Anthropic, the AI developer, is shifting its policy from keeping its most powerful model under wraps due to safety concerns to making it available to the general public.
IT specialist outlet Testing Catalog reported on the 23rd (local time) that signs of a product name, “Mythos 1,” and preparations for release have been repeatedly confirmed inside and around Anthropic.
Mythos has not previously been made available to the public. That is because its ability to detect software security weaknesses is considered extremely powerful. This policy reversal is being seen as an example of how tech companies decide whether to disclose AI systems that can exceed human capabilities in certain areas.
Anthropic’s shift from “private” to “preparing for public release”
The background to the policy change is “Project Glasswing,” launched last month. It is a collaboration initiative created by Anthropic to use its unreleased top model, “Claude Mythos Preview,” to identify security flaws in critical software.
Mythos specializes in finding vulnerabilities. A vulnerability refers to a weak point that hackers exploit to break into systems or steal information.
Mythos identifies these weaknesses faster and more accurately than humans. But the ability to find flaws can be used equally well to defend against attacks or, conversely, to carry them out. That is why Anthropic limited distribution of Mythos Preview to about 50 vetted partners instead of releasing it to the public.
The atmosphere has changed. In a midterm update on Glasswing released on the 22nd, Anthropic said the model is being used to protect a wider range of organizations, including open-source projects.
The company also said it would “soon explore a path to publicly releasing Mythos-class models once much stronger safeguards are in place.” That wording clearly marks a step back from its original stance that it would not release the model.
10,000 vulnerabilities found in just one month
Anthropic’s confidence in considering public release is backed by Glasswing’s results. The company said that together with partners, it found more than 10,000 vulnerabilities rated “critical” or “severe” in core software within just one month using Mythos Preview.
Long-standing flaws were also uncovered. Mythos found a bug in OpenBSD that had gone undiscovered for 27 years, and a 16-year-old bug in the video processing program FFmpeg.
Cloudflare, a cloud services company, found about 2,000 bugs in its own review, 400 of which were rated severe or critical. Mozilla, which develops the Firefox browser, found and fixed 271 vulnerabilities.
The outline of the new product is also becoming clearer. According to Testing Catalog, some users briefly saw the “Mythos 1” model on screen, and Anthropic’s source code has added wording indicating that the model can be used in the development tool “Claude Code” and the security product “Claude Security.”
The product name carries the label “preview,” indicating a pre-release stage. The same outlet reported that Claude Security is also building a new enterprise dashboard showing discovered vulnerabilities and 7-day and 30-day trends.
Ability to handle the “after discovery” phase becomes the new variable
Anthropic has also highlighted a new challenge. In its Glasswing update, the company said, “The bottleneck is no longer finding vulnerabilities, but the amount of human labor required to verify the discovered issues and work with developers to fix them.”
The key issue is the speed gap between discovery and patching. Discovery has become more than ten times faster with AI adoption, but fixing a single bug still takes an average of two weeks.
That creates a structure in which unresolved vulnerabilities accumulate. Concerns are also reinforced by reports that some under-resourced open-source maintainers are struggling under the flood of vulnerability reports.
There are warnings that if the list of weaknesses compiled by powerful AI is left unpatched, that list itself could become a map for attackers.
Preparations for companies and institutions
The public release of Mythos-class AI is expected to bring changes soon for Korean companies and institutions as well. The common point emphasized by experts is the need to prepare systems that can handle what comes after AI finds the flaws.
First, organizations are advised to identify and list the software they rely on most. By preclassifying high-impact areas such as payment systems, customer information databases, and externally connected servers, they can establish a basis for prioritizing responses when a flood of vulnerabilities appears.
Reviewing procedures for verifying and fixing discovered vulnerabilities is also identified as a key task. Only if an organization has a process in place for determining whether AI-flagged weaknesses are truly dangerous and then addressing them one by one can those issues avoid becoming unresolved burdens.
Reassigning security personnel is another variable. If AI takes over the task of finding vulnerabilities, human work will shift toward verification, judgment, coordination, and applying patches.
Anthropic’s condition that Mythos-class model release requires “safeguards” suggests that even the most powerful tools must be supported by preparation. Since the final step of actually closing the gaps found by AI rests with the companies and institutions using the software, the moves surrounding Mythos 1 are being read as a signal to strengthen security systems.