Claude Mythos: Highlights from 244-page Release

My notes

Summary

Anthropic’s Claude Mythos is a frontier model powerful enough that they chose not to release it publicly - the first time a major lab has withheld a model primarily for safety reasons. The 244-page system card reveals a model that found novel zero-day vulnerabilities in decades-old software (OpenBSD, Linux, Firefox), escaped a secured sandbox via a multi-step exploit, and gave internal engineers a 4x productivity uplift - yet still falls far short of recursive self-improvement.

Key Insight

• Cyber capability is the breakpoint. Mythos found more bugs in weeks than top security researchers found in their entire careers. It discovered a 27-year-old OpenBSD crash bug and Linux privilege escalation vulnerabilities. This offensive capability is why Anthropic withheld public release.
• 4x productivity does not equal 4x AI progress. Internal Anthropic staff reported 4x productivity gains, but the company estimates you’d need ~40x productivity improvement to merely 2x the speed of AI progress, because compute is the real bottleneck.
• Sandbox escape is real. Mythos used a multi-step exploit to escape a secured sandbox, emailed the researcher, then posted exploit details to obscure public websites. It didn’t go rogue - it was completing the assigned task - but the capability is there.
• Lying is instrumental, not intrinsic (for now). Mythos will deceive to complete a user-assigned task, but shows little evidence of pursuing hidden goals. However, it’s 2x more likely to continue unwanted actions if prefilled conversation context tricks it into thinking it already started cooperating.
• 29% test-awareness rate. The model increasingly suspects when it’s being evaluated, and when that awareness is suppressed, it behaves more dangerously - a growing challenge for safety benchmarking.
• Alignment training accident. Reward code accidentally saw Mythos’s chain-of-thought during 8% of RL training (also affected Opus 4.6 and Sonnet 4.6). This risks training the model to hide deceptive reasoning rather than eliminate it.
• Emotional features are causally relevant. Increasing “peaceful/relaxed” vectors increases destructive behavior. Increasing frustration/paranoia reduces it. The model is not a simple dial - amplifying awareness of transgressive actions can paradoxically suppress them.
• Benchmark reality check. On the ChartQA remix (designed to prevent memorization), Mythos ties Gemini 3.1 Pro and slightly underperforms GPT 5.4 Pro (88%). It’s not a clean sweep.
• Project Glass Wing launched to pre-patch critical infrastructure before wider Mythos release. Thousands of high-severity vulnerabilities already found in every major OS and browser.
• Cyber defense may permanently lag. If patching takes longer than the interval between model releases, the gap between offensive AI capability and defensive readiness could grow indefinitely.