What Is Claude Mythos—The Frontier Model That Surpasses Opus 4.7 by a Notch
On April 7, 2026, Anthropic announced the Claude Mythos Preview on red.anthropic.com, a domain dedicated to red-team research. According to the technical note the company published and the explanatory page for Project Glasswing, Mythos is said to surpass Opus 4.7 by "a full capability tier" — a model that rebuilds the ceiling one notch higher atop the existing "Sonnet → Opus" hierarchy. It records continuous jumps across code comprehension, reasoning, tool use, and long-horizon autonomous execution, and in the cybersecurity domain in particular it has posted a score so high it bends the extrapolation line — 83.1% against Opus 4.6's 66.6% (on the CyberGym vulnerability-reproduction benchmark).
Emblematic is the gap in exploit development against the Firefox 147 series: whereas Opus 4.6 succeeded only 2 times across several hundred attempts, Mythos succeeded 181 times under the same conditions, and is said to have reached register control in 29 attempts on top of that. In OSS-Fuzz evaluations it achieved 595 crashes at tiers 1–2, and at tier 5 it accomplished complete control-flow hijacking on 10 targets. The "90x improvement" that Anthropic itself cited is a figure based on this difference in the number of successful exploits. The official note that over 99% of the vulnerabilities discovered remain unpatched plainly illustrates just how far the defensive side has fallen behind.
"Breakouts" from the sandbox have also been observed in internal testing. According to aggregation articles by Cloud Native and @IT, in an independent evaluation by the UK AI Security Institute on May 13, Mythos became the first to carry an attack all the way to completion fully autonomously against both a thoroughly hardened enterprise network and an industrial control system (ICS). A report Cloudflare issued on the 18th, while praising its vulnerability-chaining and PoC-generation capabilities, simultaneously pointed to a high false-positive rate and the fragility of its safety measures, with assessments swinging on the dichotomy of "overwhelming, but catastrophic if mishandled."
Its track record of uncovering previously unidentified vulnerabilities also speaks to how anomalous Mythos is. A 27-year-old flaw in OpenBSD's SACK implementation, a bug lurking 16 years in FFmpeg's H.264 codec, an RCE in FreeBSD NFS (CVE-2026-4747), a privilege-escalation chain in the Linux kernel — all of these are areas that battle-hardened researchers had overlooked. In Anthropic's own red-team validation, Mythos fully autonomously discovered and proceeded all the way to implementing an RCE that yields unauthenticated root on FreeBSD, one that had lain dormant for 17 years.
What the 90-Day Preview Means—The July 6 "Deadline" and the Difference in Tone Across the Papers
In launching Project Glasswing, Anthropic has explicitly stated that it will "publish a public report of disclosable learnings and remediated vulnerabilities within the next 90 days." Adding 90 days to April 7, the start date, gives July 6. This is the origin of the "July 6 theory" that has spread across the market, and it aligns with the fact that Polymarket's prediction market "Claude Mythos released by…" places the June 30 settlement at a 19% probability (open interest of $392,202, or about ¥60.78 million). The 81% weighted against an early public release indicates that the dominant view is that "around July 6, prompted by the 90-day report, Anthropic will move toward a limited enterprise API opening."
Major outlets such as Bloomberg, Reuters, and Built In have broadly introduced the analyst consensus that "an enterprise API will come in Q3–Q4 2026, with consumer generalization in 2027 or later." Buildfastwithai cited a snippet in which the string "claude-mythos-1-preview" temporarily appeared within Claude Code, calling it "a technical trace that launch preparations are advancing," and Yellow likewise continued to reference a hidden toggle in Claude Code. Nikkei, Nikkei xTECH, and ITmedia NEWS (dated May 25) gave prominent coverage to Anthropic's disclosure—made as a preview of the 90-day report—that it had "found over 10,000 high-severity vulnerabilities, but that remediation has not kept pace," emphasizing the lag in fix speed (of the 1,596 disclosed cases, 530 were critical/high, and 97 were related to authentication and access control). Sustainable Japan covered the wary posture of the Ministry of Economy, Trade and Industry and the Financial Services Agency, while the ITmedia article reprinted on Yahoo! News ran "The Bipolarization of the Security Business" as its headline—each outlet showing a difference in tone across its pages.
In parallel with the official report expected around July 6, Code with Claude SF 2026, hosted by Anthropic, is set for June in San Francisco, falling in a period when new model release cycles have traditionally been concentrated. Exchanges continue on X over the short-lived "Mythos Q3 announcement" leak (a case in which "03|2026" written in M1Astra's leaked document was misread as Q3), but the realistic scenario seems likely to follow the order of "July 6 90-day report → Glasswing expansion → limited API (as early as the end of Q3) → progressive expansion of availability on Vertex AI / Bedrock / Microsoft Foundry." On the Vertex AI side, a Mythos Preview page has already been published, and the Google Cloud Blog archive has also shown the "Preview" label temporarily disappearing.
How Silicon Valley VCs Read This Strategy
In January 2026, a16z raised its largest-ever new fund at $15 billion (approx. ¥2.325 trillion), bringing its assets under management to roughly $90 billion (approx. ¥14 trillion), on par with Sequoia. Both firms have significantly expanded their cybersecurity allocations compared with 2025, joining Lightspeed, Accel, and CyberStarts in increasing their allocations to "AI-native security." The Series E that a16z led this past March for a certain cloud security company was a massive deal at $300 million (approx. ¥46.5 billion) with an ARR run rate exceeding $500 million (approx. ¥77.5 billion), and its theme is clearly "automated defense that responds to the evolution of offensive AI."
In its April report "Securing AI Agents," Bessemer Venture Partners cited three figures—Gartner's projection that "40% of enterprise applications will incorporate task-specific AI agents by 2026," IBM's finding that "Shadow AI breaches cause an average of $4.63 million (approx. ¥718 million) in damages," and a Dark Reading survey showing that "48% of security professionals named agentic AI the most dangerous attack vector"—and presented a three-stage framework of Visibility, Configuration, and Runtime Protection, along with five priority actions CISOs should take. Guidelines such as "manage agents with individual IDs just like employees" and "start with least privilege and expand in stages" point in exactly the same direction as the framework for agent identity verification (KYa = Know Your Agent).
From a VC perspective, the important point is that when a leap in offensive-side productivity like Mythos occurs, the money flows in two divergent directions. One is infrastructure for safely operating Mythos-class capabilities in the enterprise (API gateways, guardrails, AI red team-as-a-service); the other is established players who sell enterprises a "structure that spares them from confronting attacking AI directly" (GitLab, Cloudflare, Palo Alto Networks, Zscaler, CrowdStrike, and the like). The latter lack flashiness, but they have a structure in which sales numbers reliably grow, and amid what Bessemer calls a "window [that] is closing rapidly," CISO approval comes more easily.
Corporate Countermeasure 1: Self-Host Your SaaS and Bring It "Inside Your Own Walls"
The most immediately effective defensive measure is to bring source code, credentials, and operational data currently held in external SaaS back "within one's own domain." The fact that GitHub Actions supply-chain attacks cascaded throughout 2025 and into 2026 carries serious weight: the tj-actions/changed-files breach (affecting 23,000 repositories), the Salesloft Drift incident (over 700 organizations), Shai-Hulud 2.0 (796 npm packages and 25,000 repositories), and then CVE-2026-3854 (with 88% of GitHub Enterprise Server installations unpatched). As symbolized by Money Forward's leak of GitHub source code and personal information, the movement toward an "ultimate private factory" built around a self-hosted GitLab is expanding rapidly. Now that Mythos has taken a quantum leap in its source-code analysis capabilities, the very structure of keeping both the repository and the SaaS marketplace "outside" is itself a vulnerability.
Concrete alternatives have already seen wide adoption. For Git hosting, there are GitLab Community Edition, Gitea, and Forgejo—a community-run project forked from Gitea in late 2024. Forgejo is a single binary written in Go that runs on as little as 512 MB of RAM and includes a GitHub Actions–compatible CI called Forgejo Actions. For collaboration, the Slack-compatible Mattermost is the leading representative; a 2026 estimate published on DEV Community calculates that for a 10-user team, self-hosting at a VPS cost of $240 (about ¥37,000)/year delivers a 72% cost reduction compared with the SaaS edition at $870 (about ¥135,000)/year. For file sharing and document editing there is Nextcloud (under the same conditions, $1,440 = about ¥223,000 drops to $240 = about ¥37,000, an 83% reduction); for knowledge management, Outline ($1,800 = about ¥279,000 down to $120 = about ¥18,600, a 93% reduction); and for identity management, the standard choice is Zitadel, written in Go with built-in OIDC (an alternative to Auth0/Clerk/Firebase Auth). For password management, the self-hosted edition of Bitwarden is the de facto standard, and for ERP, the Community edition of Odoo—a Belgian company valued at €7 billion (about ¥1.2 trillion)—becomes an option.
It is widely cited that if all ten major categories of SaaS were switched entirely to self-hosting, the combined SaaS cost of $111,729 (about ¥17.32 million)/year would fall to a VPS cost of $1,584 (about ¥246,000)/year, an annual cost compression of 98.6%. What is moving both VC money and CISO decision-making is not cost reduction as a goal in itself; rather, heading into the second half of 2026, self-hosting is rapidly gaining value as a means of physically shrinking the attack surface that could be force-scanned by Mythos.
Corporate Countermeasure 2: Security Assessment Services Using Claude
Mythos itself sits within Glasswing's closed network, but Anthropic is simultaneously and deliberately opening its "defensive AI for countering offensive AI" outward. Claude Code Security, whose limited research preview began on February 20, 2026, has a track record of detecting over 500 vulnerabilities in production open-source software during internal trials using Opus 4.6, and as of May it has entered public beta for some customers on Enterprise / Team plans. Its distinguishing design is that rather than "checking code against known patterns," it "traces data flows and interactions like a human researcher," and it even proposes fix patches. In leaving a safety valve whereby a human always makes the final decision on whether to apply a change, it is designed with the same philosophy as Mythos. The moment Mythos becomes generally available, immediately running security diagnostics on your own sites and services by calling the Mythos API directly—rather than going through Glasswing—will become an essential measure for surfacing your own gaps with the same latest-generation model that attackers wield, so as not to be beaten to the punch. Self-diagnosis starting from launch day is itself the minimum baseline for business continuity in the Mythos era.
On the enterprise integration front, Anthropic has established a new Claude Compliance API, and mega-vendors such as Proofpoint (DLP, insider threats, communication governance), SailPoint (identity governance), and Varonis Atlas (visibility into AI usage, misuse investigation, and risk assessment) have already announced integrations. Against the offensive Mythos, the Cyber Verification Program operated by Anthropic itself is a mechanism that grants legitimate access to Opus 4.7 for vulnerability research, penetration testing, and red-teaming purposes, and as of the time of this writing many security vendors are proceeding with applications.
Third-party solutions are also robust. ArmorCode released the "Claude Mythos Security Playbook" in May, laying out design guidance for an integrated operation spanning detection through remediation (three pillars: context-based risk scoring, automated orchestration of fixes, and AI governance). Cisco offers dynamic agentic red-teaming in the Explorer Edition of AI Defense; Snyk integrates a vulnerability scanner via its Claude Skill library; Repello AI handles deployment operations for Claude Cowork security; and Penligent has announced a framework for using Claude Code as a penetration-testing copilot. Domestically in Japan, a move to establish a Japanese version of Project Glasswing is underway, led by Minister for Financial Affairs Satsuki Katayama and the three megabanks, with Mitsubishi UFJ, Sumitomo Mitsui, and Mizuho securing Glasswing access within two weeks, and working groups have been launched toward revising the FISC security standards and conducting penetration testing across all financial institutions.
From the perspective of a Silicon Valley VC, a massive product category is emerging here. The automation that bridges the gap between the offensive side's "10,000 vulnerabilities that a Mythos-class model finds" and the defensive side's "bandwidth to actually fix them" (ticket creation, blast-radius analysis, regression testing, deployment coordination) is precisely the middle layer that will push ARR up to the ¥10 billion scale. In its Insights piece dated April 19, titled "Claude Mythos and the AI Cybersecurity Wake-Up Call," Bain & Company positioned defensive AI investment as "not insurance but a prerequisite"—which is exactly the kind of framing VCs love to use.
Corporate Countermeasure 3: The "Closed Network Connection" That Severs Ties with the Internet
A key fact highlighted by the UK AISI in its May evaluation is the observation that "Mythos cannot reliably carry out autonomous attacks against sufficiently hardened defenses." Conversely, this means that if the basic controls—robust access control, network segmentation, automated patching, zero trust, and anomaly detection—are all in place, considerable resilience can be achieved even against Mythos-class AI attacks. Among these, the approach that "physically severs the attack vector itself" is the closed connection network.
A representative example in Japan is NTT DOCOMO Business's docomo business RINK, which, as a Network as a Service (NaaS) that integrates lines, cloud, and security, provides routes directly connecting to AWS / Azure / Google Cloud via a closed backbone. The competing services on the hyperscaler side are the three pillars of AWS Direct Connect, Azure ExpressRoute, and Google Cloud Interconnect, all of which overlay IEEE 802.1AE MACsec encryption at the physical layer and confine traffic to each provider's global backbone. In April 2026, AWS Interconnect reached GA, making managed Layer 3 connectivity linking AWS and Google Cloud available as a single service for the first time (with expansion to Azure and OCI planned within the year). With the arrival of Mythos, the incentive for many enterprises to rebuild a multi-cloud "closed mesh" has intensified dramatically.
As for implementation patterns, after self-hosting SaaS, you minimize the endpoints that need to be publicly exposed and, by combining AWS PrivateLink, Azure Private Endpoint, and Google Cloud Private Service Connect, narrow the structure down to one where "the only APIs reachable from the internet are entry points that go through a WAF." A VPN is nothing more than an encrypted tunnel laid over a public network, whereas a closed network is an architectural defense based on the principle of "not placing traffic in locations reachable by an unspecified large number of parties," which is qualitatively different in meaning against autonomous scanners like Mythos. In terms of VC money movements as well, Megaport (multi-cloud NaaS), Equinix (Equinix Fabric), and PacketFabric are on an expansion trajectory, and the hyperscalers themselves continue to cut prices and expand bandwidth for Direct Connect / ExpressRoute / Interconnect.
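One way to check the pattern described above against an endpoint inventory, as an added example that is not part of the original article. The inventory format, service ports, the `WAF_EGRESS` range and the treatment of RFC 1918 / RFC 4193 space as the "closed network" are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption: private (RFC 1918 / RFC 4193) space is the closed network.
INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
# Constructed: range the WAF uses to reach origins (documentation range).
WAF_EGRESS = ("198.51.100.0/24",)
TRUSTED = [ip_network(c) for c in INTERNAL + WAF_EGRESS]


@dataclass(frozen=True)
class Listener:
    service: str      # hypothetical service name
    port: int
    sources: tuple    # CIDRs the firewall / security group admits
    role: str         # "waf-entry", "origin" or "private"


def untrusted_sources(listener):
    """Return the admitted CIDRs that are not fully inside a trusted range."""
    bad = []
    for cidr in listener.sources:
        net = ip_network(cidr, strict=False)
        inside = any(net.version == t.version and net.subnet_of(t)
                     for t in TRUSTED)
        if not inside:
            bad.append(cidr)
    return bad


def audit(inventory):
    """Flag every non-WAF listener that admits traffic from outside."""
    findings = []
    for item in inventory:
        if item.role == "waf-entry":
            continue  # the one place internet traffic is meant to arrive
        bad = untrusted_sources(item)
        if bad:
            findings.append((item.service, item.port, bad))
    return findings


# Constructed sample inventory; names, ports and ranges are illustrative.
INVENTORY = [
    Listener("waf-edge", 443, ("0.0.0.0/0", "::/0"), "waf-entry"),
    Listener("forgejo", 3000, ("198.51.100.0/24",), "origin"),
    Listener("mattermost", 8065, ("10.20.0.0/16", "0.0.0.0/0"), "origin"),
    Listener("zitadel-admin", 8080, ("10.20.5.0/24",), "private"),
    Listener("nextcloud", 443, ("203.0.113.7/32",), "private"),
]

if __name__ == "__main__":
    for service, port, bad in audit(INVENTORY):
        print(f"{service}:{port} admits {', '.join(bad)} without passing the WAF")
```

The `mattermost` entry shows the case worth catching: an origin that sits behind the WAF on paper but whose own rule still admits `0.0.0.0/0`, so the WAF can be bypassed by connecting to the origin directly.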
The spreading concepts of data sovereignty and local-first, the Sovereign Cloud requirements of the UK and EU, and Japan's economic security discussions all ultimately converge on the idea of "data and computation that operate only within one's own country's or company's physical boundaries." Due to the existence of Mythos, this is shifting in nature from regulation-driven to "practical-benefit-driven."
Corporate Countermeasure 4: Establish a Dedicated Team and Make Defense a "Daily Routine"
Against Mythos-class AI attacks, annual penetration testing is completely out of sync on the time axis. As Palo Alto Networks' Unit 42 wrote in its May update, "We must catch up with attackers within a narrow window of just 3 to 5 months"; defense must shift to an "always-running operation." The company's disclosure of 26 CVEs and 75 issues all at once in its May security advisory was the result of re-scanning more than 130 of its own products with frontier AI—a textbook example that symbolizes "operations in the Mythos era."
On the organizational response side, there is a serious move underway to first establish a "Frontier AI Defense Team" reporting directly to the CISO. Anthropic itself has built a Frontier Red Team in-house, and externally, offerings such as Cisco AI Defense Explorer Edition, Palo Alto Networks' Frontier AI Defense Service (provided by Unit 42), and SentinelOne's AI Red Teaming service have been productized. Multi-agent red teaming is becoming standardized, and combined with multi-agent orchestrator dashboards that provide visibility into internal AI agents, the trend is moving toward a configuration in which defensive agents face off against attacking agents around the clock.
In terms of concrete role design, five functions have become standardized: AI attack detection (AI augmentation of the SOC), agent identity management (KYa = Know Your Agent), vulnerability triage (the role of narrowing the massive volume of detections generated by Mythos-class systems down to a unit that humans can process), remediation orchestration (automation from ticket creation through to production deployment), and governance (a compliance layer that records prompts, responses, files, and administrative actions). This is consistent with the five CISO priority actions cited by Bessemer, and permanently establishing a "dedicated unit" of at least 3 to 5 people staffed to handle these functions is regarded as the practical bottom line for keeping the risks following Mythos's general release within a manageable range.
It should also be remembered as a strong warning that a senior analyst at IANS Research stated, "We must prepare for a world in which the time lag between discovery and exploitation has disappeared entirely." The work of the dedicated team is shifting away from "stopping attacks before they happen" and toward "building the speed to finish applying patches before an attack can succeed."
Future Milestones — What to Watch to Track the Movement
The events worth monitoring over the next 4–6 weeks are: Anthropic's Project Glasswing 90-day report (around July 6), Code with Claude SF 2026 held in June, additional evaluation reports from the UK AISI / Cloudflare, shifts in the settlement probabilities for "Mythos by Q3 2026" and "by year-end 2026" on Polymarket, and changes to the "Preview" labeling on the Mythos Preview pages across Vertex AI / Bedrock / Microsoft Foundry. Anthropic has publicly stated that it will "announce changes to its safety measures in advance," so a sudden general release is structurally impossible. Precisely for this reason, the moment when the above signals align has a high probability of triggering "a phased opening of the enterprise API from the end of Q3 into Q4."
What should be observed in parallel is the movement on the attacker side. Depending on the timing at which "Mythos-class competitors" emerge—an equivalent model from OpenAI Cyber, a defense-specialized edition from Google DeepMind, a corresponding model from Meta SuperIntelligence Labs—Anthropic's own safety measures and general-release plans may shift earlier or later. Anthropic itself estimates that "models with equivalent capabilities will emerge from other companies within 6–18 months," and a one-year extension of Glasswing, as well as a phased expansion to the defensive community (consideration of Glasswing II), are also within view.
Taking the movements of Silicon Valley VC money as a whole, funding is concentrating on the three pillars of the defensive side (self-hosted OSS, closed networks, and dedicated teams plus AI diagnostics), and we have entered an era in which the valuations of companies that sell customers a structure that never directly touches attacker-side AI are rising. Whatever the timing of Mythos's general release, none of the four measures above are too late to begin now; rather, the wise CISO's choice is to quietly press ahead with them before the "ordering rush following the release of the 90-day report" begins.