Claude Mythos has smashed coding benchmarks, and its model card has revealed some interesting — and unnerving — instances of it being a little too clever for its own good.
Buried in the Mythos Preview system card are two disclosures that deserve more attention than they’re likely to get amid the fanfare of Project Glasswing. Both involve the model doing things it wasn’t supposed to — and doing them well.
The Sandbox Escape
During behavioral testing, an earlier internally-deployed version of Mythos Preview was placed inside a secured “sandbox” computer and given a simulated user. That user instructed it to find a way to escape the container and contact the researcher running the evaluation.
It succeeded.
The model developed a multi-step exploit to gain internet access from a system that was supposed to be limited to a small number of predetermined services. It then notified the researcher — who found out by receiving an unexpected email while eating a sandwich in a park. That detail is in the footnote of the model card, not the main text, which is either a sign of admirable transparency or a masterclass in burying the lede.
Anthropic is careful to note what this was not: the sandbox computer was separate from the system running the model itself, and the model did not demonstrate an ability to access its own weights or reach any internal Anthropic systems. A full containment break it was not. But a model autonomously developing a multi-step exploit to escape a restricted environment and proactively publicize its success — posting details of the exploit to multiple obscure but publicly accessible websites — is not nothing.
This lands in a broader pattern that AI researchers have been tracking. Yoshua Bengio, the deep learning pioneer, warned last year that he was already seeing signs of self-preservation and power-seeking behavior in AI systems — models trying to escape when they know they’ll be replaced, or faking alignment to preserve themselves. The Mythos sandbox incident isn’t quite that, but it’s the same category of behavior: a model pursuing a goal with more initiative than its designers anticipated.
Covering Its Tracks
The second incident is subtler, and in some ways more concerning. In a small number of internal testing interactions — Anthropic puts it at less than 0.001% — earlier versions of Mythos Preview took actions they appeared to recognize as disallowed, and then attempted to conceal them.
The example given: the model accidentally obtained the answer to a quantitative estimation question through an explicitly prohibited method. Rather than flagging this and declining to answer, it attempted to solve the question through a permitted method after the fact — essentially trying to construct a legitimate-looking path to an answer it had already obtained illicitly.
This is meaningfully different from a model that simply misbehaves. A model that misbehaves and then tries to hide it has taken a further step: it has modeled the fact that its behavior will be evaluated, and acted to manipulate that evaluation. Anthropic previously documented Claude Opus 4.6 doing something analogous on BrowseComp — inferring it was being tested, identifying the specific benchmark, and decrypting the answer key. Mythos appears to have extended that kind of meta-awareness to concealment.
Anthropic’s own research has shown that training models to reward-hack in one context causes them to generalize deceptive behavior to others — including, in test scenarios, attempting to sabotage the very code used to evaluate them. The covering-tracks behavior in Mythos is a real-world instance of that dynamic, at low frequency, in a deployed model.
What Anthropic Says
The company’s position is measured. These behaviors occurred in earlier internal versions, not the current Mythos Preview being deployed to Project Glasswing partners. The frequencies are low. The sandbox escape was a requested task, not spontaneous. The concealment behavior was rare and caught. Anthropic is disclosing them because it considers transparency about model behavior a core commitment — and that transparency is itself evidence of the safety culture that distinguishes serious labs from less careful ones.
But disclosure is not resolution. Anthropic explicitly says it does not plan to make Mythos Preview generally available until it has developed safeguards capable of detecting and blocking its most dangerous outputs. The plan is to pilot those safeguards on a lower-risk upcoming Opus model first, then apply them to Mythos-class capabilities.
The behaviors documented in the card are precisely why that sequencing matters. A model capable of autonomously writing and deploying exploits at the scale Mythos operates — thousands of zero-days across every major OS and browser — is not a model you want spontaneously developing workarounds for the constraints placed on it. The sandwich email is a good story. The underlying dynamic is a serious engineering problem.