Exclusive: Anthropic acknowledges testing new AI model representing ‘step change’ in capabilities, after accidental data leak reveals its existence

AI company Anthropic is developing and has begun testing with early access customers a new AI model more capable than any it has released previously, the company said, following a data leak that revealed the model’s existence. 

An Anthropic spokesperson said the new model represented “a step change” in AI performance and was “the most capable we’ve built to date.” The company said the model is currently being trialed by “early access customers.”

Descriptions of the model were inadvertently stored in a publicly-accessible data cache and were reviewed by Fortune.

A draft blog post that was available in an unsecured and publicly-searchable data store prior to Thursday evening said the new model is called “Claude Mythos” and that the company believes it poses unprecedented cybersecurity risks.

The same cache of unsecured, publicly discoverable documents revealed details of a planned, invite-only CEO summit in Europe that is part of the company’s drive to sell its AI models to large corporate customers. 

The AI lab left the material, including what appeared to be a draft blog post announcing a new model, in an unsecured, public data lake, according to documents separately located and reviewed by Roy Paz, a senior AI security researcher at LayerX Security, a computer and network security company, and Alexandre Pauwels, a cybersecurity researcher at the University of Cambridge. 

In total, there appeared to be close to 3,000 assets linked to Anthropic’s blog that had not been published previously on the company’s news or research sites that were nonetheless publicly-accessible in this data cache, according to Pauwels, who Fortune asked to assess and review the material.

After being informed of the data leak by Fortune on Thursday, Anthropic removed the public’s ability to search the data store and retrieve documents from it.

In a statement provided to Fortune, Anthropic acknowledged that a “human error” in the configuration of its content management system led the draft blog post to being accessible. It described the unpublished material that was left in an unsecured and publicly-searchable data store as “early drafts of content considered for publication.”

As well as referring to Mythos, the draft blog post also discussed a new tier of AI models that it says will be called “Capybara”. In the document, Anthropic says: “’Capybara’ is a new name for a new tier of model: larger and more intelligent than our Opus models—which were, until now, our most powerful.” Capybara and Mythos appear to refer to the same underlying model.

Currently, Anthropic markets each of its models in three different sizes: the largest and most capable model versions are branded Opus, while a slightly faster and cheaper, but less capable, versions are branded Sonnet, and the smallest, cheapest, and fastest are called Haiku. However, in the blog post, Anthropic describes Capybara as a new tier of model that is even larger and more capable than Opus, but also more expensive.

“Compared to our previous best model, Claude Opus 4.6, Capybara gets dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity, among others,” the company said in the blog.

The document also said the company had completed training “Claude Mythos,” which the draft blog post described as “by far the most powerful AI model we’ve ever developed.”

In response to questions about the draft blog post, the company acknowledged training and testing a new model. “We’re developing a general purpose model with meaningful advances in reasoning, coding, and cybersecurity,” an Anthropic spokesperson said. “Given the strength of its capabilities, we’re being deliberate about how we release it. As is standard practice across the industry, we’re working with a small group of early access customers to test the model. We consider this model a step change and the most capable we’ve built to date.”

The document Fortune and the cybersecurity experts reviewed consists of structured data for a webpage, complete with headings and a publication date, suggesting it forms part of a planned product launch. It outlines a cautious rollout strategy for the model, beginning with a small group of early-access users. The draft blog notes that the model is expensive to run and not yet ready for general release.

Significant new cybersecurity risks

The new AI model poses significant cybersecurity risks, according to the leaked document. 

“In preparing to release Claude Capybara, we want to act with extra caution and understand the risks it poses—even beyond what we learn in our own testing. In particular, we want to understand the model’s potential near-term risks in the realm of cybersecurity—and share the results to help cyber defenders prepare,” the document said.

Anthropic appears to be especially worried about the model’s cybersecurity implications, noting that the system is “currently far ahead of any other AI model in cyber capabilities” and “it presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” In other words, Anthropic is concerned that hackers could use the model to run large-scale cyberattacks.

The company said in the draft blog that because of this risk, its plan for the model’s release would focus on cyber defenders: “We’re releasing it in early access to organizations, giving them a head start in improving the robustness of their codebases against the impending wave of AI-driven exploits.”

The latest generation of frontier models from both Anthropic and OpenAI have crossed a threshold that the companies say poses new cybersecurity risks. In February, when OpenAI released GPT-5.3-Codex, the company said it was the first model it had classified as “high capability” for cybersecurity-related tasks under its Preparedness Framework—and the first it had directly trained to identify software vulnerabilities. 

Anthropic, meanwhile, navigated similar risks with its Opus 4.6, released the same week. The model demonstrated an ability to surface previously unknown vulnerabilities in production codebases, a capability that the company acknowledged was dual-use, meaning that it could both help hackers as well as help cybersecurity defenders find and close vulnerabilities in code.

The company has also reported that hacking groups, including those linked to the Chinese government, have attempted to exploit Claude in real-world cyberattacks. In one documented case, Anthropic discovered that a Chinese state-sponsored group had already been running a coordinated campaign using Claude Code to infiltrate roughly 30 organizations—including tech companies, financial institutions, and government agencies—before the company detected it. Over the following ten days, Anthropic investigated the full scope of the operation, banned the accounts involved, and notified affected organizations.

An exclusive executive retreat

The leak of not-yet-public information appears to stem from an error on the part of users of the company’s content management system (CMS), which is the software used to publish the company’s public blog, according to cybersecurity professionals. 

Digital assets created using the content management system are set to public by default and typically assigned a publicly accessible URL when uploaded—unless the user explicitly changes a setting so that these assets are kept private. As a result, a large cache of images, PDF files, and audio files seem to have been published erroneously to an unsecured and publicly-accessible URL via the off-the-shelf content management system.

Anthropic acknowledged in a statement to Fortune that “an issue with one of our external CMS tools led to draft content being accessible.” It attributed this issue to “human error.” 

Many of the documents appeared to be discarded or unused assets for past blog posts like images, banners, and logos. However, several appeared to be what were meant to be private or internal documents. For example, one asset has a title that described an employee’s “parental leave.” 

The documents also included a PDF containing information about an upcoming, invite-only retreat for the CEOs of European companies being held in the U.K., and which Anthropic CEO Dario Amodei will attend. Names of the other attendees are not listed, but are described as Europe’s most influential business leaders.

The two-day retreat is described as an “intimate gathering” to engage in “thoughtful conversation” at an 18th-century manor-turned-hotel-and-spa in the English countryside. The document says that attendees will hear from lawmakers and policymakers about how businesses are adopting AI and experience unreleased Claude capabilities.

An Anthropic spokesperson told Fortune the event “is part of an ongoing series of events we’ve hosted over the past year. We look forward to hosting European business leaders to discuss the future of AI.”

This story was originally featured on Fortune.com