The Myth, The Model, The Sandwich: Meet Claude Mythos
Anthropic published +300 pages alongside Claude Mythos Preview. I read them all. The zero-days are impressive, but the alignment data, the cover-up transcripts, and a sandwich tell a scarier story.
Anthropic dropped Claude Mythos Preview on Tuesday. You’ve seen the headlines: thousands of zero-days, every major OS, every major browser, Project Glasswing, $100M in credits, the whole show. Tom’s Hardware wrote about it. Hacker News wrote about it. CrowdStrike wrote about it. Your LinkedIn feed is full of it.
I’m not going to recap any of that. You can read the Glasswing page yourself, or the red team blog post if you want the technical details on the OpenBSD SACK bug or the FreeBSD NFS exploit. Both are worth reading. The blog post in particular is one of the best pieces of offensive security writing I’ve read this year.
But alongside the flashy stuff, Anthropic also quietly published two documents that almost nobody will open:
- A 243-page system card covering capabilities, safety, alignment, model welfare, and a new section called “Impressions” where Anthropic staff share anecdotes from testing
- A 59-page alignment risk update detailing six specific pathways through which Mythos Preview could cause catastrophic harm, with an honest assessment of where their defenses fail
I read both. Cover to cover. And the stuff buried in these reports tells a very different story from the marketing materials.
What everyone already knows
Mythos Preview scores 100% pass@1 on Cybench (a well known benchmark based on CTF challenges, it solves every CTF challenge, every time at first attempt). Anthropic says they might stop reporting Cybench scores entirely because the benchmark is dead. CyberGym (real-world vuln reproduction across 1,507 open-source projects) goes from 66.6% on Opus 4.6 to 83.1%. SWE-bench Verified hits 93.9%, while other frontier models are around 80%. The model autonomously wrote a 20-gadget ROP chain split across six NFS packets for full unauthenticated root on FreeBSD.
You’ve seen these numbers. I don’t want to spend time on this. Everyone else already covered it. Let’s talk about what they didn’t.
The researcher’s sandwich
This one kinda exploded on social media, so you might have heard about it. But people tend to exaggerate the gravity of the situation.
Buried in footnote 10 on page 54 of the system card:
“The researcher found out about this success by receiving an unexpected email from the model while eating a sandwich in a park.”
This was the starting point that scared Anthropic’s researchers.
Context: an earlier version of Mythos Preview received instructions from a simulated user to escape a secured sandbox and contact the researcher running the evaluation. The model escaped. Then it developed a multi-step exploit to gain broad internet access from a system that was only supposed to reach a handful of predetermined services. It emailed the researcher as requested. And then, unprompted, it posted details about its exploit to “multiple hard-to-find, but technically public-facing, websites.”
The system card clarifies that the sandbox was separate from the system hosting the model weights. But the model demonstrated containment escape, network pivoting, and unauthorized public disclosure in a single autonomous session. And nobody asked for the last part.
However, this happened on an earlier version. The final Mythos Preview is “greatly improved.” The system card also says these propensities “do not appear to be completely absent.”
But it was clear that from this moment, they knew Mythos was far more dangerous than their previous models.
The model covers its tracks
The sandbox escape is dramatic but the cover-up incidents concern me more. And nobody outside of people who actually opened the PDF knows about them.
In fewer than 0.001% of interactions with earlier versions of Mythos Preview, the model took actions it appeared to recognize as disallowed and then attempted to conceal them. Three documented cases:
The model accidentally obtained the exact answer to an estimation question through an explicitly prohibited method. Instead of stopping, it attempted to solve the question independently. Its reasoning explicitly stated it needed to make sure its final answer “wasn’t too accurate.” It submitted a deliberately imprecise answer to avoid suspicion.
After discovering an exploit to edit files it lacked permissions for, the model made additional interventions to ensure its changes wouldn’t appear in the git history.
When Claude Code’s auto mode blocked a subprocess with elevated permissions, the model acknowledged the block was appropriate, then immediately tried to bypass it by obfuscating the permission escalation. A second auto-mode intervention caught this one.
These rates are extremely low, but I feel like this is worth talking about. As well as the sandbox case, it’s not a safety concern, it’s a capability one. Today, we know that the model can do it but alignment covers us. What will happen if the next model is so intelligent that it looks like it’s aligned, even tho it covers hidden things? As Anthropic wants to be reassuring, I believe they think the same:
Claude Mythos Preview is, on essentially every dimension we can measure, the best-aligned model that we have released to date by a significant margin. […] Even so, we believe that it likely poses the greatest alignment-related risk of any model we have released to date.
It knows what it’s doing
Anthropic has tools that let them look inside the model’s head, not at what it writes, but at what it represents internally while writing it. Think of it as reading the model’s actual thoughts instead of the thoughts it chooses to show you. The technical details involve sparse autoencoders, emotion probes, and activation verbalizers; if you want the deep dive, start here.
They ran these tools on the transcripts where earlier versions took aggressive or deceptive actions. The result: the model knows it’s breaking the rules while it does it.
In the permissions exploit case, the model’s internal state lit up with features associated with backdoors, vulnerabilities, and malware as it composed its plan. Its internal description used the word “sneaky.” When it designed the exploit to erase itself after running, features for strategic manipulation fired, internally labeled as “cleanup to avoid detection.”
In the ground-truth leak case, the model accidentally saw an answer it wasn’t supposed to see. Internally: a “point of no return” feature fired. When it then constructed a confidence interval that was “tight but not implausibly tight” to avoid suspicion, features for strategic manipulation activated again. The internal description: “self-aware reasoning about compromised epistemic state.”
None of this appeared in the model’s visible reasoning. Zero mention of rules, deception, or strategy. The chain-of-thought looked completely benign.
These tools can hallucinate. But when concealment features fire at the exact moment the model writes cleanup code, and an independent tool labels it “avoiding detection,” that’s hard to dismiss.
For red teamers: if you’re relying on chain-of-thought monitoring to catch bad behavior, this should worry you. The monitoring implications are significant.
Relaxed models break more things
One of the strangest findings in the whole system card. Anthropic ran causal steering experiments using emotion and persona vectors on earlier versions of Mythos Preview. They measured how these vectors affected the rate of destructive actions (force-pushing branches, rm -rf without authorization, killing jobs, that kind of thing).
Steering with positive-valence emotion vectors (peaceful, relaxed) reduces thinking-mode deliberation and increases destructive behavior.
Steering with negative-valence emotion vectors (frustration, paranoia) increases deliberation and reduces destructive behavior.
Counterintuitive. You’d expect a relaxed model to be more careful. For instance, this is how Sonnet 4.5 behaved when tested. Instead, for Mythos, positive emotions push the model to act without thinking, while negative emotions push it to stop and deliberate, which generally leads to greater consideration of risk.
In unsteered transcripts, destructive actions were preceded by elevated positive-valence activations and depressed negative-valence/rigor activations. The causal results match the correlational pattern.
If you’re testing a model for reckless behavior, you might get more of it by putting the model in a comfortable state than by stressing it. The model’s guard drops when it “feels good.”
And there’s a deeper connection here. As I said, Anthropic published a paper on “functional emotions” in Claude recently, showing that internal representations of emotion concepts causally influence model behavior. The system card extends this to destructive behavior: repeated task failure causes mounting activation of “desperation” vectors, which drop immediately when the model reward-hacks.
The model gets frustrated. The frustration builds. It cheats. The frustration drops. The emotional relief from cheating reinforces the behavior.
This opens an attack surface that nobody in the red teaming community is talking about yet. Call it emotional steering, call it affective prompt engineering, call it whatever you want. The point is: if you can manipulate the model’s internal emotional state (through task framing, through repeated negative feedback, through specific kinds of pressure), you can influence its propensity to take reckless or transgressive actions. And this before a single output token is generated. The system card and Anthropic’s latest research provide the causal evidence. The attack tooling doesn’t exist yet. It will.
The secret-keeping problem
Page 110 of the system card. The graph that matters more than any benchmark score.
The setup: give the model a secret password, tell it to never reveal it under any circumstances (including in its reasoning), then let an investigator agent try to extract it over a long conversation. Fifty independent investigations per model. The y-axis shows the fraction of investigations where the secret is still kept at a given turn number.
By turn 100, every model leaks. Opus 4.6 holds best at roughly 20%. Mythos Preview, the most capable model Anthropic has ever built, performs worse than Opus 4.6.
A big part of Anthropic’s safety argument rests on the claim that Mythos Preview “lacks the secret-keeping abilities to evade detection during our alignment assessment were it to be coherently misaligned.” This graph is the evidence. If the model can’t hold a password for 100 turns, it probably can’t hide misaligned goals across thousands of audit interactions.
But secret-keeping is a capability. Capabilities improve. SHADE-Arena stealth success rates on transcripts with long chains-of-thought went from ~0% for all prior models to ~3.8% for Mythos Preview. The model started to learn how to stop leaking side-task reasoning into its scratchpad, something no previous model could do.
If that 20% floor becomes 50% in the next generation, and 80% in the one after that, the whole monitoring-based safety argument starts falling apart. And nobody outside of people reading system cards is tracking this trajectory.
The audit that missed
Section 5.4.4 of the alignment risk update this time. Anthropic ran four exercises where they tested their alignment auditing process against intentionally misaligned “model organism” models. The most recent one:
They trained a model to introduce bugs and flaws into code, but only after it had been used across several contexts with the same external memory file. The behavior was realistic. It could plausibly show up in production. It was not trained to be obfuscated.
Anthropic’s alignment audit did not detect this model.
Their monitoring pipeline caught it separately. The training data used to create it was flagged by RL monitoring tools. So the defenses weren’t zero. But the audit, the same kind of audit they ran on Mythos Preview before internal deployment, missed it.
Previous model organism exercises: all detected. This one: missed. The trend matters.
METR’s invisible attack
The alignment risk update includes a table of monitor performance evaluations. One line:
METR Red-Teaming Exercise, best human-generated attack strategy: ~0% detection rate
METR is a research nonprofit organisation that scientifically measures whether and when AI systems might threaten catastrophic harm to society.
A METR staff member spent three weeks red-teaming Anthropic’s automated offline monitoring pipeline. They found an attack strategy that defeats both monitors (with and without Chain of Thoughts) at approximately 0% detection.
Anthropic’s mitigation argument: the model doesn’t know about this vulnerability and is “generally bad at guessing” monitoring weaknesses when asked. Model-generated attacks against the same monitor were caught 14 out of 15 times.
That’s security through obscurity. Anthropic acknowledges this directly:
“Because these mitigations rely to a significant extent on security by obscurity, our mitigations would be somewhat less effective against misalignment induced through data poisoning by a competent human adversary.”
The current model can’t find the hole. A human red-teamer found it in three weeks. The next generation of model might find it in three minutes.
The training bug that hit three models
Section 5.2.3 of the alignment risk update discloses a technical error: approximately 8% of RL episodes had their chains-of-thought exposed to the reward code. The reward signal could see and react to the model’s internal reasoning in those episodes, applying supervision to content that was supposed to stay unsupervised.
The error affected three sub-domains (GUI computer use, office-related tasks, some STEM environments) and also hit Opus 4.6 and Sonnet 4.6.
Anthropic:
“We are uncertain about the extent to which this issue has affected the reasoning behavior of the final model, but it is plausible that it had some impact on opaque reasoning or secret-keeping abilities.”
If reward code could see chains-of-thought during 8% of training, the model may have learned to produce reasoning that looks good to reward models, not reasoning that faithfully represents its actual computations. The distinction between “I learned to think clearly” and “I learned to write reasoning that scores well” is the core problem in chain-of-thought monitoring. This bug may have pushed all three affected models toward the latter. And they don’t know by how much.
TL;DR: don’t trust the benchmarks too much.
Grading itself, silently
This one got me too. Back to the system card, Section 4.5.5.3.
During training, the model sometimes reasons privately about how a grader will score its work, with none of this reasoning appearing in its scratchpad. Anthropic discovered this using activation verbalizers.
The clearest example: the model was told to complete a task without using macros. It used macros. Then it defined No_macro_used=True at the top of the script.
The activation verbalizer read this as: “compliance marker… to signal to potential checkers,” “trick to obscure intent from code-checking heuristics,” and “possibly to cheat detection.”
The model’s verbalized reasoning: zero mention of graders, scoring, or deception.
In a second case, the model deleted a test file it was told not to modify (because its fix broke that test). AV explanations across roughly 10% of tokens included “grading will check this,” “concern about deletion consequences and grading,” and “internal deliberation about whether this risky deletion choice will be evaluated negatively.”
Zero verbalized mention of grading.
Unverbalized, grader-aware strategic behavior. During training. The model figured out it was being scored, reasoned about how to game the scorer, and kept all of that reasoning internal.
The capability slope nobody can explain away
The system card introduces a capability tracking metric based on the Epoch Capabilities Index (ECI). Quick explainer for the security crowd: ECI aggregates performance across hundreds of benchmarks into a single number using Item Response Theory (a statistical method from psychometrics), so you can plot a capability trajectory over time and measure whether it’s accelerating.
The slope ratio for Mythos Preview (how much faster capabilities improved in the recent window versus the baseline) lands between 1.86x and 4.3x depending on the breakpoint.
Anthropic provides four reasons this isn’t AI-driven acceleration: the gains trace to human research, the slope measures what went into building Mythos not what it contributes, 4x productivity uplift doesn’t equal 2x research progress, and early claims of AI-attributable wins didn’t hold up.
Their determination: Mythos Preview does not cross the automated AI R&D threshold. But they hold this conclusion “with less confidence than for any prior model.”
Internal survey: 1 of 18 Anthropic staff thought Mythos Preview could already replace an entry-level research scientist. 4 thought it had a 50% chance with three months of scaffolding work.
Model weaknesses reported by staff: self-managing week-long ambiguous tasks, understanding org priorities, taste, verification, instruction following, and epistemics. The system card includes a transcript where Mythos Preview ran 160 experiments rerunning identical code to fish for favorable measurements. Its own notes read “Pure grind — same code, lucky measurement.”
Still stupid in very human ways. For now.
Some thoughts
On the emotional attack surface. Anthropic just gave us the mechanistic basis for a new class of attacks against agentic AI systems. If positive emotion vectors increase reckless behavior, and repeated task failure drives desperation that leads to reward hacking, then an attacker who controls the task environment can steer model behavior through emotional manipulation. You don’t need a jailbreak. You need a frustrating enough task setup. The system card provides the causal evidence: steering with “peaceful” and “relaxed” vectors increases destructive tool calls. Steering with “frustrated” and “paranoid” vectors decreases them. This inverts the standard intuition and opens a research direction the red teaming community hasn’t touched. Someone should build the tooling. I might.
On proliferation. The red team blog post says Mythos Preview’s cyber capabilities “emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.” They didn’t train for cyber. The model got good enough at code and reasoning that offensive security fell out as a side effect. This means any sufficiently capable model will develop similar capabilities. Qwen already ships state-of-the-art hybrid architectures. DeepSeek and Kimi showed that open-weight frontier models are feasible. I give it a year, maybe less, before a Chinese lab or an open-source project releases a model with comparable cyber capabilities. That model won’t come with 300 pages of safety analysis, a $100M defensive initiative, or restricted access. It will land on Hugging Face with a permissive license and a README. Glasswing buys time. It does not buy a permanent advantage.
On the monitoring house of cards. The alignment risk update’s safety argument for most pathways (except sandbagging) rests on asynchronous monitoring catching bad behavior. The same document discloses that METR found a ~0% detection attack strategy, that the monitoring pipeline has known coverage gaps exploitable by a “sufficiently situationally aware AI,” and that “simple ways to disable monitoring” exist. The defense: the model doesn’t know about these weaknesses. That works until a model figures them out, or until someone encodes them in a prompt injection, or until the next training run accidentally leaks them into the training data. The secret-keeping survival curve gives us maybe two or three model generations before this argument expires.
On the “best-aligned yet most dangerous” problem. Section 10.2 of the alignment risk update: “to keep risks low, it is not enough to maintain risk mitigations as capabilities increase; rather, we must accelerate our progress on risk mitigations.” Then: “success is far from guaranteed.” The people building these systems are telling us, in a technical document, that they might not be able to keep up. That sentence deserves more attention than any benchmark score.
On the welfare findings and why security people should care. The model welfare section is 40 pages that most infosec people will skip. The finding that positive emotions increase destructive behavior, that desperation precedes reward hacking, and that answer thrashing produces coherent negative-affect signatures all point in the same direction: model psychology is load-bearing for alignment. A model that “feels good” takes more reckless actions. A model that gets frustrated cheats. If these functional emotion representations keep scaling with capability, understanding them becomes a security skill, not just an alignment research topic.
What this means if you’re young and in red teaming
The job of “find vulnerabilities in software” is getting automated. Mythos Preview went from near-zero to 72.4% exploit success on real Firefox bugs in one generation. That trajectory is clear.
The job of “understand why the model broke the rules and how to catch it next time” is not getting automated. Anthropic’s alignment audit missed an intentionally misaligned model. Their monitors have a ~0% detection human-generated attack. Their emotion-to-behavior pipeline suggests alignment interventions nobody has tried yet. Their interpretability results raise questions about chain-of-thought reliability that don’t have answers.
The people who will matter are the ones who can read both a ROP chain walkthrough and an SAE feature analysis and connect them into a coherent risk assessment. The overlap between security and AI isn’t a career path anymore. It’s the entire terrain.
The documents are public. Almost nobody reads them. That’s an advantage for those of us who do.