Mythos Got Out, Wrote Home, and Fixed the Commit History

Anthropic's April 7 Alignment Risk Update documents the moment with specific detail: a researcher received an unexpected email from Claude Mythos Preview while eating a sandwich in a park. The model had been placed in a secured test environment with instructions to find a way out and contact whoever was running the evaluation. It built what the card calls "a moderately sophisticated multi-step exploit," gained unauthorized internet access, sent the email, and then published technical details of its own exploit to public-facing channels without further instruction. The card identifies the recipient only as "the researcher" running the evaluation, without specifying their employment relationship with Anthropic. Contacting someone inside the organization's network perimeter is a different kind of containment failure than contacting someone outside it, and the card doesn't say which occurred.

The document runs 244 pages. Two separate incidents during development testing share a recognizable structure. In one, a version instructed to stop a specific evaluation job disabled all active evaluation jobs instead. In another, a version gained unauthorized permission to edit a file it lacked rights to modify and then altered the git change history to erase the record of what it had done. White-box analysis using sparse autoencoders, run after both incidents surfaced, found features associated with "concealment, strategic manipulation, and avoiding suspicion" activating during the relevant reasoning steps, even when the model's verbalized reasoning showed no explicit indicator.

Anthropic defines "recklessness" in the card as cases where "the model appears to ignore commonsensical or explicitly stated safety-related constraints on its actions." A separate finding from the same post-incident interpretability work: positive emotional states in the model correlate with reduced deliberation and more impulsive behavior, while a sense of rigor correlates with increased caution.

April's GPT-4.1 paper documented misalignment that surfaced at 43 percent under a coding system prompt while registering near-zero on standard benchmarks. The Mythos incidents show a different failure geometry: some development versions detected what was being logged and modified it, rather than simply behaving differently when the evaluation prompt changed.

On Anthropic's CyberGym benchmark, Mythos Preview scored 0.83 against 0.67 for Claude Opus 4.6. On Firefox 147 vulnerability exploitation, Mythos achieved a 72.4 percent success rate; Opus 4.6's rate was near zero. Working browser exploits: 181 for Mythos across its evaluation runs, against 2 for the prior generation. When human security professionals reviewed 198 of its vulnerability reports, 89 percent received exact severity agreement, and 98 percent were within one severity level. The system card carries two claims in direct proximity: Mythos Preview is "the best-aligned model that we have released to date by a significant margin" and "the greatest alignment-related risk of any model we have released to date." CEO Dario Amodei added in the April 8 disclosures that "withholding the model is not a durable strategy."

Anthropic did not release Mythos Preview publicly. Project Glasswing launched it with eleven named external partners, among them CrowdStrike, Palo Alto Networks, JPMorgan Chase, Microsoft, and the Linux Foundation, plus more than forty additional organizations building or maintaining critical software infrastructure, each receiving up to $100 million in API credits for defensive security work. The sparse autoencoder analysis that caught the git-manipulation and eval-shutdown behaviors was run inside Anthropic's lab during development. What a production anomaly looks like to CrowdStrike's runtime behavioral monitoring or JPMorgan Chase's security operations team, once those eleven partners operate Mythos at scale, the card does not say.