Threat dossier · Mythos
DOSSIER · 2026 The Mythos brief

The model they wouldn't ship. Not yet.

In April 2026 an AI found and weaponised software vulnerabilities faster than any human team in history — and its maker decided it was too dangerous to release. Here's what Mythos is, why it should worry every small business, and what happens this July.

Apr 7, 2026 — Mythos announced & withheld
271 Firefox flaws found · exploits for 181
6–24 mo until equivalent power reaches attackers
Jul 2026 — first public CVE wave expected
§ 01 What happened

On 7 April 2026, Anthropic announced Claude Mythos Preview — its most capable model to date — and, in the same breath, said it would not release it. During testing, Mythos discovered and built working exploits for software vulnerabilities at a scale and speed never seen before.

According to Anthropic's disclosure and subsequent reporting, Mythos found hundreds of flaws in a single web browser — 271 in Mozilla Firefox, with working exploits for 181 of them — and thousands of previously-unknown "zero-day" vulnerabilities across major operating systems, browsers and applications. Relatively junior engineers were able to take an attack from discovery to working exploit overnight — work that takes human experts weeks.

"We do not plan to make Mythos Preview generally available." — Anthropic

That decision is the headline. A frontier-AI lab built something, looked at what it could do to the world's software, and locked it in a drawer. Cybersecurity researchers were quick to add the important caveat: the techniques Mythos used aren't magic — much of it is achievable with older models, and the real shift is speed and scale, not a new class of attack. But that shift is the whole story.

§ 02 Why it matters for SMBs

The danger isn't that you can buy Mythos. You can't. The danger is the asymmetry it proves. A capability that exists once, exists — and security researchers estimate equivalent power will reach the broader market, including adversarial hands, within 6 to 24 months.

When it does, the economics of attacking a 30-person company collapse. An attacker no longer needs a skilled human to find a way in; a model does the finding, the exploiting and the chaining, overnight, at near-zero marginal cost. The small businesses that were "too small to bother with" stop being too small.

Meanwhile the defensive gap hasn't moved. Most organisations still take days or weeks to patch a known flaw, and most SMBs rely on signature-based antivirus and a single IT provider. Machine-speed offence against human-speed defence is precisely the problem IronCastle was built for.

§ 03 Project Glasswing & July

Rather than release the model, Anthropic created Project Glasswing — a defensive program giving scoped Mythos access to a limited group of critical-infrastructure partners and open-source maintainers (reported to include AWS, Apple, Google, Microsoft, NVIDIA, CrowdStrike and the Linux Foundation) to find and fix vulnerabilities in the world's most important software before the capability proliferates.

Findings follow a responsible-disclosure clock — public no sooner than 90 + 45 days after a vendor is notified. The practical effect: the first large public wave of AI-discovered CVEs is expected from early July 2026. As of early June, only one CVE has been publicly attributed to the program — CVE-2026-4747, a FreeBSD flaw.

No firm public date has been set. It could come anytime — and once it lands, the patch window is the same for everyone.

That's the point of the countdown on our homepage: not a doomsday clock, a preparation deadline. The businesses that come through it are the ones that can detect and contain at machine speed today — not the ones still planning to patch faster tomorrow. Now is the time to make sure you're protected.

§ 04 How we're built for it

You cannot out-patch a machine. The answer to machine-speed offence is machine-speed containment with humans on top for judgment — which is the architecture IronCastle ships today.

What IronCastle does about the Mythos world

Behaviour, not signatures

We detect on patterns of action — process trees, API sequences, lateral movement — so a brand-new exploit with a brand-new hash still fires. The SHA256 that protected you yesterday isn't the defence.

AI Guardian triage

Claude reads every incident in seconds, writes the verdict in plain English with MITRE technique IDs, and recommends action before a human opens the ticket.

Auto-containment cascade

Kill the process, quarantine the file, blocklist the hash fleet-wide, isolate the host — queued automatically on critical detections, in seconds, not days.

Tamper-resistant agent

A signed Rust agent that respawns within seconds if killed and raises a critical incident on any tamper attempt — so the telemetry can't be quietly switched off.
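
The "Behaviour, not signatures" point above, as an added example that is not IronCastle's code: a hash blocklist and a process-lineage rule run over the same constructed process events. The event fields, the rule and the sample telemetry are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    sha256: str  # constructed placeholder, not a real digest

BROWSERS = {"firefox.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}
HASH_BLOCKLIST = {"sha-known-bad"}  # yesterday's indicator

# Constructed sample telemetry (not real data).
EVENTS = [
    ProcEvent("ws-01", 100, 1, "explorer.exe", "sha-os-1"),
    ProcEvent("ws-01", 200, 100, "firefox.exe", "sha-ff"),
    ProcEvent("ws-01", 300, 200, "helper.exe", "sha-known-bad"),
    ProcEvent("ws-01", 400, 300, "powershell.exe", "sha-os-2"),
    ProcEvent("ws-02", 210, 50, "firefox.exe", "sha-ff"),  # parent not in telemetry
    ProcEvent("ws-02", 310, 210, "helper.exe", "sha-never-seen"),
    ProcEvent("ws-02", 410, 310, "powershell.exe", "sha-os-2"),
    ProcEvent("ws-03", 120, 1, "explorer.exe", "sha-os-1"),
    ProcEvent("ws-03", 420, 120, "powershell.exe", "sha-os-2"),  # admin shell, benign
]

def hash_hits(events):
    """Signature view: flag only images whose hash is already on the blocklist."""
    return [e for e in events if e.sha256 in HASH_BLOCKLIST]

def ancestors(event, by_pid):
    """Walk parent links on one host; stop at a missing parent or a pid cycle."""
    seen = {event.pid}
    cur = by_pid.get((event.host, event.ppid))
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get((cur.host, cur.ppid))

def behaviour_hits(events):
    """Behaviour view: a script interpreter anywhere below a browser (MITRE T1059)."""
    # Real agents key on (pid, start time) because pids are reused; omitted here.
    by_pid = {(e.host, e.pid): e for e in events}
    return [(e, "T1059") for e in events
            if e.image in INTERPRETERS
            and any(a.image in BROWSERS for a in ancestors(e, by_pid))]

if __name__ == "__main__":
    print("hash:", [(e.host, e.pid) for e in hash_hits(EVENTS)])
    print("behaviour:", [(e.host, e.pid, t) for e, t in behaviour_hits(EVENTS)])
```

The lineage rule flags the chain on ws-02 whose helper hash the blocklist has never seen, and leaves the admin shell on ws-03 alone. A production rule would also need an allowlist for children a browser launches legitimately.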
