In April 2026 we published a defender-focused read of Anthropic's Project Glasswing and the Claude Mythos Preview cybersecurity disclosures — When discovery outpaces patching. It closed with three signals worth watching. The first was capability proliferation: whether a Mythos-class model would become broadly available, whether other labs would match it, and — Anthropic's own framing — that this was a question of when, not if.
On 9 June 2026, the first of those signals arrived, and earlier than the late-August window we flagged. Anthropic released Claude Fable 5, which it describes as "a Mythos-class model that we've made safe for general use" — its most capable generally available model to date. Alongside it came Claude Mythos 5, the same underlying model with safeguards lifted in some domains, restricted to a small set of cyberdefenders and infrastructure providers through Project Glasswing.
This is not a vendor pitch and it recommends no product. It is a read of the primary source for CISOs, compliance leads, TPRM teams, and boards who have to decide whether anything changes on Monday.
What was announced
| Fable 5 | Mythos 5 | |
|---|---|---|
| Availability | Generally available (API) from 9 June 2026 | Restricted — a small group of cyberdefenders / infrastructure providers, via Project Glasswing (US-government collaboration) |
| Relationship | Mythos-class model "made safe for general use" | Same underlying model, safeguards lifted in some domains |
| Positioning | Most capable GA model Anthropic has shipped | "The strongest cybersecurity capabilities of any model in the world" |
| Price | $10 / 1M input, $50 / 1M output — under half the price of Mythos Preview | Same pricing tier |
The capability claims, per Anthropic, are concrete: Stripe reported Fable 5 completed a 50-million-line Ruby migration in a day that would have taken a team two months by hand; internal teams accelerated protein design ~10×; and novel molecular-biology hypotheses from the model were preferred by scientists ~80% of the time over Opus-class output.
The part defenders should read most carefully is the safeguard mechanism. Fable 5 ships with classifiers — separate AI systems that detect potential misuse across three domains: cybersecurity (blocking exploitation and offensive cyber tasks), biology/chemistry, and distillation (capability extraction). When a classifier triggers, the request is "automatically handled by Claude Opus 4.8 instead." Anthropic states this fallback fires, on average, in less than 5% of sessions — meaning more than 95% of Fable sessions run on the full Mythos-class model with no fallback — and reports no universal jailbreaks in over 1,000 hours of red-teaming.
What changed since our April read — and what didn't
In April, the structural comfort was a kind of air gap: Anthropic's stated position was that Mythos Preview would not be made generally available. The capability was documented; the access was withheld. Our analysis leaned on that fact explicitly.
That comfort has now partly moved. The control surface has shifted from "we won't release it" to "we'll release a Mythos-class model gated by a probabilistic classifier." Three observations follow, none of which is cause for panic and all of which belong in a threat model:
1. The safeguard is a filter, not an air gap. A Mythos-class model is now generally available, with offensive-cyber tasks blocked by a classifier that defers under 5% of sessions to Opus 4.8. That is a serious, tested control — 1,000+ red-team hours, no universal jailbreak — but it is probabilistic and domain-scoped, not an absence of capability. The honest defender question is no longer "is the capability released?" (it is) but "what is the residual, and how robust is the filter over time?"
2. The offense/defense allocation is deliberately defence-favouring — and that is the good news. Anthropic put the strongest cyber capability (Mythos 5) in the hands of defenders and infrastructure providers via Glasswing, not on the open market. The GA model has offensive-cyber tasks filtered. The intent is clearly to keep the sharpest edge pointed at defence. That is a meaningfully better posture than an unrestricted release — and worth saying plainly.
3. The cost-collapse we described in April now has a price tag. Our April piece argued the real shift was economic: AI had collapsed the cost of vulnerability discovery, not just raised the ceiling. A Mythos-class model is now a line item at $10 / $50 per million tokens. The proliferation argument — technique is public, other labs and open-weight models will close the gap — is unchanged, but it is no longer abstract. Frontier-class code reasoning is now something a competent adversary can rent cheaply.
What did not change: the defensive playbook. Nothing in this release alters what you should do. It tightens the timeline on the work April already implied.
What this is not
The same honest qualifications we made in April still apply, and two new ones:
- This is not "the AI hacks itself." Mythos 5's offensive edge is access-restricted, and Fable 5's cybersecurity classifier blocks direct exploitation and offensive-cyber tasks. Capability is not an autonomous attacker; target selection, infrastructure, evasion, exfiltration, and monetisation are still human-or-agent work.
- Fable 5 is not Mythos 5. Do not conflate the GA model with the government-and-defender-only one. Postures that assume the public model has Mythos 5's unfiltered cyber capability are mis-scoped — in the other direction from April's warning.
- The classifier is a real control, not theatre. Treat the residual seriously; do not catastrophise it. "Tested filter that defers under 5% of sessions" and "air-tight guarantee" are different claims, and so are "tested filter" and "marketing."
- This is not an argument to slow AI adoption. As in April: AI-assisted defence is the only credible answer to AI-assisted offence. The defender-favouring allocation of Mythos 5 is, if anything, an argument to lean in to defensive AI.
What to do — the April plan, on a shorter clock
Our April analysis laid out six defender actions: re-baseline patch SLAs against compressed exploitation windows; stop using CVSS as a standalone prioritisation primitive (model chains, exploitability, reachability); architect for assume-breach and assume-RCE; inventory non-human identities; build a defensive-AI capability; and update TPRM and procurement. All six still hold. This release does not add to the list — it shortens the runway. Three points sharpen:
- Model the economics explicitly. With a Mythos-class model at $10 / $50, your threat model should assume an adversary can rent frontier code-reasoning for the cost of a coffee budget. Prioritisation that still assumes nation-state-only access to this capability is out of date.
- Add a safeguard question to vendor due diligence. For any AI platform in your supply chain: what is the safeguard — a tested classifier, or nothing — and what is the residual/fallback behaviour? "Safe for general use" is a claim to test, not accept. This belongs next to the disclosure-SLA and non-human-identity questions from April.
- Treat defensive AI as procurement, not research. Glasswing's defender-favouring allocation is a signal about where the capability frontier is heading. The April argument — pick one defensive-AI capability and pilot it against a measured baseline — now has a concrete capability tier behind it.
What we are still watching
Updating the three signals from April:
- The 135-day disclosure window. By late August / early September 2026, full details of the vulnerabilities held under cryptographic commitment from the Mythos Preview work should publish. The proportion patched versus unpatched at release remains the cleanest measure of whether coordinated disclosure is keeping pace at AI speed. Still pending.
- Proliferation. Signal one has now half-fired: a Mythos-class model is GA — from Anthropic. The open questions are whether other frontier labs publish comparable capability, and how quickly open-weight models close the gap. "When, not if" stands.
- Regulatory response. This now plays out with a frontier model commercially available. Watch the EU AI Act's general-purpose-AI and systemic-risk obligations, ENISA guidance, the DORA supervisory trio (EBA/ESMA/EIOPA), and CRA Article 14 reporting, live from 11 September 2026 — all operating in an environment where exploitation timelines have compressed below most current remediation and reporting assumptions.
The April conclusion is unchanged and worth repeating: none of the defensive work requires Mythos-class capability on your side. It is hard, boring infrastructure work that AI-assisted attackers are making consequential faster than the patch cycle was built to handle.
Sources
Primary
- Anthropic, Claude Fable 5 and Claude Mythos 5, 9 June 2026.
Reporting
- TechCrunch, Anthropic released Claude Fable 5, its most powerful model, publicly, 9 June 2026.
- VentureBeat, Anthropic brings Mythos to the masses with Claude Fable 5, 9 June 2026.
Context (our prior analysis)
- Orizon, When discovery outpaces patching: reading the Anthropic Mythos disclosures honestly, 24 April 2026.