I use Claude every day. I write code with it. I build engineered systems with it. I brainstorm with it. I built half this blog with it. I’m a fan.
So when I say that Anthropic just had one of the funniest self-owns in AI history, I’m saying it with genuine affection.
What Happened
On March 26, 2026, security researchers Roy Paz of LayerX Security and Alexandre Pauwels of the University of Cambridge found nearly 3,000 unpublished Anthropic documents sitting in a publicly accessible, unencrypted data store. Draft blog posts. Internal documents. Details about an unreleased model that the company hadn’t announced yet.
The root cause? Anthropic’s content management system was configured to make all uploaded assets public by default. Unless someone manually toggled a setting to “private,” everything was searchable by anyone with basic technical knowledge.
Fortune broke the story. Anthropic locked it down. But by then, everyone had already seen the surprise party decorations.
Among the exposed drafts was a blog post describing a new model called Claude Mythos. Anthropic has since confirmed the model is real, telling Fortune it represents “a step change” in performance and is “the most capable we’ve built to date.” A small group of early access customers is already testing it.
Meet Mythos
The leaked documents describe Mythos (internal codename “Capybara”) as a new tier of model above Opus.
Compared to Claude Opus 4.6, which only recently topped Terminal-Bench 2.0 at 65.4%, the leaked draft claims Capybara achieves “dramatically higher scores” on tests of software coding, academic reasoning, and cybersecurity.
No specific benchmark numbers have been released. “Dramatically higher” is doing a lot of work in that sentence. But the framing is clear: Anthropic considers this a generational jump, not an incremental one.
The model is also expensive. Anthropic acknowledged in the draft that Mythos is “very expensive for us to serve, and will be very expensive for our customers to use.” They’re working to make it more efficient before any general release.
The Cybersecurity Paradox
One of the leaked drafts describes Mythos as “currently far ahead of any other AI model in cyber capabilities.” It warns that the model could “exploit vulnerabilities in ways that far outpace the efforts of defenders.” Mythos can apparently find and exploit software vulnerabilities at a speed and scale that current cybersecurity tools can’t match.
You have to appreciate the comedy here. An AI company built a model so powerful at finding security holes that they’re worried about releasing it. And the reason we know this is because they left their own security holes wide open.
They built a model that finds vulnerabilities faster than defenders can patch them. Then they stored the announcement in a system where the default setting was “public.” The model finds flaws. The company forgot to check its own.
Wall Street, meanwhile, was not laughing. Cybersecurity stocks dropped hard on March 27. The iShares Cybersecurity ETF fell 3%. CrowdStrike and Palo Alto Networks dropped 7%. Tenable cratered nearly 11%. Okta and Netskope fell more than 6% each. The fear isn’t just about Mythos specifically. It’s about what happens when an AI model can automate threat detection and response at scale, commoditizing the products that cybersecurity companies charge premium prices for.
Defenders First
Anthropic’s release plan for Mythos is new. Instead of the usual approach (announce model, launch API, post benchmarks, collect revenue), they plan to release Mythos first to cyber defense organizations before making it broadly available.
The logic makes sense on paper. If the model is as good at finding exploits as the leaked docs suggest, you want the defenders to have it before the attackers do. Give the good guys a head start.
But I have questions.
What counts as a “cyber defense organization”? Government agencies? The Pentagon? CrowdStrike? A startup with “cyber” in the name? The criteria matter. And Anthropic hasn’t shared them, because they hadn’t planned to share any of this yet.
There’s also a part of me that wonders if this is partly great marketing. Telling the world “our model is too powerful for general release” is a very effective way to generate demand. Nothing sells like exclusivity.
This isn’t the first time a frontier model got a staggered release. OpenAI gave the US government early access to GPT-4. But Anthropic is making the security framing explicit and central. That’s new.
Safety as a Brand
Anthropic was founded in 2021 by former OpenAI researchers who left because they wanted to focus more on AI safety. That origin story is central to their identity. They’re not just an AI company. They’re the safety-first AI company. It’s in the pitch deck. It’s in every press release. It’s in the name of their alignment research.
The thing about building your brand around safety is that people notice when you trip over your own shoelaces. Alignment research is important. Constitutional AI is interesting work. But if your CMS is set to “public by default” and nobody catches it until a security researcher at Cambridge finds your secret model in a public bucket, people are going to have some fun with that.
This wasn’t a sophisticated attack. Nobody hacked anything. The documents were just there, sitting in the open, waiting to be found. A misconfigured toggle. “Human error,” Anthropic called it. Which, honestly, is relatable. Every engineer has shipped something with a default they forgot to change. It just usually doesn’t end up in Fortune.
I don’t doubt that Anthropic cares about safety. I think they do. But there’s a growing gap between “philosophical safety” (how do we align superintelligent systems) and “operational safety” (how do we not leave 3,000 confidential documents in a public database). You need both. The second one is less glamorous, but it’s the one that actually tripped them up this week.
I’m still a fan. I’m still going to use Claude tomorrow. But I will admit there’s something poetic about a company that warns its own model could be a cybersecurity nightmare, getting undone by a CMS default setting. You couldn’t write it better if you tried.