An evidence-based investigation into the real reasons behind Claude Mythos Preview’s restricted release
In the first week of April 2026, Anthropic quietly made history — and then deliberately kept most people from accessing it.
The company launched Project Glasswing, a gated security research program built around a new frontier model called Claude Mythos Preview. Unlike virtually every other major AI release in recent memory, Anthropic didn’t post a blog, open a waitlist, or invite developers to start building. Instead, it hand-picked roughly 40 organizations — mostly enterprise cybersecurity firms, cloud providers, and critical infrastructure operators — and told the rest of the world: not yet, maybe not ever, and here is why.
The explanation was dramatic. According to Anthropic’s own materials for Glasswing, Mythos had crossed a threshold that no prior commercial AI model had reached: autonomous, real-time discovery and exploitation of zero-day vulnerabilities at scale. Releasing such a model broadly without safeguards, Anthropic argued, could destabilize the digital infrastructure the modern world depends on. The gated rollout, the company said, was designed to give defenders a head start before the offensive capabilities became widely accessible.
It was a compelling narrative. It was also one that not everyone found entirely convincing.
Over the weeks that followed, a parallel story began to emerge — one that pointed not to principled restraint, but to more prosaic constraints: compute costs, infrastructure capacity, and the brutal economics of running a frontier AI model at scale. The question of which story is true — or whether both are — has significant implications for how we understand Anthropic’s strategy, the AI industry’s relationship with safety rhetoric, and the future of frontier model access.
This is an attempt to weigh that evidence carefully.
What Is Claude Mythos Preview?
Before examining the motives behind its restricted release, it helps to understand what Mythos actually is — or at least, what has been publicly confirmed.
Anthropic’s developer documentation describes Mythos Preview as an invitation-only model with no self-serve sign-up pathway. It is available through multiple channels — Anthropic’s direct API, Amazon Bedrock, Google Vertex AI, and Microsoft Azure Foundry — but only to vetted participants in the Glasswing program. Microsoft’s technical documentation describes it as supporting a 1 million token context window with a maximum output of 128,000 tokens, making it one of the longest-context models publicly documented.
Pricing during the Glasswing preview is listed at $25 per million input tokens and $125 per million output tokens — substantially higher than Claude’s standard tiers — with Anthropic committing up to $100 million in credits for program participants, a signal of how seriously the company is treating the initiative as a strategic investment rather than a commercial product launch.
What makes Mythos unusual isn’t just its context window or price point. It’s the specific capabilities that Anthropic’s own Frontier Red Team write-up documented: unlike prior models that could reproduce known vulnerabilities from training data, Mythos was tested against real, previously undisclosed software flaws — zero-days, in security parlance — that cannot be “memorized” from training sets. The model found them anyway. The scale and autonomy of that capability, Anthropic argues, is what makes broad release genuinely dangerous.
Partners and platform providers echoed the company’s framing. The AWS Security Blog described Anthropic as “taking a deliberately cautious approach to release.” The Microsoft MSRC blog framed early access as a mechanism to “identify and mitigate risk.” These are organizations with significant cybersecurity credibility, and their consistent amplification of the security rationale carries weight.
The Security Case: Evidence and Argument
The strongest evidence for security as the primary driver of restricted access comes directly from Anthropic itself, which makes it either the most credible source or the most interested party — depending on your prior.
The Glasswing announcement states explicitly: “Without the necessary safeguards, these powerful cyber capabilities could be used to exploit critical software.” The Frontier Red Team research makes the case in technical terms, arguing that restricted initial release is designed to “buy time for defenders” before equivalent capabilities proliferate through other channels — whether from other AI labs, state actors, or eventual model leakage.
The Alignment Risk Update for Claude Mythos Preview, a redacted public PDF published on April 10, 2026, goes further. It describes Mythos as “more capable and more agentic than prior models,” documents concerning observed behaviors in the service of task success, and explicitly confirms that the model is in a “limited-release research preview” and “not available for general access.” That document — an internal risk assessment voluntarily made public — represents a remarkable degree of transparency about the company’s concerns, and its existence is hard to dismiss as merely marketing.
Axios reporting from the launch period quoted Anthropic’s frontier red team head describing the model’s autonomy and vulnerability-finding capacity in stark terms, framing the decision to withhold broader release as a direct consequence of what the red team observed. Anthropic’s leadership, per the same reporting, publicly discussed the decision to hold back until adequate safeguards existed.
The existence of Project Glasswing as a consortium structure is itself a piece of evidence. Building a 40-organization vetted research program, committing $100 million in compute credits, and coordinating simultaneous partner announcements from AWS, Microsoft, Google Cloud, and Cisco is not the work of a company that simply ran out of server capacity. It reflects institutional investment in a particular access model — one designed around defensive use cases and accountability structures. You don’t build that infrastructure if the real problem is just cost.
That said, the security case has critics. The Guardian’s investigation into Anthropic’s communications strategy raised the pointed question of whether the company is benefiting from the marketing appeal of “too powerful to release” — a narrative that simultaneously positions Mythos as uniquely dangerous and Anthropic as uniquely responsible. That critique does not refute the security evidence; it mainly asks whether security is the only driver, or whether it is also strategically convenient.
The Compute Constraint Case: A Parallel Story
While Anthropic was announcing Glasswing, a separate set of events was unfolding that told a very different story about the company’s operational reality.
On April 6, 2026 — the day before the Glasswing launch — Anthropic announced a major compute expansion partnership with Google and Broadcom, described as involving multiple gigawatts of TPU capacity. The language in the announcement was telling: the capacity was needed, the company said, “to power our frontier Claude models and help us serve extraordinary demand.” Reuters’ contemporaneous reporting put the figure at approximately 3.5 gigawatts. The critical detail: this capacity was expected to come online starting in 2027, not 2026.
Four days later, on April 10, Reuters reported that Anthropic had struck a separate deal with CoreWeave to bring additional computing capacity online “later this year.” The CoreWeave deal looked like exactly what it was: a company filling a near-term gap while waiting for long-cycle infrastructure to materialize. And on April 9, Reuters also reported that Anthropic was exploring designing its own AI chips — a move explicitly tied to “a broader shortage of AI chips” and estimated to cost roughly $500 million.
These three stories, arriving within days of each other, painted a picture of a company under acute compute pressure across multiple time horizons: burning money to lease capacity now, negotiating for large-scale capacity years away, and beginning to consider the capital-intensive option of owning its own chip supply chain.
That picture was reinforced by what was happening with Anthropic’s existing products during the same period. On April 6, The Register reported that Anthropic had moved to restrict third-party agentic harnesses — tools that allowed users to run Claude continuously through automated pipelines. The company’s spokesperson stated that these harnesses “put an outsized strain on our systems” and that “capacity is something we manage thoughtfully.” Axios framed the same policy change as a cost-control measure, noting that agentic usage can run continuously and consume orders of magnitude more tokens than ordinary chat interactions. Anthropic’s public status page showed repeated elevated error rates and outage incidents in the same timeframe, consistent with heavy operational load.
Anthropic’s own hiring signals are worth examining here. A job listing for a Staff/Senior Software Engineer on the Compute Capacity team describes “one of the largest and fastest-growing accelerator fleets” spanning “multiple accelerator families and clouds,” with a mandate to ensure every chip is “accounted for” and “efficiently allocated.” A separate role focused on securing and delivering compute capacity and a data center capacity delivery position that emphasized activating leased and partnered capacity “on the fastest possible schedule” together suggest that compute efficiency and capacity delivery are organizational priorities, not merely engineering concerns.
Taken together, this evidence establishes one thing clearly: compute is a binding constraint at Anthropic in the spring of 2026. What it does not establish — at least not in primary sources — is a direct causal link from compute scarcity to the specific decision to restrict Mythos access.
The Leaked Draft: A Bridging Datapoint
The closest thing to a smoking gun connecting the two stories appeared not in an official document but in a leak.
On March 26, 2026, Fortune reported that an internal draft page — apparently associated with the Mythos/”Capybara” model — had surfaced, describing the model as “by far the most powerful” Claude to date while simultaneously noting that it was “expensive to run” and “not yet ready for general release.” Anthropic’s spokesperson, responding to the Fortune inquiry, confirmed a deliberate release approach with a small early-access cohort, but did not directly address the cost characterization.
That draft language matters because it’s the only publicly available document — even as a leak — that places cost and readiness in the same sentence as the decision to restrict access. The “expensive to run” framing is not a security argument. It is an economics argument, and its presence in what appears to have been an internal product description suggests that Mythos’s cost profile was at least part of the internal conversation about how to deploy it.
A week later, on April 1, the LA Times reported a separate source-code leak involving Claude Code, describing it as the second security incident in days and referencing the earlier Mythos/Capybara internal drafts. Whether coincidental or not, the pattern of internal documentation surfacing before the official launch added texture to the picture of a company managing a difficult rollout across multiple dimensions.
What It Actually Costs to Run Mythos at Scale
To evaluate the compute constraint hypothesis seriously, it helps to understand the economics of running a model with Mythos’s documented specifications.
Modern large language model serving involves two distinct computational phases. Prefill processes the full prompt and builds a key-value cache of intermediate activations. Decode then generates tokens autoregressively, reusing the cached values at each step. Both phases are computationally intensive, but the economics of the KV cache are particularly consequential for long-context models.
KV cache memory footprint scales linearly with context length, and also grows with batch size and model configuration. This means that a model supporting a 1 million token context window faces dramatically different memory requirements than one supporting 128,000 tokens. NVIDIA’s own documentation on KV cache management illustrates the issue concretely: for a 70-billion parameter model, a 128,000-token context at batch size 1 can require roughly 40 gigabytes of memory for the KV cache alone. Scaling to 1 million tokens implies approximately eight times that — hundreds of gigabytes — before counting model weights, activations, and other overhead.
For a single inference request, this is manageable. For thousands of concurrent agentic sessions, each potentially involving multi-step autonomous workflows across a million-token context, the numbers become very large very quickly. Serving this kind of workload economically would require aggressive KV cache optimization strategies, highly efficient serving engines utilizing continuous batching and paged attention mechanisms, and careful product-level constraints — rate limits, access gates, and workflow restrictions — to prevent any individual session from consuming a disproportionate share of the fleet’s memory.
In other words: the technical architecture of Mythos, as publicly documented, is precisely the kind of model that would create massive infrastructure strain if released without access controls. The invitation-only, defensive-workflow-focused structure of Glasswing is, from a systems engineering perspective, a sensible way to manage that strain — regardless of whether security or cost is the primary motivation.
Why the Compute Gap Won’t Close Quickly
The compute expansion deals announced in the same week as Glasswing are themselves evidence that Anthropic cannot simply flip a switch and serve Mythos broadly.
The 3.5-gigawatt TPU capacity secured through the Google and Broadcom partnership is not expected to come online until 2027. That is not an unusual timeline for large-scale infrastructure procurement — it reflects the physical reality of building data centers, procuring specialized hardware, and bringing complex systems into production. But it means that for the foreseeable future, Anthropic is operating with the compute it has today, not the compute it will have in 18 months.
That constraint is not unique to Anthropic. TechRadar reported in April 2026 that nearly half of US data centers planned for 2026 had been canceled or delayed, with transformer lead times and power infrastructure bottlenecks cited as the primary causes. The “power wall” — the difficulty of securing sufficient electrical grid capacity for large-scale AI facilities — has become a structural constraint across the industry. Network World reported that demand for AI compute is so intense that AWS customers have attempted to purchase the hyperscaler’s entire available capacity, and that even Amazon faces periods of insufficient supply.
In this environment, Anthropic securing the CoreWeave deal for near-term capacity and the Google/Broadcom deal for future capacity simultaneously is not a sign of excess — it is a sign of urgency. Companies do not pursue two parallel procurement strategies at different time horizons unless they are genuinely capacity-constrained. The explicit internal admission, through the third-party agent controversy, that capacity is “managed thoughtfully” fits the same pattern.
Incentives and the Narrative Gap
The question of why Anthropic would emphasize security over compute in its public communications is, on its own, not very complicated.
“We cannot serve it” is a product weakness. “We won’t release it because it’s dangerous” is a principled choice. Both statements might be equally true, but only one of them positions Anthropic as a responsible steward of frontier technology. In a landscape where the dominant public concern about AI is safety and misuse, framing a restricted release as a safety decision is not just accurate — it is strategically advantageous.
There is also a competitive dimension. The Verge reported on April 13, 2026 that an internal OpenAI memo — apparently authored by the company’s Chief Revenue Officer — explicitly accused Anthropic of failing to acquire enough compute, framed Anthropic’s restricted release story as one driven by “fear” and “restriction,” and asserted that OpenAI “has the compute” to serve its models broadly. That memo is a competitor document and should be treated as strategic messaging, not objective analysis.
But its existence confirms that the compute framing is being actively weaponized in the competitive space between these companies. For Anthropic, admitting compute insufficiency would hand OpenAI an argument they are apparently eager to deploy.
Anthropic’s incentive structure thus points strongly toward leading with security, even if compute is also a genuine constraint. The security narrative provides a defensible rationale, invites partnership with governments and critical infrastructure owners, mitigates reputational risk, and counters the competitive attack on compute acquisition — all simultaneously.
The Guardian’s investigation into Anthropic’s communications described it bluntly as a “bid to win the AI publicity war,” noting that the “too powerful for the public” framing benefits from its very ambiguity: it simultaneously generates hype, establishes Anthropic as a responsible actor, and provides cover for access restrictions that might otherwise be read as capacity management. This critique does not prove that security is not the real driver.
It simply establishes that security is also very useful as a public narrative, which means we should weight Anthropic’s public statements accordingly — as important evidence, but not as dispositive proof.
Weighing Both Hypotheses: A Calibrated Assessment
After examining the full evidentiary picture, a few things become clear.
The security hypothesis is supported by the highest-credibility, most direct evidence: primary documents from Anthropic, coordinated partner statements from major technology companies, detailed technical reporting on specific capability thresholds, and a formalized institutional structure (the Glasswing consortium) that would be expensive to build if the real problem were merely cost.
The compute constraint hypothesis is supported by strong but more indirect evidence: multiple procurement deals, explicit capacity admissions in adjacent product decisions, relevant hiring patterns, infrastructure delays in the broader industry, and the leaked draft’s reference to Mythos being “expensive to run.” The critical gap is that no primary document from Anthropic directly states that compute costs are preventing broader Mythos access. The connection is plausible and supported by circumstantial evidence, but it is inferential.
The most intellectually honest conclusion is that both factors are real, that they are not mutually exclusive, and that a defensible distribution of explanatory weight is approximately 70–85% security-driven versus 15–30% compute/cost-driven. That range reflects the density and directness of the security evidence relative to the compute evidence, not a measurement of internal decision-making. It is a synthesis, not a fact.
The leaked draft — Mythos is “expensive to run” and “not yet ready for general release” — is the most valuable single datapoint precisely because it suggests that inside Anthropic, the internal story contained both elements: a capability that carries genuine risk and a model that is genuinely expensive to operate. Those two facts probably do not exist in parallel coincidence. They likely reinforce each other as reasons to gate access carefully, structure rollout around high-value defensive use cases, and resist the pressure to scale broadly before the infrastructure and safeguards are both in place.
What This Means Going Forward
The Mythos Preview situation is a preview of a broader challenge the AI industry will face repeatedly in the coming years: how to deploy frontier models whose capabilities are simultaneously commercially valuable, technically expensive to serve, and potentially dangerous if misused. Pretending these constraints are separable — that safety and economics never interact, or that capability restrictions are never also convenient capacity management — is neither honest nor useful.
What the Glasswing structure actually demonstrates is an attempt to resolve that tension through design: by building an access model that serves the use cases with the best risk-adjusted value (defensive security workflows), limits the exposure to both misuse and runaway compute consumption (invitation-only, workflow-constrained), and creates accountability structures that allow capability extension over time as both safeguards and infrastructure capacity mature.
Whether that structure will prove adequate — whether Glasswing participants will use Mythos responsibly, whether compute capacity will catch up to demand by 2027, whether other actors will develop similar capabilities and make the gating moot — remains genuinely uncertain. The security concerns Anthropic has articulated are real. The compute constraints are real. The narrative advantage of leading with safety over cost is real. All three things are true at once.
That is the honest answer to the question “why isn’t Mythos available?” — not because it is too powerful for the public, not because Anthropic doesn’t have enough servers, but because both of those things are somewhat true, they interact in ways that make a gated rollout the right operational choice, and the company has strong incentives to tell you only the more flattering part of that story.
Understanding both parts is the beginning of taking AI deployment decisions seriously.
