triage processes. If the tool flags a vulnerability, someone must confirm its existence, evaluate impact, assign responsibility, decide on patches, test regressions, and document fixes. AI can speed up many of these steps, but accountability remains human and organizational.
The third step is to accept that open source may receive an influx of AI-assisted reports. Some will be valuable; others will be noise. Without proper management, maintainers could become overwhelmed by partially correct, duplicate, or hard-to-reproduce reports. Responsible coordination will be as crucial as the technical capabilities of the model.
Mythos points to a different stage in software security. Now, AI not only helps build applications faster but also begins to break them before others do. When used properly, this capacity can greatly improve defense. When poorly governed, it can increase pressure on an ecosystem already burdened with too many unresolved vulnerabilities.
Anthropic seems to be aiming for that middle ground: turning a powerful technology into a product while keeping in mind its dual-use nature. Claude Code and Claude Security might be the first environments where this transition is tested.
Frequently Asked Questions
What is Claude Mythos?
Claude Mythos is an Anthropic model focused on cybersecurity, with advanced capabilities to find vulnerabilities, analyze code, and help validate flaws in controlled environments.
Can Mythos be used in Claude Code now?
There’s no official confirmation of general access. Internal references and signals under the label claude-mythos-1-preview have appeared, but public deployment has not been announced.
Why doesn’t Anthropic release it without restrictions?
Because it’s a dual-use tool. It can assist defenders in finding and fixing bugs but also enable offensive tasks if not properly controlled.
What impact could it have on development teams?
It could bring security review closer to the daily coding workflow, helping to detect vulnerabilities before deployment, though it will require improved triage and patching processes.