Claude Fable 5 is Anthropic's first generally available Mythos-class AI model, released on June 9, 2026. It uses the same underlying model as Claude Mythos 5 but includes safeguards that route certain requests for cybersecurity, biology, chemistry and distillation to Claude Opus 4.8. For security teams, Fable 5 matters because it makes frontier vulnerability discovery more broadly accessible.

Key takeaways

  • Claude Fable 5 is generally available. Claude Mythos 5 is limited to approved Project Glasswing users.
  • Fable 5 and Mythos 5 use the same underlying model, but Fable 5 has safeguards active.
  • Anthropic says Mythos-class models sit above its Opus class in capability.
  • For application security teams, the main impact is increased AI-generated vulnerability discovery and a greater need for runtime prioritization.

What is Claude Fable 5?

Claude Fable 5 is a frontier AI model developed by Anthropic and released on June 9, 2026. Anthropic describes it as "a Mythos-class model that we've made safe for general use" and as its most capable, widely released model. Anthropic says Mythos-class models sit above its Opus class in capability, and that Fable 5's performance is state-of-the-art across software engineering, knowledge work, vision and scientific research.

Fable 5 uses the same underlying model as Claude Mythos 5, a restricted release for cyber defenders. The two carry different names because of their safeguards. Anthropic notes that "Fable" comes from the Latin fabula, meaning "that which is told," akin to the Greek mythos. Fable 5 is offered at $10 per million input tokens and $50 per million output tokens, which Anthropic says is less than half the price of the preview model that came before it.

Claude Fable 5 vs. Claude Mythos 5

Claude Fable 5 and Claude Mythos 5 use the same underlying model. The key difference is access and safeguards. Fable 5 is generally available and includes safeguards. Mythos 5 is limited to approved Project Glasswing users and has cybersecurity safeguards lifted in some areas. Anthropic says Mythos 5 "has the strongest cybersecurity capabilities of any model in the world."

| Attribute | Claude Fable 5 | Claude Mythos 5 |
| --- | --- | --- |
| Underlying model | Mythos-class | Mythos-class (identical) |
| Availability | Generally available through major Claude platform channels | Restricted to Project Glasswing partners and a planned trusted access program |
| Cybersecurity safeguards | Active. Cyber, biology, chemistry and distillation requests handled by Claude Opus 4.8 | Lifted in some areas for approved defenders |
| Intended users | General developers and enterprises | Vetted cyber defenders and critical infrastructure providers |
| Pricing | 10 dollars per million input tokens, 50 dollars per million output tokens | Same pricing |

Do not confuse these terms

| Term | What it means |
| --- | --- |
| Claude Fable 5 | The generally available Mythos-class model, with safeguards active |
| Claude Mythos 5 | The same underlying model, limited access, cyber safeguards lifted in some areas |
| Claude Mythos Preview | The earlier invitation-only model used in Project Glasswing before Fable 5 and Mythos 5 |
| Project Glasswing | Anthropic's program for using Mythos-class capability defensively with vetted partners |

What are Claude Fable 5's safeguards?

Anthropic released Fable 5 with a new set of classifiers, which are separate AI systems that detect potential misuse, including jailbreak attempts, and prevent the main model from responding. When Fable 5's classifiers detect a request related to cybersecurity, biology and chemistry, or model distillation, Anthropic says the response is handled by Claude Opus 4.8 instead, and the user is told when this happens. Anthropic reports that more than 95 percent of Fable 5 sessions involve no fallback at all, and that the safeguards trigger, on average, in fewer than 5 percent of sessions.

Anthropic describes the safeguards as deliberately conservative, meaning they will sometimes catch harmless requests, with plans to reduce false positives over time. According to Anthropic, an external bug bounty program produced no universal jailbreaks over more than 1,000 hours of testing, and external red-teaming organizations failed to find a universal jailbreak for long-form agentic tasks, though the UK AI Security Institute made progress toward one within a brief testing window. Anthropic also introduced a 30-day data retention policy for Mythos-class traffic, with logging of human access and deletion after 30 days in almost all cases, and states the data will not be used to train models.

Why does Claude Fable 5 matter for security teams?

Claude Fable 5 matters because it makes Mythos-class capability broadly available for legitimate users. At the same time, Anthropic warns that comparable cyber-capable models may become available from other providers within 6 to 12 months, potentially without equivalent safeguards. For security teams, the practical impact is more AI-assisted vulnerability discovery, more findings to triage, and more pressure to distinguish theoretical risk from runtime-confirmed risk.

When a frontier model can produce thousands of valid findings, more findings do not improve security on their own. They create triage paralysis. The table below contrasts what a traditional scanner provides with what a Mythos-class model provides, and why each matters for defenders.

| Capability | Traditional scanner | Mythos-class model | Security implication |
| --- | --- | --- | --- |
| Finds vulnerabilities | Yes | Yes, autonomously | More findings, faster |
| Confirms exploitability | Limited | Yes | Backlogs harder to prioritize |
| Writes working exploits | Rarely | Yes | Patch windows shrink |
| Chains vulnerabilities | No or limited | Yes | Lower-severity bugs can become critical |
| Operates without human guidance | No | Yes | Attacker skill barrier drops |
| Broadly available | Yes | Now yes, in safeguarded form | Capability is no longer rare |

What is a Mythos-class model?

Mythos-class is the tier of Claude models that Anthropic says sits above its Opus class in capability. The first, Claude Mythos Preview, was released in April 2026 through Project Glasswing. Fable 5 and Mythos 5 are the next Mythos-class models. Anthropic emphasizes that the cyber capability of these models was not trained directly. It emerged as a downstream result of broader gains in coding, reasoning, and autonomy.

What did Claude Mythos Preview show about Mythos-class cyber capability?

Anthropic's public evidence for Mythos-class cyber capability comes largely from Claude Mythos Preview, the invitation-only model used in Project Glasswing before the release of Fable 5 and Mythos 5. Anthropic's red team documented several categories of capability, all attributed to Mythos Preview rather than to observed Fable 5 behavior.

Autonomous vulnerability discovery: According to Anthropic, Mythos Preview reads a codebase, ranks files by likely attack surface, forms hypotheses about where flaws exist, runs the software to confirm or reject them, and produces a complete bug report with a proof-of-concept exploit. Anthropic reported that it identified vulnerabilities in every major operating system and every major web browser when directed to do so, including bugs that had survived decades of human review.

Working exploit development: Anthropic reported that, on its internal benchmarks, Mythos Preview achieved full control-flow hijacking on multiple fully patched targets, a tier that its prior flagship models essentially never reached. Anthropic's red team also described Mythos Preview producing working exploits in hours that expert penetration testers estimated would take weeks.

Vulnerability chaining: Anthropic documented Mythos Preview chaining multiple lower-severity vulnerabilities into high-impact attack paths, including a browser exploit that chained several vulnerabilities to escape both renderer and operating-system sandboxes.

N-day exploit development: Anthropic's red team reported that Mythos Preview could take a public CVE identifier and a commit hash and produce a working exploit autonomously in under a day, at a cost Anthropic put at under 2,000 dollars at API pricing, for work that historically took skilled researchers days to weeks.

What is Project Glasswing?

Project Glasswing is the initiative Anthropic formed to deploy Mythos-class capability defensively, beginning with Claude Mythos Preview in April 2026 and now upgrading partners to Claude Mythos 5. The founding partners include Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, along with more than 40 additional organizations that build or maintain critical software.

Anthropic reported substantial results. Roughly 50 Glasswing partners used Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities in a single month, with several partners reporting that their bug-finding rate rose more than tenfold. Anthropic said Cloudflare found 2,000 bugs, 400 of them high- or critical-severity, and that Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, more than ten times what it found in the prior version with an older model.

In open-source software, Anthropic said it used Mythos Preview to scan more than 1,000 projects and estimated that 6,202 high- or critical-severity vulnerabilities were found out of 23,019 total. Of 1,752 findings independently assessed, Anthropic reported that 90.6 percent were valid true positives. One example was a now-patched flaw in wolfSSL, a cryptography library used by billions of devices, that could have allowed an attacker to forge certificates. It was assigned CVE-2026-5194.

On June 2, 2026, Anthropic said it was extending Project Glasswing to approximately 150 new organizations in more than 15 countries, subject to security requirements, spanning industries such as power, water, healthcare, communications, and hardware.

How does Claude Fable 5 affect vulnerability management?

More findings do not automatically produce better security. Anthropic was explicit that the bottleneck has moved. As the company put it, progress used to be limited by how quickly defenders could find vulnerabilities, and is now limited by how quickly they can verify, disclose and patch the large numbers of vulnerabilities that AI surfaces. Inside Glasswing, Anthropic said the average high- or critical-severity bug took about two weeks to patch, and that some maintainers asked Anthropic to slow down disclosures because they could not keep up.

The structural problem is one of context. Static scanners and many software composition analysis tools often identify what is present, but not whether the vulnerable code is actually exercised in your environment, exploitable in its calling context, or under active attack. Without that context, a critical-rated finding in an isolated test environment gets the same urgency as one in a payment-processing service. At Mythos-class discovery rates, that noise becomes unsustainable for any human triage process.

Can traditional security tools stop Mythos-class attacks?

Not by themselves. Traditional controls can still block many attacks, but they usually operate outside the application. Firewalls, web application firewalls and endpoint tools can block some attack patterns, but they generally lack application execution context. They may not know whether vulnerable code was reached, whether exploitation succeeded inside the application, or whether sensitive application logic was abused. In Contrast Labs testing, web application firewalls and endpoint tools missed a significant share of application-layer attacks, including SQL injection and dangerous deserialization.

Anthropic made a related point in its red team research, noting that defenses whose value comes mainly from making exploitation tedious rather than impossible are weakening and may need to be reexamined. Hard barriers still matter. Friction-based defenses matter less than they used to.

How should security teams respond to Claude Fable 5?

Anthropic offered specific guidance for defenders, and Contrast Labs research adds context on what holds up in production.

Prioritize runtime-confirmed risk. The most important shift is from how many vulnerabilities exist to which ones are reached at runtime, exploitable in context, and being targeted right now. No team can treat every AI-generated finding as an emergency. The goal is to identify the small fraction that is reached, exploitable, and tied to critical assets, and to act on those first.
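
The prioritization described above, as an added example that is not Contrast's or Anthropic's code or scoring: findings are ordered by runtime evidence first, with scanner severity used only to break ties. The field names, the four-tier scheme and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    ident: str            # constructed placeholder id
    severity: str         # scanner-assigned rating
    reached: bool         # vulnerable code observed executing at runtime
    exploitable: bool     # exploitable in its calling context
    under_attack: bool    # exploitation attempts currently observed
    critical_asset: bool  # e.g. a payment-processing service

def tier(f: Finding) -> int:
    """Assumed tier scheme for this example; lower number = act sooner."""
    if not f.reached:
        # Never executed: backlog, unless someone is already probing for it.
        return 2 if f.under_attack else 3
    if f.exploitable and (f.under_attack or f.critical_asset):
        return 0
    return 1 if f.exploitable else 2

def prioritize(findings):
    # Runtime evidence decides the order; severity only breaks ties in a tier.
    return sorted(findings, key=lambda f: (tier(f), -SEVERITY[f.severity], f.ident))

def by_severity(findings):
    # What a severity-only queue looks like, for comparison.
    return sorted(findings, key=lambda f: (-SEVERITY[f.severity], f.ident))

def urgent(findings):
    return [f for f in prioritize(findings) if tier(f) == 0]

# Constructed sample findings (not real scanner output).
FINDINGS = [
    Finding("F-001", "critical", False, False, False, False),  # isolated test env
    Finding("F-002", "medium", True, True, True, True),        # payment service
    Finding("F-003", "high", True, True, False, False),
    Finding("F-004", "critical", True, False, False, True),
    Finding("F-005", "low", False, False, False, False),
    Finding("F-006", "high", False, False, True, False),       # probed, not reached
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(tier(f), f.ident, f.severity)
```

A severity-only queue puts the unreached critical finding F-001 first; the runtime-ordered queue puts the medium-severity F-002 first because it is reached, exploitable, under attack and on a critical asset.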

Shorten patch cycles for publicly disclosed vulnerabilities. Anthropic reported that Mythos-class capability can build working exploits from a CVE identifier in under a day, so the window between disclosure and active exploitation is now far shorter than typical patch cycles allow.

Add runtime blocking as a compensating control. When patching cannot keep pace, runtime protection that detects and blocks attacks at the point of execution inside the application provides a meaningful safety net.

Use AI discovery defensively now. Anthropic's direct advice is to use generally available frontier models to harden your own code before adversaries do.

How does Contrast Security help security teams prepare for Claude Fable 5?

Contrast provides security teams with runtime evidence of which vulnerabilities are actually reached, exploitable, tied to sensitive application behavior, or under attack. That evidence is what makes AI-scale finding volumes actionable rather than paralyzing. Contrast Assess, Contrast SCA and Contrast ADR use that runtime context to prioritize remediation and block exploitation while fixes are underway.

Contrast Assess (IAST) runs inside the live application and identifies vulnerabilities as code executes, with real evidence of which code paths run in your production environment and which data flows reach sensitive functions.

Contrast SCA evaluates open-source vulnerabilities not only for whether the code is reached but also for exploitability given the running application's calling context and for criticality based on blast radius. That narrows the open-source vulnerability surface to the findings that require immediate action.

Contrast ADR (Application Detection and Response) can detect and block many exploitation attempts at runtime, including attacks against vulnerabilities that have not yet been patched or formally cataloged.

The question Claude Fable 5 makes urgent is no longer which vulnerabilities exist. It is which ones are reached, exploitable, or being attacked right now.
