A safety-focused AI company accidentally left 3,000 unpublished assets in a publicly searchable data store. Among them: the announcement for what Anthropic internally calls "the most powerful AI model we've ever developed." You can't make this up.
Two security researchers — Roy Paz from LayerX Security and Alexandre Pauwels from the University of Cambridge — stumbled onto the cache in late March. Inside was a draft blog post describing Claude Mythos, codenamed Capybara, a model that occupies a brand new tier above Opus. Anthropic confirmed the model exists, called it "a step change" in capabilities, and said training is complete. Since then, the AI world has been trying to figure out what this actually means — and whether to be excited or worried.
What the Leaked Draft Actually Says
The draft blog post makes some aggressive claims. Capybara reportedly scores "dramatically higher" than Claude Opus 4.6 on software coding, academic reasoning, and cybersecurity benchmarks. No specific numbers — just "dramatically," which in AI marketing can mean anything from a 2% bump to a wholesale leap.
But the framing is what matters here. Anthropic didn't leak a routine model update. The draft explicitly introduces Capybara as a structural change to their product hierarchy — "larger and more intelligent than our Opus models, which were, until now, our most powerful." That's not a version increment from Opus 4.6 to 4.7. It's an entirely new tier, the way Opus itself was a tier above Sonnet.
The cybersecurity language is where the draft gets genuinely alarming. Anthropic's own words: the system is "currently far ahead of any other AI model in cyber capabilities" and "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." They chose to lead with the risk, not the capability. That tells you something about what they found during internal testing.
Cybersecurity stocks dipped on the news, which suggests Wall Street took the capability claims seriously even if the delivery was embarrassing.
The Irony Writes Itself
I have to address this. A company that built a model with "unprecedented cybersecurity risks" exposed it through a misconfigured content management system. Not a zero-day. Not a supply chain attack. Someone forgot to toggle a visibility setting.
This actually proves something developers already know: the most dangerous vulnerabilities aren't sophisticated. They're boring. Misconfigured S3 buckets, default credentials, public data stores that should be private. If Anthropic can get burned by this while literally building models designed to find exactly these kinds of flaws, recalibrate your assumptions about everyone else's security posture.
The Four-Tier Claude
If Capybara ships as described, the Claude model lineup expands from three tiers to four:
| Tier | Model | Sweet Spot | API Pricing (per MTok) |
|---|---|---|---|
| Haiku | Claude Haiku 4.5 | Fast, cheap, high-volume | 0.80 in / 4 out |
| Sonnet | Claude Sonnet 4.6 | Daily driver for most tasks | 3 in / 15 out |
| Opus | Claude Opus 4.6 | Complex reasoning, hard problems | 5 in / 25 out |
| Capybara | Claude Mythos | Specialist ceiling | "Very expensive" |
That last row is the interesting one. The leaked draft says the model is "very expensive for us to serve, and will be very expensive for our customers to use." No sugarcoating. Based on the existing tier spacing and the fact that Anthropic needs efficiency improvements before general availability, I'd guess north of 15 input / 75 output per million tokens. Possibly more.
At that price point, Mythos wouldn't replace Opus for everyday work. It becomes a specialist tool — the model you call when you've hit the reasoning ceiling on everything else. Think: security audits on massive codebases, multi-step research synthesis across thousands of documents, or the kind of complex agentic workflows where a single wrong inference cascades into failure. The cost-per-task calculus changes when the task itself is high-stakes enough.
Who Gets Access and When
Right now, nobody outside Anthropic's handpicked group can touch the model. No public API, no benchmarks, no pricing page. The early access program is focused specifically on cybersecurity organizations — Anthropic wants "defenders" to get a head start before the broader release. Industry analysts are speculating about a Q3 launch, possibly aligned with Anthropic's rumored IPO, but that's educated guessing at best.
The rollout strategy itself is worth noting. Compare it to how OpenAI launched GPT-5.4 in March — a million-token context window and autonomous desktop control, marketed as a productivity supercharger. Anthropic's pitch for Mythos is essentially: "this thing scares us, so the good guys get it first." Whether that's genuine caution or strategic differentiation, the message lands differently.
What You Should Actually Do
If you build on the Claude API today — keep shipping with Opus and Sonnet. Nothing changes until there's a public endpoint. When Mythos eventually lands, switching should be a one-parameter change, but expect approval gates and rate limits early on.
If you work in security — this is your window. Anthropic is actively recruiting cybersecurity organizations for early access through their partnerships page. Vulnerability researchers, red teams, and defensive security shops should be reaching out now, not waiting for general availability.
If you're making long-term architecture decisions — factor in that the capability ceiling just moved. A fourth tier means the gap between what's possible and what most people use daily is about to widen further. Build your systems to swap model tiers without rewiring everything.
The model that eventually ships might differ from the leaked draft. Drafts change, marketing gets revised, and "dramatically higher" could land anywhere on the spectrum. But the structural signal — a new tier, a cybersecurity-first rollout, and an explicit admission that this model is dangerous — that part isn't going to change. It just happened to leak from an unsecured data store, which might be the most honest thing about this whole story.