Trust Us, It's Dangerous
Anthropic built an AI model that can find zero-day vulnerabilities. Thousands of them. In operating systems, browsers, critical infrastructure. Some of these bugs had been hiding for 27 years.
They say it’s too dangerous to release.
Convenient.
What They’re Claiming
On April 7, 2026, Anthropic announced Claude Mythos Preview alongside something called Project Glasswing. A frontier model that, during internal testing, autonomously discovered and exploited thousands of high-severity vulnerabilities across FreeBSD, OpenBSD, and major web browsers. Its flagship result: a 17-year-old remote code execution bug in FreeBSD’s NFS implementation that nobody had caught. Mythos found it, built a working exploit, and gained root access. No human guidance after the initial prompt.
Sounds terrifying. Also sounds like one hell of a sales pitch.
Anthropic’s solution? Don’t release it publicly. Instead, give restricted access to twelve launch partners and about 40 other organizations. Commit $100 million in usage credits. Let the big boys patch their stuff first.
Noble. Until you look closer.
The Problem Nobody Wants to Say Out Loud
Nobody outside the Glasswing club can verify any of this.
Anthropic says “thousands of zero-days.” The partner organizations haven’t publicly confirmed specific findings. No independent researcher has access to the model. No false-positive rates published. No detailed methodology beyond Anthropic’s own 244-page system card and a curated technical writeup on their own red team blog.
We’re supposed to reorganize the entire security industry around a threat that one company described in a press release and verified with its own internal team.
Bruce Schneier called it a “PR play.” His words, on his blog. He said: “You don’t need Mythos to find the vulnerabilities they found.”
And he’s right. Because someone already proved it.
Smaller Models Can Do This Too
Researchers at AISLE (AI Security Lab Europe) took the exact vulnerabilities Anthropic showcased and tested them against smaller, cheaper, open-weights models.
Eight out of eight small models detected the FreeBSD NFS vulnerability. The flagship exploit. The one Anthropic used to justify keeping Mythos locked away. A model with 3.6 billion parameters found it. That’s a model you can run on a laptop.
A 5.1-billion-parameter open model recovered the core exploit chain for the 27-year-old OpenBSD bug.
AISLE’s conclusion: the moat isn’t the model. It’s the system around it. The security engineering, the scaffolding, the triage pipeline. AI vulnerability detection is “jagged.” It doesn’t scale linearly with model size. Small models, pointed at the right code with the right context, find the same bugs.
So what exactly is “too dangerous to release” here?
The Leak That Started It All
Anthropic didn’t even plan to announce Mythos when they did. In late March 2026, a misconfigured CMS left nearly 3,000 internal documents in a publicly accessible cache. Security researchers Roy Paz (LayerX Security) and Alexandre Pauwels (University of Cambridge) found draft marketing materials describing an unreleased model codenamed “Capybara” with capabilities that were “far ahead of any other AI model.”
Fortune broke the story. Cybersecurity stocks dropped across the board. CrowdStrike, Palo Alto Networks, Zscaler, all hammered.
Twelve days later, Anthropic turned the leak into a launch. Project Glasswing. $100 million in credits. The whole production.
If the model is genuinely dangerous, the leak was a catastrophic security failure. If it’s a marketing strategy, the leak was the best thing that ever happened to them.
Follow the Money
Anthropic is in early talks with Goldman Sachs, JPMorgan, and Morgan Stanley about an IPO. Target: Q4 2026. Estimated raise: over $60 billion. Their February 2026 funding round valued them at $380 billion. Recent non-binding offers valued the company as high as $800 billion.
“Too dangerous to release” is the most valuable sentence in AI right now. It says: we’re so far ahead that our own technology scares us. That’s not a safety disclosure. That’s a pitch deck.
And the $100 million in “usage credits”? That’s not charity. It’s not a grant to an independent research institution. It’s credits on Anthropic’s own platform. They’re paying partners to use their product and calling it a safety initiative.
The Regulatory Capture Play
Project Glasswing creates a two-tier security world. Twelve launch partners plus roughly 40 approved organizations get the best vulnerability scanner ever built. Everyone else gets nothing.
Independent security researchers. Academics. Startups. Small companies running critical infrastructure. All locked out. The message: only approved organizations should have access to frontier AI capabilities. For safety.
That’s not safety. That’s a moat. If you control who gets to find the vulnerabilities, you control who gets to fix them. And if you control the fixing, you control the narrative about how dangerous the finding was in the first place.
What Actually Happened Here
Anthropic built a good vulnerability scanner. Probably a very good one. It found real bugs. Some of them were serious and old.
But “thousands of zero-days” without independent verification is a press release, not a research finding. And when smaller models can reproduce the showcase results, the “uniquely dangerous” argument collapses.
What’s left is a company that accidentally leaked its own marketing materials, turned the leak into a launch event, claimed its model is too dangerous to release, gave access only to trillion-dollar partners, committed “$100 million” in credits to its own platform, and is preparing for an $800 billion IPO.
That’s not a safety strategy. That’s a go-to-market strategy with a safety label on it.
Show the receipts. Publish the methodology. Let independent researchers verify the claims. Until then, “trust us, it’s dangerous” is just marketing.