Jonathan Hiller
← Field Notes

The Patch Cycle

10 min read

On April 7, Anthropic disclosed a frontier AI model—Claude Mythos Preview—and announced in the same breath that it would not be released. The capability and the containment plan, side by side. This is the first time in nearly seven years that a leading AI company has publicly withheld a model on safety grounds.

The framing is what to sit with. Anthropic is not saying we built something useful. They are saying we built something dangerous, and here is the coalition we have assembled to put it in defensive hands before anyone else gets it.

The coalition is named. Project Glasswing. AWS. Apple. Broadcom. Cisco. CrowdStrike. Google. JPMorgan. Linux Foundation. Microsoft. NVIDIA. Palo Alto. Plus roughly forty additional organizations responsible for critical software infrastructure. Anthropic has committed $100 million in usage credits, plus $4 million in direct donations to open-source security organizations. They have briefed CISA and CAISI on the model’s full offensive and defensive capabilities.

What the coalition is actually doing: pointing Mythos at their own systems to find the holes the model can find, and patching them. The race is against the calendar—Anthropic has been explicit that they expect comparable capability, from a competitor or a state actor or an open-source project, within six to twelve months. Glasswing is the head start.

That choice didn’t come from nowhere. Anthropic has been running a public Responsible Scaling Policy since 2023, and alignment is the original organizing question the company was built around—not a marketing layer over the product. The Mythos decision is what that orientation looks like when it actually costs something. A frontier lab without that DNA ships this model. Anthropic chose to absorb the commercial cost and assemble a defensive coalition instead.

The framing of the announcement matters more than the announcement.

The capability

What Mythos Preview can do, in the few weeks Anthropic has been testing it: identify thousands of zero-day vulnerabilities across every major operating system and web browser. Complete a successful OpenBSD vulnerability discovery run for under $50. Build a complex Linux privilege escalation chain for under $2,000.

In plain language: without Glasswing and access to Mythos, a person with a credit card and basic technical literacy could find an unknown way into a bank, a hospital, a county election office, or any federal system that isn’t classified and air-gapped. What used to require a nation-state cyber program now requires a small budget.

Anthropic’s Frontier Red Team is explicit about what these numbers mean. The model was not trained for these capabilities. They emerged, in the team’s own language, as a downstream consequence of general improvements in code, reasoning, and autonomy.

That last sentence is the one that matters. The cybersecurity numbers are not a specialized capability. They are a general capability that happens to be cleanly measurable in cyber, because exploits either work or they don’t.

What Mythos Preview signals is that the unit economics of expert work—in every domain where the output is verifiable—are shifting by two to three orders of magnitude. The cybersecurity numbers are the readout we got first because cyber is the field where verification is unambiguous. The same compression is coming everywhere else.

The compression

A CrowdStrike executive said it plainly this past week, in the context of the Anthropic announcement: The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI.

That sentence is the most important sentence about civic life I have read in a long time, and it is in a cybersecurity press release.

In software, the cycle between a vulnerability being discovered and an exploit being deployed used to be measured in months. With Mythos-class capability on the offensive side and human teams on the defensive side, it has compressed to minutes. Cybersecurity has a name for this gap; they call it the patch cycle.

The compression is not staying in cyber.

Any domain where the outputs of expert work are verifiable—legal research, financial modeling, opposition research, polling synthesis, legislative drafting, narrative production, communications response—is now subject to the same compression. Mythos Preview is the point at which this stops being a research-paper claim and starts being a budget-line claim. Corporate budgets will be rewritten this year. Political and civic budgets will follow.

The new question is whether democratic institutions can absorb the compression.

What’s already happening

The leading indicators are visible. They were visible before Mythos.

Last month, the National Republican Senatorial Committee released a deepfake of Texas Senate candidate James Talarico—a fabricated minute-long video posted openly with only a small disclosure. In the United Kingdom, a Wakefield councillor has raised alarms about AI-manipulated images deployed against local election candidates. This week, a civil-society report from DAHRD documented what it calls the first industrialized AI disinformation operation in an Indian state election—a six-tier content ecosystem producing 432 AI-generated posts that reached 45.4 million views, with 31 deepfakes directly targeting the opposition candidate Gaurav Gogoi as a “Pakistani agent,” distributed through official BJP accounts and a verified cabinet minister’s handle.

The operation did not stop at the candidate. Six additional AI-fabricated videos targeted his wife—a private citizen holding no office.

The line from the report: Assam is the laboratory. The rest of India is the intended market.

All of this happened pre-Mythos. The cost of producing it was higher than it will be later this year. The realism was lower than it will be later this year. The speed was slower than it will be later this year.

What Mythos-class capability enables

Take the trajectory and extend it forward. Several capabilities become accessible, in roughly this order, to anyone with a modest budget and intent.

Real-time synthetic voter conversations. Bad actors deploy AI to have personalized, real-time conversations with voters at scale—in their language, on their phones, with their specific concerns—giving them false polling place information, false ballot information, false candidate information. Josh Lawson at the Aspen Institute has been warning about this for over a year. Mythos-class capability is the cost curve that makes it accessible to a single operator with a credit card.

Per-voter narrative generation. Today’s micro-targeting operates at the segment level—Republican women 45-65 in Pennsylvania suburbs. Mythos-class reasoning collapses that to the individual. Content generated per voter, refined overnight, deployed across every channel, with the synthesis happening faster than any human can review.

Synthetic local news in news deserts. The collapse of local journalism has left thousands of American communities without coverage. Mythos-class agents fill those gaps with hyperlocal synthetic “outlets” optimized to push specific narratives. Early versions have already appeared in European elections.

Compressed response cycles. Current rapid-response infrastructure in democratic institutions operates on news-cycle latency—hours to days. Actors using Mythos-class agents operate on minutes-to-hours cadence. Any institution whose communications operation cannot match that pace is functionally absent in the windows that matter.

The liar’s dividend at full strength. When anything can plausibly be faked, anyone caught on real evidence can credibly claim the evidence is the fake. The politician on tape says the tape is AI; the leaked memo gets dismissed as synthetic. No accusation has to be proven, and none can be conclusively rebutted. Mythos-class capability is the point where the liar’s dividend moves from rhetorical warning to baseline information condition.

Election infrastructure as a soft target. Voter registration databases, election management systems, county-level IT—most of it is the kind of legacy software Mythos Preview has been finding zero-days in. Most of it is also maintained by under-resourced county and state teams who are nowhere near Project Glasswing’s partner list.

The friction gap

The pattern across all of these is the friction gap.

The offensive capability becomes universal. Anyone can run a Mythos-class agent. Reform organizations and bad actors face the same API.

The institutional constraints are not universal. Bad actors do not face compliance review, donor approval cycles, board oversight, legal departments, fact-checking norms, professional reputation, or accountability to a coalition. Democratic institutions face all of these. Some by law. Some by culture. Most by design—the constraints are the thing being defended.

The capability gap closes overnight. The friction gap does not.

This is the structural problem democratic institutions are now facing, and most of them do not yet know they are facing it.

What this means for civic understanding

The cultural narrative around AI risk has been dominated, for several years, by either dystopian sci-fi—the model goes rogue and ends civilization—or by hype—the model goes brilliant and ends scarcity. Neither frame is useful for the immediate problem.

The immediate problem is more prosaic, and more urgent. A generation of citizens is about to spend a significant portion of their political life inside an information environment where the cost of plausible fabrication has fallen by two to three orders of magnitude, and the cost of verification has not.

This is the civic problem in a sentence. The cost of fabrication and the cost of verification used to scale together. They are now decoupling, sharply, in favor of fabrication.

What this means in practice: the default condition of the information environment becomes adversarial. Citizens see content that has been generated, targeted, tested, refined, and deployed against them—not by an enemy state, necessarily, but by anyone with intent. The defensive infrastructure that civil society has historically relied on—fact-checking organizations, professional newsrooms, electoral oversight bodies—operates on cycles of review and verification that are structurally too slow for what is coming. And the trust environment shifts in a particular way: when citizens cannot tell what is real, they fall back on either institutional trust, which has been eroding for two decades, or tribal trust, which is what the bad actors are amplifying. The middle ground—informed independent judgment by citizens who feel they can read the evidence and decide—is exactly the muscle that gets atrophied first.

The civic implication is not that AI is bad. The civic implication is that the existing infrastructure for democratic legitimacy was built for a slower world, and the world has just gotten faster than the infrastructure can absorb.

The compression is not a technology story. It is a governance story.

What gets built

There is a real question of whether institutions can move fast enough. Most institutions cannot. Some can. The ones that can will be defined by three things.

First, they will be small enough to move at the speed of the new tooling, and disciplined enough to operate without losing institutional accountability. The tension between speed and accountability is the central design problem of the next decade of civic work.

Second, they will treat verification—of provenance, of identity, of claim, of evidence—as primary infrastructure rather than as an afterthought. The friction gap closes only as fast as institutions can build verification infrastructure that operates at the new tempo, and not faster.

Third, they will pre-position. The window for building before the crisis is small. Institutions that wait until the next election cycle to react will be operating in an information environment that has already moved past them.

The serious question is not whether the compression is coming. It is. The serious question is whether the people whose job it is to defend democratic legitimacy are paying attention to the right disclosure.

The disclosure was on April 7. The coalition was named. The partner list is public. The capability has been described. The timeline has been signaled.

Anthropic did the field a favor by announcing both the capability and the containment plan in the same breath. The favor only lands if anyone outside the partner coalition reads it.

The window

Mythos Preview is not the end of the world.

It is the point at which a capability that has been theoretical becomes operational. It is the point at which the friction gap stops being an abstraction and starts deciding outcomes. The institutions that are going to make it through the next decade are the ones that figure out how to operate at the speed of the new tooling without giving up the constraints that made them worth defending.

There is a window. It is small. It is closing.

Read what Anthropic published. Look at the partner list for Project Glasswing.

Look at who is not on it.

That is where the work is.