A small group communicating via a private Discord channel accessed Claude Mythos Preview by guessing the model’s URL on the same day Anthropic announced Project Glasswing. Anthropic says it is investigating and has found no evidence of impact to its core systems. The breach highlights the risks of restricting access to frontier AI capabilities through vendor environments rather than technical controls.
A small group of unauthorised users gained access to Claude Mythos Preview, Anthropic’s closely restricted cybersecurity AI model, on the same day the company publicly announced the model’s existence, apparently by guessing the model’s URL based on familiarity with Anthropic’s URL formatting conventions for other models, according to a Bloomberg News report published on 21 April.
The group, whose members communicate via a private Discord channel dedicated to gathering intelligence on unreleased AI models, has been using Mythos regularly since gaining access and provided Bloomberg with proof in the form of screenshots and a live demonstration.
Anthropic confirmed it is investigating the claims: “We’re investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments.”
The company said there is currently no evidence that the access has impacted Anthropic’s core systems or extended beyond the vendor environment in question.
An individual currently employed at a third-party contractor working with Anthropic appears to have been involved, at least in part, in facilitating the group’s access, the outlet reported.
The significance of the breach is inseparable from the nature of the model. Anthropic announced Mythos Preview and the accompanying Project Glasswing initiative on 7 April 2026.
The company withheld the model from general release specifically because of its offensive cyber capabilities: in testing, Mythos autonomously discovered thousands of previously unknown zero-day vulnerabilities across every major operating system and every major web browser, and wrote working exploits, including chaining together four vulnerabilities in a browser to escape both renderer and operating system sandboxes, a feat that would typically require months of expert work.
Anthropic engineers with no formal security training asked the model to find remote code execution vulnerabilities overnight and woke to complete, working exploits. The company said it was withholding the model because the same capabilities that make it powerful for defence could be devastating in the wrong hands.
Project Glasswing was designed to navigate that tension: rather than a public release, Anthropic extended Mythos access to 12 named launch partners, Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, plus Anthropic itself, for defensive security work, with around 40 additional organisations also granted access.
The initiative also included $100 million in usage credits and $4 million in direct donations to open-source security organisations. The restricted rollout was Anthropic’s explicit attempt to give defenders a head start over attackers before a model with these capabilities proliferated.
The unauthorised access undermines that logic without entirely defeating it: the group in question reportedly described its intentions as curiosity-driven, but intent is not a reliable safeguard when the tool in question can autonomously produce weaponisable exploits.
The breach also carries political weight, arriving the day after President Trump said on CNBC that a Pentagon deal with Anthropic was “possible” and that the company was “shaping up.” Anthropic is simultaneously suing the Department of Defense over its blacklisting as a supply chain risk, with that dispute centred specifically on the question of how safely its AI can be controlled.
An unauthorised access incident, even one apparently routed through a third-party vendor environment rather than Anthropic’s own infrastructure, gives ammunition to those in the administration who have argued that Anthropic cannot reliably govern access to its own tools.
It also complicates the company’s case in court, which rests in part on its argument that it applies rigorous safety and access controls to its most capable models.
The mechanism of access, an educated guess about the model’s URL, enabled by knowledge of Anthropic’s conventions for other model endpoints, points to a specific failure mode that is distinct from a conventional data breach or intrusion.
The group did not bypass Anthropic’s security architecture so much as exploit the gap between Anthropic’s controls on its own systems and those of a third-party vendor with access credentials.
That distinction matters for the investigation and for how the incident should be read by the wider AI industry: it is a vendor security failure as much as a model governance failure. But the result is the same.
Get the TNW newsletter
Get the most important tech news in your inbox each week.