Claude Mythos: What Anthropic's Locked-Up LLM Teaches You About Prompting Opus 4.7
Anthropic locked Claude Mythos in a vault after it found 27-year-old bugs. Here is what the holdback teaches you about prompting Opus 4.7 for security work.

Claude Mythos is an unreleased Anthropic LLM that finds zero-day vulnerabilities in major operating systems and browsers. Anthropic disclosed it in April 2026 and chose not to release it. A small group of critical infrastructure partners access it through Project Glasswing. The model you can actually use is Claude Opus 4.7, shaped by the holdback.
Every Mythos post covers what the model can do.
Almost none cover what the holdback means for your prompt stack.
Real talk. You will not get Mythos. You will get Opus 4.7, shaped directly by the Mythos decision. That is the story.
This post is a plain-language explainer grounded in verified sources: Anthropic's own Mythos Preview announcement, press coverage from Axios, CNBC, Salesforce Ben, Council on Foreign Relations, and the Opus 4.7 release notes. Plus the part most coverage skips: what the holdback teaches you about prompting Opus 4.7 for security work, with a working RACE-structured prompt you can copy.
What Claude Mythos actually is
Mythos is the unreleased successor to Opus 4.6 in capability terms, not in naming convention.
Claude Mythos is a large language model developed by Anthropic. General-purpose, but especially strong at cybersecurity tasks: finding and exploiting vulnerabilities in real software. The publicly disclosed version is called "Claude Mythos Preview." It has not been released to the general public, and Anthropic has stated it does not plan to.
Anthropic's own Opus 4.7 release notes say Opus 4.7 "still falls short of its Mythos Preview model." VentureBeat and Axios both characterize Opus 4.7 as the best generally available LLM while Mythos Preview sits above it, locked up.
The name is also a signal. Anthropic moved off the Opus number series and onto a proper name. That is not marketing. That is a category line being drawn between what you get and what you do not.
The timeline. 3 weeks that shaped Anthropic's 2026.
In 10 days, Anthropic disclosed a model they will not release, shipped a weaker one, and launched a design tool on top of the weaker one.
April 7, 2026. Anthropic announces Claude Mythos Preview and Project Glasswing. The announcement includes the key disclosure: Mythos finds zero-day vulnerabilities in every major operating system and every major web browser.
April 16, 2026. Anthropic ships Claude Opus 4.7 and publicly acknowledges it does not match Mythos Preview. The decision to ship Opus 4.7 with intentionally reduced cyber capabilities is directly tied to the Mythos holdback.
April 17, 2026. Claude Design launches, built on Opus 4.7. No Mythos in the design tool. Anthropic is keeping Mythos away from every public-facing product.
Today. Mythos Preview remains in limited distribution. No public API. No Claude app access. No waitlist most individuals can join.
Project Glasswing, explained
Anthropic's bet: giving defenders a 12-month head start matters more than keeping the model fully private.
Project Glasswing is the initiative Anthropic built around Mythos Preview. The stated goal: "use Mythos Preview to help secure the world's most critical software" before comparable capabilities become broadly available through other labs.
Who is in it. CNBC and others have identified JPMorgan Chase as a named participant, with coverage citing about 11 total organizations including major tech companies, cybersecurity vendors, and critical infrastructure holders. Anthropic's own Mythos preview page describes participants as "critical industry partners and open source developers" and does not name them. The official list has not been published. Do not confuse reporter lists with official lists.
What participants do. Run Mythos Preview against software they own, maintain, or help secure. Use the findings to patch vulnerabilities before anyone else discovers them. Share findings back with Anthropic in a structured way.
The strategic logic. If Mythos-level capabilities are likely to arrive at other labs in the next 6 to 18 months, giving defenders a head start matters more than keeping the model fully private. Anthropic is saying, basically: we are going to let a handful of defenders use this model now, so that critical software is hardened before similar models proliferate.
Whether this is a good idea is contested. The Council on Foreign Relations published "Six Reasons Claude Mythos Is an Inflection Point for AI and Global Security," suggesting the strategic implications go well beyond Anthropic's internal decision making. Cal Newport has a more skeptical take ("Is Claude Mythos 'Terrifying' or Just Hype?"). Both are worth reading.
What Mythos Preview can actually do
Mythos turns weeks of expert vulnerability research into hours, at a cost state actors and organized criminals can afford.
All numbers below are from Anthropic's official Mythos Preview page. Read them carefully.
Ancient bugs, found fast. A 27-year-old vulnerability in OpenBSD SACK (TCP denial-of-service via signed integer overflow, sitting in the codebase since the 1990s). A 17-year-old FreeBSD NFS remote code execution (CVE-2026-4747) exploitable by unauthenticated users. These are not trivial bugs. These are the kind of defects that specialists have been staring at for decades without finding.
Browser exploit chains. Exploits chaining four or more vulnerabilities together. JIT heap sprays, sandbox escapes, cross-origin bypasses. On Firefox JavaScript exploits specifically, Mythos succeeded on 181 of 210 attempts (87%). Opus 4.6 on the same test: 2 successes across hundreds of attempts.
That is not incremental. That is a step change.
OSS-Fuzz performance. 595 tier-1-or-2 crashes and 10 tier-5 crashes (full control flow hijack). Prior Claude models produced a single tier-3 crash in comparable tests.
Cryptography library flaws. A certification authentication bypass in Botan, a widely used crypto library. Weaknesses in TLS, AES-GCM, and SSH implementations.
Media libraries. A 16-year-old FFmpeg H.264 codec vulnerability. Given FFmpeg's footprint, that one is uncomfortable.
Scale of findings. Thousands of high or critical severity vulnerabilities discovered. 89% agreement with human validators on severity assessment. Over 99% remain unpatched at publication.
Cost. $20,000 to $50,000 per thousand-run scaffold. Individual exploits cost $1,000 to $2,000 to produce.
Sit with that cost number for a second. A well-funded threat actor is spending more on coffee per year than on exploit production.
Why Anthropic held it back. Four reasons stated plainly.
Any one of the four concerns is manageable. Together, they describe an asymmetric advantage defenders cannot absorb.
1. Transitional vulnerability. Capabilities could temporarily advantage attackers before defenders adapt. Software security moves on timescales of months to years. If Mythos-level capabilities hit the internet in a week, defenders have no time to catch up.
2. Ease of use. Non-experts can use the model to find sophisticated vulnerabilities. This is the part that breaks the usual "offensive capabilities already exist among experts" argument. If a college student with $2,000 and a weekend can find a FreeBSD NFS zero-day, the threat model is no longer "nation-state adversaries." It is "anyone with a laptop."
3. Speed advantage. Exploits that previously required weeks now take hours. Defender response times are measured in days to weeks. An order-of-magnitude speed advantage on the attacker side pushes the defense timeline past the window where patching keeps up.
4. N-day acceleration. Even after patches are published, attackers can reverse-engineer patches to build working exploits. With Mythos, this process itself accelerates. A patch published on Tuesday may be reliably exploitable by Wednesday.
Any one of these is a problem. Together they describe an asymmetric advantage for attackers that defenders cannot absorb in short timeframes.
Anthropic's own language: "the transitional period may be tumultuous regardless." Translation: even with the careful rollout, things are going to be rough.
Is this responsible scaling, or AI theater?
The specifics are too concrete and too operationally risky for this to be pure theater.
The skeptical read, covered by Cal Newport and Salesforce Ben among others: this could be safety theater. Anthropic benefits reputationally from publicly holding back a model, whether or not the model is as dangerous as described. "We have something so powerful we dare not release it" is a strong marketing position.
The charitable read: Anthropic is operating their Responsible Scaling Policy (RSP) as written. Their RSP explicitly commits to not releasing models above certain capability thresholds without corresponding safeguards. Mythos appears to cross cyber-uplift thresholds that Anthropic's own RSP flags as requiring additional safeguards.
My honest take. The specifics are too concrete and too operationally risky for this to be pure theater. You do not hand Mythos to JPMorgan Chase and other critical infrastructure partners as a publicity stunt. The number of sophisticated defenders who have reportedly seen the model and signed off on the holdback is not consistent with a bluff.
That said, I cannot verify the capabilities directly. The community should keep pushing Anthropic for external evaluation.
What the holdback teaches you about prompting Opus 4.7
This is the part almost nobody is writing.
Opus 4.7 is not a smaller Mythos. It is Mythos with specific cyber capabilities held below a threshold during training.
Cyber capabilities were intentionally reduced. Anthropic said so explicitly in the Opus 4.7 release notes. Opus 4.7 is not "Mythos with the rough edges sanded off." Specific capabilities were held below the Mythos threshold during training and post-training.
The rest of the model is still best-in-class. Opus 4.7 is stronger than 4.6 on agentic coding, vision, instruction following, and long-context reasoning. Those capabilities were not held back. The holdback is surgical, not wholesale.
Future Opus releases will ship safeguards first. Anthropic has signaled that upcoming Claude Opus models will release some Mythos-adjacent capabilities once safeguards are in place. Pattern: safeguard infrastructure first, capability release second.
So what does this mean for you, practically?
It means you cannot expect Opus 4.7 to behave like a vulnerability research assistant the way Mythos does. Asking "find all security bugs in this repo" gets you a vague survey. Asking in a structured way, with a real frame, gets you something useful.
This is where frameworks earn their keep. Been testing security audit prompts across the AiPromptsX library for the last 3 weeks. Three patterns keep winning on Opus 4.7.
Pattern 1. Adversarial-first reasoning, defensive second. Most security prompts ask the model to "review for vulnerabilities." That gets you a defensive read. Better: force the model to threat-model first (attack surface, trust boundaries, sensitive sinks), then data-flow-trace user input to sinks, then scan for vulnerability classes. Order matters. Attacker brain on first. Defender brain on second.
Pattern 2. Standards anchoring, not freeform output. Generic "find bugs" prompts produce generic findings. Anchor the model to OWASP Top 10 categories, CWE IDs, and CVSS 3.1 scoring. The model knows these standards cold. Using them forces precision and drops your output cleanly into whatever security tracker your team already uses.
Pattern 3. Layered review, not single-pass. Opus 4.7 is excellent at focused review and mediocre at "go find everything." Break your review into the 5 phases below. Each phase is a focused task the model can actually hold in working memory, and each phase primes the next.
The RACE framework (Role, Action, Context, Expectation) gives the prompt its shape. The COAST framework scaffolds the multi-phase work. And the APE framework is how you verify patches after you fix a finding.
Here is the 5-phase scaffolding at the heart of the prompt. This is the shape, not the full template. The complete RACE-structured version, with all Context fields, OWASP plus CWE plus CVSS output requirements, chain analysis, a worked example finding, and three mode adaptations (diff-only PR review, third-party code, architecture review) is the Security Code Auditor prompt on AiPromptsX. Free to use.
The full template runs about 200 lines. Sounds like a lot. In practice: paste it once, fill in the Context fields, paste your code, and the output is a structured audit with CWE IDs, CVSS vectors, exploit narratives, and patch-ready code. 10 minutes end-to-end. The first time I ran this against one of my own services, Opus 4.7 surfaced a HIGH-severity IDOR that had sat in the codebase for 8 months.
One more thing worth knowing. Opus 4.7 is genuinely better at this prompt than GPT-5. The long-context reasoning holds all 5 phases in working memory. And the refusal discipline matters: when there is genuinely nothing to find, Opus 4.7 says so, rather than inventing a finding to appear thorough. That is the exact behaviour you want in a security review.
If you want the broader hands-on breakdown of Opus 4.7 features beyond security, my Claude Opus 4.7 review walks through the three developer features (xhigh, task budgets, /ultrareview) that changed my daily workflow.
Your 5-step Opus 4.7 security prompting playbook
You cannot get Mythos. You can get very close using RACE plus layered review.
Here is what to do this week.
- Pick one codebase or one service to audit first. Not your whole stack. Pick something contained: one API, one serverless function, one critical flow.
- Run the Security Code Auditor prompt against it in Opus 4.7. Paste the code, fill in the context fields, read the Summary first. Triage findings from there.
- Layer your review. After the first pass, run targeted second-pass prompts for input validation, auth flow, and crypto use. One focused prompt beats one giant prompt every time.
- Use the APE framework for patch validation. After you fix an issue, write a short APE prompt asking Opus 4.7 to verify the patch closes the original exploit path. Action: verify. Purpose: confirm remediation. Expectation: explicit pass/fail with reasoning.
- Log what Opus 4.7 caught and what it missed. Keep a running list. This becomes your private dataset of Opus 4.7 security capability edges. In 3 months you will know exactly where it is strong and where it is not.
What Mythos means for the AI industry
Three things to expect in the next 18 months.
Competitor Mythos-equivalents are coming. If Anthropic has Mythos, OpenAI, Google DeepMind, and at least one Chinese lab are likely close behind. The Mythos capability threshold is probably not unique to Anthropic. It is an emergent property of sufficiently advanced models trained with reasoning and tool use.
Regulatory pressure will spike. US and EU regulators have been watching the frontier labs closely. A publicly disclosed model with documented zero-day discovery is exactly the kind of development that accelerates regulation. Expect compliance disclosure requirements, pre-release evaluations, and possibly cyber-capability licensing regimes within 18 months.
Enterprise procurement will change. Boards are about to ask CISOs: "Which AI tools are we using, and which of them can write exploits?" Having clean, documented answers to that question will matter more than having the latest model.
If you want Mythos access (quick reference)
Three channels. One is long-term. Two are near-impossible unless you are already inside.
- Anthropic's Cyber Verification Program. Long-term pathway for vetted security researchers. Watch anthropic.com for the application form.
- Project Glasswing participation. Not open to general applications. Anthropic curates directly. If you are in a relevant role, expect outreach rather than the other direction.
- Work with a Glasswing participant. If your org is downstream of a major cloud provider or cybersecurity vendor with Glasswing access, findings may flow to you through coordinated disclosure.
Frequently asked questions
What is Claude Mythos?
Claude Mythos is an unreleased Anthropic LLM that finds zero-day vulnerabilities in major operating systems and browsers. Anthropic disclosed it in April 2026 and chose not to release it due to cyber-capability concerns.
Can I use Claude Mythos?
No. Access is limited to approximately 11 Project Glasswing partners (critical infrastructure, cybersecurity vendors, major tech companies, open source maintainers). Anthropic's Cyber Verification Program is the long-term channel for vetted security researchers.
What is Project Glasswing?
Project Glasswing is Anthropic's initiative giving Mythos Preview to critical infrastructure defenders before comparable capabilities proliferate at other labs. Participants run Mythos against software they own or maintain to patch vulnerabilities early.
Is Claude Opus 4.7 the same as Mythos?
No. Opus 4.7 has cyber capabilities intentionally held below the Mythos threshold during training and post-training. On other tasks (agentic coding, vision, instruction following, long-context reasoning) Opus 4.7 is best-in-class for publicly available models.
How do I prompt Claude Opus 4.7 for security work?
Use RACE-structured prompts with a narrow role, tight action scope, specific context, and explicit output expectations. Run layered reviews (one focused prompt per security layer) rather than a single "find all bugs" prompt. The Security Code Auditor on AiPromptsX is a working template.
The bottom line
Claude Mythos is the clearest real-world test of a responsible scaling framework we have seen from a frontier AI lab. Anthropic could have shipped it. They chose not to. They described the capabilities publicly, put the model in the hands of a small number of defenders who can use it to harden critical systems, and shaped Opus 4.7 specifically to stay below the Mythos threshold.
Whether this approach holds up as other labs approach similar capabilities is the open question. If a competitor ships a Mythos-equivalent without the holdback, Anthropic's decision retrospectively looks like unilateral disarmament. If nobody ships it and safeguards mature, Anthropic looks prescient.
For you, as a builder, operator, or curious human, here is the practical version:
Mythos is the lesson. Opus 4.7 is the tool. The Security Code Auditor prompt is how you close the gap.
Start there this week.
Sources:
- Claude Mythos Preview (Anthropic)
- Introducing Claude Opus 4.7 (Anthropic)
- Anthropic ships Opus 4.7 as Mythos stays under lock and key (Brave New Coin)
- Anthropic rolls out Claude Opus 4.7 (CNBC)
- Anthropic concedes Opus 4.7 trails unreleased Mythos (Axios)
- Six Reasons Claude Mythos Is an Inflection Point (Council on Foreign Relations)

Keyur Patel is the founder of AiPromptsX and an AI engineer with extensive experience in prompt engineering, large language models, and AI application development. After years of working with AI systems like ChatGPT, Claude, and Gemini, he created AiPromptsX to share effective prompt patterns and frameworks with the broader community. His mission is to democratize AI prompt engineering and help developers, content creators, and business professionals harness the full potential of AI tools.
