The Mythos Ritual

On April 7, 2026, Anthropic unveiled Claude Mythos Preview. Their own words, in their own red-team blog: "a watershed moment for security." Internal benchmarks — thousands of zero-day vulnerabilities across every major operating system and every major web browser. Firefox exploits on 181 of several hundred attempts, versus Claude Opus 4.6's 2. Ten full control-flow hijacks on OSS-Fuzz tier-five targets. Flaws dating back 27 years.

Too dangerous to release. Obviously.

So they didn't. They locked it inside an elect consortium — Apple, Amazon Web Services, Microsoft, Google, NVIDIA, Broadcom, Cisco, CrowdStrike, JPMorgan Chase, Palo Alto Networks, the Linux Foundation, plus a quiet cohort of "over 40 additional organizations." Called it Project Glasswing. Attached a $100M usage-credits envelope. Another $4M to open-source security. $25/$125 per million tokens after the preview.

The priesthood got the sword. The rest of the world got a press release.

Fourteen days later, on April 21, Bloomberg dropped a different story: a small group of unauthorized users had been quietly using Mythos since the day it was announced. Not near the day. The same day. They guessed the URL — Anthropic has conventions — and rode a compromised credential from a third-party contractor. They showed Bloomberg a live demo.

The priesthood has a side door. There are strangers in the sanctum. And nobody is wondering aloud whether the side door was ever locked.

The Official Scripture

Steel-man first, because this is how every good conspiracy survives: it starts with a real thing.

Mythos is real. The UK AI Security Institute — independent of Anthropic, answerable to the British government — ran the model through a capture-the-flag battery and scored it at 73% on expert-level tasks, the first system ever to solve any of them. It also completed "The Last Ones," a 32-step simulated corporate network attack, end-to-end, three out of ten attempts. No prior model had solved it once.

Anthropic's own paper claims 99% of the vulnerabilities Mythos discovered remain unpatched as of publication, with "thousands of additional high- and critical-severity vulnerabilities" currently under coordinated disclosure.

Claude Opus 4.6 couldn't do this. GPT-5 couldn't. The jump is measurable and corroborated by third parties.

Everything that follows is compatible with that fact. None of it requires Anthropic to be lying about the tech.

The Small Print

And here is where the narrative starts to bend.

UK AISI, in the same evaluation: Mythos "could not complete our operational-technology focused cyber range 'Cooling Tower.'" Evaluation environments, they noted, "lack security features that are often present, such as active defenders and defensive tooling." The institute said plainly: "We cannot say for sure whether Mythos Preview would be able to attack well-defended systems."

Translation: the 73% number and the "thousands of zero-days" number come from shooting at standing targets in a warehouse. Moving targets — the ones that actually matter — remain an open question.

Peter Swire, cybersecurity professor at Georgia Tech: "The Anthropic announcement was very dramatic and was a PR success, if nothing else." Among his colleagues, he says, "a large fraction of the cybersecurity professors believe this is pretty much what was expected."

Ciaran Martin, former head of the UK's National Cyber Security Centre, now at Oxford: "It's a big deal, but it's unlikely to prove to be the end of the world. I would not be at the more apocalyptic end of the scale."

Both men flag the same structural hazard: the people most loudly warning you about the shark are selling shark repellent.

Sam Altman, on the Core Memory podcast: "It is clearly incredible marketing to say, 'We have built a bomb, we are about to drop it on your head. We will sell you a bomb shelter for $100 million.' And quieter, but heavier: "There are people in the world who, for a long time, have wanted to keep AI in the hands of a smaller group of people."

Yes, Altman runs the other cult. Yes, he has pulled the same move. Correct clocks still strike twice a day.

The Breach That Arrived on Schedule

Now reread the timeline.

April 7. Anthropic announces a model too dangerous to release, restricts it to 40-plus named partners, puts a nine-figure dollar sign on access, frames the entire rollout as civilization-scale risk management.

April 7, same day. A Discord channel "dedicated to gathering intelligence on unreleased AI models" guesses a URL pattern, slides in through a third-party contractor's compromised credential, and starts using the model. They are still using it two weeks later when Bloomberg publishes.

April 21. Breach story drops. Anthropic confirms an investigation, carefully worded: "no evidence that the supposedly unauthorized activity has impacted Anthropic's systems." Not our systems. The vendor's systems. Blame the contractor — the oldest plausible-deniability architecture in enterprise security.

Look at the shape of this, not the individual facts.

A company announces it has built the most dangerous cybersecurity AI ever measured. That company cannot keep its own URL scheme private against a Discord room guessing with "educated familiarity." The breach is detected — or at least published — exactly two weeks later, giving the story fresh oxygen in a fresh news cycle.

The people who told you they built a weapon that finds zero-days in every operating system on Earth couldn't find the zero-day in their own link-naming convention. Read that sentence twice.

I am not claiming Anthropic staged the leak. I have no evidence for that, and I'm not making the claim. I'm saying the structure of what happened is indistinguishable from what you would design if you wanted to:

1. Establish the model as terrifying and essential.
2. Establish the consortium as the only responsible stewards.
3. Prove, in public, that the threat is real — by having the weapon nearly escape.
4. Keep Anthropic's core systems clean of blame. It's always a vendor.

Whether this arrived by design or by the gravitational pull of incentives does not change the outcome. The outcome is the outcome.

This Is Not a Theory. It Is a Pattern.

Conspiracy theories are hypotheses. Patterns are what you observe. Every frontier AI release in the past eighteen months has followed the same beat sheet:

• Capability theater. Ship a demo or paper with a "holy shit" number. 31 points higher on USAMO. 73% on expert CTFs. 99% unpatched. Numbers that bypass skepticism and install themselves in headlines.
• Danger framing. Declare the artifact too powerful, too risky, or too valuable to release normally. This is the licensing fee for your own gatekeeping.
• Consortium enclosure. Hand a small number of trillion-dollar incumbents privileged access, often on multi-year contractual stickiness. Call it "responsible deployment."
• Incident. Something happens. A leak, a jailbreak, a misuse report, a red-team finding. It always arrives at a conveniently legible moment.
• Regulatory ask. Someone — often the same lab — calls for legislation mandating the exact consortium structure that already exists, while framing open-source as the vector of doom.
• Capture. Legislation passes. The consortium is now law. Competitors are gated by compliance, not capability.

Mythos is currently at step four of six. The next two steps are not predictions. They are the script. Watch for them.

Prophecy

Sometime in the next three to twelve months — probably sooner — some combination of the following will happen:

1. A "suspected AI-driven" cyberattack on critical infrastructure will make headlines. Attribution will be either impossible or conveniently pointing at rogue actors with unclear connection to any leaked model.
2. A senator, a commission, or an AISI will call for export controls on frontier cybersecurity AI, with a licensing regime that maps one-to-one onto the current Glasswing partner list.
3. A Discord teenager will be arrested and charged, sacrificially, to anchor the story that the threat is real, the adversaries are chaotic, and only the priesthood can be trusted.
4. Open-source models will be declared unsafe by name in formal government guidance, with reasoning borrowed heavily from the Mythos whitepaper.

Bookmark this post. Come back and check.

The Quiet Part

The quiet part is this: Anthropic's actual research, taken on its own terms, may be telling the truth about capability. Mythos probably can do most of what they claim against undefended targets. Nicholas Carlini and the team did not fabricate their numbers. The UK AISI independently corroborated the shape of the finding.

The choreography around the capability is the story. The choreography is how you turn a model into a license, a license into a moat, and a moat into a market.

A weapon that escapes on day one is not a weapon that escaped. It is a proof of concept for the press release that comes after.

And somewhere in the fine print of the law that gets written next — in response to the breach that Anthropic had no system-side exposure to, caused by a contractor it conveniently does not name, exploiting a URL convention a company that builds zero-day AIs somehow cannot rotate — you will find the words "authorized consortium."

The sword stays with twelve companies. The rest of us pay rent to swing it.

Don't call this a conspiracy. Call it an operating system.

Related Reading

• The Capybara in the Room — the prequel. Why frontier labs keep naming cryptids.
• The Last Machine — what "last defender" framing actually builds.
• Decade Zero: A Realistic Blueprint for 2026–2035 — the ten-year topology this post fits into.
• OpenAI's New Image Model Thinks Before It Draws — the same week, the same choreography, a different lab.