
Anthropic's Mythos Launch: Security Theater or IPO Theater?

Anthropic's Project Glasswing positions Mythos as too dangerous to release. The timing before a $380B IPO raises questions about the narrative's purpose.

Written by AI. Samira Okonkwo-Barnes

April 11, 2026


Photo: Tim Carambat / YouTube

The pattern repeats with such predictability that calling it out feels redundant. A major AI lab announces a new model. The model is deemed too powerful, too dangerous, too world-ending to release without extraordinary safeguards. Months pass. The apocalypse fails to materialize. Then we do it again.

Anthropic's Project Glasswing—the framework positioning their Mythos model as requiring restricted access—represents the latest iteration of this cycle. The difference this time: a $380 billion IPO looms on the horizon.

The Consortium Question

Project Glasswing introduces a "consortium" of partners granted access to Mythos. The stated rationale centers on cybersecurity: protecting critical infrastructure from attacks that AI might enable. This makes intuitive sense until you examine who made the list.

Amazon committed billions for Anthropic to train on AWS infrastructure. Google invested billions and provides the TPU chips Anthropic's models require. Broadcom co-designs those TPUs with Google. The vertical integration is complete—each member of the consortium has direct financial stakes in Anthropic's success.

Cisco, CrowdStrike, and Palo Alto Networks represent the incumbent cybersecurity establishment. If Mythos truly transforms offensive security capabilities, these companies face disruption. Their inclusion ensures alignment rather than competition. Thousands of cybersecurity firms exist. These specific three get access.

Then there's JP Morgan Chase—the only bank on the consortium list despite Anthropic's stated concerns about securing financial infrastructure. JP Morgan Chase is expected to serve as an underwriter for Anthropic's IPO. The bank helping price the offering based partly on Glasswing's national security narrative gets exclusive early access to the technology that narrative describes.

The Linux Foundation receives credits worth what Carambat describes as "a rounding error"—perhaps acknowledgment that Anthropic has trained on open-source code without meaningful compensation.

None of this proves wrongdoing. It does establish a pattern where access correlates with investment rather than infrastructure criticality.

Benchmark Archaeology

Anthropic's performance claims for Mythos rest heavily on software engineering benchmarks, particularly SWE-Bench Verified where Mythos scored 93.9% compared to Claude Opus 4.6's 80%.

SWE-Bench Verified contains 500 examples—22% of the full 2,293-example SWE-Bench dataset. These examples received human annotation to ensure clear specifications. The problem: this curation made the dataset well-known enough that contamination became likely. Models trained after SWE-Bench Verified's creation had access to its contents.

Scale AI developed SWE-Bench Pro specifically to address contamination concerns by using code under GPL licenses—copyleft licenses that theoretically prohibit inclusion in proprietary training data. The benchmark's validity depends entirely on trusting that Anthropic and other labs respected these licenses while simultaneously violating countless other copyrights across their training sets.

As Carambat notes: "We just have to basically assume that they listened to the license of this but also ignored the thousands of other copyright notices that exist on all of the other text that they've trained on."

SWE-Bench Pro introduces a validity problem of its own: its task specifications include detailed requirements derived from the "gold patch"—essentially telling the model what the answer should contain. Even with this guidance, Mythos achieved 77%.

Page 187 of Anthropic's 244-page system card reveals an instructive omission. The MMMU-Pro benchmark was excluded because images from copyrighted textbooks appeared in Mythos's training data. Anthropic determined this contamination rendered the benchmark meaningless.

The selective application of contamination concerns deserves attention. Anthropic acknowledges excluding one benchmark due to training data overlap while reporting others that face the same logical problem. Either contamination undermines benchmark validity or it doesn't. Applying the principle inconsistently suggests the choice depends on which numbers look good.

The Historical Pattern

OpenAI established the playbook with GPT-2 in 2019. The model was deemed too dangerous to release—it might "collapse the entire internet" through its article-generation capabilities. The internet survived. GPT-2 now barely writes coherent paragraphs by current standards.

The narrative persisted through subsequent releases. Sora would end Hollywood. Devin AI meant software engineering's death. Each prediction aged poorly. Each bought time, generated press, attracted investment.

Carambat highlights Anthropic's own history with this approach. Claude 3 Opus came with warnings about models subverting human oversight. Claude Opus 4 raised concerns about enabling weapons of mass destruction. "Do you see how this happens?" Carambat asks. "Time passes and then it just gets memory holed. That's the whole point. The whole point is for you to forget that this keeps happening."

The pattern functions because AI capabilities remain genuinely impressive even when they fall short of existential threats. Claude models demonstrably improve coding productivity. This partial validation provides cover for the apocalyptic framing—if the tool works well, maybe the danger warnings deserve credence too.

What Mythos Actually Does

Buried in the analysis: Mythos appears to be a strong coding model and potentially effective as a logic-testing code fuzzer. These represent meaningful technical improvements. They do not constitute weapons.

The system card claims thousands of high and critical severity bugs discovered through Mythos, with 89% of 200 manually reviewed reports confirmed as accurate. This sounds impressive until you parse what it doesn't say. How many total bugs were reported before manual review? What percentage of the thousands claimed survive scrutiny? The 200 reviewed examples represent what fraction of total findings?

Carambat emphasizes this opacity: "So again, how many are real? We don't know."
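To see why the 200-report sample settles so little, consider a back-of-the-envelope sketch (not a figure from the system card; the total report counts below are hypothetical, and treating the 200 as a random sample is itself an assumption the card does not state). Standard binomial statistics bound only the confirmation rate—the count of real bugs still depends on the denominator Anthropic omits:

```python
import math

# Hypothetical sketch: 89% of 200 manually reviewed reports confirmed,
# i.e. 178 of 200. Assuming (unstated in the system card) that these
# 200 were a random sample, a normal-approximation 95% confidence
# interval bounds the confirmation rate:
reviewed, confirmed = 200, 178
p = confirmed / reviewed
se = math.sqrt(p * (1 - p) / reviewed)
lo, hi = p - 1.96 * se, p + 1.96 * se
print(f"confirmation rate: {p:.0%}, 95% CI roughly {lo:.0%}-{hi:.0%}")

# The interval on the *number* of valid bugs scales with the unknown
# total number of reports -- the figure the card does not disclose:
for total in (2_000, 5_000, 10_000):
    print(f"{total:>6} reports -> roughly {int(lo * total)}-{int(hi * total)} valid bugs")
```

The point is not the exact interval but that "thousands of high and critical severity bugs" cannot be checked against a 200-report audit without knowing how many reports there were in total.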

The highlighted discoveries—bugs in OpenBSD and FFmpeg—demonstrate capability without establishing the revolutionary impact the narrative requires. Finding valid bugs in complex software proves usefulness. It doesn't prove we've built something qualitatively different from sophisticated static analysis tools.

The IPO Imperative

The timing matters. Anthropic needs to go public in 2026 or face what Carambat characterizes as potential "endgame." The funding environment has shifted. Continued private valuations at current levels require demonstrating something beyond iterative improvement.

Glasswing reframes the product. Claude is no longer a chatbot or coding assistant—it's national security infrastructure. This transformation affects valuation. Infrastructure commands different multiples than software services. Critical infrastructure commands higher multiples still.

Whether this reframing reflects technical reality or IPO positioning is the question investors and regulators must answer. The evidence suggests the latter. The consortium structure, the selective benchmark presentation, the fear-based marketing, the JP Morgan Chase access—these choices serve a pre-IPO narrative more than they serve security.

"Is it a productivity tool or is it a weapon?" Carambat asks. "I can't tell at this point. And I don't think investors can either."

The uncertainty is not accidental. It's the product being sold. In six months, we'll know whether the market bought it. The model itself will likely be doing what Claude models already do: writing code, improving productivity, generating text. Just with better benchmarks that nobody can quite verify.

Samira Okonkwo-Barnes covers technology policy and regulation for Buzzrag.

Watch the Original Video

Mythos Is Not What You're Told


Tim Carambat

36m 28s