Here’s a fun corporate riddle for you. What do you do when you build an AI so good at hacking that German banks start calling their regulators and the Bank of England cranks up its risk testing? You ship it to everybody. Sort of.
That’s basically the story of the week. On June 9, Anthropic released Claude Fable 5, the first time regular people get their hands on the company’s most powerful tier of AI. And it arrived with a twin sibling named Mythos 5 that stays locked in the back room. Same training, different execution paths. The whole thing is a little bit brilliant and a little bit unsettling, so let’s work through it like adults who’ve had one coffee.
So what is Fable, actually?
Fable 5 is, by Anthropic’s own telling, the strongest model it’s ever made generally available. The company says it’s “state-of-the-art on nearly all tested benchmarks” — Anthropic’s benchmarks, on Anthropic’s test set, so calibrate accordingly. But the specifics are substantial. It’s the top scorer on Cognition’s FrontierBench coding eval. It reads charts and tables buried inside messy PDFs. It can grind on a coding task for multiple days without a human babysitting it. Stripe reportedly said it “compressed months of engineering into days,” which, if you’ve ever waited on an engineering team, sounds either like a miracle or a layoff memo depending on your role.
It also reads diagrams, does finance-heavy analysis, and was the first model to crack 90% on Anthropic’s internal analytics benchmark. The pattern across all of it: the longer and gnarlier the task, the bigger Fable’s lead gets. It’s built for endurance, not just speed.
Now the price tag, because there’s always a price tag. Fable runs $10 per million input tokens and $50 per million output tokens — roughly double what GPT-4o and Claude Sonnet cost, and double what Opus 4.8 ran before. Through June 22 it’s bundled into Pro, Max, Team, and Enterprise plans for free, and then on June 23 it gets yanked back behind usage credits. Classic first-taste pricing.

Fable vs. Mythos: same training, different paths

Here’s where it gets interesting, and where that name riddle pays off. Fable comes from the Latin fabula, “that which is told.” Mythos is its Greek cousin. Anthropic basically admitted the naming is the whole point — but that naming is the marketing, not the safety architecture. The safety is what runs underneath.
Mythos is the less restricted version. Earlier this year it spooked the entire cybersecurity world by finding and exploiting software vulnerabilities at a level that beat almost every human expert. We’re talking zero-day flaws in major operating systems and browsers, some of which had survived decades of human review. Anthropic decided that was too dangerous to just toss onto the internet, so Mythos 5 stays restricted to vetted cybersecurity, infrastructure, and life-sciences partners through a program called Project Glasswing. This isn’t an open API anyone can sign up for — it’s a vetted-access program with curated institutional partners.
Fable and Mythos share the same training. But they’re different execution paths. When you wander into touchy territory — offensive cybersecurity, dangerous biology or chemistry, or attempts to clone the model’s capabilities — Fable routes your query to Opus 4.8 instead of processing it with Mythos’s more aggressive capabilities. That routing is architectural, not just a policy flag bolted on top. Anthropic says that handoff fires in under 5% of sessions (exact definition of “session” not publicly specified, so a per-message rate might differ), meaning for the overwhelming majority of normal work you’re talking to the real thing.
To be precise: the names don’t create the safety distinction. The guardrails do. Calling one Fable and one Mythos is a useful signal, but the technical boundary is the routing architecture.
What did the testers find?
This is the part where I have to be honest about what’s public and what isn’t, because there’s a lot of breathless coverage and not a ton of hard independent data yet.
The cleanest outside look comes from the UK AI Security Institute, a UK government cybersecurity body that evaluated an earlier Mythos Preview. Their numbers are notable. The model hit 73% on expert-level capture-the-flag hacking challenges — but, and this matters, on undefended test networks. Their own report was explicit: these networks “lack security features that are often present, such as active defenders and defensive tooling.” They flat-out said they “cannot say for sure whether Mythos Preview would be able to attack well-defended systems.” So the 73% is a real number on a practice network, not a real company with a security team fighting back. Those are meaningfully different claims.
AISI also documented it as the first model to fully complete a 32-step simulated corporate network attack, doing it in 3 of 10 tries and averaging 22 of those 32 steps — up from about 16 steps for the previous Claude.
On the safety side, Anthropic says its external bug bounty ran for more than 1,000 hours without anyone finding a universal jailbreak, and private industry red teams came up empty. AISI — a government institute, a different category from private red teams — did report making some early progress toward a jailbreak in a short window, so the architecture isn’t impenetrable, just difficult to crack quickly.

The good, the concerning, and the “we’ll see”
Let’s run the ledger. On the plus side, Anthropic is doing the responsible thing on paper. It kept the less restricted version locked up, shipped the safeguarded one, gave governments early looks, invited outside red teams, and imposed a mandatory 30-day data retention rule to catch novel attacks. That’s a more cautious rollout than the industry usually bothers with.
On the concern side, the capability is real and it’s now more accessible. The same talent for spotting vulnerabilities that defenders love is exactly what attackers want, and a routing architecture that catches sensitive queries 95-plus percent of the time still leaves room for iterative adversarial testing — the worry isn’t one failed attempt, it’s what repeated attempts do to a classifier over time. Financial regulators aren’t alarmed for fun.
But cooler heads are in the mix too. Cybersecurity veteran Ciaran Martin called it “a big deal, but it’s unlikely to prove to be the end of the world” (NBC News, June 9). Peter Swire pointed out the expected harm to defenders is probably “far lower than the worst-case scenarios would suggest,” while noting that institutions have incentives to make everything sound apocalyptic (CNBC, June 9). Both still said defensive teams should take it seriously, which is the most sensible takeaway available. And Mythos’s actual distribution remains restricted — Project Glasswing is vetted access, not a public API, which limits how many actors can actually run the capability at scale.
The bottom line
Anthropic shipped its most powerful public model the same week it warned that AI might be getting too dangerous, and somehow both of those things are true at once.

Fable is Mythos with a seatbelt. Whether the seatbelt holds is going to be answered not by benchmarks but by the next year of people actually using it — and by how fast the security community stress-tests the routing architecture.
If you’re a developer, go kick the tires before June 23 while it’s free. If you run security for anyone, this is your nudge to patch your stuff and turn on logging, because the cheap, fast, tireless vulnerability hunter is no longer hypothetical. And if you’re just here for the show, keep watching. The most interesting AI story right now isn’t what these models can do. It’s whether a clever bit of naming and a 5% deferral rate is enough to keep the genie polite.