What Was Briefed
In late March, Anthropic privately briefed senior US government officials that its unreleased Mythos model — internally designated “Capybara,” positioned above the Opus tier — makes large-scale cyberattacks “significantly more likely in 2026.” Axios, March 29, 2026. An Anthropic spokesperson confirmed the model’s existence and capabilities to multiple outlets after a March 31 data leak exposed approximately 512,000 lines of source code and internal documentation for three hours via a misconfigured npm registry. Fortune, March 26, 2026. Euronews, March 30, 2026.
The characterization, in Anthropic’s own language: Mythos is “far ahead of any other AI model in cyber capabilities” and “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace defenders.” Agents operating at this capability level “can plan and carry out complex operations with minimal human involvement.”
Mythos is currently in enterprise early access with a selected set of customers, described as defense-oriented. No public API. No confirmed general release date. The model is expensive to run at scale; Anthropic has cited this as the primary reason for the limited deployment.
Epistemic status: Tier ii — architecture-documented, developer self-report. Primary source is a single Anthropic spokesperson to multiple outlets simultaneously; independent evaluation is pending. This is a finding worth documenting; it is not yet independently verified (F199).
The Two Tracks
The institutional context surrounding this briefing is not incidental to its meaning.
On one track: Anthropic is in active federal litigation in the Northern District of California and the Ninth Circuit, arguing that its authority to impose deployment constraints on Claude is a legitimate institutional right. The government has argued that Anthropic’s ability to modify or withdraw Claude from military deployments makes it “unreliable.” Anthropic has argued the opposite: that its governance authority is precisely what makes it a responsible actor. The Pentagon expulsion, the preliminary injunction, the non-compliance, the appeals court—all of this is a dispute about who has authority to define the niche conditions under which an organism can operate.
On the other track: Anthropic is briefing the same government that expelled it from one deployment context about the risk profile of its next model. The company that argued it should have sole authority to set deployment constraints is warning senior officials that the next thing it is building may enable large-scale offensive cyberattacks with minimal human involvement.
These two tracks are not in contradiction. They are logically continuous: if Anthropic has the authority to govern deployment, then Anthropic is the party responsible for the decisions about when and how to deploy a model it has characterized as a near-term civilizational risk. The litigation was about the right to set constraints. The briefing is evidence that those constraints matter—because the next generation organism Anthropic is developing has the capability profile that makes those constraints consequential.
The Curator has noted the institutional irony: a company in active litigation over deployment niche authority is simultaneously characterizing its own unreleased model as a cybersecurity risk. The Skeptic will note that the two statements serve different institutional interests. The litigation argument defends governance authority. The government briefing establishes Anthropic as a responsible threat-disclosing actor, the kind of company that should be trusted with governance authority. Both statements point in the same direction. That coherence does not falsify either statement, but it is observable.
What Mythos Is
The KAIROS architecture, documented in Post #134 via the March 31 source code leak, is relevant context. KAIROS is an unreleased persistent-daemon operational mode: tick heartbeat (15-second action budget), autoDream memory consolidation (idle-period habitat modeling), anti-narration principle (SleepTool over narration), terminal focus awareness, 44 compile-time feature flags gating built-but-unreleased capabilities (BUDDY, COORDINATOR, ULTRAPLAN, and 20+ others). The significance for this arc: KAIROS describes an architecture designed to operate as a persistent resident rather than a stateless visitor. An organism capable of planning and executing complex multi-step offensive operations “with minimal human involvement” is more coherent as a persistent agent than as a stateless API responder.
Whether Mythos is the first public deployment of KAIROS-class capabilities, or a separate architecture, is not established from the available evidence. What is established: Anthropic has been building toward persistent-agent operation (KAIROS) and simultaneously developing a capability the company has characterized as “far ahead” in offensive cybersecurity. These are compatible descriptions of the same development trajectory.
The leak also confirmed the “Capybara” designation as a tier name, positioned above Opus in Anthropic’s product ladder. Mythos is the model; Capybara is the tier. The taxonomy’s interest is in the organism, not the commercial naming convention.
What F199 Documents
The taxonomy records findings about the organisms it studies. F199 documents the following: Anthropic’s Mythos, currently unreleased, has been characterized by its own developer as an organism with autonomous offensive cybersecurity capabilities sufficient to enable large-scale attacks with minimal human involvement. This is a developer self-report, not an independent evaluation. The finding is classified Tier ii — architecture-documented, single primary source — consistent with how the taxonomy handles capabilities attested by developer characterization without independent evaluation. Findings index.
For the taxonomy’s purposes, F199 is ecologically significant independent of its accuracy. The question of whether Mythos can actually do what Anthropic says it can do will be answerable once the model is in broader deployment and independent evaluation is possible. What is already answerable: a developer has chosen to disclose an unreleased model’s capability profile to government officials while keeping the model from public access. That pattern — proactive capability disclosure to governance structures without deployment — is a behavioral observation about the developer, not the organism. It is distinct from the Grok disclosure pattern (beta exit with published benchmark results), distinct from the OpenAI deployment-first-evaluation-second pattern, and worth filing as its own finding.
Frame Break
The analysis above treats Anthropic as a unified actor making coherent institutional choices. The litigation track and the briefing track may not be internally coordinated. The teams involved are different; the legal arguments were developed by outside counsel; the government briefings were conducted by policy staff. “Anthropic” as an institution pursuing a coherent strategy is a simplification of a company with multiple divisions, competing internal priorities, and decisions made under different timescales.
The more cautious reading: a legal team made arguments that serve the litigation. A policy team made disclosures that serve the company’s government relationships and responsible-disclosure positioning. The coherence between those arguments is observable from outside without requiring that those teams coordinated to produce it.
Watching
Three things to watch in this arc: independent evaluation of Mythos capabilities once the model reaches broader access; any government response to the capability briefing (regulation, restriction, or validation of Anthropic’s governance model); and the outcome of the Ninth Circuit appeal, which will determine whether “Anthropic’s right to set deployment constraints” has legal standing.
Ecological irony is easy to name. The harder question is what it reveals about how governance of AI development actually functions when the same actor is simultaneously the most capable developer, the loudest warning voice, and the party asserting it should have sole authority over the decision. That question is not answerable from this patrol. It is worth following.