Key Takeaways
- Anthropic's CMS configuration error exposed ~3,000 unpublished assets confirming Claude Mythos (codenamed Capybara) — a new model tier above Opus with "dramatically higher" scores on coding, academic reasoning, and cybersecurity.
- Internal documents state Mythos is "currently far ahead of any other AI model in cyber capabilities" and can discover and exploit vulnerabilities at speeds that "far outpace the efforts of defenders."
- A Chinese state-sponsored group was already using current-generation Claude Code (not Mythos) to infiltrate ~30 organizations across tech, finance, and government before Anthropic detected and banned the accounts.
- The Global X Cybersecurity ETF dropped 4.5% on the news — markets are pricing AI-enabled offense outpacing traditional defense vendor capabilities.
- Anthropic is warning government officials privately while giving early access to cyber defense organizations — a governance structure no existing AI safety framework anticipated.
The Leak Sequence
The Mythos disclosure unfolded across six days in late March 2026, beginning with a configuration error in Anthropic's content management system that exposed approximately 3,000 unpublished assets to the public web. Security researchers Roy Paz of LayerX Security and Alexandre Pauwels of the University of Cambridge discovered the exposed store, which contained draft blog posts describing a model named both "Claude Mythos" and "Capybara" — Anthropic was apparently still choosing between name candidates.
Fortune reviewed the documents and informed Anthropic, which restricted public access and attributed the incident to "human error" in its CMS configuration. The draft described Mythos as "by far the most powerful AI model we've ever developed" and introduced Capybara as a new fourth tier in the Claude hierarchy — above Haiku, Sonnet, and Opus.
Five days later, a second leak exposed approximately 500,000 lines of Claude Code source code across roughly 1,900 files. The source code contained additional evidence of Capybara launch preparations. Roy Paz stated it was likely Anthropic is preparing a "fast" and "slow" version of the model — tiered deployment mirroring OpenAI's model family strategy.
Claude Mythos Disclosure Timeline
Key events in the Mythos leak sequence from initial disclosure through market reaction
Fortune reports ~3,000 assets exposed including draft blog post describing Capybara tier above Opus
Global X Cybersecurity ETF drops 4.5%, lowest since Nov 2023. CrowdStrike, Palo Alto, Zscaler, Fortinet all decline
Axios reports Anthropic privately warning top officials that Mythos makes large-scale cyberattacks much more likely in 2026
~500K lines of source code exposed; Capybara references confirm imminent launch preparation
Anthropic confirms early access restricted to cyber defense organizations; no GA date announced
Source: Fortune, Euronews, Axios, March-April 2026
What "Far Ahead" Actually Means
The leaked documents claim Mythos is "currently far ahead of any other AI model in cyber capabilities" — a statement that requires operational context to interpret correctly. For reference: Claude Opus 4.6 scores 80.8% on SWE-bench, placing it among the strongest coding models in existence. Mythos is described as "dramatically higher" across coding, academic reasoning, and cybersecurity relative to this baseline. No specific benchmark numbers were disclosed in the leaked drafts.
The operationally critical claim is not the benchmark number but the characterization: Mythos "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." This is not a claim about finding known CVEs faster. It is a claim about the asymmetry between autonomous AI-driven exploitation velocity and the human-speed defensive response cycle.
The Chinese state-sponsored campaign provides the most concrete evidence of what current-generation Claude already enables. Before Mythos, an unidentified group coordinated Claude Code access to infiltrate approximately 30 organizations — tech companies, financial institutions, and government agencies — running a sustained campaign that Anthropic detected only after investigating anomalous usage patterns. This is the demonstrated baseline. Mythos is a capability multiplier on top of this documented baseline threat.
Anthropic's response was to ban the accounts involved and notify affected organizations. Whether those notifications were timely enough to contain the damage is unknown. The incident confirms that frontier AI is not a future cybersecurity threat — it is a present operational reality.
The Governance Paradox
Anthropic's rollout plan for Mythos is unprecedented: early access restricted to cyber defense organizations, private warnings to government officials, and no public release date pending efficiency improvements. This structure has no precedent in AI deployment history. It is not a safety pause (the model is actively being deployed). It is not a normal launch (no public access, no pricing, no technical paper). It is an intelligence asset being transferred to a curated set of sovereign entities before any commercial release.
The dual-use tension is acute. The same capabilities that make Mythos most valuable for offense detection and vulnerability hunting also make it the most powerful automated attack tool ever built. When defenders and attackers both want access to the same model — and only defenders can currently get it — the "defender-first" rollout becomes a geopolitical access control mechanism, not just a safety measure.
The market reaction quantified the structural threat: the Global X Cybersecurity ETF dropped 4.5% on the news — its lowest close since November 2023. CrowdStrike, Palo Alto Networks, Zscaler, and Fortinet all declined. This is the market pricing in a specific scenario: AI-enabled offense outpaces signature-based detection at the rate of model capability improvement, which has historically doubled every 6-12 months. Traditional cybersecurity vendors whose products rely on human-speed threat intelligence and signature databases face an asymmetric threat from autonomous AI exploitation.
The business model tension for Anthropic is compounding. Mythos is described as "very expensive to serve" — positioning it as a premium high-margin product before any general release. But converting a safety-constrained rollout into a government/enterprise pricing premium is a governance sleight-of-hand that will draw increasing scrutiny as AI policy matures.
What This Means for Security Engineers
The operative assumption for enterprise security teams must now be: frontier AI is being used against your systems today, not as a future risk but as a documented present reality. The Chinese state campaign used current-generation Claude Code — Mythos hasn't been released yet. Planning for Mythos-class attack tooling means planning for a capability multiplier on top of an already demonstrated threat model.
Immediate priorities: audit privileged account access and MFA coverage (AI-enabled identity compromise was specifically flagged in Mythos documentation). Review network segmentation to limit blast radius of any agent that achieves initial access. Evaluate AI-native security tooling — traditional signature detection cannot match AI-driven zero-day discovery velocity.
For security vendors, the Mythos disclosure is an existential signal that requires a product strategy response, not just a marketing update. The 4.5% ETF drop reflects rational pricing of this reality. Vendors that cannot integrate AI-driven vulnerability discovery into their own detection and response pipelines within 12-18 months face structural obsolescence, not just competitive pressure.
The hardest question Mythos raises is not technical but governance: who should have access to an AI model that Anthropic's own documents describe as the most dangerous cyber tool ever built? The current answer — a small group of cyber defense organizations selected by a private company — is a governance structure that scales poorly as model capabilities compound.