Anthropic’s release of Opus 4.7 marks an unusual moment in frontier AI: a model presented as stronger in broad capabilities while being deliberately narrower in one especially sensitive area. After the limited release of Mythos Preview, the company chose Opus 4.7 as the first post-Mythos model to ship with automatic cyber blocking, signaling that raw capability is no longer the only metric that matters.
The decision reflects a broader industry shift from discussing AI cyber risk in theory to enforcing platform-level controls in practice. In Anthropic’s telling, Opus 4.7 is a real-world testbed for safeguards that could shape how more powerful Mythos-class systems are eventually released at scale.
Why Opus 4.7 became the first post-Mythos cyber test case
Anthropic tied the rollout directly to the aftermath of Mythos Preview. In its April 16, 2026 launch post, the company said that after announcing Mythos Preview’s limited release, it would “test new cyber safeguards on less capable models first,” adding plainly that “Opus 4.7 is the first such model.” That quote is the clearest link between the new restrictions and the company’s more cautious handling of Mythos.
The logic is straightforward: Anthropic says Opus 4.7 is not as advanced in cyber capability as Mythos Preview. During training, it also experimented with efforts to “differentially reduce” those capabilities. In other words, Opus 4.7 was positioned not merely as a new model, but as a controlled environment in which safety interventions could be deployed before broader exposure to a more capable successor.
This makes Opus 4.7 notable beyond its benchmark improvements. It represents a product strategy in which access controls are part of the release architecture itself. Anthropic is effectively saying that if it wants to broaden access to Mythos-class systems later, it first needs evidence from a safer deployment layer now.
What the new automatic cyber blocking actually does
According to Anthropic’s help-center policy updated April 18, 2026, Opus 4.7 now applies real-time cyber safeguards that automatically detect and block requests indicating “prohibited or high-risk cybersecurity usage.” The important point is that these are not passive policy statements. They are operational controls that intervene by default.
The company says the blocking system currently covers two categories: “Prohibited use” and “High Risk Dual use.” That distinction matters because Anthropic is drawing a line between cyber activity it sees as inherently malicious and cyber activity that can be legitimate in defensive settings but also dangerous if broadly enabled.
For users, the practical effect is clear: Opus 4.7 offers stronger general performance, but less cyber freedom out of the box. It is a model with built-in friction for certain classes of security-related prompting, a design choice that sharply contrasts with the earlier assumption that advanced coding systems should remain broadly open unless abuse is obvious after the fact.
Where Anthropic draws the line on prohibited and dual-use cyber requests
Anthropic defines “Prohibited use” as covering activities that are “almost always used maliciously and have little to no legitimate defensive application.” The examples it gives are revealingly concrete: “mass data exfiltration” and “ransomware code development.” These are blocked by default and cannot be relaxed through the company’s Cyber Verification Program.
The second category, “High Risk Dual use,” is more complicated. Anthropic says it includes work such as “vulnerability exploitation” and “offensive security tooling development.” These activities may support legitimate research, red teaming, or internal defense, but they also map directly onto offensive misuse scenarios. As a result, they too are blocked by default.
The difference is that dual-use requests can potentially be reopened for approved defensive users. That creates a tiered model of access: some cyber requests are simply off-limits, while others may become available only after identity, context, and intent are reviewed. The policy suggests Anthropic is trying to separate routine model availability from exceptional access for professional security use.
The Cyber Verification Program and its limits
To handle legitimate defensive workflows, Anthropic launched a Cyber Verification Program, or CVP, alongside the safeguards. The company says users of Claude.ai, Claude Code, and the Anthropic API can apply if the new restrictions interfere with approved security work, with a stated target of sending a decision within two business days after submission.
That timeline is fast enough to be meaningful for many enterprise or research teams, but the program is not universally available. Anthropic says CVP access exists on first-party surfaces and Microsoft Foundry, yet “is not available on Bedrock at this time” and “is not available on Vertex at this time.” For a model otherwise described as broadly distributed, that unevenness matters.
There is another notable exclusion: organizations on Zero Data Retention are “not currently eligible to participate in the CVP.” That means some users with the strongest privacy posture are, at least for now, shut out from the exceptions pathway. In practice, Anthropic is balancing cyber-risk reduction against convenience, platform consistency, and even privacy-oriented customer configurations.
Why Anthropic tightened access after Opus 4.6
The restrictions did not emerge in a vacuum. In March 2026, Anthropic reported that Claude Opus 4.6 discovered 22 Firefox vulnerabilities over two weeks in collaboration with Mozilla, with 14 assigned high severity. The company said that total represented almost a fifth of all high-severity Firefox vulnerabilities remediated in 2025, a remarkable real-world result for an AI system.
Anthropic went further, noting that “Claude Opus 4.6 found 22 vulnerabilities in February 2026, more than were reported in any single month in 2025.” That comparison reframed frontier-model cyber ability from speculative concern into measurable performance. A model that can materially accelerate bug discovery changes the safety conversation, even before one considers exploit generation.
Seen in that light, Opus 4.7 limits cyber use after Mythos not because Anthropic suddenly became cautious in the abstract, but because its own systems had already shown they could contribute meaningfully to real vulnerability research. Once a model demonstrates practical utility at that level, companies can no longer treat cyber misuse as a distant edge case.
Bug finding was easier than exploitation, but exploitation still worried Anthropic
Anthropic’s concern was not limited to vulnerability discovery. In its Frontier Red Team reporting, the company said Opus 4.6 was the first model it had observed writing a successful browser exploit with minimal hand-holding. Repeated attempts with Opus 4.1, Opus 4.5, Sonnet 4.5, Sonnet 4.6, and Haiku 4.5 did not succeed, making Opus 4.6 stand out.
At the same time, Anthropic quantified how difficult those successes were to obtain. In the Mozilla write-up, it said exploit-creation tests were run several hundred times using about $4,000 in API credits, and Opus 4.6 succeeded in only two cases. The company concluded that bug-finding remained much easier than exploitation.
Even so, Anthropic called the result concerning. Its explicit warning was that the gap between vulnerability discovery and exploitation was unlikely to last very long. If future models cross that threshold more reliably, the company said additional safeguards or other actions may be necessary. Opus 4.7’s automatic blocking therefore looks less like an isolated feature and more like an early response to a narrowing capability gap.
Broad availability, unchanged pricing, and a narrower cyber lane
One of the most striking aspects of the release is that Opus 4.7 is broadly available despite these new restrictions. Anthropic says the model is accessible across all Claude products, the API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. By contrast, Mythos Preview remains limited-release as of April 2026, even though it is still listed on Anthropic’s system-cards page.
Pricing also stayed the same. Anthropic says Opus 4.7 remains priced like Opus 4.6 at $5 per million input tokens and $25 per million output tokens. So users are not paying a premium for the new safety layer, nor receiving a discount in exchange for reduced cyber latitude. The company is treating the controls as part of the standard product package.
This reinforces the core message of the launch: stronger model, narrower cyber freedom. Anthropic is promoting gains in coding, agents, vision, and multi-step work while simultaneously tightening one of the most sensitive use domains. The commercial posture is that capability growth and capability restriction can coexist in the same release.
What this means for Mythos-class deployment and the wider AI market
Anthropic has been explicit that Opus 4.7 is not the end state. The company says what it learns from the real-world deployment of these safeguards will help it work toward “our eventual goal of a broad release of Mythos-class models.” In that sense, Opus 4.7 is both a product and a policy experiment.
There is also an interesting nuance in how Anthropic describes relative model quality. It says Mythos Preview remains the “best-aligned model we’ve trained,” even though Opus 4.7 is the system chosen for first deployment of the new real-time cyber controls because its cyber capabilities are lower. That suggests overall alignment and cyber-specific risk are being treated as related but distinct dimensions.
The wider implication is that frontier AI launches may increasingly come with domain-specific access architectures rather than uniform openness. Project Glasswing provided the immediate public warning backdrop, and Opus 4.7 turned that warning into product policy. If this approach works, other labs may follow with more granular restrictions around cybersecurity, biosecurity, and other high-risk capabilities.
Ultimately, Opus 4.7 limits cyber use after Mythos because Anthropic appears to believe the old release pattern is no longer sufficient for the cyber domain. Its own evidence from Firefox vulnerability discovery and early exploit generation suggested that frontier systems are becoming operationally meaningful to attackers and defenders alike.
The result is a compromise model for 2026: broad access for general intelligence tasks, automatic blocking for prohibited and high-risk cyber requests, and a gated exception process for vetted defensive users. Whether that balance proves durable will depend on how effective the safeguards are in practice, but Opus 4.7 already shows the direction of travel: more powerful AI, paired with more deliberate limits where the stakes are highest.