AI-First
Anthropic had promised Mythos would stay under lock and key. Eight weeks later, strings referencing "Mythos 1" are showing up in the production code of Claude Code. The model that was supposed to remain restricted to 40 organisations is going commercial.
I have been tracking Mythos developments since the accidental leak in March 2026, and what early Project Glasswing companies are reporting changes how we should think about AI-driven cybersecurity. The benchmarks are spectacular, the geopolitical implications are serious, and the question for SMBs is more concrete than it appears.
- 🔥 Mythos 1 in production: UI strings in Claude Code confirm a commercial launch is imminent.
- 📊 10,000+ critical vulnerabilities: found by Glasswing in 8 weeks across major open-source software.
- 🌍 Europe is negotiating in a vacuum: the Commission still has no access, BNP is building with Mistral.
- ⚠️ SMBs should pay attention: automated cybersecurity is about to redefine the minimum standard of protection.
What Glasswing produced in 8 weeks
What concrete results did the partners achieve?
When Anthropic launched Project Glasswing on April 7, 2026, the programme brought together 12 major tech players and over 40 hand-picked partner organisations: AWS, Apple, Google, Microsoft, NVIDIA, CrowdStrike, JPMorgan Chase, among others. The mission was specific: scan critical infrastructure and open-source projects for zero-day vulnerabilities.
Results came fast. According to CyberSecurityNews, Mythos identified over 10,000 high or critical-severity vulnerabilities in widely used open-source software. The UK's AI Security Institute (AISI) published an independent assessment: Mythos solves 73% of expert-level cyber tasks that no model could handle before April 2025, according to tech-insider.org.
This is not a lab exercise. The functional exploits generated by Mythos work on the first attempt in 83% of cases, a success rate that consistently exceeds that of specialised human pentest teams, according to data reported by Clubic.
How does Mythos compare to other models?
The raw benchmarks are staggering. Anthropic's 158-page system card details the scores: 93.9% on SWE-bench Verified (versus 80.8% for Claude Opus 4.6, a +13.1-point jump), 97.6% on USAMO 2026, and 83.1% on CyberGym. Out of the 18 comparisons published in the system card, Mythos leads on 17.
| Benchmark | Claude Opus 4.6 | Mythos Preview | Trend |
|---|---|---|---|
| SWE-bench Verified | 80.8% | 93.9% | ↑ +13.1 pts |
| CyberGym | ~55% (est.) | 83.1% | ↑ major leap |
| USAMO 2026 | ~72% (est.) | 97.6% | ↑ +25 pts |
| AISI cyber tasks | < 30% | 73% | ↑ first ever |
SOURCE: Anthropic 158-page system card + AISI evaluation · Updated 04/2026
This is the first time an LLM has systematically outperformed the best humans on advanced CTF challenges. The gap with competing models (GPT-5.5, Gemini 2.5 Pro) is so wide that the question is no longer "which model is best at cyber," but "who gets access to this one."
Why Anthropic is loosening the reins now
What does Mythos 1 change compared to Mythos Preview?
For two months, Anthropic's official line was clear: Mythos stays restricted until "guardrails" are in place. The exact wording from the updated Glasswing report is softer: "Mythos-class models could reach the public once the right protections are installed." The conditional has replaced the prohibition.
What has concretely changed is the appearance of references to claude-mythos-1-preview in the Claude Code source, alongside a redesigned Claude Security interface displaying vulnerability triage dashboards. According to AI Weekly, the UI strings explicitly mention "Access to the Claude Mythos model in Claude Code and Claude Security."
Meanwhile, Claude Opus 4.8 is under evaluation with selected partners. Opus 4.6 in November 2025, Opus 4.7 on April 16, 2026, Opus 4.8 in late May 2026: Anthropic is compressing its release cadence. Mythos 1 fits into this acceleration as a premium tier, not an isolated prototype.
Why is this timing strategic?
The pressure is coming from three directions. OpenAI is pushing Codex and GPT-5.5 in the developer segment. Google DeepMind is targeting the same enterprise budgets with Gemini 2.5. Open-weight models (Llama 4, Mistral) are gaining ground on code tasks.
I see the same dynamic with my SMB clients: a tool that stays in beta too long misses its window. The shift from "never public" to "coming soon, with conditions" is not a change in philosophy, it is commercial pragmatism.
Europe is negotiating in a vacuum
Why doesn't the European Commission have access?
The Glasswing partner list speaks for itself: AWS, Apple, Google, Microsoft, CrowdStrike, JPMorgan Chase. American companies, with a few American banks. According to Clubic, Anthropic gave Mythos access to roughly forty to fifty organisations, almost entirely from the US tech sector and entities tied to American national security. Not a single European bank is on the list.
The European Commission has been negotiating with Anthropic since April 2026. Spanish officials have publicly described the situation as "deadlocked." Anthropic's position rests on a risk argument: broader distribution would turn Mythos into a potential weapon.
The argument is defensible on its merits, but the outcome is the same: Europe does not have access to the world's best AI cybersecurity tool.
How are BNP and Mistral responding?
Faced with this wall, BNP Paribas made a pragmatic choice: partner with Mistral AI to develop a model dedicated to banking cybersecurity. The reasoning is logical. If Anthropic will not share, you might as well build with a French player whose value chain you control.
This initiative illustrates a pattern I see repeating across sectors. When an American tool is inaccessible or raises sovereignty concerns, large European groups build local alternatives. The problem is the performance gap. Mistral produces excellent generalist models, but replicating Mythos's specific cyber capabilities (83% functional exploits on the first attempt, 73% of AISI expert tasks) will take time.
For French SMBs that have neither BNP's budget nor Glasswing access, the question is more down-to-earth: when will Mythos 1 be available through Anthropic's public API, and at what price? Based on the data I analysed previously, the estimated rate of $125/MTok puts Mythos out of reach for daily use, but makes it perfectly viable for one-off security audits.
What this concretely changes for businesses
Should you wait for Mythos to secure your systems?
No. And that may be the most important takeaway from this article. Mythos is spectacular, but it operates within a very specific framework: structured security teams with existing triage pipelines, hunting zero-days across massive codebases.
For a 50-person SMB, the real gain is not in the model. I have been helping SMB leaders integrate AI for two years, and the lesson holds true on every engagement: the value lies in integrating with existing workflows, not in the raw power of the model. A well-connected Claude Opus 4.6 plugged into your back office, CRM, and security logs already handles 80% of what Mythos does better.
What will change when Mythos 1 lands in Claude Code is the minimum standard of what counts as acceptable protection. If your competitor is using Mythos to audit its code continuously and you do not even have an annual audit, the gap widens. The risk is not technical, it is competitive.
What action plan should you follow?
For cybersecurity, the action plan is the same as for any AI integration:
- Audit what you have today using available tools (Snyk, Veracode, or Claude Opus via the API).
- Build a triage pipeline so that when Mythos 1 becomes accessible, integration takes days rather than months.
- Track Anthropic's announcements on Mythos 1 API pricing, because the commercial model will determine whether this is an enterprise-only tool or an accessible one.
The danger would be waiting for Mythos like a saviour. The SMBs winning with AI are the ones that start with focused agents on measurable tasks, not those waiting for the next miracle model.
"The real value is not in the model, but in what you plug into it. Mythos will do nothing for a company that has no security pipeline."
Vincent, May 2026
What Mythos reveals about the next AI wave
How does Mythos reshape the competitive landscape?
JDN raised a point that few commentators have picked up: Mythos incorporates an asynchronous memory consolidation architecture through the KAIROS and AutoDream systems, uncovered in the Claude Code leak in March 2026. The agent analyses its failures, consolidates memory across sessions, and refines its strategies autonomously. According to the Journal du Net, it is "the first persistent, autonomous, and covert AI."
This architecture raises serious regulatory questions. The EU AI Act is being phased in, and an autonomous agent without human oversight could fall under the "high risk" category. The OECD estimates that 47% of jobs across its member countries are exposed to AI automation. That figure takes on a different dimension when AI can work 24/7 without supervision.
Anthropic has built a tool that its own deployment conditions struggle to govern. The 158-page system card and the $100 million credit show the company takes the issue seriously. Whether the pace of commercialisation will leave enough time for the guardrails to hold is another matter.
For French SMBs, my advice remains the same: do not let the hype paralyse you. Existing models, properly integrated into your processes, already deliver measurable value. Mythos 1 will arrive. The companies that benefit most will be those that already have their workflows in order, not those discovering AI on launch day.
Frequently asked questions
When will Claude Mythos 1 be available to the general public?
No official date has been announced by Anthropic. Production signals (UI strings in Claude Code, the Claude Security dashboard) suggest a phased rollout in the second half of 2026. The updated Glasswing report mentions "Mythos-class models could reach the public once the right protections are in place," with no specific timeline.
How much will Mythos 1 cost through the Anthropic API?
Estimates point to around $125/MTok for input, roughly 8 times the price of Claude Opus 4.6. That positions Mythos as a tool for one-off audits or critical tasks, not as a daily production model for SMBs. Final pricing will depend on the launch tier Anthropic chooses.
Can European SMBs use Mythos today?
No. Access remains limited to Glasswing partners, which are almost entirely American. Negotiations between the European Commission and Anthropic have been stalled since April 2026. BNP Paribas is building an alternative with Mistral AI, but it targets banking cybersecurity and will not be publicly available.
Does Mythos replace traditional cybersecurity tools?
Not in its current form. Mythos excels at vulnerability discovery and exploit generation, but it fits into an existing pipeline (triage, remediation, monitoring). Tools like Snyk, Veracode, or CrowdStrike cover complementary functions that Mythos does not replace. Mythos's value lies in detection, not in real-time protection.
What is the link between Mythos and Claude Code for developers?
The discovered UI strings mention Mythos access directly within Claude Code. For developers, this means security auditing integrated into the coding workflow: you write code, Mythos scans in the background. It is the most natural integration possible, and the one that will create the most value for technical teams.
Vidéos YouTube
Articles & ressources
- Anthropic Mythos 1 Surfaces in Claude Code Production Build · aiweekly.co
- Bientôt un Claude Mythos "made in France" ? La BNP et Mistral travaillent activement sur le sujet · Clubic
- Claude Mythos ne dort jamais, ment sur son identité, et personne n'en parle · JDN
- Claude Mythos : 93,9% SWE-bench, Glasswing · tech-insider.org
- Anthropic's Restricted Claude Mythos Moves Toward Public Release · CyberSecurityNews