Project Glasswing: Anthropic’s $100M Bet That AI Can Find Every Zero-Day Before Hackers Do



If you work in cybersecurity, last week changed everything. Anthropic announced Project Glasswing on April 7 — a $100 million initiative that pairs its unreleased Claude Mythos Preview model with a coalition of twelve major technology companies to hunt zero-day vulnerabilities across the world’s most critical software. The model autonomously discovered thousands of previously unknown flaws in every major operating system and every major web browser. The oldest: a 27-year-old remote code execution bug in OpenBSD, a system famous for its security. Project Glasswing is the first time a frontier AI lab has withheld a model from public release specifically because its offensive capabilities are too dangerous — and then turned those capabilities into a structured defense program.

This isn’t a research paper or a demo. It’s an operational deployment with Apple, Microsoft, Amazon, Google, CrowdStrike, NVIDIA, and the Linux Foundation already scanning their codebases.

What Claude Mythos Preview Actually Does

Claude Mythos Preview is a general-purpose frontier model, not a security-specific tool. It scores 93.9% on SWE-bench Verified, up from Claude Opus 4.6’s 80.8%. But the cybersecurity capabilities are what forced Anthropic’s hand on the release strategy.

During internal testing, Mythos Preview autonomously:

  • Discovered thousands of zero-day vulnerabilities across every major OS (Windows, macOS, Linux, FreeBSD, OpenBSD) and every major browser (Chrome, Firefox, Safari, Edge)
  • Achieved a 72.4% exploit success rate, compared to near-zero for prior models
  • Chained 3 to 5 vulnerabilities together for privilege escalation and lateral movement — the kind of attack chain that typically requires a nation-state team
  • Found a 27-year-old RCE in OpenBSD and a 16-year-old vulnerability in FFmpeg’s H.264 codec
  • Developed 181 working exploits in a Firefox JavaScript engine benchmark alone, with register control achieved on 29 more

The flagship demonstration: CVE-2026-4747, a 17-year-old remote code execution vulnerability in FreeBSD’s NFS implementation. Mythos Preview found it, wrote the exploit, and achieved root — fully autonomously, without human guidance.

The Cost Collapse

What makes this a structural shift rather than a headline is the economics. According to Anthropic’s testing data:

  • Scanning the entire OpenBSD codebase: under $20,000
  • A Linux kernel root exploit: under $2,000 in roughly one day
  • Individual vulnerability identification: under $50 in minutes

For context, a single zero-day exploit on the open market sells for $500,000 to $2.5 million depending on the target. Mythos Preview just compressed a capability that cost nation-states millions per year into something that costs less than a team lunch.

Why Anthropic Withheld the Model

This is the part that matters for the industry. Anthropic did not release Mythos Preview through its standard API. There is no waitlist. There is no enterprise tier. The model is restricted to Project Glasswing partners and will not be made generally available until new safeguards are in place.

Anthropic’s reasoning is straightforward: if Mythos Preview can find thousands of zero-days, so can the next model from any lab that reaches similar capability. The question isn’t whether AI-driven vulnerability discovery happens — it’s whether defenders get a head start.

Dario Amodei framed it as a race condition. Every week that defenders have access before attackers reach equivalent capability is a week of patching, hardening, and structural fixes that permanently reduces the attack surface. Project Glasswing is designed to maximize that window.

The Dual-Use Problem

The security community has debated this for years, but Mythos makes the argument concrete. Check Point’s research blog called it a “wake-up call,” noting that frontier models are accelerating attack lifecycles and enabling attackers to identify and exploit vulnerabilities at scale and speed previously limited to advanced nation-state entities.

But there’s a counterargument worth taking seriously. When independent researchers tested specific vulnerabilities that Anthropic showcased, eight out of eight smaller models — including one with only 3.6 billion active parameters — detected the same FreeBSD exploit. The implication: the capability gap between frontier and open-weight models may be narrower than Anthropic suggests, which makes the restricted-release strategy more of a speed advantage than a permanent moat.

Inside Project Glasswing: Who’s In and What They’re Doing

The twelve founding partners represent the infrastructure backbone of the internet:

Partner             | Focus Area
--------------------|------------------------------------------
Amazon Web Services | Cloud infrastructure, Linux distributions
Apple               | macOS, iOS, Safari, WebKit
Broadcom            | Enterprise software, VMware stack
Cisco               | Network infrastructure, IOS
CrowdStrike         | Endpoint security, threat intelligence
Google              | Chrome, Android, cloud infrastructure
JPMorgan Chase      | Financial infrastructure, internal systems
Linux Foundation    | Open-source kernel and ecosystem
Microsoft           | Windows, Edge, Azure, Office
NVIDIA              | GPU drivers, CUDA, AI infrastructure
Palo Alto Networks  | Network security, firewall systems
Anthropic           | Model development, coordination

Beyond these twelve, Anthropic is providing up to $100 million in usage credits to roughly 40 additional organizations that build or maintain critical software infrastructure. The Linux Foundation’s participation is particularly significant — it means open-source projects that underpin everything from web servers to container runtimes get access to the same scanning capability as Apple and Microsoft.

How Disclosure Works

Anthropic published coordinated vulnerability disclosure principles for Glasswing. The process:

  1. Mythos Preview identifies a potential vulnerability
  2. Professional human triagers validate the highest-severity bugs
  3. Validated vulnerabilities are disclosed to the maintainer under standard responsible disclosure timelines
  4. Partners receive vulnerability intelligence relevant to their codebases

This is not a “scan and dump” operation. The human-in-the-loop validation prevents false positive floods that would overwhelm maintainers, and the structured disclosure follows existing norms that the security community has refined over decades.

What This Means for Enterprise Security Teams

If you’re running an enterprise security operation, here’s the practical impact:

Patch velocity just became existential. When a single AI model can find thousands of zero-days in weeks, the old cadence of monthly patch cycles is inadequate. Every organization scanning with Mythos-class capability will generate a surge of CVEs. Your team needs a process for rapid triage and deployment, not just periodic maintenance windows.

Vulnerability scanning is being commoditized. Today it’s restricted to Glasswing partners. Within 12-18 months, this capability will be available in commercial security products. CrowdStrike’s blog post explicitly positions their Glasswing participation as a precursor to integrating AI vulnerability discovery into their Falcon platform. Palo Alto Networks will do the same with Cortex.

The “good enough” security posture is dead. If you have legacy systems running code that hasn’t been audited in a decade, AI just made those systems high-priority targets. The FFmpeg H.264 bug sat undetected for 16 years. The OpenBSD remote code execution bug for 27 years. AI-driven scanning will systematically surface this class of ancient vulnerability, and you should assume attackers will have equivalent capability within a year.

Budget conversations just got easier — and harder. Easier because the threat is concrete and quantifiable. Harder because the scope of required remediation just expanded dramatically. As a practitioner running enterprise AI infrastructure at a telecom, I can tell you that most organizations have technical debt measured in decades of unaudited code. Glasswing is a forcing function.

The Bigger Picture: AI’s Cybersecurity Inflection Point

Project Glasswing represents a broader shift that’s been building since AI models first demonstrated coding ability. The progression was predictable: models that can write code can read code, models that can read code can find bugs, and models that can find bugs can write exploits. Mythos just proved the chain holds at scale.

Three implications for the industry:

1. Responsible AI capabilities policy now has a template. Anthropic’s decision to withhold Mythos and create a structured access program is the first real precedent for how labs should handle models with dangerous offensive capabilities. Expect other labs to reference Glasswing when they encounter similar capability thresholds.

2. The cybersecurity talent gap just shifted shape. The bottleneck isn’t finding vulnerabilities anymore — it’s triaging, prioritizing, and patching them. Security teams need to retool for a world where vulnerability discovery is abundant and cheap, but remediation remains expensive and slow. This mirrors the broader AI automation trend where AI handles discovery and analysis while humans handle judgment and action.

3. Open-source security gets a structural upgrade. The Linux Foundation’s participation means projects like the Linux kernel, OpenSSL, and Apache will receive systematic AI-driven auditing for the first time. These projects have historically relied on volunteer security researchers and occasional corporate audits. Continuous AI scanning is a fundamentally different security model, and it’s arriving at a time when supply chain attacks have already shattered open-source trust.

What Happens Next

Anthropic has stated it does not plan to make Mythos Preview generally available. But “Mythos-class capability” is a moving target. As SWE-bench scores continue climbing across all frontier labs, it’s a matter of when — not whether — multiple models reach similar offensive security capability.

The Glasswing partners have a 6-12 month window to scan, patch, and harden before equivalent capability becomes broadly accessible. That window is the entire point of the program.

For security leaders: the action item is not to wait for Glasswing access. It’s to assume that AI-driven vulnerability discovery is now a permanent feature of the threat landscape and plan accordingly. Audit your legacy code. Accelerate your patch cycles. And budget for a world where zero-days are found by the thousands, not the dozens.

FAQ

What is Project Glasswing?

Project Glasswing is Anthropic’s $100 million cybersecurity initiative that uses the unreleased Claude Mythos Preview model to find zero-day vulnerabilities in critical software. Twelve major technology companies — including Apple, Microsoft, Amazon, Google, and CrowdStrike — are founding partners, with roughly 40 additional organizations receiving access through usage credits.

Why didn’t Anthropic release Claude Mythos Preview publicly?

Anthropic withheld the model because its cybersecurity capabilities are unprecedented. Mythos Preview autonomously discovered thousands of zero-day vulnerabilities across every major operating system and browser. Releasing it publicly would give attackers the same capability before defenders have time to patch the flaws it found.

How many zero-day vulnerabilities did Claude Mythos find?

Anthropic reports that Mythos Preview discovered thousands of previously unknown vulnerabilities across every major operating system (Windows, macOS, Linux, FreeBSD, OpenBSD), every major web browser, and other critical software. The oldest was a 27-year-old remote code execution bug in OpenBSD.

How does Project Glasswing affect enterprise cybersecurity?

Enterprise security teams should expect a surge in CVEs as Glasswing partners scan their codebases. Patch velocity becomes critical. Within 12-18 months, AI-driven vulnerability scanning will likely be embedded in commercial security products from companies like CrowdStrike and Palo Alto Networks, making this capability broadly available.

Is Claude Mythos the only AI model that can find vulnerabilities?

No. Independent testing showed that smaller open-weight models could detect some of the same vulnerabilities Anthropic showcased. However, Mythos Preview’s ability to chain multiple vulnerabilities together and achieve a 72.4% exploit success rate at scale is currently unmatched. The capability gap is real but may narrow as other frontier models improve.

Ty Sutherland

Ty Sutherland is the Chief Editor of AI Rising Trends.