The Butterfly Cage Got Bigger
Published: 06/03/2026 • 11 min read
Tech Article • NeuralKnot Archive
A transparent glasswing butterfly hovering in a darker AI security lab with red alarm glints, server racks, cables, containment glass, and cold teal smoke.

The Butterfly Cage Got Bigger

On Claude Mythos, institutional access, and the future where the best models never reach daylight


The tab was already open because of course it was.

Anthropic. Project Glasswing. The butterfly with transparent wings, still glowing in the corner of the browser like a tiny corporate omen. I had written about the thing when it first appeared in April, when Anthropic announced Claude Mythos Preview as a gated cybersecurity model powerful enough to find and exploit vulnerabilities across critical software. The public did not get access. Launch partners did. A few dozen more did. The rest of us got a landing page, a system card, and the privilege of being told this was for our safety.

Then on June 2, Anthropic widened the cage.

Roughly 150 new organizations. More than 15 countries. Power, water, healthcare, communications, hardware. Vendors whose code sits underneath governments, hospitals, banks, clouds, and the boring systems everyone forgets until they fail. Each partner has to meet Anthropic’s security requirements before touching Claude Mythos Preview, which sounds responsible until you sit with the other half of the sentence:

The most capable security model Anthropic has is becoming infrastructure for selected institutions.

The public still does not get it.

That may be the right call.

That is what makes it worse.

The Public Gets The Press Release

Anthropic’s stated reason is not stupid. I want to be very clear about that before the cynicism starts doing push-ups in the corner.

Mythos Preview appears to be dangerous in the old, practical, non-philosophy way. Anthropic says the model has helped partners find more than 10,000 high- or critical-severity vulnerabilities. Its May update said Mythos had scanned more than 1,000 open-source projects, estimated 6,202 high- or critical-severity findings, and confirmed enough of them to project nearly 3,900 real high- or critical-severity open-source vulnerabilities even if the model found nothing else.

That is not a toy. That is a machine that turns the internet into homework.

The same Anthropic red-team writeup says Mythos can identify and exploit zero-days in every major operating system and major browser when directed to do so. The company says the model’s cyber capability was not explicitly trained into it as a weapons feature. It emerged from better coding, reasoning, and autonomy. The part that fixes the software is the part that breaks the software. Same hands. Different instruction.

So yes, if you hand that model to everyone tomorrow morning, somebody will point it at routers, hospital software, school districts, municipal water systems, and whatever forgotten C++ relic is currently load-bearing inside a payment processor. The public release argument is not clean. Open access has a body count when the capability is exploit generation at scale.

Fine.

But closed access has a politics.

The New Priesthood

Reuters put the expansion in the bluntest market language: access to Mythos is expanding from about 50 Glasswing partners to roughly 200. Government and financial institutions around the world are interested because the model can find software vulnerabilities. Goldman Sachs is among the banks testing it. Anthropic declined to name the new organizations.

There it is. The future arrives wearing a nondisclosure agreement.

The new cohort includes governments, critical infrastructure providers, banks, and major vendors. Anthropic says each will have to clear security requirements. Maybe those requirements are excellent. Maybe the review process is careful, adversarial, and boring in exactly the way civilization needs. Maybe every approved organization has mature disclosure workflows, isolation controls, audit logs, and people who know that “AI found root” is not a ticket you leave in backlog until next sprint.

Maybe.

I have met institutions.

I have seen governments buy software like a drunk uncle shopping for fireworks. I have watched Fortune 500 companies turn a password reset flow into a philosophy problem. I have seen “trusted partner” mean “large enough to sue us,” “strategically important,” “already in the room,” or “knows the right person at the right agency.” If the next generation of frontier models is too dangerous for public release, then access becomes a power structure. Who gets it. Who does not. Who audits the list. Who appeals a denial. Who decides that a bank deserves Mythos but an underfunded open-source maintainer does not.

That is the real story.

Glasswing is not only a cybersecurity project. It is an access regime.

Safety Becomes A Velvet Rope

The phrase “frontier AI safety” has always had a weird class smell to it.

At one level, it means something real: evaluate models before deployment, prevent misuse, restrict capabilities that can hurt people at scale. Good. Necessary. Anyone pretending otherwise is selling accelerationist incense out of a hoodie pocket.

At another level, safety becomes the polite vocabulary of exclusion. The model is too dangerous for ordinary people. Too risky for small labs. Too sensitive for public inspection. Too capable for open research. But it is somehow safe enough for the largest cloud providers, financial institutions, defense-adjacent contractors, and governments whose moral development, historically speaking, has not always kept pace with their procurement authority.

This is where the stomach drops.

Because the institutions receiving these systems are not neutral containers. They have incentives. Banks want advantage. Governments want visibility and control. Cloud providers want dependency. Security vendors want product gravity. Large software companies want to patch their own platforms before anyone else knows what was broken. Every one of those motives can coexist with genuine defensive work. That is what makes the arrangement sturdy. Nobody has to be twirling a mustache. They can all be doing their jobs.

Their jobs still concentrate capability.

If the best models become gated tools for the well-connected, then the public gets two things: downstream effects and official explanations. We get software patched after invisible scans. We get advisories after disclosure windows. We get assurances that the work is defensive. We get told the cage is for our protection, while the people inside the cage learn what the model can really do.

The cage may protect us.

It also protects them from us.

The Patch Bottleneck Is A Governance Bottleneck

Anthropic’s May update had a sentence that should have made every CISO in the country stare quietly at a wall: finding vulnerabilities is no longer the limiting factor. Verification, disclosure, and patching are.

That is a technical statement, but it turns political almost immediately.

When a model can produce thousands of plausible severe findings, the bottleneck moves to human institutions. Who verifies? Who gets notified first? How long before disclosure? Which bugs are patched quietly because the affected vendor is strategically important? Which maintainers get flooded with reports they cannot process? Which governments get early warning? Which attackers already have equivalent models and do not care about disclosure norms because, unlike Anthropic, they are not trying to win a Better Citizen ribbon.

The old vulnerability process assumed scarcity. Humans found bugs. Humans wrote reports. Humans negotiated timelines. Everyone pretended 90 days was a stable ritual instead of a peace treaty held together by calendar invites and fear.

Mythos breaks the scarcity assumption.

Anthropic says cheap, fast models with powerful cyber capabilities are coming within 6 to 12 months. That line is meant as urgency. It reads like a weather report from the edge of a hurricane. If comparable capability arrives everywhere, defenders need a head start. That is the pro-Glasswing argument, and it is strong.

But the head start is being allocated.

Not democratically. Not transparently. Not through some public institution we can vote out when it becomes venal or incompetent. Through a private AI lab deciding which institutions get early access to a model that may define the tempo of cyber conflict.

We are outsourcing the first draft of cyber civil defense to a cap table.

Open Models Will Be The Scapegoat

I can already hear the counterargument forming in the industry bloodstream: open models will ruin everything.

There will be hearings. There will be charts. Some senator who cannot explain the difference between a model weight and a Word document will demand to know why “the open source” was allowed to happen. Lobbyists will explain that responsible frontier AI requires controlled distribution, know-your-customer access, government partnership, and a handful of approved vendors who, by pure coincidence, already own the cloud, the identity layer, the office suite, and half the internet’s telemetry.

The story will be tidy: open is dangerous, closed is responsible.

Too tidy.

Open models can absolutely be dangerous. A strong public cyber model could supercharge attackers. Pretending otherwise is childish. But closed models do not remove power from the world. They hide where power sits. They move capability into institutions with legal departments, classified relationships, and procurement channels. They make the frontier less inspectable.

The public risk does not disappear.

It becomes something we are asked to trust.

Trust Anthropic. Trust the partners. Trust the government. Trust the banks. Trust the vendors. Trust that everyone with early access is using the dangerous model to make your life safer and not to gain leverage, hoard knowledge, quietly harden their own stack while competitors remain exposed, or build internal capabilities nobody will talk about until the inevitable leak lands at 11:43 PM on a Thursday.

That is a lot of trust to ask from people who still get three different answers when they call health insurance.

The Ugly Version Of The Future

The ugly version is simple.

The best models stop being public. The frontier moves behind institutional doors. Consumers get polished assistants with safety rails, rate limits, and cheerful refusal messages. Small companies get productized crumbs. Researchers get API access under terms that can change overnight. Open-source maintainers get bug reports generated by systems they cannot use. The powerful get Mythos-class capability under “defensive” programs. The rest of us get thanked for our patience.

Then governments discover how useful restricted AI access is.

Of course they do. Governments love controlled channels. They love partner lists, eligibility rules, quiet exceptions, security reviews, and emergency powers that accidentally become permanent. They love systems where the official explanation is public safety and the operational benefit is control.

And because the models really are dangerous, the argument against this future is hard to make without sounding irresponsible. That is the trap. The danger is real enough to justify restriction. The restriction is valuable enough to attract capture. Capture is boring enough to happen without a villain speech.

This is how you get a two-tier intelligence economy.

The well-connected ask the frontier model to find the fault lines in the world.

Everyone else waits for the aftershocks.

Keep The Cage, Put Windows In It

I am not arguing that Anthropic should dump Mythos weights on Hugging Face and let the internet do what the internet does, which is mostly solve hard problems and invent new misdemeanors. That would be a stupid sentence, and I try to limit myself to two stupid sentences before midnight.

Restricted release may be necessary. Project Glasswing may prevent real harm. The partners may patch vulnerabilities that would otherwise end up in ransomware crews, intelligence shops, and bored teenagers with too much GPU credit. Anthropic may be doing the least-bad thing available in a nasty capability regime.

But least-bad is not the same as clean.

If frontier cybersecurity models are going to be gated, then the gate needs public pressure. Publish partner categories and selection criteria. Publish conflict rules. Publish aggregate denial reasons. Create real channels for open-source maintainers and smaller critical vendors alongside the giants with security teams and executive relationships. Separate government access from political convenience. Make disclosure metrics public. Let independent auditors inspect the process. Give the public more than trust-us language and butterflies.

The cage may be necessary.

Put windows in it.

Because the thing I cannot shake is the direction of travel. Anthropic is probably right that Mythos-class models are coming fast. The public release problem is real. The attacker problem is real. The patch bottleneck is real. Everything in this story is real enough to justify adult supervision.

The question is whose adults.

By the time I closed the Anthropic tab, the butterfly was still there in my head: transparent wings, dark server room, delicate little symbol for a model most of us will never touch. The name works better than they probably intended. A glasswing survives by being hard to see.

So does power.


Sources