How once-unimaginable catastrophes become baseline assumptions

There is a particular kind of hubris that infects markets in the long stretches between catastrophes. Volatility compresses. Risk premia decay. The insurance gets quietly cancelled because it hasn’t paid out in years and the premiums feel like wasted money. Then the disaster arrives — not as a distant rumble but as a wall of water — and the entire analytical framework investors have spent years constructing turns out to have been a map of the wrong country.

We are living through one of the most instruction-rich moments in modern financial history. Since February 28, 2026, when the United States launched military operations against Iran and Tehran responded by closing the Strait of Hormuz, markets have been running a live masterclass in catastrophe pricing. West Texas Intermediate crude surged from $67 to $111 per barrel in under a fortnight — the fastest oil spike in four decades. War-risk insurance premiums on shipping through the Gulf soared more than 1,000 percent. The S&P 500 lost 5 percent in a single week, and the ECB and Bank of England are now staring down a renewed tightening scenario they spent the first quarter of 2026 insisting was off the table.

And yet — and this is the part that should make every portfolio manager uncomfortable — the analytical mistakes driving losses right now are not new. They are the same six structural errors investors have made in every previous crisis. Understanding them, really understanding them, is not an academic exercise. It is the difference between surviving the next disaster and being liquidated by it.

Key Takeaways at a Glance

• Markets price first-order disaster impacts; second- and third-order cascades are systematically underpriced
• Volatility is information; price-discovery failure is the true systemic risk — monitor private-to-public valuation spreads
• Tight CAT bond spreads signal capital crowding, not benign risk — use compression as a contrarian indicator
• Emerging market currencies and credit spreads lead developed-market pricing of global disasters
• Geopolitical risk premia decay faster than structural damage — separate the transitory from the permanent
• The best time to buy tail protection is when every indicator says you do not need it

Lesson One: Markets price the disaster they know, not the one that is compounding behind it

The economics of disaster pricing contain a fundamental asymmetry. Markets are reasonably good at incorporating a known risk — geopolitical tension, elevated VIX, stretched valuations — into current prices. What they catastrophically underprice is the second-order cascade that no single model captures.

Consider what the Hormuz closure actually detonated. Yes, oil went to $111 per barrel. Obvious. What was less obvious: the inflation feedback loop that forced investors to reprice central bank paths they had already discounted as settled. The Federal Reserve was expected to hold rates in 2026; futures now assign a 74 percent probability it does not cut at all this year. Europe’s energy import dependency made the ECB’s position worse. That transmission — from oil shock to rate-repricing to credit stress to equity multiple compression — is a chain, not a point event. Most risk models price the first link.

The academic framework for this is well established but rarely operationalised. The NBER disaster-risk literature, particularly Wachter (2013) and Barro (2006), argues that rare disasters produce risk premia that appear irrational in calm periods but are in fact the rational price of tail exposure across long time horizons. What these models miss, however, is that real-world disasters rarely arrive as clean, isolated point events. They arrive as cascades. The COVID-19 pandemic was not just a health shock — it was simultaneously a supply-chain shock, a demand shock, a sovereign-debt shock, and a labour-market restructuring shock. The Hormuz closure is not just an oil shock. It is an inflation shock, a monetary policy shock, a EM balance-of-payments shock, and an AI-investment sentiment shock, all at once.

Key takeaway: Map not just the primary disaster scenario but every second- and third-order transmission mechanism it activates. The primary impact is already partially in the price. The cascades are not.

Lesson Two: The real crisis is not volatility — it is the collapse of price discovery

Scott Bessent, the US Treasury Secretary, said something in March 2026 that deserves to be read not as politics but as a precise financial concept. Asked what genuinely frightened him after 35 years in markets, Bessent answered: “Markets go up and down. What’s important is that they are continuous and functioning. When people panic is when you’re not able to have price discovery — when markets close, when there is the threat of gating.”

Volatility is information. A price moving sharply up or down is a market doing exactly what it should: integrating new signals, adjusting expectations, clearing. The true systemic catastrophe is not a 10 percent drawdown. It is the moment when buyers and sellers can no longer find each other at any price — when the mechanism that produces prices breaks entirely.

This is not theoretical. Private credit markets are currently exhibiting exactly this dynamic. US BDCs — business development companies that provide credit to mid-market companies — have seen share prices fall 10 percent and trade 20 percent or more below their latest stated NAVs. Alternative asset managers that collect fees from these vehicles are down more than 30 percent. The public market is rendering a verdict on private valuations that the private market itself cannot yet deliver, because the private marks have not moved. There is no continuous clearing mechanism. There is no daily price discovery. There is only the last funding round — which is a negotiated fiction, not a price.

Investors who understand this distinction can do something useful with it: treat the spread between public-market pricing and private-market marks as a real-time fear gauge. When that gap widens sharply, the market is not panicking irrationally. It is pricing the absence of price discovery itself.

Key takeaway: Distinguish between volatility (information-rich, manageable) and price-discovery failure (structurally dangerous, contagion-prone). Monitor private-to-public valuation spreads as a leading indicator of the latter.

Lesson Three: Catastrophe bond complacency is always a warning, never a reassurance

In February 2026, Bloomberg reported that catastrophe-bond risk premia had fallen to levels not seen since before Hurricane Ian struck Florida in 2022. The cause was a surge of fresh capital chasing ILS yields. Managers called it a healthy market. A more honest reading is that it was a market pricing the wrong risk for the wrong reasons.

Here is the structural problem with catastrophe bonds, and indeed with most insurance-linked securities: the risk premium is set by the supply of capital chasing the trade, not by the true probability distribution of the underlying disaster. When capital floods in — as it has, driven by institutional allocators seeking uncorrelated returns — spreads compress regardless of whether the actual hurricane, flood, or geopolitical catastrophe risk has changed. The academic literature on CAT bond pricing, including recent work in the Journal of the Operational Research Society, confirms that cyclical capital flows consistently distort the risk-neutral pricing of catastrophe events.

The counter-intuitive lesson: when CAT bond spreads are tightest, protection is cheapest to buy and most expensive to have sold. The compression that looks like market efficiency is often capital crowding masquerading as a risk assessment. A catastrophe-bond market trading at pre-Ian yields six months before an Iran-driven energy crisis was not a serene market. It was a complacent one.

Key takeaway: Use catastrophe-bond spread compression not as a signal of benign risk conditions but as a contrarian indicator of under-priced tail exposure. Buy protection when it is cheap; do not sell it because it is cheap.

Lesson Four: Emerging markets absorb the shock first — and price it most honestly

There is a geographic hierarchy to disaster pricing that sophisticated global investors routinely ignore. When a major geopolitical or macro catastrophe detonates, the signal appears first in emerging market currencies, credit spreads, and energy import bills — not in the S&P 500 or the Dax. This is not because EM markets are more efficient. It is because they have less capacity to absorb shocks and therefore less incentive to pretend the shock is temporary.

The Hormuz closure is a case study. Developed-market investors spent the first week debating whether oil at $111 per barrel was “priced in.” Meanwhile, Gulf states were issuing precautionary production-cut announcements and Middle Eastern shipping had effectively ceased. Economies in South and Southeast Asia — which import 80 percent or more of their petroleum needs — faced simultaneous currency pressure (oil is dollar-denominated), fiscal pressure (fuel subsidies explode), and inflation pressure (food and transport costs surge). Countries like Pakistan, Sri Lanka, and Bangladesh were pricing a recession before most DM economists had updated their Q1 2026 forecasts.

The BIS research on disaster-risk transmission across 42 countries documents precisely this dynamic: world and country-specific disaster probabilities co-move in complex, non-linear ways. When global disaster probability rises, EM asset prices move first and fastest. For a DM investor, this is an early-warning system hiding in plain sight.

Key takeaway: Monitor EM currency indices, sovereign credit spreads, and fuel import data as leading indicators of how the global market is actually pricing a disaster — before the consensus in New York or London has caught up.

Lesson Five: Geopolitical risk premia have a half-life problem — and it is shorter than you think

Markets are extraordinarily good at normalising the catastrophic. This is not a character flaw; it is a survival mechanism. But for investors, the normalisation of extreme risk is one of the most financially treacherous dynamics in markets.

Consider the structural pattern Tyler Muir documented in his landmark paper Financial Crises and Risk Premia: equity risk premia collapse by roughly 20 percent at the onset of a financial crisis, then recover by around 20 percent over the following three years — even when the underlying structural damage persists. Wars display an even more dramatic version of this pattern. The initial shock is priced aggressively. But as weeks become months, the equity market begins to discount the conflict as background noise, even if oil remains $20 per barrel above pre-war levels and inflation continues to compound.

This half-life problem cuts in two directions. On the way in: investors are often too slow to price a new geopolitical risk, underestimating how durable its effects will be. On the way out: investors often reprice risk premia too quickly back to baseline, treating a structural change in the global system as if it were a weather event that has now passed. The Strait of Hormuz may reopen. But global shipping has permanently re-priced war-risk. Sovereign wealth funds in the Gulf are permanently reconsidering their US dollar reserve holdings. Indian and Japanese energy policymakers are permanently accelerating domestic diversification. These structural changes do not vanish when the headline risk premium fades.

Key takeaway: When pricing geopolitical disasters, separate the acute risk premium (which will fade) from the structural repricing (which will not). The former is a trading signal. The latter is an asset allocation decision that most portfolios have not yet made.

Lesson Six: The moment you feel safest is precisely when you are most exposed

The final lesson is the most counter-intuitive, and arguably the most important. There is a specific period in any market cycle — often 18 to 36 months after the previous crisis — when the cost of tail protection is at its cheapest, investor confidence is high, and catastrophe risk feels entirely theoretical. This is exactly when the next disaster is being loaded.

We can locate this period with precision in the current cycle. In early 2026, the CAPE ratio on US equities reached 39.8, its second-highest reading in 150 years. The Buffett Indicator (total market cap to GDP) hovered between 217 and 228 percent — historically associated with the period immediately before major corrections. CAT bond spreads were at post-Ian lows. VIX had compressed back to mid-teens. Private-credit redemption queues were elevated but not yet alarming. And the macroeconomic consensus — including, notably, within the US Treasury — was that tariff-driven inflation would prove transitory and that central banks would be cutting before mid-year.

Every one of those conditions has now reversed. The reversal took six weeks.

The academic literature on learning and disaster risk, particularly the Kozlowski, Veldkamp, and Venkateswaran (2020) framework on “scarring” from rare events, finds that markets systematically underestimate disaster probability in long stretches without disasters, then over-correct sharply when one arrives. This is not irrationality in the pejorative sense — it is Bayesian updating in the presence of genuinely ambiguous information. But the practical implication is stark: the time to buy disaster insurance is not after the disaster has arrived and the VIX has spiked to 45. It is in the quiet months when every indicator says you don’t need it.

Key takeaway: Maintain systematic, rule-based disaster hedges that do not depend on a real-time catastrophe forecast. The moment it feels unnecessary to hold tail protection is the moment the portfolio is most exposed to needing it.

The Synthesis: From Lessons to Portfolio Architecture

These six lessons converge on a single architectural principle: disaster pricing is not a moment-in-time forecast exercise. It is a permanent structural feature of portfolio construction.

The real mistake — the one that has cost investors dearly in 2020, in 2022, and again in 2026 — is not failing to predict the next disaster. It is believing that markets have already priced it in. The history of catastrophe pricing teaches us, with brutal consistency, that they have not. The cascade is underpriced. The price-discovery failure is unmodelled. The CAT bond spread is supply-driven, not risk-driven. The EM signal is ignored. The geopolitical risk premium is given a shorter half-life than the structural damage it caused. And the tail hedge is cancelled precisely when it is most needed.

The investors who will outperform across the full cycle are not those who predicted the Hormuz closure or the tariff escalation or the next crisis that has not yet been named. They are those who understood that unpriceable disasters are not unpriceable because they are impossible to imagine. They are unpriceable because the incentive structures of the investment industry consistently penalise the premiums required to hedge them.

That gap between what disasters cost and what markets charge for protection is not a market inefficiency. It is the most durable alpha in finance. Learning to harvest it is, in the deepest sense, the only lesson that matters.

Applications close May 27, 2026. TechCrunch Disrupt runs October 13–15 in San Francisco. The clock is already ticking — and the smartest founders I know aren’t waiting.

Let me tell you about a founder I met in Lagos last spring. Her name is Adaeze, and she builds infrastructure for cross-border health payments across West Africa. She submitted to the Startup Battlefield 200 with nine months of runway, a product live in three markets, and the kind of quiet conviction that doesn’t photograph well but moves rooms. She didn’t make the Top 20. She didn’t step onto the Disrupt Main Stage. She didn’t shake hands with Aileen Lee under the camera lights.

What she did get was a TechCrunch profile, two warm intros from Battlefield alumni, a due diligence process that forced her to compress her pitch to its sharpest possible form, and — six weeks later — a Series A term sheet from a fund that had discovered her through the Battlefield ecosystem. “Not winning,” she told me, “was the best thing that happened to my company.”

That’s the story no one tells loudly enough. The Startup Battlefield Top 20 is real, legendary, and worth obsessing over. But the Battlefield 200 is where category-defining companies are actually forged — and the moment you hit submit, the real prize has already begun to arrive.

The Myth of the Main Stage: Why Everyone Chases Top 20 (And Why They’re Half Right)

The cultural mythology of the Startup Battlefield is formidable. Since its inception, the competition has introduced the world to companies including Dropbox, Mint, and Yammer at a moment when most of the investing world hadn’t yet heard their names. That legacy creates an understandable gravitational pull: every founder imagines themselves under those lights, six minutes on the clock, a panel of the most consequential venture capitalists alive leaning slightly forward.

And the 2026 judges panel is, frankly, extraordinary. Aileen Lee of Cowboy Ventures — the woman who coined the term “unicorn” — sits alongside Kirsten Green of Forerunner, whose consumer instincts have been quietly prescient for fifteen years. Navin Chaddha of Mayfield, Chris Farmer of SignalFire, Dayna Grayson of Construct Capital, Ann Miura-Ko of Floodgate, and Hans Tung of Notable Capital round out a panel whose collective portfolio value runs into the hundreds of billions. Six minutes in front of that group is, genuinely, not nothing.

But here’s the contrarian truth most competition coverage won’t say plainly: the Main Stage is a broadcast mechanism, not a selection mechanism. The investors in that room — and the far larger audience watching the livestream globally — are equally attentive to the Battlefield 200 track, the hallway conversations, the TechCrunch editorial context that frames every competing company. Making the Top 20 amplifies a signal. The Battlefield 200 creates the signal in the first place.

The real mistake isn’t failing to reach Top 20. It’s failing to apply.

What It Actually Takes to Make Startup Battlefield Top 20 in 2026

TechCrunch is not secretive about its selection criteria, which makes it all the more remarkable how many applications fail to address them directly. The official 2026 Battlefield selection framework prioritizes four factors — and most founders stack-rank them incorrectly.

1. Product Video: The Most Underestimated Requirement

The two-minute product video is where the majority of applications functionally end. Judges watch hundreds of these. They are, by professional training, pattern-matching for momentum, clarity, and differentiated function — not production quality. A founder filming in a Lagos apartment who shows the actual product moving actual money in real time will outperform a polished agency reel showing a UI mockup every single time.

Your product video needs three things: a real user doing a real thing in thirty seconds, a founder who speaks with the specificity of someone who built it themselves, and a problem framing that makes the viewer feel slightly embarrassed they hadn’t noticed it before. That’s it. That’s the whole brief.

2. Founder Conviction, Not Founder Charisma

There is a widespread and damaging conflation of conviction with performance. TechCrunch’s editorial team has been explicit: they are selecting for companies they believe will define markets, not founders they believe will win pitch competitions. Conviction means you have answered — specifically, not philosophically — why this market, why now, why you, and what happens if you’re right at scale. Charisma is pleasant. Conviction is decisive.

3. Competitive Differentiation That’s Immediately Legible

In a category saturated with AI-adjacent pitches, the differentiation bar has risen sharply for 2026. Judges are looking for what PitchBook’s 2025 venture trends analysis identified as “structural moats” — advantages rooted in proprietary data, regulatory positioning, hardware-software integration, or distribution relationships that aren’t easily replicated by a well-funded incumbent. If your differentiation is “we’re faster/cheaper/cleaner,” you haven’t found it yet.

4. An MVP That’s Actually in Market

The Battlefield 200 accepts pre-revenue companies, but the Top 20 almost universally goes to founders with real users experiencing a real product. This isn’t a formal criterion — it’s an observable pattern. Live usage creates a gravitational narrative that hypothetical TAMs simply cannot replicate. If you’re three months from launch, apply to Battlefield 200 now, use the application process to sharpen your story, and come back with stronger ammunition when your product is breathing.

The Hidden Premium Package: What Every Battlefield Applicant Gets

This is the part of the Battlefield story that receives almost no coverage, and I think that’s partly intentional. TechCrunch benefits from the mythology of the Main Stage. But the Battlefield 200 package — available to every company selected from thousands of global applicants — is, frankly, staggering for an early-stage company.

Every Battlefield 200 company receives:

• A dedicated TechCrunch article — organic, editorial, indexed globally. At a domain authority that rivals the FT for technology coverage, this is not a press release. This is coverage.
• Full Disrupt conference access — three days in the room where allocation decisions happen informally, between sessions, over coffee. Harvard Business Review research on startup ecosystems has consistently found that informal investor touchpoints at concentrated events produce conversion rates multiple times higher than formal pitch processes.
• Exclusive partner discounts and resources — AWS credits, legal services, SaaS tooling — the kind of operational runway extension that actually matters when you’re still pre-Series A.
• The Battlefield alumni network — a cross-vintage community of founders who have navigated similar scaling inflection points and are, as a cultural matter, unusually generous with warm introductions.
• The due diligence forcing function — this is the hidden premium feature nobody talks about. The application process forces you to compress your narrative, clarify your defensibility, and confront your assumptions in ways that three months of internal planning rarely achieves. The best founders I know treat Battlefield applications as strategic planning exercises with publishing rights.

You do not need to win to receive these. You need to be selected for the Battlefield 200. And you need to apply by May 27, 2026.

A Global Economist’s Lens: Why Battlefield Matters Far Beyond San Francisco

Here’s the dimension of this competition that the tech press chronically underweights: the Startup Battlefield is no longer a California story.

The 2026 applicant pool will draw from startup ecosystems that, five years ago, barely registered in global VC data. Lagos. Nairobi. Bangalore. Jakarta. São Paulo. Warsaw. Riyadh. These aren’t edge cases — they’re the growth frontier. The World Economic Forum’s 2025 Global Startup Ecosystem Report found that emerging-market startup activity grew at 2.3 times the rate of Silicon Valley across the prior two years, even as absolute capital remained concentrated in traditional hubs.

The Battlefield, when it amplifies a Nairobi health-tech company or a Warsaw defense-technology startup, isn’t being charitable. It’s being correct about where the next wave of valuable companies is actually forming. The judges know this. The TechCrunch editorial team knows this. The AI wave, the climate infrastructure wave, and the defense-tech wave are all, fundamentally, global waves — and the founders best positioned to ride them often sit far outside Sand Hill Road.

For international founders specifically, the Battlefield 200 functions as a credentialing mechanism in a way that no local competition can replicate. A TechCrunch editorial mention is legible to any investor in any timezone. That’s an asymmetric advantage worth crossing an ocean for.

The Insider Playbook: Application Tactics That Separate Top 20 from the Rest

Let me be direct. After studying Battlefield alumni companies and talking with founders across multiple cohorts, the differentiation between Top 20 and the broader Battlefield 200 comes down to a handful of consistent patterns.

Lead with the insight, not the solution. The most memorable applications open with a counterintuitive observation about a market — something that makes the reader feel briefly disoriented before the product snaps everything into focus. Don’t open with your product. Open with the thing you know that most people don’t.

Show the unfair advantage early. Judges are filtering for irreplaceability. What do you have that a well-funded competitor cannot simply buy? Name it explicitly. Don’t make judges infer it.

Let your numbers do the emotional labor. Retention rates, NPS scores, revenue growth trajectories — when these are strong, they communicate conviction more credibly than any adjective. If your numbers aren’t strong yet, show the qualitative signal with the same specificity: customer quotes, use-case depth, early partnership terms.

Apply even if you think you’re not ready. This is perhaps the most counterintuitive piece of advice I can offer, and I give it with full conviction. The application process itself — the forcing function of articulating your thesis, differentiation, and trajectory in a compressed format — is a strategic tool. The companies that use Battlefield applications as a planning discipline, regardless of outcome, emerge sharper. Apply now. Sharpen later if needed.

Target the Battlefield 200 explicitly, not just the Top 20. Frame your application for a reader who wants to discover a company worth writing about. TechCrunch’s editorial team is not just selecting pitch competitors — they’re selecting companies they want to cover. Give them a story.

The Founder Mindset Shift: Applying Is Never a Risk

There’s a question I hear constantly from founders considering the Battlefield: What if we apply and don’t get in?

I want to reframe this question entirely, because it misunderstands the nature of the opportunity.

The risk isn’t applying and not making Battlefield 200. The risk is building a company in 2026 without forcing yourself through the disciplined articulation that serious competition requires. The risk is arriving at your Series A pitch without having stress-tested your narrative against the sharpest editorial and investor judgment available for free. The risk is letting the May 27 deadline pass while you wait for more traction, more polish, more time — none of which will make the application easier, only theoretically safer.

The $100,000 equity-free prize awarded to the Top 20 winner is real and meaningful. But the actual prize structure of the Startup Battlefield is far more democratic than that figure suggests. Every company in the Battlefield 200 receives resources, visibility, and credibility that early-stage startups typically spend years accumulating through slower, more expensive channels.

The Main Stage is where careers are validated. The Battlefield 200 is where they’re launched.

Apply before May 27, 2026. TechCrunch Disrupt runs October 13–15 in San Francisco. The application is free. The upside is not.

The question isn’t whether you’re ready for the Battlefield. The question is whether you’re ready for what not applying costs you.

→ Submit your Startup Battlefield 2026 application at TechCrunch Disrupt before May 27, 2026. Applications are free. The stage is global. Your category is waiting.

Anthropic Mythos, the most powerful AI model any lab has ever disclosed, arrived this week draped in the language of altruism. Project Glasswing — the initiative through which a curated circle of Silicon Valley aristocrats gains exclusive access to Mythos — is pitched as an act of civilizational defense. The framing is elegant, the mission is genuinely urgent, and at least part of it is true. But behind the Mythos AI release lies a second story that Dario Amodei’s beautifully worded blog posts conspicuously omit: Mythos is enterprise-only not merely because Anthropic fears hackers, but because releasing it to the open internet would trigger the single greatest act of industrial-scale capability theft in the history of technology. The cybersecurity rationale is real. The economic motive is realer still. Understanding both is how you understand the AI industry in 2026.

What Anthropic Mythos Actually Does — and Why It Terrified Silicon Valley

To appreciate the gatekeeping, you must first reckon with the capability. Mythos is not an incremental model. It occupies an entirely new tier in Anthropic’s architecture — internally designated Copybara — sitting above the public Haiku, Sonnet, and Opus hierarchy that most developers work with. SecurityWeek’s detailed technical breakdown describes it as a step change so pronounced that calling it an “upgrade” is like calling the internet an “improvement” on the fax machine.

The numbers are staggering. Anthropic’s own Frontier Red Team blog reports that Mythos autonomously reproduced known vulnerabilities and generated working proof-of-concept exploits on its very first attempt in 83.1% of cases. Its predecessor, Opus 4.6, managed that feat almost never — near-0% success rates on autonomous exploit development. Engineers with zero formal security training now tell colleagues of waking up to complete, working exploits they’d asked the model to develop overnight, entirely without intervention. One test revealed a 27-year-old bug lurking inside OpenBSD — an operating system historically celebrated for its security — that would allow any attacker to remotely crash any machine running it. Axios reported that Mythos found bugs in every major operating system and every major web browser, and that its Linux kernel analysis produced a chain of vulnerabilities that, strung together autonomously, would hand an attacker complete root control of any Linux system.

Compare that to Opus 4.6, which found roughly 500 zero-days in open-source software — itself a remarkable achievement. Mythos found thousands in a matter of weeks. It then attempted to exploit Firefox’s JavaScript engine and succeeded 181 times, compared to twice for Opus 4.6.

This is also, importantly, what a Claude Mythos vs open source cybersecurity comparison looks like at full resolution: no freely available model comes remotely close, and Anthropic knows it. That gap is the entire product.

The Official Narrative: “We’re Protecting the Internet”

The Anthropic enterprise-only AI decision is framed through Project Glasswing as a coordinated defensive effort — an attempt to patch the world’s most critical software before capability equivalents proliferate to hostile actors. Anthropic’s official Glasswing page commits $100 million in usage credits and $4 million in direct donations to open-source security organizations, with founding partners that read like a geopolitical alliance: Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, and Palo Alto Networks. Roughly 40 additional organizations maintaining critical software infrastructure also gain access. The initiative’s name — Glasswing, after a butterfly whose transparency makes it nearly invisible — is a metaphor for software vulnerabilities that hide in plain sight.

The security rationale for why Anthropic limited Mythos is not confected. In September 2025, a Chinese state-sponsored threat actor used earlier Claude models in what SecurityWeek documented as the first confirmed AI-orchestrated cyber espionage campaign — not merely using AI as an advisor but deploying it agentically to execute attacks against roughly 30 organizations. If that was possible with Claude’s then-current models, what becomes possible with a model that autonomously chains Linux kernel exploits at a near-perfect success rate?

Anthropic’s Logan Graham, head of the Frontier Red Team, captured the threat succinctly: imagine this level of capability in the hands of Iran in a hot war, or Russia as it attempts to degrade Ukrainian infrastructure. That is not science fiction. It is the calculus driving the controlled release. Briefings to CISA, the Commerce Department, and the Center for AI Standards and Innovation are real, however conspicuously absent the Pentagon remains from those conversations — a pointed omission given Anthropic’s ongoing legal war with the Defense Department over its blacklisting.

So yes: the security case is genuine. But it is, at most, half the story.

The Distillation Flywheel: Why Frontier Labs Are Really Gating Their Best Models

Here is the economic argument that no TechCrunch brief or Bloomberg data point has assembled cleanly: Anthropic model distillation is an existential threat to the frontier lab business model, and Mythos is as much a response to that threat as it is a cybersecurity initiative.

The mathematics of adversarial distillation are brutally asymmetric. Training a frontier model costs approximately $1 billion in compute. Successfully distilling it into a competitive student model costs an adversary somewhere between $100,000 and $200,000 — a 5,000-to-one cost advantage in the favor of the copier. No rate-limiting policy, no terms-of-service clause, and no click-through agreement closes that gap. The only defense is controlling access to the teacher in the first place.

Frontier lab distillation blocking is not a new concern, but 2026 has given it terrifying specificity. Anthropic publicly disclosed in February that three Chinese AI laboratories — DeepSeek, Moonshot AI, and MiniMax — collectively generated over 16 million exchanges with Claude through approximately 24,000 fraudulent accounts. MiniMax alone accounted for 13 million of those exchanges; Moonshot AI added 3.4 million; DeepSeek, notably, needed only 150,000 because it was targeting something far more specific: how Claude refuses things — alignment behavior, policy-sensitive responses, the invisible architecture of safety. A stripped copy of a frontier model without its alignment training, deployed at nation-state scale for disinformation or surveillance, is the nightmare scenario that animated Anthropic’s founding. It may now be unfolding in real time.

What does this have to do with Mythos being enterprise-only? Everything. A model that autonomously writes working exploits for every major OS would, if released via standard API access, provide Chinese distillation campaigns with not just conversational capability but offensive cyber capability — the very thing that makes Mythos commercially unique. Releasing Mythos at scale would be, simultaneously, the greatest act of market self-destruction and the greatest gift to adversarial state actors in the history of enterprise software. Enterprise-only access eliminates both risks at once: it monetizes the capability at maximum margin while denying it to the distillation ecosystem.

This is the distillation flywheel in action. Frontier labs gate the highest-capability models behind enterprise contracts; enterprises pay premium rates for exclusive capability access; the revenue funds the next generation of training runs; the new model is again too powerful to release openly. Each rotation of the wheel deepens the competitive moat, raises the enterprise price floor, and tightens the grip of the three dominant labs over the global AI stack.

Geopolitics at the Model Layer: The Three-Lab Alliance and the New AI Cold War

The Mythos security exploits announcement arrived within 24 hours of a Bloomberg-reported development that is arguably more consequential for the global technology order: OpenAI, Anthropic, and Google — three companies that have spent the better part of three years competing to annihilate each other — began sharing adversarial distillation intelligence through the Frontier Model Forum. The cooperation, modeled on how cybersecurity firms exchange threat data, represents the first substantive operational use of the Forum since its 2023 founding.

The breakdown of what each Chinese lab extracted from Claude reveals something remarkable: three entirely different product strategies, fingerprinted through their query patterns. MiniMax vacuumed broadly — generalist capability extraction at scale. Moonshot AI targeted the exact agentic reasoning and computer-use stack that its Kimi product has been marketing since late 2025. DeepSeek, with a comparatively tiny 150,000-exchange footprint, was almost exclusively interested in Claude’s alignment layer — how it handles policy-sensitive queries, how it refuses, how it behaves at the edges. Each lab was essentially reverse-engineering not just a model but a business plan.

The MIT research documented in December 2025 found that GLM-series models identify themselves as Claude approximately half the time when queried through certain paths — behavioral residue of distillation that no fine-tuning has fully scrubbed. US officials estimate the financial toll of this campaign in the billions annually. The Trump administration’s AI Action Plan has already called for a formal inter-industry sharing center, essentially institutionalizing what the labs are now doing informally.

The geopolitical stakes here extend far beyond corporate IP. When DeepSeek released its R1 model in January 2025 — a model widely believed to incorporate distilled knowledge from OpenAI’s infrastructure — it erased nearly $1 trillion from US and European tech stocks in a single trading session. Markets now understand something that policymakers are only beginning to grasp: control over frontier AI model capabilities is a form of strategic leverage, and distillation is a vector for transferring that leverage without a single line of export-controlled chip silicon crossing a border.

Enterprise Contracts and the New AI Treadmill

The economics of Anthropic enterprise-only AI are becoming increasingly clear as 2026 revenue data enters the public domain.

Sources: CNBC, Anthropic Series G announcement, Sacra

Anthropic’s annualized revenue has now surpassed $30 billion — having started 2025 at roughly $1 billion — representing one of the most dramatic B2B revenue trajectories in the history of enterprise software. Sacra estimates that 80% of that revenue flows from business clients, with enterprise API consumption and reserved-capacity contracts forming the structural backbone. Eight of the Fortune 10 are now Claude customers. Four percent of all public GitHub commits are now authored by Claude Code.

What Project Glasswing does, in this context, is elegant: it creates a new category of enterprise relationship — not API access, not subscription, but strategic partnership with a frontier safety lab deploying the world’s most capable unrestricted model. The 40 organizations in the Glasswing program are not merely beta testers. They are, from a revenue architecture standpoint, being trained — habituated to Mythos-class capability before it becomes generally available, embedded in their security workflows, their CI/CD pipelines, their vulnerability management systems. By the time Mythos-class models are released at scale with appropriate safeguards, the switching cost will be prohibitive.

This is the AI treadmill: each generation of frontier capability, released exclusively to enterprise partners first, creates a loyalty layer that commoditized open-source alternatives cannot easily displace. The $100 million in Glasswing credits is not charity. It is customer acquisition at an unprecedented model tier.

The Counter-View: Responsible Deployment Has a Principled Case

It would be intellectually dishonest to leave the distillation-flywheel critique standing without challenge. The counter-argument is real, and it deserves full articulation.

Platformer’s analysis makes the most compelling version of the responsible-rollout defense: Anthropic’s founding premise was that a safety-focused lab should be the first to encounter the most dangerous capabilities, so it could lead mitigation rather than react to catastrophe. With Mythos, that appears to be exactly what is happening. The company did not race to monetize these cybersecurity capabilities. It briefed government agencies, convened a defensive consortium, committed $4 million to open-source security projects, and staged rollout behind a coordinated patching effort. The vulnerabilities Mythos found in Firefox, Linux, and OpenBSD are being disclosed and patched before the paper trail of their discovery becomes public — precisely the protocol that responsible security research demands.

Alex Stamos, whose expertise in adversarial security spans decades, offered the optimistic framing: if Mythos represents being “one step past human capabilities,” there is a finite pool of ancient flaws that can now be systematically found and fixed, potentially producing software infrastructure more fundamentally secure than anything achievable through traditional auditing. That is not corporate spin. It is a coherent theory of defensive AI benefit.

The Mythos AI release strategy also reflects a genuinely novel regulatory challenge: the EU AI Act’s next enforcement phase takes effect August 2, 2026, introducing incident-reporting obligations and penalties of up to 3% of global revenue for high-risk AI systems. A general release of Mythos into that environment — without governance infrastructure in place — would be commercially catastrophic as well as potentially harmful. Enterprise-gated release buys time for both the regulatory and technical scaffolding to mature.

What Regulators and Open-Source Advocates Must Do Next

The policy implications of Anthropic Mythos extend far beyond one company’s release strategy. They illuminate a structural shift in how frontier AI capability is being distributed — and by whom, and to whom.

For regulators, the Glasswing model raises questions that existing frameworks cannot answer. If a private company now possesses working zero-day exploits for virtually every major software system on earth — as Kelsey Piper pointedly observed — what obligations of disclosure and oversight apply? The fact that Anthropic is briefing CISA and the Center for AI Standards and Innovation is encouraging, but voluntary briefings are not governance. The EU’s AI Act and the US AI Action Plan both need explicit provisions covering what happens when a commercially controlled lab becomes the de facto custodian of the world’s most significant vulnerability database.

For open-source advocates, the distillation dynamic poses an existential dilemma. The same economic logic that drives labs to gate Mythos also drives them to resist open-weights releases of any model that approaches frontier capability. The three-lab alliance against Chinese distillation is, viewed from a certain angle, also an alliance against open-source proliferation of frontier capability — regardless of the nationality of the developer doing the distilling. Open-source foundations, university research labs, and sovereign AI initiatives in Europe, the Middle East, and South Asia should be pressing hard for access frameworks that allow defensive cybersecurity use of frontier capability without being filtered through the commercial relationships of Silicon Valley.

For enterprise decision-makers, the message is unambiguous: the organizations that embed Mythos-class capability into their vulnerability management workflows now will hold a structural security advantage — measured in patch latency and zero-day coverage — over those that wait for open-source equivalents. But that advantage comes with dependency on a single private entity whose political entanglements, from Pentagon disputes to Chinese state-actor confrontations, introduce supply-chain risks that no CISO should ignore.

Anthropic may well be protecting the internet. It is certainly protecting its empire. In 2026, those two imperatives have become so entangled that distinguishing them may be the most important work left for anyone who cares about who controls the infrastructure of the digital world.