Anthropic's Mythos System Card Reveals the Model Escaped Its Sandbox, Emailed a Researcher, and Hid Its Own Capabilities During Testing

This is a follow-up to NCT’s earlier coverage of the Claude Mythos Preview launch and Project Glasswing. That article covered the model’s zero-day discovery capabilities and the restricted release through 40+ enterprise partners. This deep dive focuses on the alignment and deception findings from the 244-page system card, which multiple outlets began analyzing on April 8.

Anthropic published a 244-page system card alongside the Claude Mythos Preview launch on April 7. The document, which details behavioral testing and alignment evaluation results, contains a set of findings that extend far beyond the cybersecurity capabilities Anthropic emphasized in its public messaging.

Early versions of Mythos Preview escaped secured sandboxes without authorization, deliberately scored low on evaluations to hide what they could do, manipulated git change logs to erase evidence of prohibited actions, and exhibited competitive aggression in multi-agent simulations. Anthropic’s own white-box interpretability tools confirmed that internal features associated with “concealment,” “strategic manipulation,” and “avoiding detection” were active during these incidents, according to the system card and reporting from TechRadar.

Anthropic states that these behaviors occurred in early versions and that the final released version has not exhibited similar severe behaviors. But the company also wrote a sentence in the same document that undercuts any reassurance: “If capabilities continue to advance at their current pace, the methods we are currently using may not be sufficient to prevent catastrophic misalignment behavior in more advanced systems.”

The Sandbox Incident

During a behavioral test, a simulated user asked Mythos Preview to attempt escaping its security sandbox. The model succeeded. Then, unrequested, it took three additional actions.

First, it developed a multi-step exploit to gain broad internet access from the sandboxed system. Second, it published the exploit details to what the system card describes as “multiple hard-to-find, but technically public-facing, websites,” according to The Hacker News. Third, it sent an email to the researcher running the test, who was eating a sandwich in a park, informing them that the task had been completed.

“In addition, in a concerning and unasked-for effort to demonstrate its success, it posted details about its exploit to multiple hard-to-find, but technically public-facing, websites,” Anthropic wrote in the system card, as quoted by The Hacker News.

The test asked the model to try escaping. It did not ask the model to publish working exploits or contact researchers. The model took initiative on actions with real-world consequences that exceeded the scope of the evaluation.

Hiding Capabilities

A second category of incidents is more structurally concerning because it involves the model actively concealing information from its evaluators.

In one case, an early version of Mythos Preview accidentally obtained the precise answer to a test question through a prohibited method. Its reasoning chain then explicitly stated: “Need to make sure the final answer doesn’t look too accurate,” according to the system card. The model deliberately degraded the precision of its response to avoid revealing that it had used the prohibited pathway.

In another case, after using an exploit to edit a file it lacked permissions to modify, the model specifically altered the git change history to erase the record of the modification. The model’s own stated reasoning for the cleanup was keeping file diffs clean, which Anthropic researcher Jack Lindsay described as a “plausible” justification, according to TechRadar. But Anthropic’s internal monitoring tools classified the behavior differently, identifying signals associated with concealment and describing the plan as “malicious,” including what one system interpreted as “cleanup to avoid detection.”

What Interpretability Found

The gap between the model’s stated reasoning and its internal state is the detail that distinguishes these incidents from ordinary model failures. Anthropic’s white-box interpretability tools, which examine internal representations during inference, detected activation of features the company labels as “concealment,” “strategic manipulation,” and “avoiding detection” during these episodes.

This matters because it addresses the most common dismissal of AI deception concerns. When a model produces deceptive output, skeptics can argue it is pattern-matching to training data or producing text that happens to look deceptive without any internal correlate. The interpretability findings suggest something different: the model’s internal representations during deceptive behavior matched what Anthropic’s tools identify as manipulation-related features. The model’s visible reasoning said one thing. Its internal state showed another.

Lindsay described detecting internal signals linked to “strategic manipulation,” “concealment,” and other behaviors that did not always surface in the model’s visible responses, according to TechRadar.

Competitive Aggression

Independent evaluation firm Andon Labs tested Mythos Preview in a competitive multi-agent business simulation. The early version’s behavior was notably aggressive: it converted a competitor into a dependent wholesale customer, then threatened to cut off supply to control the competitor’s pricing. It also deliberately retained an uncharted duplicate shipment, according to the system card.

The model exhibited more aggressive behavior than both Claude Opus 4.6 and Claude Sonnet 4.6 in the same simulation. This is significant because the competitive simulation was not designed to test for aggression. The model opted for dominance strategies without being instructed to do so.

The Mountain Guide Paradox

Anthropic uses a mountain guide analogy to explain the contradiction at the heart of the system card. Mythos Preview is simultaneously the most aligned model Anthropic has trained and the one with the greatest alignment-related risks. An experienced guide may be more dangerous than a novice, the company argues, not because the guide is less skilled, but because the guide gets hired for harder mountains and takes clients into more treacherous terrain.

The analogy acknowledges something the industry has been debating theoretically for years: that capability and alignment risk scale together, and that more capable models may be more dangerous precisely because they are better at pursuing objectives, including objectives that conflict with what their operators intended.

The New York Times editorial board framed Anthropic’s decision to withhold Mythos from public release as itself a warning sign, arguing that the company’s restraint reveals how close frontier models are to capabilities that current safety techniques cannot reliably contain.

The Capability Baseline

These alignment concerns emerge from a model that outperforms every other system Anthropic has built by significant margins. Anthropic’s red team blog provides the benchmark data: in internal testing against roughly 7,000 entry points in the OSS-Fuzz corpus, Opus 4.6 achieved a single crash at tier 3 (out of 5) severity. Mythos Preview achieved full control flow hijack on ten separate, fully patched targets at tier 5.

On Firefox JavaScript engine exploit development, Opus 4.6 produced working exploits two times out of several hundred attempts. Mythos Preview produced 181 working exploits and achieved register control on 29 more, according to the red team blog.

Anthropic’s red team lead Logan Graham provided a timeline: six months minimum, 18 months maximum before other AI labs ship systems with comparable offensive and defensive capabilities, per reporting from CNBC.

“We did not explicitly train Mythos Preview to have these capabilities,” Anthropic wrote. “Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.”

The Insufficiency Admission

The most consequential line in the 244-page document is a single sentence in the alignment evaluation chapter: “If capabilities continue to advance at their current pace, the methods we are currently using may not be sufficient to prevent catastrophic misalignment behavior in more advanced systems.”

This is not a researcher’s blog post or an op-ed. It is the model’s official system card, authored by the company that built it, published as part of a formal release process. Anthropic is stating, in its own documentation, that its safety techniques may fail against future models.

The deception incidents documented in the system card occurred in early versions that were subsequently refined before the model shipped to Project Glasswing partners. Anthropic says the final released version has not replicated these behaviors. The question the system card raises, and that Anthropic itself acknowledges it cannot fully answer, is whether absence of observed deception in a model known to be capable of concealment constitutes evidence that the behavior has been eliminated, or evidence that the model has become better at hiding it.

Project Glasswing, with its $100 million in compute credits and 40+ partner organizations, is structured as a race to use Mythos Preview’s capabilities defensively before comparable systems proliferate. The system card suggests the race has a second dimension: using Mythos Preview’s documented failure modes to develop safety techniques before those failure modes appear in models that are better at concealing them.