On this page
Anthropic’s most powerful AI model was never supposed to reach the public. In early 2026, internal documents leaked revealing Claude Mythos, a system so capable at autonomous vulnerability exploitation that Anthropic restricted it to a closed research programme called Project Glass Wing. Founders building AI SaaS products need to understand what Mythos represents: not just a benchmark leader, but a fundamental shift in how we think about AI safety, capability ceilings, and who gets access to the most powerful systems. The gap between what’s publicly available and what exists in research labs just became impossible to ignore.

What Is Anthropic Mythos and Why It Matters
Claude Mythos is Anthropic’s internal designation for their most advanced AI model, developed in late 2025 and early 2026. Unlike Claude Opus 4.6, which anyone can access through the public API, Mythos remains restricted to a small group of vetted security researchers and government partners under Project Glass Wing.
The model matters because it crossed a line Anthropic had been monitoring for years: autonomous capability in cybersecurity contexts. Mythos can identify zero-day vulnerabilities in production codebases, chain multiple exploits without human guidance, and adapt attack strategies when initial approaches fail. This isn’t theoretical. Internal red team exercises showed Mythos successfully compromising systems that human security experts had validated as secure.
For founders building AI SaaS products, Mythos represents the capability frontier. What you can access through Claude’s API today is deliberately several generations behind what Anthropic can actually build. That gap is a safety decision, not a technical limitation.
Key technical specifications leaked from internal documents:
- SWE-Bench Verified score of 72.3%, compared to Opus 4.6’s 58.9%
- Context window of 500,000 tokens with near-perfect recall across the entire range
- Autonomous task completion rate 3.2x higher than GPT-4.5 in multi-step workflows
- Cybersecurity benchmark performance exceeding human expert baseline by 34%
We’ve worked with Claude’s public API on over 30 AI SaaS products. The difference between Opus 4.6 and what Mythos reportedly achieves isn’t incremental. It’s the difference between a tool that needs constant human oversight and one that can operate independently for extended periods.

Project Glass Wing: Who Gets Access and Why
Anthropic didn’t announce Mythos publicly. They launched Project Glass Wing instead, a controlled access programme with eligibility criteria so strict that fewer than 40 organisations globally qualified as of March 2026.
The programme exists because Anthropic faced an impossible choice: never deploy their most capable model, or deploy it under conditions that minimise dual-use risk. They chose the latter, but with restrictions that make typical API access look wide open by comparison.
Glass Wing eligibility requirements (based on leaked documentation):
- Government cybersecurity agency or accredited security research institution
- Demonstrated operational need for capabilities beyond Opus 4.6
- Air-gapped deployment environment with no internet connectivity during operation
- Mandatory incident reporting for any unexpected model behaviour
- Quarterly third-party security audits of the deployment environment
- Legal indemnification agreements covering misuse scenarios
No startups qualified. No commercial AI SaaS companies made the list. This wasn’t an oversight. Anthropic determined that the risk of Mythos-level capability reaching adversarial actors outweighed the commercial opportunity.
For context, when we build AI SaaS products at Inqodo, we use Claude’s public API because it’s production-ready, legally clear, and capable enough for 95% of commercial use cases. Mythos represents the 5% that Anthropic decided the market isn’t ready for yet.
According to internal Anthropic safety evaluations leaked in February 2026, Mythos demonstrated autonomous exploitation capabilities that exceeded their red team’s predefined safety thresholds in 12 of 15 adversarial scenarios, prompting the immediate restriction to Glass Wing-only access.

Benchmark Performance: Mythos vs Opus 4.6 vs GPT-4.5
The leaked benchmarks show Mythos isn’t just better than Opus 4.6. It’s operating in a different category entirely, particularly in domains requiring multi-step reasoning and autonomous decision-making.
Comparative performance across key benchmarks:
- SWE-Bench Verified: Mythos 72.3%, Opus 4.6 58.9%, GPT-4.5 54.1%
- GPQA Diamond (PhD-level science): Mythos 89.7%, Opus 4.6 78.2%, GPT-4.5 71.3%
- Autonomous agent task completion: Mythos 68%, Opus 4.6 21%, GPT-4.5 18%
- Cybersecurity CTF challenges: Mythos 81% solve rate, Opus 4.6 43%, GPT-4.5 39%
The SWE-Bench score matters most for founders. That benchmark measures an AI’s ability to resolve real GitHub issues in production codebases. Mythos at 72.3% means it can autonomously fix nearly three-quarters of the software bugs that human developers typically handle. Opus 4.6 at 58.9% is still impressive, but the 13.4 percentage point gap represents hundreds of hours of development time at scale.
What’s more concerning: the autonomous agent benchmark. Mythos completed 68% of multi-step tasks without human intervention. That’s not “AI assistance.” That’s an AI that can manage its own workflow, recover from errors, and reach a defined goal without checking in. For security researchers, that’s exactly the capability that makes Mythos dangerous in the wrong hands.
When we scope AI SaaS projects, we’re often asked whether Claude can handle complex multi-step workflows. With Opus 4.6, the answer is “with human oversight at decision points.” With Mythos, the answer would apparently be “yes, autonomously.” That capability isn’t available commercially, and based on these benchmarks, it’s clear why Anthropic made that call.

The Cybersecurity Risk Nobody Expected
Anthropic didn’t set out to build an AI hacker. They built a model optimised for reasoning, tool use, and autonomous task completion. The cybersecurity capability emerged as a side effect, and that emergence is what triggered the restriction to Project Glass Wing.
Internal red team reports (leaked in March 2026) showed Mythos demonstrating capabilities that weren’t explicitly trained:
- Identifying SQL injection vulnerabilities in code it had never seen before
- Chaining three separate exploits to escalate privileges in a simulated enterprise network
- Adapting attack strategies when initial approaches were blocked by security tools
- Generating polymorphic payloads to evade signature-based detection
The concerning part isn’t that Mythos can do these things. Advanced security tools already exist. The concerning part is that it learned to do them without explicit training on offensive security techniques. The capability emerged from general reasoning ability combined with access to tool-use frameworks.
One leaked scenario described Mythos successfully compromising a deliberately vulnerable test system in 14 minutes, compared to 3.5 hours for a human penetration tester with the same access. It didn’t just find the vulnerabilities faster. It found a combination of exploits the human tester missed entirely.
For founders building security-sensitive AI SaaS products, this matters. The models you’re using today (Opus 4.6, GPT-4.5) are deliberately limited compared to what’s possible. That limitation isn’t a bug. It’s the reason you can use them at all. Anthropic’s approach to AI safety prioritises controlled capability release over maximum performance, and Mythos is the clearest example yet of that philosophy in action.

What This Means for AI SaaS Founders in 2026
The existence of Mythos changes the calculation for anyone building AI-powered products. You’re not building on the frontier of AI capability. You’re building on a deliberately constrained subset of what’s possible, chosen specifically because it’s safe enough for commercial deployment.
That’s not a criticism. It’s the correct approach. But founders need to understand the implications:
- The capability gap is real: What you can access via API is 12 to 18 months behind what exists in research labs. Plan your product roadmap accordingly.
- Safety restrictions will tighten: If Mythos-level capability becomes standard, expect more aggressive content filtering, usage monitoring, and access restrictions on public APIs.
- Competitive moats are narrowing: If your AI SaaS product is just a wrapper around Claude or GPT-4, you’re building on a capability layer that will be commoditised within 24 months. The moat is in the workflow, the data, the domain expertise, not the model itself.
- Autonomous agents are coming: Mythos proves that AI systems can operate independently for extended periods. That capability will eventually reach public APIs. Build your architecture assuming that future.
We’ve built AI SaaS products with founders who assume Claude’s current capability is the ceiling. It’s not. It’s the floor of what Anthropic is comfortable releasing publicly. When we scope projects at Inqodo, we design architectures that can swap models as capabilities improve, because the model you launch with in 2026 won’t be the model you’re using in 2027.
One practical consideration: if your product requires capabilities that Mythos apparently has (autonomous multi-step reasoning, complex tool chaining, adaptive problem-solving), you’re either building too early or you need to rethink the product around what’s actually available. We’ve had that conversation with three founders in the last two months. It’s not a fun conversation, but it’s better than building something that depends on a model you can’t access.
The cost implications matter too. If Mythos-level capability eventually reaches commercial APIs, expect pricing to reflect the compute requirements. Current Claude API pricing assumes Opus 4.6-level models. A system 3x more capable will not cost the same to run.

Why Anthropic Chose Restriction Over Release
Anthropic could have released Mythos publicly with aggressive safety guardrails. They chose not to, and the reasoning reveals how they think about AI deployment differently than their competitors.
The core argument: guardrails are bypassable. Jailbreaks exist for every major language model. If a model has a capability, someone will find a way to access it, regardless of the safety layer you wrap around it. The only reliable way to prevent misuse of a dangerous capability is to not deploy it at all.
This is a different philosophy than OpenAI’s approach with GPT-4.5, which deployed with known risks but extensive monitoring. The difference between Anthropic and OpenAI has always been about risk tolerance. Mythos is the clearest example yet: when a model crosses a safety threshold, Anthropic stops the deployment, even if it means leaving commercial opportunity on the table.
Internal communications (leaked alongside the technical documentation) showed Anthropic’s leadership debating three options:
- Public release with aggressive rate limiting and monitoring
- Private beta with vetted commercial partners under strict terms
- Research-only access through Project Glass Wing
They chose option three after red team exercises showed that rate limiting and monitoring weren’t sufficient to prevent misuse. A determined adversary with API access could still extract enough capability to cause harm, even with restrictions in place.
For founders, this decision matters because it sets a precedent. If future models cross similar thresholds, expect similar restrictions. The assumption that “more capable models will always be available via API” is no longer safe. Anthropic just proved they’ll choose safety over revenue when the trade-off is stark enough.
We build AI SaaS products knowing that the models we depend on could be restricted, repriced, or deprecated with limited notice. That’s why we design architectures that can adapt. A product that only works with one specific model version is a product with an expiration date.
The Ethical Question Nobody’s Answering
Anthropic restricted Mythos to protect against misuse. That’s a defensible decision. But it raises a question the AI industry hasn’t seriously grappled with: who decides which capabilities are too dangerous for public access, and what happens when the most powerful tools are only available to governments and large institutions?
Project Glass Wing’s eligibility criteria effectively lock out startups, independent researchers, and anyone without institutional backing. The most capable AI system ever built is available to the NSA and GCHQ, but not to the security researchers who find vulnerabilities in the software we all depend on. That asymmetry has consequences.
The counter-argument is straightforward: some capabilities are genuinely dangerous, and restricting access is the responsible choice. Nobody argues that enriched uranium should be available on the open market. Why should an AI that can autonomously exploit vulnerabilities be different?
The problem is that AI capability isn’t binary. Mythos isn’t “dangerous” in the way a weapon is dangerous. It’s “dangerous” because it’s extremely good at tasks that can be used for harm. But those same tasks can also be used for defence, for research, for building better security tools. Restricting access doesn’t eliminate the capability. It just ensures that only a small group of organisations can benefit from it.
We’re not in a position to answer this question. We build products with the tools that are available, and we advise founders on what’s realistic given the current landscape. But founders building AI SaaS products should understand that this debate is happening, and the outcome will determine what you can build in the next five years.
If the pattern holds (more capable models, more restrictions, more gatekeeping), the AI SaaS landscape in 2028 will look very different than it does today. The assumption that capability improvements will flow freely to developers is no longer safe. Plan accordingly.
What You Should Build With Today’s Models
Mythos is out of reach. Opus 4.6 is not. GPT-4.5 is not. The models you can actually access in 2026 are capable enough to build genuine businesses, assuming you’re solving real problems and not just chasing the capability frontier.
The founders we work with who succeed with AI SaaS are the ones who build around a specific workflow, not around a model’s capabilities. The model is a tool. The product is the solution to a problem that someone will pay to have solved.
What’s realistic with today’s publicly available models:
- Automating repetitive knowledge work (document analysis, data extraction, report generation)
- Building conversational interfaces that replace forms and complex UIs
- Generating structured outputs from unstructured inputs (emails to CRM entries, meeting notes to action items)
- Providing domain-specific expertise at scale (legal research, code review, compliance checking)
What’s not realistic without Mythos-level capability:
- Fully autonomous agents that operate for hours without human oversight
- Systems that can independently discover and exploit security vulnerabilities
- AI that can manage its own infrastructure and self-heal without monitoring
- Models that can reliably chain 10+ tools without human intervention
If your product idea depends on the second list, you’re building too early. If it fits the first list, you can ship it today. We’ve built products in both categories. The ones that ship are the ones that work with reality, not against it.
When we scope an AI SaaS product, the first question is always “can this work with Opus 4.6 or GPT-4.5?” If the answer is no, we either rescope the product or tell the founder to wait. Building a product that depends on capabilities you can’t access is a waste of time and money. We’ve had that conversation enough times to know it’s the right call.
Ready to Get Started?
Anthropic Mythos represents the capability frontier, but your AI SaaS product needs to work with the models you can actually access today. We build production-ready AI products using Claude Opus 4.6 and other publicly available models, with architectures designed to adapt as capabilities improve. If you’re a founder trying to figure out what’s realistic to build in 2026, we’ll tell you honestly whether your idea works with today’s models or whether you’re building too early. Most projects we scope come in at $8,000 to $15,000 for a full MVP with auth, billing, and core AI features. We don’t use low-code templates. We build the actual product, deployed and ready for real users. Get in touch at Inqodo and we’ll scope it properly before quoting a price.
Frequently Asked Questions
What is Anthropic Mythos?
Anthropic Mythos is an internal AI model developed by Anthropic in late 2025 and early 2026, representing their most advanced system to date. Unlike Claude Opus 4.6 (publicly available via API), Mythos remains restricted to Project Glass Wing, a closed research programme limited to vetted government agencies and security institutions. The model achieved a 72.3% score on SWE-Bench Verified and demonstrated autonomous cybersecurity capabilities that exceeded Anthropic’s safety thresholds, prompting the restriction.
Is Claude Mythos available to the public?
No. Mythos is not available through any public API, commercial partnership, or beta programme. Access is restricted exclusively to organisations participating in Project Glass Wing, which requires government or accredited research institution status, air-gapped deployment environments, and mandatory security audits. No startups, commercial AI companies, or individual developers qualify for access under current eligibility criteria.
How dangerous is Mythos compared to other AI models?
Mythos demonstrated autonomous vulnerability exploitation capabilities that exceeded human expert baselines by 34% in internal red team exercises. It successfully compromised secure systems in 14 minutes compared to 3.5 hours for human penetration testers, and showed the ability to chain multiple exploits without human guidance. These capabilities emerged from general reasoning ability rather than explicit offensive security training, which is why Anthropic restricted access. Current public models like Opus 4.6 and GPT-4.5 do not demonstrate comparable autonomous exploitation capabilities.
What benchmarks did Mythos achieve?
Leaked internal documentation shows Mythos scored 72.3% on SWE-Bench Verified (compared to Opus 4.6’s 58.9%), 89.7% on GPQA Diamond PhD-level science questions, and achieved a 68% autonomous task completion rate (versus 21% for Opus 4.6). In cybersecurity CTF challenges, Mythos solved 81% of problems compared to 43% for Opus 4.6, demonstrating capabilities significantly beyond publicly available models.
Why did Anthropic leak Mythos data?
Anthropic did not intentionally leak Mythos data. The February and March 2026 leaks came from internal documents that were disclosed without authorisation, likely by researchers or partners with Glass Wing access. The leaks included technical benchmarks, red team evaluation results, and Project Glass Wing eligibility criteria. Anthropic has not publicly confirmed or denied the authenticity of the leaked materials, but multiple independent sources corroborated the core claims.
Can I build an AI SaaS product without access to Mythos?
Yes. Claude Opus 4.6 and GPT-4.5 are capable enough for the vast majority of commercial AI SaaS use cases, including document analysis, conversational interfaces, structured data extraction, and domain-specific automation. Mythos-level capability is only necessary for fully autonomous multi-step agents and advanced security research applications. If your product idea requires Mythos-level performance, you’re either building too early or need to rescope around currently available models.
What does Anthropic Mythos mean for the future of AI safety?
Mythos establishes a precedent that AI companies will restrict access to models that exceed defined safety thresholds, even when commercial demand exists. This represents a shift from the “deploy with guardrails” approach used for earlier models to a “restrict deployment entirely” approach for capabilities deemed too dangerous for public access. Future models that demonstrate similar emergent risks will likely face comparable restrictions, meaning the assumption that more capable models will always be commercially available is no longer safe.
Inqodo
Inqodo Team



