- Tension: Anthropic built an AI capable of finding zero-days in every major operating system — then spent two months concluding it was too dangerous to release publicly, before releasing it publicly.
- Noise: The framing of “responsible AI release” tends to collapse into either blanket alarm or blanket reassurance. Both miss the actual calculus: withholding a defensive capability from defenders doesn’t prevent the capability from reaching attackers — it just delays the defence.
- The Direct Message: The name change from Mythos to Fable 5 isn’t a rebrand — it’s a signal. Anthropic is betting that proliferation of this capability is already inevitable within 6 to 18 months, and that getting it into the hands of defenders first, with guardrails, is the more responsible position than waiting for a window that will not stay open.
On 7 April, Anthropic introduced a new AI model internally described as a watershed moment for cybersecurity. It could autonomously identify zero-day vulnerabilities in every major operating system and browser, build working exploits, and — in one documented test — write a complete exploit for a disclosed Windows kernel flaw in 31 minutes. Anthropic’s own assessment was that no existing safeguards were sufficient to release it publicly. Yesterday, they released it publicly.
The model is called Fable 5. The underlying capability class is still called Mythos. The distinction matters: Fable 5 carries a set of automated guardrails designed to intercept the most dangerous queries before the full model can act on them. Whether those guardrails hold — and what happens when they don’t — is now a live question for the security industry.
What the model can actually do
When Anthropic first revealed Claude Mythos Preview in April, they did so alongside a detailed technical assessment conducted by their security research team over the preceding month. The findings were specific enough to take seriously. Mythos Preview identified a 27-year-old denial-of-service vulnerability in OpenBSD’s TCP implementation, a 16-year-old flaw in FFmpeg’s H.264 codec, and a 17-year-old remote code execution vulnerability in FreeBSD’s NFS server — CVE-2026-4747 — which it then autonomously exploited.
These were not theoretical demonstrations. They were documented findings, disclosed through coordinated vulnerability programs. The model didn’t just identify the flaws; it understood the attack surface, constructed the exploit logic, and produced working proof-of-concept code.
Rather than release the model publicly, Anthropic formed Project Glasswing — a restricted-access coalition initially comprising approximately twelve named organisations including AWS, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks, which later expanded to more than 50. The explicit rationale was defensive: put the model to work finding vulnerabilities before adversaries with comparable capabilities could exploit them first. Partners collectively identified more than 10,000 high- or critical-severity security flaws during the preview period.
How Fable 5 differs — and what’s been left in
Fable 5 and Claude Mythos 5 (the upgraded version for existing Project Glasswing partners) share the same underlying model. The difference is in what happens when a request approaches certain risk thresholds. For Fable 5, queries touching on cyberattack methods, sensitive biological or chemical capabilities, or AI model distillation are automatically rerouted to Claude Opus 4.8 — a less capable model that lacks the reasoning depth to complete those requests effectively.
Anthropic’s head of product management, Dianne Penn, described the approach to Axios as “deliberately more conservative,” acknowledging that some legitimate security research may also be caught by the filters at launch, with the expectation that those restrictions ease as post-release testing continues.
The commercial logic is also visible. Fable 5 is priced at double Anthropic’s existing Opus models, making it the company’s most expensive public release to date. Anthropic frames this as relative value — higher intelligence per task, lower overall cost per outcome — but it also positions the model’s most capable tier firmly in the enterprise and government market, not the consumer one.
What this means for European organisations
For security teams across Europe, the implications run in two directions simultaneously. On one side: a defensive AI of significant capability is now commercially available to organisations with the budget and the security maturity to use it. The NIS2 directive has already pushed critical infrastructure operators toward more systematic vulnerability management; a tool that can scan codebases and surface legacy flaws at this scale is a genuine operational asset.
On the other: the same capability, even with guardrails, substantially lowers the barrier to AI-assisted offensive security work. Anthropic itself has stated that Mythos-class capabilities are expected to emerge from other AI labs within 6 to 18 months. The question is not whether this capability will proliferate — it will — but whether defensive deployment can outpace offensive adoption.
Anthropic’s bet, implicit in the Fable 5 release, is that getting the capability into the hands of defenders first is safer than waiting until it exists everywhere and is available to no one responsibly. The logic is coherent. The proof will be in what happens next.
The naming question
The decision to release under the name Fable 5 rather than Claude Mythos is not incidental. It separates the product from the capability class in public perception — Fable 5 is a product with guardrails, Mythos is a capability benchmark. The framing also allows Anthropic to reserve the Mythos name for the unguarded version available only to vetted partners, creating a visible two-tier structure that signals the differentiation without requiring a lengthy explanation each time.
Whether that distinction holds in practice — whether the guardrails are robust enough to make Fable 5 meaningfully different from a full Mythos deployment — is a question the security research community will now spend considerable time testing. The answers will matter well beyond Anthropic’s product roadmap.