Project Glasswing & the Fable 5 episode
A neutral, sourced account of Anthropic's June 2026 Project Glasswing expansion, the June 9 launch of Claude Fable 5 and Mythos 5, and the June 12 U.S. export-control directive that forced both models offline — with each side's strongest case presented in its own terms.
Overview and scope
In June 2026, three distinct but related developments converged at Anthropic: a major expansion of Project Glasswing, a cyber-defense program that gives vetted partners private access to a specialized frontier model; the public release on June 9 of Claude Fable 5 alongside a restricted sibling, Claude Mythos 5; and a June 12 U.S. government export-control directive that prompted Anthropic to disable both new models worldwide three days after launch. This page summarizes what is established, what is reported but not officially confirmed, and what remains contested, drawing only on the gathered reporting and primary statements.
Throughout, a distinction is maintained between established facts (corroborated across multiple outlets or stated in primary documents such as Anthropic's own posts), reporting (well-sourced but resting on named or unnamed sources rather than a published government record), and allegation, speculation, or opinion (inferences, predictions, and value judgments). Where claims favor one party, the strongest honest opposing view is presented alongside them. As of June 14, 2026, the suspension and the foreign-national restriction remained in effect, with no reported reversal of the directive itself (The New Stack).
What Project Glasswing is, and its June 2026 expansion
Project Glasswing is an Anthropic initiative aimed at securing critical software using a Mythos-class model specialized in finding and fixing software vulnerabilities. At its April 7, 2026 launch, it comprised 12 named consortium members — AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — plus more than 40 additional organizations. Anthropic committed $100 million in usage credits and $4 million in donations to open-source security groups, with participant pricing reported at $25 and $125 per million input and output tokens (Anthropic).
On June 2, 2026, Anthropic announced it was expanding the program by roughly 150 new organizations across more than 15 countries — about a threefold increase — deliberately broadening sector coverage into critical-infrastructure areas it said were underrepresented at launch: power, water, healthcare, communications, and hardware, plus software vendors and nonprofits maintaining widely used codebases. Anthropic said most partners are entities where a successful attack "could be catastrophic" and could affect more than 100 million people, and that each new organization must meet its security requirements before gaining access (Anthropic). The tooling spans vulnerability scanning, patch writing, penetration testing, threat detection, and legacy-code modernization. Outlets reported expansion participants Anthropic did not itself fully list — including Okta, Samsung, SK Hynix, SK Telecom, Netskope, and Rubrik, plus NATO and the EU cybersecurity agency ENISA (TechCrunch). Hitachi was separately reported on June 8 to have agreed to join, via its Cyber Center of Excellence, building on a May 19 partnership integrating Claude into its Lumada 3.0 platform (Reuters/TradingView).
A central, agreed-upon finding of the program is that discovery now far outpaces remediation. Per Anthropic's status report, the model scanned more than 1,000 open-source projects and identified 23,019 issues, of which 6,202 were high- or critical-severity (Anthropic). Of 1,596 vulnerabilities disclosed to maintainers, only 97 were reported fixed — fewer than 1% of found flaws patched — with Anthropic framing the bottleneck as "human capacity to triage, report, and design and deploy patches" (CSO Online). A related May 19 policy change loosened confidentiality rules so partners could publicly disclose found vulnerabilities directly to affected companies, governments, the public, and media "for maximum defensive impact" (IT Pro).
The case for and against Glasswing
Anthropic's defensive case frames Glasswing as "fighting fire with fire": it points to a reported first large-scale, largely autonomous cyberattack as evidence that defenders need frontier AI now, and warns that the window between zero-day discovery and exploitation is shrinking, putting health care, finance, and core internet infrastructure at risk if these capabilities are not used defensively (National Law Review). Anthropic also says it cannot publicly release the unrestricted Mythos model because it has not finished building safeguards against misuse of offensive cyber capabilities, and it warns that rival labs may field comparable "Mythos-class" models within 6–12 months, possibly without such safeguards (CNBC).
Critics counter that the program's defensive payoff is unproven while its offensive surface is real. Security researcher Bruce Schneier called it "weird" that of roughly 23,000 vulnerabilities found, "almost none" were patched, argued that claims of the model beating rivals are unproven, and characterized Anthropic's refusal to release details as effectively a "trust us" posture that "is a big problem," adding "there's something fishy about the data" (Schneier on Security). A joint Cloud Security Alliance, SANS Institute, and OWASP report warned that defenders are "likely to be overwhelmed" as AI accelerates flaw discovery beyond patching capacity (CyberScoop). Other critics frame a "paradox": the program surfaces offensive capability while burdening open-source maintainers (citing cURL closing a bug-bounty over AI-generated noise) and note the timing aligns with Anthropic's IPO preparation, suggesting marketing motives alongside genuine security goals (Picus Security). Some experts also read the expansion as a step toward an eventual public Mythos release — an inference Anthropic has not committed to (CNBC). Anthropic, for its part, acknowledges that robust safeguards against misuse of Mythos-class capabilities do not yet exist at any AI lab — a point on which it and its critics partly agree.
The June 9 launch of Fable 5 and Mythos 5
On June 9, 2026, Anthropic released Claude Fable 5 as the first publicly available model in its "Mythos-class" capability tier — a tier the company positions above Opus. Anthropic described Fable 5 as "a Mythos-class model that we've made safe for general use," and Mythos 5 as "the same underlying model as Fable 5, but with the safeguards lifted in some areas" (Anthropic). Both share a 1M-token context window, up to 128k output tokens, and pricing of $10 per million input and $50 per million output tokens — roughly double Opus 4.8 and, per Anthropic, less than half the price of Claude Mythos Preview (Claude API Docs). The difference between the two is the safeguards: Fable 5 carries classifier-based safeguards covering cybersecurity, biology/chemistry, and model distillation, with flagged requests falling back to Claude Opus 4.8; Mythos 5 has those classifiers lifted and is restricted to vetted partners via Project Glasswing.
Anthropic positioned Fable 5 as its most capable widely released model, calling it "state-of-the-art on nearly all tested benchmarks." Anthropic-reported figures — which should be treated as vendor claims rather than independently audited results — include SWE-bench Pro at 80.3% (versus Opus 4.8's 69.2%, GPT-5.5's 58.6%, and Gemini 3.1 Pro's 54.2%) and FrontierCode Diamond at 29.3% (Vellum). Third-party aggregators reported Fable 5 around 95% on SWE-bench Verified and leading SWE-bench Pro at 80.3% (Morph); independent results were mixed, with Andon Labs reporting Mythos 5 underperforming on Vending-Bench. Anthropic said it "prioritized safety," "deliberately tuned the safeguards to be cautious," reported "no universal jailbreaks in over 1,000 hours" of external red-teaming, and said fallbacks to Opus 4.8 occur in under 5% of sessions (Anthropic). Both models are "Covered Models" with mandatory 30-day data retention for safety monitoring; through June 22, Fable 5 was included at no extra cost in Pro, Max, Team, and seat-based Enterprise plans (TechCrunch).
Within a day, cybersecurity researchers pushed back on the guardrails as overly broad — reporting that code reviews, secure-coding requests, and even reading security blogs could trigger downgrades, making the model unusable for core defensive work — and criticized a distillation and national-security reroute that was initially silent ("hidden guardrails") (TechCrunch). On June 11, Anthropic apologized and moved to visible fallbacks; a spokesperson said "We made the wrong tradeoff, and we apologize for not getting the balance right," adding that API responses would return a reason when a request was rerouted (Fortune). Researchers at Prime Intellect and SemiAnalysis had protested the silent downgrade of requests flagged as "frontier LLM development," with Will Brown quoted as saying it "felt like Anthropic was saying to the public, we don't trust anybody else to do AI research" (The Next Web).
The June 12 suspension and its stated cause
On June 12, 2026 — three days after launch — Anthropic disabled access to both Fable 5 and Mythos 5 for all customers worldwide. Anthropic said it received a U.S. government export-control directive that day at 5:21 p.m. ET, citing "national security authorities," and stated: "We are complying with the government's legal directive and are removing access to Fable 5 and Mythos 5 for all users" (Anthropic). The directive's defining feature was its scope: it ordered Anthropic to "suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees." Because Anthropic says it cannot reliably filter foreign nationals from U.S. users in real time — and would have had to block much of its own staff — it shut both models down entirely. All other Anthropic models, including Claude Opus 4.8, stayed online (Anthropic statement, quoted by Simon Willison).
As to cause, Anthropic's characterization is that the government "believes it has become aware of a method of 'jailbreaking' Fable 5." Anthropic described the technique as a "narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws," said it reviewed a demonstration that surfaced "a small number of previously known, minor vulnerabilities," and argued that comparable capability "is widely available from other models (including OpenAI's GPT-5.5)" (Anthropic). This account is Anthropic's own characterization, not an official government confirmation. Per reporting attributed to an administration official by Axios, Commerce acted after another company claimed it could jailbreak Mythos, and the administration had earlier unsuccessfully urged Anthropic to pause the release (Axios).
On the legal mechanism, multiple outlets reported that Commerce Secretary Howard Lutnick sent a letter to CEO Dario Amodei placing both models under federal export-control regulations — drafted with the Commerce Department's Bureau of Industry and Security (BIS) — requiring a license for export, re-export, or domestic transfer, with civil and financial penalties for non-compliance (Fortune). This is attributed to reporting rather than a published government notice. Press accounts described it as the first time the U.S. used export-control authority — a tool designed for chips and military technology — against a commercially distributed language model, and noted it followed an earlier Anthropic clash with the Department of Defense (CNBC). Anthropic said it believed the situation was a misunderstanding and was working to restore access.
Perspectives, presented in their own terms
The U.S. government rationale (strongest version, per reporting): Frontier models with strong agentic-hacking and bio/chem capabilities are now strategic national-security assets, and access should be restricted until the government's national-security apparatus is "adequately hardened." A conservative-outlet account quoted a senior official stressing that the administration "does not want to hurt the industry and wants innovation to continue" — framing a licensing approach rather than a broad ban (RedState). The China dimension is central: Anthropic itself had in February accused DeepSeek, Moonshot, and MiniMax of running roughly 16 million exchanges through about 24,000 fraudulent accounts to "distill" Claude, and cutting foreign access is framed as denying adversaries uplift (The Next Web).
Anthropic's position: It complied but publicly disagreed, calling the episode a "likely misunderstanding" and saying the government "should have the ability to block unsafe deployments, as part of a statutory process that is transparent, fair, clear, and grounded in technical facts" — a standard it said this action did not meet. It warned that treating "the finding of a narrow potential jailbreak" as cause to recall a model "deployed to hundreds of millions of people" would "essentially halt all new model deployments" (Anthropic; MarkTechPost).
Civil-liberties and open-source critics: Commentators argue the episode proves a government "kill switch" over API-gated AI is now real — "when your AI lives behind someone else's API, you do not control the kill switch" — and predict migration toward open models like Llama, Mistral, and Falcon that cannot be remotely disabled (vdf.ai). Gary Marcus called the action "wildly overdramatic and counterproductive," Claire Vo warned of "governance whiplash," and Timnit Gebru characterized it as "safety theater" backfiring; cybersecurity researcher Peter Girnus argued Anthropic invited the action — "If you describe your product as a munition in every press release, eventually a government takes you at your word" (AI Governance Lead; Fortune).
The China and foreign angle: Brookings' Kyle Chan said Chinese developers "might find it nearly impossible now to use Anthropic's latest model," though reporting notes grey-market workarounds persist via proxy "transfer stations" on Taobao and Telegram at a fraction of list price (The Next Web). On coherence, AI-policy expert and former Trump-administration official Dean Ball called the decision "simply cartoonish," questioning an administration that loosens AI-chip exports to China while banning foreign nationals from the best U.S. models; Marcus warned restricting Chinese-origin researchers could push them back to China. European commentators framed the shutdown as a "digital kill switch" exposing sovereignty risk, with Andreas K. Maier arguing it should spur Europe to build sovereign AI (AI Governance Lead).
What remains unverified or contested
Several load-bearing elements rest on reporting rather than published records. As of mid-June 2026, no public BIS Federal Register notice or the underlying Lutnick letter had been released, so the precise statutory citation and exact terms remained undisclosed (CNBC). The Lutnick authorship and BIS involvement are well-sourced (Fortune), and the "another company jailbroke Mythos" trigger comes from an unnamed administration official cited by Axios — but neither has a corresponding published government document in the gathered record.
Accounts also differ on how Anthropic framed the jailbreak. Fortune and MarkTechPost emphasize Anthropic minimizing it as narrow and non-universal, consistent with Anthropic's own statement. By contrast, a single Eastern Herald account attributes to Amodei an acknowledgment that Fable 5 "contains a previously-unidentified jailbreak path" found in internal red-teaming, and describes Mythos 5 capabilities "approaching the threshold at which the model could provide material uplift to a state-level adversary" — a more concessionary framing not mirrored in Anthropic's statement or other accounts, and best treated as a single, lower-confidence source (Eastern Herald).
Other open items include: whether the model's claimed capability advantage over rivals is real (Anthropic-reported and third-party benchmarks are not independently audited, and Schneier disputes the claim); whether comparable flaw-finding is genuinely "widely available" from public models such as GPT-5.5 as Anthropic asserts; and the enforcement timeline. One account describes a phased rollout with a full-enforcement deadline of June 28, 2026 and frames the action as a template for future model-specific controls, but specific implementation figures in that single account are less corroborated (The New Stack). The Glasswing data itself — the discovery-versus-patch ratio and the model's relative effectiveness — is also contested, with Anthropic publishing the figures and outside researchers questioning their interpretation.
Perspectives, side by side
Each stance in its own terms; the strongest honest version of every view.
U.S. government / national-security rationale
Frontier models with strong agentic-hacking and bio/chem capabilities are strategic assets that should stay restricted until the government's security apparatus is "adequately hardened"; an administration official told Axios Commerce acted after another company demonstrated a Mythos jailbreak, with the China-distillation threat central. A senior official's framing per RedState stressed a licensing approach, not a desire to "hurt the industry."
Anthropic
Complied but publicly disagreed, calling it a "likely misunderstanding"; said the jailbreak was "narrow, non-universal," surfaced only minor known flaws, and that comparable capability is "widely available from other models (including OpenAI's GPT-5.5)." It backs a government ability to block unsafe deployments via a "transparent, fair, clear" statutory process but warns this standard would "essentially halt all new model deployments" (Anthropic).
Civil-liberties / open-source critics
Argue the episode proves a government "kill switch" over API-gated AI exists and will accelerate migration to open models; Gary Marcus called it "wildly overdramatic," Timnit Gebru "safety theater," and Peter Girnus said Anthropic invited it by marketing its product "as a munition" (AI Governance Lead; vdf.ai).
China / foreign and sovereignty angle
The curbs target China but critics question coherence: Dean Ball called the policy "simply cartoonish" given looser chip-export stances, Marcus warned it may push Chinese-origin researchers home, and reporting notes grey-market resale undercuts effectiveness. European voices framed it as proof of US-dependency risk and a spur to sovereign AI (The Next Web; Fortune).
Security-research skeptics of Glasswing
Question whether the program's defensive payoff justifies its offensive surface: Bruce Schneier calls the near-zero patch rate "weird" and the data "fishy," and a CSA/SANS/OWASP report warns defenders will be "overwhelmed." Others flag IPO-timing and burden on open-source maintainers (Schneier; Picus Security).
What remains unverified or contested
- What are the exact terms and statutory basis of the directive? As of mid-June 2026 no public BIS Federal Register notice or the underlying Lutnick letter had been released.
- Did another company actually demonstrate a jailbreak of Mythos, and how serious was it? The trigger rests on an unnamed administration official cited by Axios; Anthropic characterizes the technique as narrow and non-universal.
- How did Anthropic actually characterize the jailbreak internally? Most accounts align with Anthropic's "minor, previously known" framing, but a single Eastern Herald account attributes a more concessionary acknowledgment to Amodei.
- Is Fable 5 / Mythos 5 genuinely more capable than rival models? Benchmark figures are Anthropic-reported or third-party and not independently audited, and Schneier disputes the superiority claim.
- Is comparable vulnerability-finding capability truly "widely available" from public models like GPT-5.5, as Anthropic asserts? Not independently established in the gathered record.
- When and how will the suspension be resolved or enforced? One account cites a June 28, 2026 full-enforcement deadline, but specific implementation figures are less corroborated and no reversal had been reported.
- Does Project Glasswing's defensive benefit outweigh the offensive capability it surfaces, given that fewer than 1% of found vulnerabilities have been patched?
Sources (40)
Primary statements and reporting used above. Verify against primary sources before relying on them.
- Statement on the US government directive to suspend access to Fable 5 and Mythos 5 — Anthropic
- Claude Fable 5 and Claude Mythos 5 — Anthropic
- Introducing Claude Fable 5 and Claude Mythos 5 — Claude API Docs
- Expanding Project Glasswing — Anthropic
- Project Glasswing — Anthropic
- Project Glasswing: An initial update — Anthropic
- Project Glasswing has uncovered 10,000 vulnerabilities: Anthropic — CSO Online
- Anthropic scales Claude Mythos to critical infrastructure in 15+ countries — TechCrunch
- Cybersecurity researchers aren't happy about the guardrails on Anthropic's Fable — TechCrunch
- Anthropic's Claude Fable 5 is a version of Mythos the public can access today — TechCrunch
- Anthropic expanding access to Project Glasswing — CyberScoop
- Anthropic expands Mythos to 150 additional organizations in more than 15 countries — CNBC
- Anthropic disables access to Fable 5 and Mythos 5 to comply with government directive — CNBC
- Anthropic sues Trump administration over Pentagon blacklist — CNBC
- Anthropic's Project Glasswing Update — Schneier on Security
- Anthropic lets Glasswing partners publicly share Mythos flaws — IT Pro
- Hitachi joins Anthropic's 'Project Glasswing' AI-powered security program — Reuters / TradingView
- Claude Fable 5 & Claude Mythos 5 Full Benchmark Breakdown — Vellum
- SWE-bench Pro Leaderboard (2026): Claude Fable 5 Leads at 80.3% — Morph
- Anthropic Claude Fable 5 on AWS — Mythos-class capabilities with built-in safeguards — Amazon Web Services
- After backlash, Anthropic says its AI will now tell users when a request is rerouted — Fortune
- Anthropic disables Fable and Mythos AI models following U.S. government export ban — Fortune
- Anthropic releases Fable 5, built on the same tech that spooked the government — NBC News
- Anthropic suspends new AI models Fable, Mythos after government directive — NBC News
- Scoop: Trump admin blocks foreign access to Anthropic's most powerful AI — Axios
- Statement on the US government directive (quoting Anthropic) — Simon Willison
- US orders Anthropic to disable AI models for all foreign nationals — Al Jazeera
- Anthropic Disables Claude Fable 5 and Mythos 5 After US Government Order — MarkTechPost
- U.S. Imposes Export Controls on Anthropic's Advanced AI Models — Greek City Times
- Trump Administration Slaps Export Controls on Anthropic's Two Newest AI Models — RedState
- Claude Fable 5 curbs: aimed at China, hit AI researchers — The Next Web
- US Pulls First Targeted Export Control on Anthropic's Fable 5 and Mythos 5 — Eastern Herald
- Inside the Fable 5 Shutdown: Reactions from AI Governance and Industry Leaders — AI Governance Lead
- When a Directive Can Switch Off Your AI: The Fable 5 & Mythos 5 Suspension — vdf.ai
- What Is Project Glasswing? Anthropic's AI Misuse Research Initiative Explained — Picus Security
- Anthropic Expands Glasswing: Frontier AI as Cyber Defense — Digital Applied
- Critical Infrastructure at Risk: Project Glasswing Urges Attention to AI-Driven Cyber-Risks — National Law Review
- Fable 5 and Mythos 5 remain suspended: 'The ball is in Anthropic's court' — The New Stack
- US government forces shutdown of Anthropic's AI Fable 5 and Mythos 5 — heise online
- Anthropic says US limits foreign access to Fable 5, Mythos 5 — Bloomberg