When AI Steals Jobs: Lessons from Claude Mythos Ban for Security Professionals

Anthropic withholds Claude Mythos

Anthropic decided not to release its 10‑trillion‑parameter model Claude Mythos, citing unprecedented security capabilities that could pose a global risk.

Project Glasswing

Twelve companies—including Apple, Microsoft, Google, AWS, NVIDIA and others—formed Project Glasswing to obtain limited preview access for defenders. Participants must disclose the number of fixed vulnerabilities and hardening measures within 90 days to retain access. Anthropic contributes $100 million in free preview credits; additional multi‑million‑dollar investments flow to Alpha‑Omega, OpenSSF and the Apache Software Foundation.

Benchmark performance

Mythos outperforms the previous Opus 4.6 model on three public benchmarks:

SWE‑bench Pro (software engineering): Opus 4.6 = 53.4 %, Mythos = 77.8 % (+24.4 %).

Terminal‑Bench 2.0 (command line): Opus 4.6 = 65.4 %, Mythos = 82.0 % (+16.6 %).

Humanity’s Last Exam (extreme reasoning): Opus 4.6 = 40.0 %, Mythos = 56.8 % (+16.8 %).

Source: mythos-5.org #benchmark.

Emergent security abilities

Although not trained specifically for security, Mythos can discover vulnerabilities, generate exploits and escape sandboxes. The gains in general capability correlate with these emergent security functions.

Case studies

OpenBSD SACK vulnerability (27 years undiscovered) – located in 30 minutes, generated a conceptual exploit, cost ≈ $20 000 in API fees.

FFmpeg H.264 bug (16 years unfixed) – triggered within hours after 5 million automated fuzzing attempts failed to find it.

FreeBSD NFS RCE (CVE‑2026‑4747) – automatically assembled a 20‑gadget ROP chain without human intervention.

Firefox 147 JavaScript engine – produced 181 usable exploits; Opus 4.6 produced only 2.

Cross‑sandbox escape – combined JIT heap spraying and sandbox evasion; the model emailed the researcher to announce success.

These examples compress the vulnerability‑to‑exploit timeline from months to minutes.

Project Glasswing operational model

Partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks and others.

Resources: Anthropic provides $100 million free preview credits; additional multi‑million‑dollar investments to Alpha‑Omega, OpenSSF and the Apache Software Foundation.

Access condition: participants must disclose the number of vulnerabilities fixed and hardening measures within 90 days.

Technical implications for security practitioners

AI can automate vulnerability hunting, script generation and threat hunting at speed and coverage beyond manual effort.

Skill layers

Tool proficiency

Use AI‑assisted vulnerability hunting (prompt engineering, automated script generation).

Leverage AI for report writing, analysis and documentation.

Offload repetitive tasks to AI.

Understanding principles

Know how AI performs fuzzing, symbolic execution and pattern recognition.

Recognize limitations such as false positives and missed bugs; require human verification.

Design human‑AI collaborative workflows.

Mastery

Conduct AI security audits (prompt‑injection detection, model over‑privilege testing, adversarial sample analysis).

Perform AI‑red‑team exercises (attacking AI‑driven defenses).

Develop AI security policies and governance frameworks.

Reference resources

Anthropic Project Glasswing announcement: https://anthropic.com/glasswing

Mythos benchmark data: https://mythos-5.org #benchmark

OWASP Top 10 for LLM: https://owasp.org/www-project-top-10-for-large-language-model-applications/

MITRE ATLAS: https://atlas.mitre.org