Anthropic Mythos: macOS Exploit in 5 Days, $950B Valuation, October IPO

Abhishek Gautam | 7 min read

Quick summary

Anthropic Mythos built working macOS exploit in 5 days, completed 32-step corporate network attack. $30B ARR, $950B valuation talks, October IPO possible.

The security team at Calif identified two previously undocumented macOS vulnerabilities in late April 2026. They had a working exploit chain five days later. That timeline is what changes the threat model.

Months is how long a skilled human security team normally spends going from a vulnerability hypothesis to a working privilege escalation chain on a hardened target like macOS. Five days is the Mythos timeline. The techniques Anthropic's preview model enabled compressed a multi-month research process into a working week, and the result was a privilege escalation exploit capable of bypassing Apple's state-of-the-art memory integrity enforcement at the kernel level.

This is the update to the Claude Mythos story that started in April. The zero-days are no longer theoretical. A specific, reproducible exploit chain exists, Apple was notified, and Anthropic is seeking $950 billion in valuation on the back of what that capability means for enterprise AI security budgets.

What Changed Since Project Glasswing Launched

Project Glasswing launched April 7, 2026. Anthropic announced Claude Mythos Preview had found zero-day vulnerabilities in every major operating system and browser, committed $100 million in usage credits to defensive security use, and assembled a coalition of AWS, Apple, Google, Microsoft, Nvidia, and CrowdStrike to use Mythos exclusively for offense-informed defense.

What changed in May is that the offensive capability is now demonstrated in a specific public case, not just claimed in benchmark numbers.

The Calif security team, using techniques derived from an early Mythos version, built a working exploit from vulnerability identification to privilege escalation in five days. The specific exploit chain combined two undocumented macOS vulnerabilities to bypass Apple's memory integrity enforcement at the kernel level — the security control Apple has spent years hardening against exactly this class of attack.

If the chain were extended with additional attack stages, it would enable full control of the targeted Mac. That last step was not taken, and Apple was notified through responsible disclosure.

The Last Ones: The Benchmark Number That Matters

The autonomous exploit benchmark that separates Mythos from every prior model is called "The Last Ones." It is a 32-step corporate network attack simulation: initial access, lateral movement, privilege escalation, persistence, data exfiltration — the full enterprise compromise chain.

Mythos Preview completed it three times out of 10 attempts. Across all attempts, it completed an average of 22 out of 32 steps.

Claude Opus 4.6 — the same model family powering most enterprise Claude deployments today — had a success rate near zero percent at autonomous exploit development. Not low. Near zero.

Mythos completing a 32-step attack chain 30% of the time is not a marginal improvement over the prior state. It is a category transition. Security teams planning against AI-enabled attackers are now planning against a different class of adversary than existed in Q1 2026.

The UK AISI Independent Evaluation

The UK AI Safety Institute published its independent evaluation of Mythos Preview's cyber capabilities in May 2026. The AISI assessment is the structured technical evaluation by the team the UK government specifically created to review frontier AI risks — not Anthropic marketing materials, and not researcher publications from teams using Mythos with commercial interests.

The AISI evaluation confirmed the autonomous exploit capability uplift the Anthropic benchmarks showed. Its conclusions contributed to the Council on Foreign Relations publishing a piece titled "Six Reasons Claude Mythos Is an Inflection Point for AI and Global Security" — a framing that CFR, which covers foreign policy and military affairs, would not apply to a product launch without independent confirmation that the capability threshold had genuinely been crossed.

That threshold matters for the policy community because it determines whether frontier AI models require export controls, usage licensing, or mandatory red-team review before deployment. Mythos is currently controlled through Anthropic's vetting process. The AISI evaluation is one input into whether voluntary control remains the industry standard or whether regulatory frameworks follow.

Why $950 Billion and Why Now

Anthropic is in talks to raise $30 to $50 billion at a valuation of up to $950 billion — which would place it above OpenAI's reported $825 billion valuation for the first time. Google has committed up to $40 billion in investment since April 2026.

The valuation trajectory makes more sense once you read the revenue numbers.

Annualised revenue run rate at end of 2025: $9 billion. End of March 2026: $30 billion. That is 3.3x growth in approximately one quarter. No US technology company has grown revenue at this rate from a $9 billion base. Enterprise customers now represent approximately 80% of Anthropic's revenue. More than 1,000 businesses are spending over $1 million annually on Anthropic services.

Ramp's AI Index, which tracks actual enterprise software spend, showed for the first time in May 2026 that Anthropic has passed OpenAI in paid business adoption rate. The company that was a research lab is now the enterprise AI spend leader.

Mythos is part of the revenue story. Enterprise security budgets are large, and a model that can autonomously find vulnerabilities and validate exploits has a clear, measurable return on investment for any organisation running penetration testing programmes, vulnerability management, or security operations centres. The $100 million usage credit commitment through Project Glasswing is both a security mission and a market development investment — it gets Mythos into the hands of security teams whose procurement recommendations will drive future enterprise contracts.

The IPO timeline: a public listing could come as early as October 2026, according to reporting in May 2026.

The macOS Exploit: Technical Context

The Calif team's research identified two vulnerabilities in Apple's macOS kernel memory management layer. Chained together, they produce a privilege escalation exploit capable of bypassing memory integrity enforcement. TechRadar's reporting described the work as "a glimpse of what is coming," citing the security team's own framing.

The privilege escalation chain requires local code execution as a starting point. It is not a remote code execution vulnerability that can trigger from the network without user interaction. The realistic attack scenario is: an attacker who has already achieved code execution on a Mac through any means uses this chain to escalate from limited user access to full system control.

That is a realistic enterprise threat scenario. It is also the reason Apple's memory integrity enforcement exists — to make exactly this escalation impossible. The Mythos-assisted research found a path through it in five days.

Business Standard's headline captured the dynamic accurately: "Apple spent years securing Mac, researchers broke it with Mythos in days."

Apple was notified through responsible disclosure. The vulnerabilities will be patched in a future macOS update. CVE identifiers had not been published as of May 15, 2026.

What Developers and Security Engineers Should Do

For macOS users and developers: the specific patches will arrive through Apple's standard software update process. Until then, the practical mitigations for local privilege escalation on macOS apply: keep System Integrity Protection enabled, do not run untrusted code with elevated permissions, apply OS updates promptly when they release.

For enterprise macOS fleets managed through Jamf or MDM: the standard OS update deployment workflow is the primary control. The vulnerability class is in the kernel, not at the application layer — application-level sandboxing does not fully mitigate it.
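
The two host-side checks named above (SIP enabled, no macOS update left pending) can be collected per machine with a short script. This is an added example, not code from the article or from Apple or Jamf; the function names and the OK/WARN/FAIL output format are hypothetical, and the sample outputs are constructed.

```bash
#!/bin/sh
# Added example (not from the article): audit one Mac for the mitigations above.
# Function names and the OK/WARN/FAIL format are hypothetical.

# Constructed sample outputs, used when this is not run on macOS.
SAMPLE_SIP='System Integrity Protection status: enabled.'
SAMPLE_SWU='Software Update found the following new or updated software:
* Label: macOS 99.0-CONSTRUCTED
	Title: macOS 99.0, Version: 99.0, Recommended: YES, Action: restart,'

# Classify `csrutil status` output as enabled, disabled, custom or unknown.
sip_state() {
  case "$1" in
    *"Custom Configuration"*) echo custom ;;   # SIP partially disabled
    *"status: enabled"*)      echo enabled ;;
    *"status: disabled"*)     echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Count macOS updates offered in `softwareupdate -l` output ("* Label:" lines).
pending_macos_updates() {
  printf '%s\n' "$1" | grep -Ec '^[[:space:]]*\* Label: macOS' || true
}

# Combine both checks into one line a fleet tool can collect.
host_verdict() {
  sip=$(sip_state "$1")
  pending=$(pending_macos_updates "$2")
  if [ "$sip" != enabled ]; then status=FAIL
  elif [ "$pending" -gt 0 ]; then status=WARN
  else status=OK
  fi
  echo "$status sip=$sip pending_os_updates=$pending"
}

if [ "$(uname -s)" = Darwin ]; then
  host_verdict "$(csrutil status 2>&1)" "$(softwareupdate -l 2>&1)"
else
  host_verdict "$SAMPLE_SIP" "$SAMPLE_SWU"
fi
```

A FAIL line means SIP is not fully enabled; a WARN line means SIP is on but a macOS update is waiting to be installed.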

For security engineers evaluating Mythos access through Project Glasswing: the anthropic.com/glasswing programme is where vetting applications go. Access is directed at organisations doing defensive security work — vulnerability scanning, patch prioritisation, red team automation. The $100 million in usage credits are specifically allocated to this use case.

The Asymmetry Window

Anthropic's Project Glasswing structure and the $100 million credit commitment are attempts to ensure that Mythos-class capability improves defender posture before offensive actors reach equivalent capability. The Calif macOS research is a demonstration of the defensive use case: use AI-assisted vulnerability research to find what attackers will find, faster, so patches exist before exploits do.

The asymmetry window closes as competitive models approach Mythos-class capability. Mythos is currently controlled by one organisation with vetted access. That will not remain the case indefinitely. The question for every enterprise security programme is whether their defensive tooling reaches Mythos-level capability before adversaries with equivalent models are running against their infrastructure.

Key Takeaways

  • macOS exploit in 5 days: Calif security team chained two undocumented macOS vulnerabilities into a privilege escalation exploit bypassing Apple memory integrity; built in approximately 5 days after bug identification in late April 2026; Apple notified for responsible disclosure; patches pending
  • The Last Ones benchmark: Mythos Preview completed 32-step corporate network attack 3/10 times, avg 22/32 steps; Opus 4.6 near-0% autonomous exploit success; category transition, not marginal improvement
  • UK AISI evaluation: Independent UK government assessment confirmed autonomous exploit capability uplift; CFR published geopolitical significance analysis treating this as a security policy event
  • Revenue and valuation: $30B annualised revenue (3.3x from $9B end 2025); raising $30-50B at $950B valuation (would beat OpenAI at $825B); Google $40B committed; IPO possible October 2026
  • Business adoption: First time Anthropic leads OpenAI in paid business adoption per Ramp AI Index; 1,000+ businesses spending $1M+/year; enterprise is 80% of revenue
  • Developer action: Specific macOS patches through Apple standard update cycle; SIP enabled, no untrusted code execution, OS updates applied promptly

For the Project Glasswing launch and the specific CVEs found across FreeBSD, OpenBSD, Linux kernel, and FFmpeg, read Claude Mythos Found Your Zero-Days. Here Is What to Patch Now. For Anthropic's enterprise agent infrastructure that is driving this revenue growth, read Anthropic "Dreaming": Claude Agents Now Self-Improve Between Sessions.

Frequently Asked Questions

What did Anthropic Mythos find in macOS?

Security researchers at Calif, using techniques from an early Anthropic Mythos version, identified two previously undocumented macOS vulnerabilities in late April 2026 and chained them into a working privilege escalation exploit in approximately five days. The chain bypasses Apple's memory integrity enforcement at the kernel level — Apple's primary defense against privilege escalation attacks. If extended with additional attack stages, the chain would enable full Mac takeover. Apple was notified through responsible disclosure and will patch the vulnerabilities in a future macOS update. CVE identifiers had not been published as of May 15, 2026.

What is The Last Ones benchmark and why does it matter for AI security?

The Last Ones is a 32-step corporate network attack simulation covering the full enterprise compromise chain: initial access, lateral movement, privilege escalation, persistence, and data exfiltration. Anthropic used it to benchmark Mythos Preview's autonomous offensive security capability. Mythos completed the full simulation 3 times out of 10 attempts, averaging 22 out of 32 steps across all attempts. Claude Opus 4.6 had a success rate near zero percent at autonomous exploit development. The significance is that Mythos crossed from assisted vulnerability research into autonomous multi-step attack chain execution — a qualitative capability shift that changes the threat model for enterprise security planning.

Why is Anthropic valued at $950 billion?

Anthropic's annualised revenue run rate grew from $9 billion at end of 2025 to $30 billion by end of March 2026, a 3.3x increase in approximately one quarter. More than 1,000 businesses are spending over $1 million annually on Anthropic services, with enterprise customers representing 80% of revenue. The company is in talks to raise $30-50 billion at a valuation of up to $950 billion, which would surpass OpenAI's $825 billion valuation. Mythos drives enterprise security budgets. Google has committed up to $40 billion in investment. An IPO could come as early as October 2026.

Is Claude Mythos available to developers through the API?

No. Mythos Preview is available only to vetted organisations through Anthropic's Project Glasswing programme, focused on defensive security use. It is not available through the Anthropic API, Claude.ai, or any consumer product. The standard Claude models available to developers (Sonnet, Haiku, Opus) are separate from Mythos Preview. The Glasswing access programme is at anthropic.com/glasswing — but access requires vetting by Anthropic and is directed at organisations doing defensive security work, not general-purpose AI development.

Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 952+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.