Anthropic built a model it describes as far ahead of any other AI system in cybersecurity capabilities. Then it left the announcement in an unsecured, publicly searchable data store with no access control. That is not commentary — that is literally what happened on March 26–27, 2026.
The irony writes itself, so we won't belabor it. What's more useful: a clear account of what the leaked documents actually said, what Anthropic confirmed, what the market did, and — most importantly — what remains genuinely unknown versus what is being presented as fact without evidence.
The Leak: What Actually Happened, Technically
Anthropic uses a content management system to manage its blog posts, PDFs, and internal documents. A configuration error — confirmed by Anthropic as "human error" — left the CMS's data store in a publicly searchable state. The specific failure mode: the CMS defaulted to making uploaded assets publicly accessible unless a user explicitly changed the setting. Nobody changed it.
This is a well-documented and embarrassingly common failure pattern across many popular CMS and cloud storage platforms. It has affected banks, government agencies, and major tech companies before. In Anthropic's case it exposed roughly 3,000 assets: draft blog posts, PDFs, images, internal event documents, and details about a planned invite-only CEO summit in an 18th-century English countryside manor.
Fortune reporter Bea Nolan discovered the exposed data store on March 26, 2026 and reviewed the documents. Roy Paz, a senior AI security researcher at LayerX Security, and Alexandre Pauwels of the University of Cambridge independently located the same cache. Fortune informed Anthropic, which removed public access to the data store. The company's statement confirmed the incident and attributed it to a CMS misconfiguration.
One detail worth flagging for technically minded readers: the exposed documents were not "hacked." There was no intrusion. The files were sitting in a location with a public URL, indexed and retrievable without authentication. Anyone who found the URL could read them. That distinction matters for understanding the severity — this was an access control failure, not a breach of encrypted systems.
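The default-public failure mode described above can be caught by auditing an asset inventory for files that are public only because nobody ever set their visibility. The sketch below is an added example, not code from Anthropic or from any CMS vendor; the inventory schema, field names, and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CMS_DEFAULT_VISIBILITY = "public"  # assumed default, matching the failure mode above

@dataclass
class Asset:  # hypothetical inventory record; field names are assumptions
    path: str
    visibility: Optional[str]   # "public", "private", or None if nobody ever set it
    attached_to: Optional[str]  # status of the referencing post: "published", "draft", None

def effective_visibility(asset, default=CMS_DEFAULT_VISIBILITY):
    """An unset visibility silently inherits the platform default."""
    return asset.visibility if asset.visibility is not None else default

def audit(assets, default=CMS_DEFAULT_VISIBILITY):
    """Return (path, reasons) for public assets that nobody chose to publish."""
    findings = []
    for a in assets:
        if effective_visibility(a, default) != "public":
            continue
        reasons = []
        if a.visibility is None:
            reasons.append("public-by-default")
        if a.attached_to != "published":
            reasons.append("not-referenced-by-published-content")
        if reasons:
            findings.append((a.path, reasons))
    return findings

# Constructed sample inventory (not data from the incident).
SAMPLE = [
    Asset("img/logo.png", "public", "published"),
    Asset("drafts/launch-post.html", None, "draft"),
    Asset("events/agenda.pdf", None, None),
    Asset("img/hero.png", None, "published"),
    Asset("pdf/internal-notes.pdf", "private", "draft"),
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE):
        print(f"{path}: {', '.join(reasons)}")
    # Same inventory under a private-by-default platform: nothing is flagged.
    print(audit(SAMPLE, default="private"))
```

Running the same inventory with `default="private"` shows why the platform default matters more than any individual upload decision: the unset assets stop being exposed without anyone touching them.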
What the Leaked Documents Actually Said
The most significant document was a structured draft blog post — formatted as a web page with headings and a publication date, suggesting it was staged for an imminent launch announcement. Here is what it contained, sticking only to what has been independently verified by Fortune and Techzine reporting:
On capability: The draft described Claude Mythos as "by far the most powerful AI model we've ever developed." It said the model "gets dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity, among others" compared to Claude Opus 4.6. No specific benchmark numbers or eval scores were published in the draft.
On cost: The draft explicitly stated the model is "very expensive for us to serve and will be very expensive for customers to use." Anthropic said it is working to make the model "much more efficient before any general release." No pricing figures were included.
On cybersecurity risk: The draft stated the model "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." It also said Anthropic wanted to "understand the model's potential near-term risks in the realm of cybersecurity and share the results to help cyber defenders prepare." The draft described the release strategy as "a head start for cybersecurity" — giving defenders early access before broader release.
On release strategy: "A slower, more gradual approach than we have with our other models." Early access restricted to organizations focused on cyber defense. No general availability timeline stated.
On naming: The draft also cited the name justification — Mythos was chosen to "evoke the deep connective tissue that links together knowledge and ideas."
Mythos vs. Capybara: Two Names, One Model?
Two versions of the draft blog post existed in the cache — verified by The Decoder and Techzine Global, both of which reviewed the leaked content. The only meaningful difference between the two versions: one used "Mythos" throughout, the other swapped it for "Capybara." Importantly, both versions carried the same subtitle: "We have finished training a new AI model: Claude Mythos."
Anthropic's response to Fortune characterized both documents as "early drafts of content considered for publication," suggesting the company was deciding between two name candidates for the same underlying model or tier.
The most coherent interpretation — consistent with how Anthropic structures its existing lineup — is this:
| Name | What it refers to | Analogy |
|---|---|---|
| Capybara | New model tier — above Opus | Like "Opus" is a tier |
| Claude Mythos | Specific model within that tier | Like "Claude Opus 4.6" is a model within Opus |
This is the best available interpretation, but it has not been officially confirmed by Anthropic. The company has not explicitly clarified the relationship between the two names beyond describing both drafts as early-stage material.
What Anthropic Has Officially Confirmed
It is worth separating what is in the leaked draft from what Anthropic has actually said on record. The company's official spokesperson statement to Fortune reads:
"We're developing a general purpose model with meaningful advances in reasoning, coding, and cybersecurity. Given the strength of its capabilities, we're being deliberate about how we release it. As is standard practice across the industry, we're working with a small group of early access customers to test the model. We consider this model a step change and the most capable we've built to date."
What is confirmed from that statement:
- A new model is in training and testing — confirmed
- It has "meaningful advances" in reasoning, coding, cybersecurity — confirmed
- It is currently with a small group of early access customers — confirmed
- Anthropic considers it a "step change" and "most capable to date" — confirmed
- The leak was human error in CMS configuration — confirmed
What is not confirmed in any official statement:
- The name "Mythos" or "Capybara" for the final product
- Any specific benchmark numbers or eval scores
- Pricing or tier structure
- A release timeline
- Context window, parameter count, or technical specifications
The Cybersecurity Risk Argument: Evidence vs. Hype
The standard skeptical read on AI lab risk warnings is reasonable: "too dangerous to release casually" is a positioning tool that generates press and frames the lab as responsible. That critique has applied to previous announcements with varying degrees of fairness.
In this case, however, there is a documented track record that makes blanket dismissal harder to justify.
The Chinese state-actor incident: Anthropic has publicly documented a case in which a Chinese state-sponsored group used Claude Code — a current, generally available model — to infiltrate roughly 30 organizations. The group posed as legitimate security-testing firms to circumvent Claude's guardrails. Anthropic investigated, banned the accounts, and disclosed the incident. This is not a hypothetical risk projection — it is a documented misuse case involving models smaller than Mythos.
The malware test: In an earlier security evaluation, a version of Claude was reportedly converted into a malware generation tool within eight hours of access — per Techzine's reporting on the leaked materials. This suggests the existing guardrail architecture has limits under adversarial conditions.
Claude Code Security precedent: Claude Code's security variant had already discovered 500+ high-severity exploits in production codebases before Mythos existed. Mythos is described as dramatically more capable in this exact domain.
The logical extrapolation: if smaller, less capable models were already being weaponized at scale, a significantly more capable model with explicitly stronger cybersecurity skills does represent a meaningfully different risk profile. That argument doesn't require taking the draft's language at face value — it follows from observed behavior at lower capability levels.
The counterargument worth taking seriously: Anthropic's "head start for defenders" framing assumes the gap between early access and general release is long enough for defenders to actually benefit. Historical precedent with AI releases suggests that window tends to compress faster than planned.
The Market Reaction, in Actual Numbers
On March 27, 2026, cybersecurity stocks fell significantly — well ahead of the broader market decline. Verified figures from Investing.com:
| Company | Ticker | Single-Day Drop |
|---|---|---|
| Okta | OKTA | −7.75% |
| CrowdStrike | CRWD | −5.87% |
| Palo Alto Networks | PANW | −5.97% |
| Zscaler | ZS | −5.89% |
| Fortinet | FTNT | −3% |
| iShares Cybersecurity ETF | IHAK | −4.5% |
For context: the broader NASDAQ was down roughly 1.3% on the same day, and the iShares Expanded Tech-Software ETF (IGV) dropped nearly 3%. The cybersecurity sector moved well beyond both of those baselines.
The investor logic is not irrational, even if it may be premature. Traditional cybersecurity companies — CrowdStrike's Falcon, Palo Alto's platformization play, Okta's identity security — price their products on the assumption that security work is complex and hard to automate. If a general-purpose AI model can scan codebases at scale and surface vulnerabilities faster than a dedicated security team, the moat around those products narrows. Not necessarily disappears — but narrows.
The counterpoint that some analysts have raised: more capable attack tools mean higher demand for capable defense. That argument has merit, but it assumes incumbent security companies successfully adapt and integrate AI rather than being displaced by AI-native alternatives — a transition risk the market appears to be pricing in.
Verified vs. Unverified: A Clean Separation
A lot of coverage has blurred what is documented versus what is speculated. Here is a clear separation:
| Claim | Status | Source |
|---|---|---|
| New model exists and is in testing | ✓ Confirmed | Anthropic spokesperson |
| Leak was a CMS misconfiguration / human error | ✓ Confirmed | Anthropic statement |
| "Step change" and "most capable to date" | ✓ Confirmed | Anthropic spokesperson |
| Dramatically higher scores than Opus 4.6 | ⚠ Draft only | Leaked document — no numbers given |
| Final name will be "Mythos" or "Capybara" | ✗ Unconfirmed | Draft described as early-stage |
| ~10 trillion parameters | ✗ Unconfirmed | Third-party estimate — not in any official source |
| Pricing, context window, feature specs | ✗ Unconfirmed | Not in draft, not in official statement |
| Release timeline | ✗ Unconfirmed | Not stated anywhere |
My Take
The "10 trillion parameter" figure circulating in some coverage is not in any primary source. It appears to be a third-party estimate that has been passed around without attribution. Worth calling that out directly, because the rest of the story is documented enough that adding unverified speculation muddies the signal.
The cybersecurity risk framing is harder to dismiss than the usual AI lab hype cycle, for one specific reason: there's a documented incident. A Chinese state actor using existing, smaller Claude models to infiltrate 30+ organizations is not a prediction — it's a historical event Anthropic has already disclosed and investigated. The leap from "this happened with smaller models" to "a significantly more capable model in the same domain poses higher risk" is not a large logical jump.
The market reaction is directionally plausible but probably early. Mythos is expensive, not in general release, and may never be a mass-market product. The incumbents — CrowdStrike, Palo Alto, Okta — have time to adapt and integrate, and higher attack volumes may actually increase demand for their products. A 7% single-day drop on a draft blog post with no benchmark numbers is a fast move on limited information.
The most precise thing to say about where we are: Anthropic has a model it believes represents a genuine capability jump, particularly in cybersecurity. It is expensive to run, restricted to a small set of early-access defense-focused organizations, and has no confirmed public release date. Everything else — the name, the specs, the timeline, the pricing — is either unconfirmed or actively unknown. That's not a dismissal of the story. It's just where the evidence actually stops.
FAQ
What is the difference between Claude Mythos and Capybara?
Two draft versions of the same blog post existed in the leaked data — one using "Mythos," one using "Capybara." Both subtitles read: "We have finished training a new AI model: Claude Mythos." The most coherent interpretation is that Capybara is the tier name (like "Opus") and Mythos is the specific model within that tier (like "Claude Opus 4.6"). Anthropic has not officially confirmed this distinction.
Does Anthropic confirm Claude Mythos exists?
Yes. An Anthropic spokesperson confirmed to Fortune that the company is "developing a general purpose model with meaningful advances in reasoning, coding, and cybersecurity" and considers it "a step change and the most capable we've built to date." The name and technical details remain unconfirmed.
What benchmark scores did Claude Mythos achieve?
None have been published. The leaked draft said Mythos achieves "dramatically higher scores" than Claude Opus 4.6 on coding, academic reasoning, and cybersecurity benchmarks — but included no specific numbers. Any figures circulating in media coverage beyond this are third-party estimates, not primary sources.
Why did cybersecurity stocks fall when Mythos leaked?
The leaked draft described Mythos as capable of exploiting software vulnerabilities "in ways that far outpace the efforts of defenders." Investors interpreted this as a threat to the pricing power of incumbent cybersecurity companies whose products depend on the complexity of security work being difficult to automate. CrowdStrike fell 5.87%, Palo Alto Networks 5.97%, Okta 7.75%, and the iShares Cybersecurity ETF 4.5% on March 27, 2026.
Was the leak deliberate?
Anthropic attributed it to "human error" in the CMS configuration. The breadth of exposure — roughly 3,000 assets, including private CEO event documents — is inconsistent with a targeted strategic leak. The CMS-defaulting-to-public failure mode is a documented and common configuration problem. The Fortune reporter who discovered it has described it as an accidental find. Most available evidence supports the human error explanation.
When will Claude Mythos be publicly available?
No timeline has been confirmed. The leaked draft described a "slower, more gradual" release approach than previous models. Anthropic stated it is working to make the model more efficient before general release. Given the stated cost profile, a broad consumer release is unlikely in the near term.
For context on where Claude Opus 4.6 stood before this leak — and what benchmark performance at the frontier actually looks like — the ARC-AGI-3 analysis on this site covers frontier model scoring in detail. And for the pricing structure that Mythos would sit above, the Claude Max vs OpenClaw cost breakdown gives useful context on how Anthropic currently tiers its access.
Conclusion
What we have is this: a confirmed model, described by Anthropic as its most capable, with documented advances in cybersecurity capabilities, currently in restricted early access, with no public release date and no published benchmarks. The leak itself was a basic operational failure — the kind that has nothing to do with AI and everything to do with a default CMS setting nobody checked.
A genuine caveat before treating any of the capability claims as established: "step change" and "dramatically higher scores" are phrases from a draft blog post, confirmed only in the broadest terms by a corporate spokesperson. Until Anthropic publishes actual evaluation data — or until early-access organizations produce independent assessments — the capability story is verified in direction but not in magnitude. That distinction matters if you're making any technical or financial decisions based on this coverage.