
The forty-company model
Anthropic released Mythos by not releasing it. No API, no waitlist, just a list of forty companies. The frontier-lab release model just changed shape.
Anthropic's launch of Mythos this week is the first time a frontier lab has released a model by not releasing it. There is no API. There is no waitlist. There is no "apply and we'll get back to you." There is a list of forty companies, negotiated privately, and if you are not on the list you do not get the model. Anthropic's stated reason is that Mythos can find novel vulnerabilities in major operating systems and browsers at a rate and depth that, in the wrong hands, would constitute a serious threat to economic and national security. The G7 central bank governors discussed it at the IMF spring meetings. US software stocks, already soft, fell further on the news.
I want to write about what this release tells us, because I think most of the commentary this week has been about the wrong thing. The interesting story is not whether Mythos is really as dangerous as Anthropic says. The interesting story is that the distribution model for frontier AI has just quietly bifurcated, and almost no one is talking about what that means for the shape of the market over the next three years.
The interesting story is not whether Mythos is really as dangerous as Anthropic says.
What actually happened

The facts, as best I can establish them from Anthropic's launch post, the accompanying model card, and reporting from the FT and The Information over the past 48 hours:
Mythos is Anthropic's most capable model, succeeding Claude Opus 4.5. Anthropic has not published benchmark scores on the usual suites. The model card states that on an internal evaluation of "novel exploitable vulnerability discovery in production codebases," Mythos achieves results Anthropic characterises as "categorically beyond" prior models, including its own. The consortium, Anthropic calls it the Mythos Access Group, comprises forty organisations. The membership list has not been published in full, but the FT named twelve: four of the US hyperscalers, three major defence primes, two US investment banks, one European bank, and two national cyber agencies (UK's NCSC and the US CISA). The other twenty-eight are reportedly a mix of critical infrastructure operators, further financial institutions, and a small number of pharmaceutical and energy firms.1
Access terms: on-premise or dedicated-tenant deployment only. No data leaves the customer environment. Usage is logged and auditable by Anthropic. There is a pricing floor, reported by The Information at $40M/year minimum commitment, though Anthropic has declined to confirm.2 Members sign a use-case charter that restricts Mythos to defensive security work, internal red-teaming, and a narrow set of pre-approved research applications.
The safety case Anthropic makes is straightforward: Mythos can find zero-days in Windows, macOS, iOS, Android, Chrome, and Safari at a pace that a well-resourced attacker could weaponise faster than patching cycles can respond. Anthropic argues that open release would create a meaningful window during which critical infrastructure, financial systems, and consumer devices would be materially less safe. The consortium structure is meant to let defenders get the tool first and harden systems before any equivalent capability leaks or is replicated.
You can believe or disbelieve this case on its merits. I think it is more likely true than not, on the evidence Anthropic has shared, but I hold that loosely, the evaluation methodology is partly redacted and the claim is one that Anthropic has commercial and regulatory reasons to make whether or not it is exactly true. I want to set the safety question aside, because it is not what I think the release is actually about.
The obvious reading, which is wrong
The obvious reading is: Anthropic has found a dangerous capability, chosen to restrict it, and this is an RSP (Responsible Scaling Policy) working as advertised. On this reading, Mythos is a one-off. Future models will return to normal release patterns once mitigations exist; the consortium is a safety pause, not a distribution model.
I do not think this reading survives contact with the economics.
Consider what Anthropic has just demonstrated to itself. It has sold a single model to forty customers at a floor of $40M each. That is $1.6bn in annual recurring revenue from one model, before any broader release, with zero customer acquisition cost beyond the negotiation itself, and with a customer base that is almost definitionally non-churning, you do not drop your frontier security model once you have built a year of defensive posture around it. The gross margin on dedicated-tenant inference at this price point is, by any reasonable estimate, north of 80%. Anthropic's total 2025 revenue was reported in the $8–10bn range. Mythos adds roughly 15–20% to that, from forty customers, from one SKU.
Now ask: if you are Anthropic, and you have just discovered that the top of your capability curve is worth this much to forty buyers, what do you do with the next model?
The honest answer is that you think very hard about whether the broad-release API, the thing that made Anthropic a household name in developer tooling, is actually where the margin is on frontier capability. For the middle of the capability curve, obviously yes: Claude Sonnet-class models are a volume business and the API is the right channel. For the top of the curve, the Mythos release suggests the answer might be different. The top might be a consortium business.
This is the shift I think has happened this week, and which is being obscured by the safety framing. Anthropic has, perhaps without meaning to in quite these terms, demonstrated that frontier models have two distinct commercial profiles. The profile below the frontier is SaaS-shaped: broad API, usage-based pricing, developer ecosystem, competition on price and latency. The profile at the frontier is something closer to defence procurement: small number of buyers, direct negotiation, dedicated deployment, annual commitments, and, crucially, pricing that reflects the strategic value of the capability rather than the marginal cost of inference.
The safety case and the commercial case point in the same direction. That is not a coincidence. It is why this release will have successors.

Why the release pattern persists
There are three reasons I think the Mythos pattern becomes the template for frontier releases, not the exception.
First, the capability argument generalises. Mythos's dangerous capability is vulnerability discovery, which is a particularly clean case because the harm is concrete, the defenders are identifiable, and the public/private asymmetry is stark. But frontier models are increasingly demonstrating capabilities where similar logic applies: biological design, sophisticated financial modelling with market-moving implications, large-scale influence operations analysis, advanced cryptographic work. Each of these has a constituency of legitimate high-value users and a credible misuse story. Each can sustain a consortium pricing model. Anthropic's competitors, OpenAI, Google DeepMind, and, at a lag, xAI and the Chinese labs, face the same incentive structure once they see the Mythos numbers.
Second, the regulatory wind is behind it. The EU AI Act's general-purpose model tier, the UK AI Safety Institute's pre-deployment evaluation regime, and the US executive order on frontier model reporting all push toward a world where broad release of the most capable models requires clearing evaluation thresholds that are becoming genuinely difficult to clear. A restricted consortium release sidesteps much of this, you are not broadly deploying, so many of the broad-deployment obligations don't attach in the same way. This is an unintentional regulatory arbitrage, but it is a real one, and labs' general counsels will notice.
Third, and I think most importantly: the consortium model solves a problem that the API model does not solve, which is that frontier capabilities have become too valuable to meter by the token. If Mythos can find a zero-day in Chrome that would cost Google $500M in incident response and reputational damage to have exploited, the appropriate price for Mythos's time is not $0.015 per thousand tokens. It is a share of the value protected. A $40M annual commitment for a single enterprise customer is, viewed this way, cheap. The API pricing model cannot capture this. It was designed for a world where the marginal value of a query was bounded. At the frontier, it no longer is.
I have written before, and this is the point where I need to be careful not to preach my own prior, that time-based and usage-based pricing don't survive the agentic transition in professional services. Mythos is the same argument arriving one layer down the stack. The model layer is discovering that metered inference undersells frontier capability the same way billable hours undersell senior partner judgement. The answer in both cases is roughly the same: price the outcome, not the input. The consortium structure is the first serious attempt to do that for AI models themselves.
I want to hold this claim with some care, because it could be wrong in a specific way: it is possible that Mythos is genuinely sui generis, a capability so obviously dual-use that its release pattern tells us nothing about how GPT-6 or Gemini 3 Ultra will be released. If the next three frontier releases across the major labs all go out on normal APIs, I will have been wrong about this. But I think the probability is low, because the commercial logic is too strong for a single lab to leave on the table once one of them has demonstrated it.
What it does to the software stack below it
Now the part that the market has started to price, though I think only partially.
Software stocks fell on the Mythos news. The immediate reasoning in the analyst notes I have read is roughly: if Mythos can find vulnerabilities at scale, the entire application security category, the Snyks, the Veracodes, the Checkmarxes, and arguably the CrowdStrikes and SentinelOnes for the endpoint side, has a capability ceiling above it that they cannot match. The forty companies that have Mythos get defensive security that is categorically better than what anyone else can buy. That is obviously bad for the incumbent security software vendors.
I think this reading is right but shallow. The deeper effect is on the shape of the enterprise software market, and it is this: Mythos is the first clear instance of a frontier AI capability being available to a named list of companies and not to their competitors. For the forty members of the consortium, this is not a productivity tool. It is a structural advantage of a kind that enterprise software has not produced in twenty years, because enterprise software has been sold, fundamentally, on the premise that everyone can buy the same thing. Salesforce sells to everyone. AWS sells to everyone. Even Palantir, which is closest to the consortium model historically, ultimately scales by adding customers.
Mythos breaks this. If the pattern holds, and I have argued it will, then over the next three years, the frontier capability layer becomes something that some enterprises have and others do not, and the gap between the two is not "a slightly better version of the same tool" but "a capability the other side cannot access at any price." The companies inside the Mythos consortium will, within eighteen months, have defensive security postures that their competitors cannot replicate by spending more money on the current incumbents. That is a very unusual situation in enterprise technology.
The implication for the software vendors below Mythos is worse than the market is currently pricing. It is not merely that their products are being competed with by a better one. It is that their products are being competed with by a better one that their customers' competitors have, and they do not. In application security specifically, this breaks the standard procurement logic: you do not buy Snyk because it is adequate for your threat model; you buy Snyk because everyone else is also buying Snyk and being adequately protected is enough. Once some of your peer group has Mythos, "adequately protected" is no longer a defensible posture for a CISO whose board is asking questions.

I think you see, over the next four quarters, a rotation in how security software is evaluated by sophisticated enterprise buyers. The question shifts from "does this tool cover our attack surface" to "does this tool close the gap between us and the companies with frontier access." Most current-generation security software cannot answer that question favourably. Some will pivot to positioning themselves as Mythos-consortium complements, integration partners for the forty, but that is a much smaller addressable market than the one they are currently sized for.
The hyperscaler angle is also more interesting than it first appears. Four of the US hyperscalers are in the consortium (per the FT's reporting, which I am taking at face value). They are in the consortium partly as customers, their own infrastructure needs defending, but also, almost certainly, as distribution partners for the subset of Mythos capability that Anthropic is willing to expose through managed services. This is the same pattern as Anthropic's existing Bedrock and Vertex relationships, but with a crucial difference: the hyperscalers are now inside the consortium boundary and their competitors in the same tier are not. If one major cloud provider ends up outside this consortium while its peers are inside, that is a genuinely novel competitive situation for cloud infrastructure.
What it does to the labs
The last thing I want to think through is what Mythos does to Anthropic's competitive position against OpenAI and Google DeepMind specifically.
The conventional view on lab competition has been that it is a race on capability benchmarks, mediated by API pricing and developer mindshare. OpenAI has had the lead on brand and developer reach; Anthropic has had the lead on enterprise safety positioning; Google has had the lead on integration and distribution through its existing products.
Mythos reframes this. The question is no longer only "who has the best model on the benchmarks." It is also "who can credibly sell a consortium-tier product to a Fortune 500 CISO and a national cyber agency in the same deal." That is a different competence. It requires government relations, security clearances, dedicated-deployment operations, and the kind of enterprise sales organisation that can negotiate a $40M floor with a defence prime's procurement team. Anthropic has spent three years building this, visibly, and most of the market has read it as enterprise-SaaS go-to-market. In retrospect it looks more like preparation for exactly the release pattern Mythos has inaugurated.
OpenAI can build this capability, it has the capital and the talent, but it is starting from a more consumer-and-developer-weighted position and has a brand that is partially incompatible with the consortium posture. Google DeepMind has the institutional muscle but has historically struggled to ship frontier product on a competitive timeline; whether that has changed with Gemini 3 is an open question I do not have a confident view on. The Chinese labs are effectively blocked from this market by the geopolitical layer of who gets into a G7-adjacent consortium.
So Mythos is, among other things, a positioning move. It is Anthropic saying: the frontier tier of this market is going to be a small number of high-trust relationships with very large buyers, and we are the lab most naturally shaped for that. I think they are right about the market structure. I am less sure they will be the only winner in it, OpenAI in particular has the resources to build a competing consortium, and I would expect an announcement within six months of something structurally similar, whether or not it is framed that way.
What to watch
Three things, in order of how quickly they will resolve.
First, the next frontier release from OpenAI or Google DeepMind. If it ships on a normal API with normal pricing and normal availability, I am partially wrong about the pattern generalising. If it ships with any variant of restricted access, tiered deployment, or named-customer list, the pattern is real.
Second, the membership of the Mythos consortium as it expands. Anthropic has said the forty is not a cap; additional members can be added subject to vetting. The rate and shape of expansion will tell us whether this is functionally a permanent tier or a transitional arrangement. If the consortium is at eighty members in a year, with most Fortune 100 firms in, it is a tier. If it is still at forty or forty-five, it is something closer to a genuinely restricted safety arrangement.
Third, what the application security incumbents do at their next earnings calls. The honest answer about their position is hard to give on a public earnings call; the interesting signal will be in how they reframe their competitive set. If they start talking about "AI-assisted security workflows" and partnership pipelines with frontier labs, they are positioning as complements. If they double down on standalone capability claims, they have not yet accepted the shape of the new market.
I will have views on all three as they resolve. For now: the most important AI release of 2026 so far was a release to forty companies, and the interesting thing about it is not the model.
Footnotes
Footnotes
-
FT, "Anthropic unveils Mythos in restricted consortium launch," 18 April 2026. The twelve named members were identified through Anthropic's launch partners section and separate confirmation from three of the firms; the remaining twenty-eight are unconfirmed. ↩
-
The Information, "Inside Anthropic's $40M-floor Mythos deal," 18 April 2026, citing three people familiar with the commercial terms. Anthropic declined to comment on pricing in its launch post and in response to FT questions. ↩
Discussion
No comments yet, be the first.