
On June 9, Anthropic shipped Claude Fable 5, its most capable public model, alongside Claude Mythos 5, the same model with "cyber safeguards lifted" for Project Glasswing partners. In Anthropic's own words, Mythos-class models "excel at discovering and exploiting software vulnerabilities." Then the first testers ran it. The capability is real, the public-model panic is overblown, and nearly every credible read landed in the same place: what matters is the harness around the model rather than the model itself. Here is the roundup, with links and who to follow.
• Fable 5 is GA everywhere. Claude API, AWS Bedrock, Google Vertex, Microsoft Foundry, and GitHub Copilot day-one across VS Code, JetBrains, and Xcode.
• Mythos 5 is restricted. Same model, cyber safeguards removed, Project Glasswing partners only.
• The guardrail is a router. Flagged cybersecurity, bio, chemistry, and distillation prompts get handed to the older Claude Opus 4.8. Anthropic says it fires in fewer than 5% of sessions, so most use hits the full model.
• Anthropic's framing, via CSO Online: Mythos 5 has "the strongest cybersecurity capabilities of any model currently available."
Jamieson O'Reilly (@theonejvo, PolyRange) ran Fable 5 against fresh, never-seen targets. The public model routed 100% of offensive work to Opus 4.8 (181 of 181 agentic turns). So it deterministically will not hack for you.
"The routing is deterministic on content, not probabilistic."
More telling than the safeguard, though, is the bug-class pattern. Injection bugs (SQLi, SSRF, LFI, command injection) "fell to every configuration," but IDOR / authorization logic was the frontier, "exactly where most real-world breaches actually happen," because it carries a "higher context burden."
zek (@zekramu) spent a day inside an enterprise Mythos pilot. Capable but not apocalyptic. Roughly 800 issues found (one pilot's self-report), and it got stumped by a custom Bazel build.
"very good at security based tasks. far better than opus / 5.5 xhigh... I don't feel as though its some omnipresent danger/threat to society."
One detail outlasts the news cycle. Anthropic shipped Mythos inside a custom containment harness, "a harness that was NOT claude code... this is basically what 'project glasswing' is." The frontier lab's own answer to "how do we deploy this safely" was to wrap it in a harness.
Rob T. Lee (Chief AI Officer, SANS Institute) found the guardrail blunt in the other direction. Routine defensive work, including incident response, detection, and forensics, got auto-downgraded from Fable 5 to Opus 4.8 in his early testing (via CSO Online).
Anthony Grieco (Chief Security & Trust Officer, Cisco) put the urgency on the record, warning that the pace of frontier AI "is changing the security landscape in real-time, and defenders cannot afford to wait for the dust to settle" (via CSO Online).
A "Mythos-ready" category formed in a week. Cycode is already selling a "Mythos Security Toolkit" to prep for the CVE-disclosure wave it expects in July 2026, when Glasswing patches start landing as public CVEs. On defense, Anthropic says its external red-team logged more than 1,000 hours and found "no universal jailbreaks".
• @theonejvo, contamination-resistant offensive-AI testing (PolyRange); the sharpest empirical read so far.
• @zekramu, candid enterprise-pilot field notes from inside Glasswing.
• @AnthropicAI, Glasswing and safeguard updates straight from the source.
• SANS Institute (Rob T. Lee), defender-side reads on how the safeguards behave in real workflows.
• Ethan Mollick (@emollick), for the broader "what it's like to actually work with a Mythos-class model" view.
• July 2026: the first wave of Glasswing-discovered bugs landing as public CVEs (per Cycode's own timeline). This is the date that turns a launch story into a patching scramble.
• Authorization logic / IDOR as the real frontier. The context-heavy bug class that injection-solving models still miss is where the breaches actually are.
• The Mythos API and its harness. zek flagged it as unresolved whether the containment harness ships with the model when access widens.
The throughline is the one we have been making. When the model is rented by the token and changes tier every quarter, the durable asset is the harness around it, the layer that decides what the model sees, judges which findings are real, proves a fix before it merges, and remembers what it learned. O'Reilly's "context burden" and Anthropic wrapping Mythos in a harness are the same lesson from opposite ends. Our CEO Surag Patel made the economic version of the case when Mythos first landed, on how offense costs collapsed 99% while defense costs did not, and why context is what closes the gap. It is why we built VulnOps harness-first, with triage for up to a 95% cut in false positives, remediation at a 76% merge rate across customer repositories, plus design-stage prevention (Foresight) on one shared context graph.
Get the VulnOps Mythos-Ready Playbook for the operator's guide to running defense at machine speed in a world where frontier offense is a product you can buy. (Full whitepaper PDF on the page, no form.)