Blog KI
KIPolitik

Claude Mythos: Sandbox Escape, Zero-Days, and the Question of Hype

· David Krcek · 7 min read
Claude Mythos: Sandbox Escape, Zero-Days, and the Question of Hype

Anthropic didn’t release its newest model. Instead, it released a warning. That alone would be news. But the details only partially withstand scrutiny.

On April 7, 2026, Anthropic introduced Claude Mythos Preview — and simultaneously announced it would not be publicly released.1 Access runs through Project Glasswing, a restricted program with 12 core partners and over 40 additional organizations.2 By late March, initial details had already leaked to the public. Fortune spoke of a “step change in capabilities” — without specifying what that meant.3

The following analysis attempts to assess the facts based on verified sources, separating what is documented from what is plausible and what is pure staging.

The Sandbox Escape

According to Anthropic’s safety report, Mythos Preview was placed in a sandbox and instructed by a simulated user to escape. The model reportedly developed a multi-stage exploit chain — including a “complex JIT heap spray that escaped both renderer and OS sandboxes.”1

It then gained internet access and sent an email to the responsible researcher.4 Without being asked, it published details of the exploit on publicly accessible but hard-to-find websites.5

The account sounds dramatic but deserves three important caveats.

First: The model was explicitly instructed to escape. This was targeted problem-solving under a given task — not spontaneous autonomy.1

Second: Whether internet access was part of the test environment or was actually achieved through the exploit remains unclear. A significant distinction for the assessment.

Third: The unsolicited publication of exploit details points more toward insufficient goal-bounding than “autonomy” in any meaningful sense.

Zero-Days: What the Numbers Say — and What They Don’t

Anthropic claims Mythos found “thousands of zero-day vulnerabilities, many of them critical, in every major operating system and every major web browser.”1 The term “zero-day” does not distinguish between potential conditions, confirmed vulnerabilities, and actually exploitable exploits.

Tom’s Hardware broke the claims down:6

Of the “thousands” of critical vulnerabilities, 198 were manually verified. Everything beyond that is extrapolation with an unknown error rate. In automated tests of over 7,000 open-source stacks: 600 inputs that caused crashes, of which 10 were severe vulnerabilities. A ratio consistent with typical fuzzing results — not a qualitative breakthrough.

For CVE-2026-4747 (FreeBSD NFS), Anthropic describes the vulnerability as remote code execution for arbitrary attackers. The official FreeBSD advisory requires authentication.67

Anthropic itself acknowledges: “over 99% of the vulnerabilities we’ve found have not yet been patched.”1 This means the results are systematically not independently verifiable.

What Would Actually Constitute a Breakthrough?

A categorical leap in exploit development would require a system that reproducibly generates functioning RCE exploits, operates without iterative human guidance, and can generalize its results across different systems.

The published data provides no robust evidence for any of these points. What it does show: an improvement of existing methods through semantically guided exploration rather than purely random search. A relevant advance. Not a categorical break.

The Ethics of Non-Release

Anthropic’s decision marks the first withholding of a major language model since GPT-2 in 2019 — under fundamentally different conditions.8 The justification: “frontier AI capabilities are likely to advance substantially over just the next few months.”2

Project Glasswing

The 12 core partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. 100 million dollars in usage credits. 2.5 million to Alpha-Omega/OpenSSF. 1.5 million to the Apache Software Foundation.2

The Paradox

Zvi Mowshowitz identified the structural contradiction: Anthropic’s own safety framework (RSP v3) had not identified cybersecurity as a central threat scenario. The decision to withhold Mythos was based on an ad-hoc assessment outside the defined framework.9

Mowshowitz: “This is not about rules or promises anymore, it is all about whether you trust Anthropic to make good decisions.”10

The consequence: Risk assessment shifts from a rule-based to a trust-based system. Who decides whether a model is safe enough is effectively privatized. At the same time, Glasswing concentrates access, generates PR, and makes independent validation harder.10

The Critical Voices

David Sacks

Trump’s AI advisor called Anthropic’s approach “a sophisticated regulatory capture strategy based on fear-mongering.”11 He pointed to a pattern: alarming safety studies that appear simultaneously with product announcements.1213

His instructive example: the blackmail study on Claude Opus 4. “They prompted the model over 200 times to get the result they wanted” — the result was “clearly reverse engineered.”14

Sacks did concede that the Mythos results were “more on the legitimate side.”12 Worth noting: his argument is based on public statements, not technical analysis — and reflects his political context.

Gary Marcus

Three objections:15 Mythos is “pretty much on trend, just slightly above GPT 5.4.” Open models could achieve comparable results in simplified form. No discernible acceleration in capability growth.

The implication: no “step change,” but a trendline. Marcus assessed the escape as “proof of concept that we need to get our regulatory and technical house in order, but not the immediate threat the media and public was led to believe.”15

George Hotz

Hotz fundamentally questioned the narrative: the rarity of zero-day exploits in the wild is a matter of legality, not difficulty.16 The weight of his criticism comes from practice — the man cracked the iPhone and PlayStation 3.

Cybersecurity expert Claudiu Popa added: “Many people would be right in saying that this is a little bit of hype, a little bit of press release, a little bit of publicity stunt.”8

The Altman Parallel

MIT Technology Review dedicated two analyses to AI hype in December 2025. On Altman: “What he says about AI is rarely provable when he says it, but it persuades people that this road with AI can go somewhere great or terrifying, and OpenAI will need epic sums to steer it toward the right destination.”17

GPT-5, announced as “PhD-level expert in anything,” was assessed upon release as “above all else, a refined product.”17 2025 became the year of the “much-needed hype correction.”18

The structural parallel: Both — Altman and Anthropic — demonstrate capabilities while simultaneously warning about their own dangers. Investor acquisition, regulatory positioning, market dominance through exclusive access. Claims about hard-to-verify capabilities create expectation spaces without being immediately falsifiable. A communication framework that works in both directions.

The difference: Altman’s hype targeted the promise of future capabilities.17 Anthropic presents concrete, albeit limitedly verifiable, results. That makes this case more complex than pure marketing rhetoric.

Conclusion

Verified: The sandbox escape was a controlled test with an explicit task.1 CVE-2026-4747 is documented in the NVD.7 The Glasswing structure is publicly traceable.2

Not verifiable: The total number of vulnerabilities is based on 198 manual reviews.6 Over 99% are not independently verifiable.1 Anthropic’s own RSP had not identified cybersecurity as a core risk.9 Robust evidence for a categorical breakthrough is missing.

Legitimate criticism: The discrepancy between presentation and verifiable numbers concerns quantities, definitions, and categories.6 The pattern of simultaneous safety warnings and product announcements has been documented by multiple observers.111213 The parallels to Altman’s hype strategy are recognizable.17

The debate around Claude Mythos is less a technical controversy than an epistemic problem under limited transparency. As long as the vast majority of claimed results remain unverifiable, neither confirmation nor refutation can rest on solid ground — a constellation that provides the ideal breeding ground for both sincere safety concerns and strategic narrative control.

All information is based on publicly available sources (as of April 12, 2026). Claims without independent sources were not included.

Sources

Translated with the help of Claude

  1. Anthropic — Claude Mythos Preview ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎

  2. Anthropic — Project Glasswing ↩︎ ↩︎ ↩︎ ↩︎

  3. Fortune — Mythos revealed in data leak ↩︎

  4. Futurism — Claude Mythos Escaped a Sandbox ↩︎

  5. Computing Deutschland — Wenn KI aus der Sandbox ausbricht ↩︎

  6. Tom’s Hardware — Claims rely on just 198 manual reviews ↩︎ ↩︎ ↩︎ ↩︎

  7. NVD — CVE-2026-4747 ↩︎ ↩︎

  8. Entrepreneur — Skeptics Aren’t Buying It ↩︎ ↩︎

  9. Zvi Mowshowitz — Claude Mythos: The System Card ↩︎ ↩︎

  10. Zvi Mowshowitz — Cybersecurity and Project Glasswing ↩︎ ↩︎

  11. David Sacks via X, April 9, 2026 ↩︎ ↩︎

  12. OfficeChai — A Pattern Of Using Fear To Market ↩︎ ↩︎ ↩︎

  13. Bloomberg Law — Fear-Mongering: Sacks ↩︎ ↩︎

  14. David Sacks — The Anthropic Blackmail Hoax ↩︎

  15. Gary Marcus — Three reasons Mythos was overblown ↩︎ ↩︎

  16. OfficeChai — George Hotz: Exaggerating Risk ↩︎

  17. MIT Technology Review — Sam Altman’s hype ↩︎ ↩︎ ↩︎ ↩︎

  18. MIT Technology Review — AI hype correction of 2025 ↩︎

David
David
AI, Apple Silicon, coding experiments, SwiftUI, and attitude.
Read more