On 7 April 2026, AI company Anthropic announced something rather unusual. They had built their most powerful AI model ever – and at the same time decided not to release it. It was too dangerous.
The model is called Claude Mythos. Since the announcement, it has split the AI and cybersecurity industry into two camps. Some are calling it a breakthrough in cybersecurity. Others are calling it fear-based marketing.
The background
The story has reached Danish press broadly.
Anthropic itself says that Mythos is extremely good at finding security holes in software – so good that in some cases it surpasses professional hackers. Instead of releasing the model, Anthropic set up a partnership called Project Glasswing. It is an alliance with 12 major American tech companies, including Amazon, Apple, Google, Microsoft, Nvidia and JPMorgan Chase, along with cybersecurity firms such as CrowdStrike and Palo Alto Networks – plus around 40 additional organisations that build or maintain critical software.
The idea is to give the good guys access first, so they can find and close security holes in their own systems before the model – or something similar – ends up in the hands of cybercriminals.
What can the model actually do?
Anthropic states that Mythos has found thousands of so-called zero-day vulnerabilities. These are security flaws no one knew existed, and which therefore haven’t been patched – the most dangerous kind.
Concrete examples include a flaw in the OpenBSD operating system that had been there for 27 years, as well as a flaw in FFmpeg (software that handles video) that had been sitting there for 16 years. In the Linux kernel, which runs most of the world’s servers, Mythos was able to find and chain together several vulnerabilities.
The single biggest example came on 21 April, when Mozilla, the company behind the Firefox web browser, released version 150 with fixes for no fewer than 271 vulnerabilities found by Mythos.
Anders Bæk, author of the book AI-Epoken, tells TV2 that Mythos represents a quantum leap compared to other similar models. He highlights that it is the first time an AI company has publicly declared that they have developed something so significant that they are worried about misuse.
The growing scepticism
A strong counter-narrative has, however, emerged in the Danish and international press over the past few weeks.
The Mozilla figures deserve a closer look. The 271 vulnerabilities sound wild, but only three of them received official CVE numbers – the internationally recognised vulnerability designations. The remaining 268 flaws were actually less critical. Mozilla itself also writes that none of the flaws found were anything a skilled human security researcher couldn’t have found as well. Mythos is faster – not fundamentally smarter.
Danish IT security expert Peter Kruse, owner of CSIS Group, has given an interview to Børsen. He is sceptical of Anthropic’s statement and says you can’t draw any conclusions from the company’s figures, because the relevant key data isn’t being shared. He does acknowledge, however, that AI will change cybersecurity over the next five years.
DR has also raised questions about the story. Tech journalist Therese Moreau discussed the matter on DR’s podcast Tiden. She points out that you have to distinguish between what the companies say their models can do and what they can actually do – because third parties have not been given access to evaluate the model. She also notes that Anthropic founder Dario Amodei was previously involved, back when he was at OpenAI, in a similar decision to hold back a model.
On Version2, Ingeniøren’s online media outlet, a critical opinion column with the title “Mythos, Altman and the art of dazzling AI critics and the digital hype choir” described a particular pattern: new model could pose a threat to humanity, followed by moderate disappointment.
Marcus Hutchins, the British cybersecurity expert known for stopping the WannaCry attack in 2017, has commented on his YouTube channel that the problem with finding security flaws isn’t a lack of skilled people – the problem is that it costs money.
And then there’s the detail that really undermines Anthropic’s story: on the same day Project Glasswing was announced, a group of unauthorised users gained access to Mythos. They found the model via a third-party vendor environment and shared the access in a private Discord channel. Bloomberg reported the case, and DKCERT wrote about it here in Denmark on 23 April.
Even Sam Altman of OpenAI, who initially called Anthropic’s approach fear-based marketing, has since released his own restricted cybersecurity model, GPT-5.5 Cyber.
The political mess
In March, Anthropic broke with the Pentagon because they refused to accept unrestricted military use of Claude. The Pentagon labelled them a supply chain risk – a designation otherwise reserved for foreign adversaries.
But when Mythos came along, the US government discovered that they would actually like access. The NSA, which sits under the Pentagon, now uses Mythos. Anthropic’s CEO Dario Amodei has met with Trump’s chief of staff at the White House. The Pentagon’s chief technology officer said in early May that Anthropic is still a supply chain risk, but that Mythos is a separate matter.
Conclusion
Mythos is real technology with real capabilities. But there’s also marketing and economics at play. According to several international media outlets, Anthropic is in negotiations over an investment that values the company at up to 1,000 billion dollars. Hype helps.
The point is that AI companies during this period will use security concerns both honestly and strategically. That doesn’t mean every warning should be dismissed. But it does mean they should be read critically – and that Danish companies should build their AI strategy on solid ground rather than on fear or hype.