On July 1 at 12:30 PM Pacific, Anthropic restored public access to Claude Fable 5 — three weeks after the US Department of Commerce shut it down over national security concerns. Fable 5 is the public-facing version of Claude Mythos 5, the cybersecurity model that has found more than 23,000 software vulnerabilities since April, including zero-days in every major operating system and every major web browser. If you run a website, use software, or have a business that depends on either, this matters to you.

The story of Claude Mythos is the fastest escalation from "impressive demo" to "government intervention" in the history of AI. It is also the first time an AI model has forced the cybersecurity industry to confront a problem it has been ignoring for decades: there are not enough humans to fix the bugs that already exist, and now a machine is finding them faster than anyone can patch.

What Mythos actually did

Anthropic disclosed Claude Mythos on April 7, 2026, through a program called Project Glasswing. The model was not released publicly. Instead, more than 40 companies — Microsoft, Apple, Google, AWS, the Linux Foundation, Cisco, Nvidia, and Broadcom among them — were given access to use it for finding and fixing vulnerabilities in their own software.

The results were immediate and uncomfortable. Mythos found and exploited zero-day vulnerabilities in every major operating system and every major web browser during testing. The oldest bug it found was a 27-year-old flaw in OpenBSD, an operating system whose entire reputation is built on being secure. It autonomously wrote a remote code execution exploit against FreeBSD's NFS server from a 17-year-old bug (CVE-2026-4747). Mozilla used Mythos to find and patch 271 security vulnerabilities in Firefox in two weeks.

The raw numbers tell the scale story. Mythos scanned over 1,000 open-source projects and identified more than 23,000 flaws. More than 6,000 of those were rated high or critical severity. One of them was a vulnerability in wolfSSL, a cryptography library used by billions of devices, that would have allowed attackers to forge certificates and impersonate legitimate websites. It has since been patched.

During testing, Mythos generated working exploits 72.4 percent of the time. For comparison, Claude Opus 4.6 — Anthropic's previous best model — scored near zero on the same tasks. Anthropic researchers with no formal security training reportedly asked Mythos to hunt for vulnerabilities overnight and woke up to complete, functional exploits.

Why the government stepped in

On June 9, Anthropic shipped Claude Mythos 5 and its public twin Claude Fable 5. The two models are the same underneath. The difference is a layer of safety classifiers that Fable 5 runs on top. When a request trips a cybersecurity, biology, chemistry, or distillation classifier, Fable 5 does not refuse the request — it hands the response to Claude Opus 4.8, a weaker model, and tells the user the handoff happened.

This design did not satisfy the US government. On June 12, three days after launch, the Department of Commerce sent Anthropic a letter prohibiting access to both Mythos 5 and Fable 5 to any non-US national, regardless of location. Anthropic responded by revoking access to both models for all customers. The stated reason was national security, though the specifics were not disclosed.

The ban lasted 18 days. On June 30, Anthropic announced on X that the Department of Commerce had lifted restrictions on both models. Access started restoring on July 1. As of this writing, Fable 5 is available through the Claude API and on Pro, Max, Team, and Enterprise plans.

What Fable 5 means if you are not a security researcher

Fable 5 costs $10 per million input tokens and $50 per million output tokens. That is less than half the price of the earlier Mythos Preview. It is included at no extra cost on Claude Pro, Max, Team, and seat-based Enterprise plans.

For most users, Fable 5 behaves identically to Mythos 5. Anthropic's own data shows the safety classifiers trigger in fewer than 5 percent of sessions. That means more than 95 percent of the time, you get the full Mythos-class model. The safeguards only engage when the model detects requests that look like offensive cybersecurity tasks: reconnaissance, exploit development, lateral movement, or defense evasion.

The practical uses for a non-security business are less dramatic than the headlines suggest but still significant. Fable 5 can audit your own code for vulnerabilities. It can review your WordPress plugins, your custom code, or your third-party dependencies and flag the same class of bugs that Mythos found in Firefox and OpenBSD. It can explain the risk in plain language and suggest fixes. It will not write you an exploit for someone else's system — that is what the classifiers block — but it will tell you where your own systems are exposed.

The problem nobody has solved

The real story is not that Mythos found 23,000 bugs. It is what happened next. Open-source maintainers asked Anthropic to slow its disclosure rate. The flood of bug reports exceeded their capacity to address them. Some bug bounty programs shut down entirely. The median time from vulnerability disclosure to mass exploitation is five hours, and the number of disclosed vulnerabilities just jumped by an order of magnitude.

Anthropic's suggested solution is more AI — using models to not just find bugs but fix them. The Claude Mythos system card predicts that AI tools will ultimately benefit cybersecurity defenders, though Anthropic concedes that attackers may have an advantage for the time being. The UK AI Security Institute tested Mythos against GPT-5.4 and GPT-5.3 Codex in a cyber range. Mythos ranked highest.

The uncomfortable truth is that the gap between "bugs found" and "bugs fixed" just got much wider. If you run WordPress, the math is straightforward: the plugins and themes you depend on are now being scanned by a class of tool that finds vulnerabilities at a rate no human team can match. The question is whether the people maintaining those plugins can fix what the AI finds before someone else exploits it.

What to do right now

If you use Claude for your business, Fable 5 is worth testing for code review and security auditing of your own systems. The pricing is reasonable, the safeguards are transparent, and the capability gap between Fable 5 and the previous generation is large.

If you do not use Claude, the Mythos story still affects you. The vulnerabilities it found are in software you use every day. The patches are rolling out. Keep your plugins, themes, and core software updated. The five-hour exploitation window is real, and the volume of disclosed vulnerabilities is only going to increase.

The cybersecurity industry spent decades building processes around the assumption that finding bugs was the hard part. Mythos just made finding them trivial. The hard part is now, and always was, fixing them fast enough.

Sources: Anthropic — Claude Fable 5 and Mythos 5, The Hacker News — Anthropic Releases Claude Fable 5, Mashable — Anthropic's Claude Mythos Might Get Public Release, Wikipedia — Claude Mythos