Project Glasswing: Anthropic Mythos Hunts Critical Zero-Days

Anthropic unveiled Project Glasswing alongside the Claude Mythos Preview research model — a controlled cybersecurity initiative that arms the world’s most critical software vendors with what may be the most capable vulnerability-discovery AI ever publicly described. The launch partners read like a who’s-who of foundational software and security: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The story is dramatic and the technical claims are concrete — in pre-release testing, Mythos identified thousands of previously unknown zero-day vulnerabilities across every major operating system and every major web browser, including a 27-year-old flaw in OpenBSD, an OS famous for its security hardening.

The strategic decision matters as much as the technical capability. Anthropic deliberately did not ship Mythos Preview broadly. Citing the dangerous offensive potential of a model this capable at cybersecurity, the company restricted access to Project Glasswing partners with the explicit goal of patching critical software before the underlying capability becomes available to adversaries. The pricing is steep ($25 input / $125 output per million tokens), the access channels are enterprise-only (Claude API, Amazon Bedrock, Google Cloud Vertex AI, Microsoft Foundry), and Anthropic committed $100 million in model usage credits to fund the effort.

What’s Actually New

Three pieces of the announcement reshape the cybersecurity landscape. First, the model itself. Claude Mythos Preview is described as a general-purpose frontier model with exceptional capability across coding and agentic tasks, with cybersecurity strength emerging as a side effect of the broader capability rather than as a security-specific training objective. The pre-release findings (thousands of zero-days across every major OS and browser, including the 27-year-old OpenBSD bug) are the kind of result that would have been treated as science fiction in 2022 and as marketing hyperbole in 2024. In 2026 they are results Anthropic reports from its own pre-release testing, and the advisories that follow will show how well the numbers hold up.

Second, the access model. Anthropic has consistently positioned itself as the safety-focused frontier lab; Project Glasswing is the most concrete operational expression of that positioning to date. Rather than ship Mythos Preview to the broad customer base, where it would inevitably reach adversary hands, Anthropic limited access to a curated coalition of critical-infrastructure software vendors and cybersecurity operators. The revenue foregone (broad commercial deployment of a flagship model) is meaningful; the strategic statement is unambiguous.

Third, the launch partner roster. AWS, Apple, Cisco, Google, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation collectively maintain the software substrate that runs essentially every digital workload in existence. Putting Mythos Preview in the hands of these specific organizations means the highest-leverage software in the world gets a security pass from the most capable security AI ever publicly disclosed. The 90 days following the Glasswing launch should produce a measurable improvement in the baseline security of the world's most-deployed software, but only if the partners actually move the discovered vulnerabilities through to shipped patches.

Why It Matters

  • The defensive bookend to the Google AI-zero-day story. Google’s May 11 disclosure of an AI-generated zero-day in the wild made the offensive AI capability undeniable. Project Glasswing is the public demonstration that defenders have matched the capability — and the controlled-access strategy is what prevents the defensive capability from becoming offensive capability for adversaries.
  • The 27-year-old OpenBSD vulnerability is the headline shock. OpenBSD is famous for a paranoid security culture, code audits stretching back decades, and a "secure by default" reputation that the project has earned. A 27-year-old bug surviving that scrutiny, and being found by Mythos in pre-release testing, suggests the pool of undiscovered bugs in even well-audited, mature code is larger than the security community has assumed.
  • The pricing positions Mythos as elite-only. At $25/$125 per million tokens, Mythos costs 5-10x more than current frontier models. That pricing is a deliberate access filter — only well-resourced organizations with serious security commitments can afford the volume of analysis the model enables. Adversaries with the budget would presumably still find it cheaper than building equivalent capability internally, which is why the access-list approach is the critical security control rather than the price.
  • The launch partner alignment is itself a strategic move. The same companies that compete fiercely in many markets (AWS vs Google Cloud vs Microsoft Azure; Cisco vs Palo Alto Networks) are joint launch partners on Glasswing. The framing of “we are united on critical software security regardless of competitive dynamics” sets a precedent for how AI safety initiatives can structure cross-industry cooperation.
  • The disclosure timeline pressure intensifies. The customary 90-day disclosure window was calibrated for a world in which finding a bug took researchers weeks or months. With a model that can surface zero-days in hours of compute, maintainers receiving disclosures face volumes and deadlines their triage and release processes were not built for, and will need to patch faster than they have historically.
  • The frontier-model safety conversation gets a tangible reference point. “Should the most capable AI models be broadly released?” was an abstract policy question in 2024. The Glasswing precedent demonstrates one concrete alternative — selective release to vetted partners for specific defensive purposes — that the industry will reference for years.

How To Use It Today

Most readers will not be Project Glasswing partners — the initiative is structurally limited. The playbook below covers what you can do regardless of partner status, organized by role.

  1. If you maintain critical open-source software — engage with the Linux Foundation’s Glasswing track. The Linux Foundation is positioned as a participant specifically to extend Glasswing’s reach into the broad open-source ecosystem. Vulnerability disclosures from Glasswing partners should land with appropriate context and remediation guidance; maintainers receiving these disclosures should treat them as the highest-priority security work in their backlog.
  2. If you operate critical infrastructure dependent on Glasswing-partner software — accelerate your patch cadence on the partner products. The next 6-12 months will see a wave of patches addressing Mythos-discovered vulnerabilities. Patching faster than your historical baseline matters more during this window than it does in normal operation because the disclosure timeline pressure is real.
    #!/bin/sh
    # Quick audit: which Glasswing-partner software is on this host?
    # Prints the OS and any installed packages matching partner products,
    # so you know which security advisory feeds to subscribe to.
    
    echo "== Operating system =="
    uname -srm
    [ -r /etc/os-release ] && . /etc/os-release && echo "$PRETTY_NAME"
    # Linux (Linux Foundation), macOS (Apple) and Windows (Microsoft) are
    # all partner-maintained: subscribe to that vendor's advisory feed
    # regardless of what the package scan below finds.
    
    echo "== Installed packages matching Glasswing partners =="
    # Package-name fragments for partner products: kernels, browsers
    # (Chrome, Edge, Safari; Firefox is not partner-maintained, though
    # Anthropic says its testing covered every major browser), NVIDIA
    # drivers, AWS tooling, CrowdStrike Falcon, VMware (Broadcom),
    # Cisco and Palo Alto Networks clients. Extend for your own stack.
    PATTERN='linux-image|kernel|chrom|microsoft|edge|nvidia|aws|falcon|vmware|cisco|globalprotect'
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' | grep -Ei "$PATTERN"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}\n' | grep -Ei "$PATTERN"
    elif command -v brew >/dev/null 2>&1; then
        brew list --versions | grep -Ei "$PATTERN"
    fi
    
    # Full partner list to check the rest of your stack against:
    # AWS, Apple, Broadcom, Cisco, CrowdStrike, Google,
    # JPMorganChase (FS-ISAC ecosystem), Linux Foundation,
    # Microsoft, NVIDIA, Palo Alto Networks
    
  3. If you run a security operations function — update your vulnerability prioritization to give extra weight to vulnerabilities disclosed through Glasswing-partner channels through 2026. Allocate budget for accelerated patching of the highest-volume partner products. Update your tabletop exercises to include scenarios where a Mythos-discovered vulnerability requires emergency response.
  4. If you build security tools — the bar just rose. The expectation buyers will increasingly have is that your tool’s vulnerability detection capability is at least competitive with what a Mythos-augmented security team can produce. The tools that previously relied on signature databases need to add AI-augmented detection capability or face increasing market pressure.
  5. If you are a CISO building your 2026-2027 strategy — Glasswing reinforces the strategic case for AI-augmented security operations. The threat environment now includes AI-augmented adversaries (Google’s May 11 disclosure) and AI-augmented defenders (Glasswing). Operating without AI capability of your own positions your organization in the middle of an asymmetric capability gap. Your 2026 deployment timeline matters; the catch-up cost in 2027 will be larger.
  6. If you are a developer working on production code — assume your code will be reviewed by something with Mythos-class capability within 18-24 months, either as a defensive scan by a vendor or as an offensive scan by an adversary. The hygiene practices that previously felt optional (memory safety, careful input validation, minimal trust assumptions, defense-in-depth) now have a much higher payoff. The leading 2026 developer tools (Cursor, Claude Code, GitHub Copilot with Advanced Security) increasingly surface security findings while you write code; using them well matters.
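Step 3 above asks a security operations team to weight Glasswing-partner disclosures more heavily. The following is an added example, not code from Anthropic or from any Glasswing partner, of what that weighting can look like in a vulnerability-prioritization queue: a score built from CVSS, internet exposure and known exploitation, then multiplied up when the vendor is on the launch-partner list. The partner names come from the announcement; the weights, the advisory records and their identifiers are constructed for illustration.

```python
# Added example (not Anthropic's or Project Glasswing's code): a small
# vulnerability-prioritization scorer that gives extra weight to advisories
# from Glasswing launch partners. Vendor names are the partner list from the
# announcement; the weights, sample advisories and their IDs are constructed.
from dataclasses import dataclass

GLASSWING_PARTNERS = {
    "amazon web services", "apple", "broadcom", "cisco", "crowdstrike",
    "google", "jpmorgan chase", "linux foundation", "microsoft", "nvidia",
    "palo alto networks",
}


@dataclass(frozen=True)
class Advisory:
    adv_id: str             # internal tracking ID (placeholder values below)
    vendor: str             # vendor as named in the advisory
    cvss: float             # CVSS base score, 0.0 - 10.0
    internet_exposed: bool  # affected asset reachable from the internet
    known_exploited: bool   # e.g. listed in CISA KEV


def priority_score(adv: Advisory, partner_weight: float = 1.5) -> float:
    """Score an advisory; higher means patch sooner.

    CVSS is the base. Exposure and known exploitation are additive bumps.
    A Glasswing-partner vendor multiplies the total, so during the
    disclosure window the article describes a CVSS 7.0 partner bug
    outranks a CVSS 9.0 non-partner bug with otherwise equal context.
    The 1.5 multiplier is an assumed value; tune it to your risk appetite.
    """
    score = adv.cvss
    if adv.internet_exposed:
        score += 1.0
    if adv.known_exploited:
        score += 2.0
    if adv.vendor.strip().lower() in GLASSWING_PARTNERS:
        score *= partner_weight
    return round(score, 2)


def prioritize(advisories):
    """Return the advisories sorted by descending priority score."""
    return sorted(advisories, key=priority_score, reverse=True)


# Constructed sample queue (IDs and vendors are placeholders, not real
# advisories). Note that the Apple entry, with a modest CVSS, still lands
# above the exposed CVSS 9.0 bug from a non-partner vendor.
SAMPLE = [
    Advisory("ADV-1", "Microsoft", 7.0, True, False),
    Advisory("ADV-2", "ExampleVendor", 9.0, True, False),
    Advisory("ADV-3", "Apple", 5.5, False, True),
    Advisory("ADV-4", "ExampleVendor", 9.8, True, True),
]

if __name__ == "__main__":
    for adv in prioritize(SAMPLE):
        print(f"{priority_score(adv):6.2f}  {adv.adv_id:6}  {adv.vendor}")
```

The multiplier is deliberately applied after the exposure and exploitation bumps so that a partner bug that is already being exploited rises fastest; a non-partner bug that is both exposed and in active exploitation (ADV-4 above) still sits at the top, which is the behaviour you want.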

How It Compares

The AI-for-vulnerability-discovery landscape now has several distinct entrants with very different positioning. The table compares them on the dimensions that matter.

System: Claude Mythos Preview (Glasswing)
  Access model: Controlled; Project Glasswing partners only
  Capability tier: Top of the public landscape (thousands of zero-days, 27-year-old OpenBSD bug)
  Use case: Defensive vulnerability discovery on critical software
  Risk profile: Cyber capability too strong for broad release, per Anthropic

System: Claude Sonnet/Opus (production)
  Access model: Public API and subscription
  Capability tier: Strong code analysis; meaningful vulnerability discovery
  Use case: Production code review, security research
  Risk profile: Manageable; standard frontier-model controls

System: OpenAI GPT-5.5-Cyber
  Access model: Limited; security-team customers
  Capability tier: Strong security-tuned variant
  Use case: SOC analyst augmentation, security research
  Risk profile: Controlled access pattern, similar to Glasswing in spirit

System: Google's threat intel AI
  Access model: Internal plus select partners
  Capability tier: Strong; produced the May 11 zero-day attribution analysis
  Use case: Threat intelligence, exploit forensics
  Risk profile: Google-controlled

System: Open-source LLMs (Llama, Mistral, etc.)
  Access model: Public weights
  Capability tier: Behind the frontier; capable enough for adversary use
  Use case: General-purpose; concerning for offensive use cases
  Risk profile: Effectively no access controls

The pattern that emerges: the AI-vulnerability-discovery capability sits on a continuum. At the top, Mythos Preview is available only to Glasswing partners. Below that, GPT-5.5-Cyber and similar security-tuned variants are available to vetted security teams. Below that, the production frontier models (Claude, GPT-5, Gemini) handle competent security analysis at public-API access. And at the bottom, open-source models that anyone can download and run produce real but lower-tier capability. The control problem is real and the controls are imperfect, but the access tiers do meaningfully shape who can do what.

What’s Next

Three threads to watch over the next 90 days.

First, the Glasswing-partner disclosure cadence. The partners are now systematically running Mythos against their respective software. Expect a wave of security advisories landing across Apple, Google, Microsoft, AWS, the Linux Foundation, Cisco, and the other partners as the discovered vulnerabilities move through coordinated disclosure. The volume and significance of these advisories will be the visible measurement of Glasswing's impact.

Second, the response from other frontier labs. With Glasswing as a concrete precedent, other labs face pressure to articulate their own selective-release policies for capabilities of comparable concern. Expect public statements from OpenAI, Google DeepMind, and Meta on how they handle high-risk capability releases, and potentially additional Glasswing-style initiatives.

Third, the adversary response. The May 11 Google disclosure made clear that adversaries are already using AI for offensive vulnerability discovery. With Mythos-class capability now demonstrably available to defenders, expect adversaries to invest harder in their own AI capability and in techniques to evade AI-augmented defensive review.

The bigger structural question is whether the controlled-release model becomes the industry default for capabilities of similar dual-use risk. Bioweapon-class chemistry knowledge, certain categories of social engineering capability, and a handful of other capability classes face similar dual-use dynamics. The Glasswing precedent provides a template — selective release to vetted defensive use cases with explicit time-boxing and access controls — that other capability classes might adopt. The alternative (broad release of dual-use capability) becomes harder to defend with Glasswing as the comparison point.

Frequently Asked Questions

Can I get access to Claude Mythos Preview?

If you are not a Project Glasswing partner, no. Anthropic has explicitly limited the access to the partner list. The partners themselves can grant access to specific employees who need it for the work. Project Glasswing may expand its partner list over time, but the controlled-access pattern is structural rather than transitional.

Why is Anthropic limiting access to Mythos?

Anthropic’s published position is that the cybersecurity capability of Mythos is too strong for broad release. The model’s offensive vulnerability-discovery capability would, if available to adversaries, accelerate attack timelines faster than defenders could patch. The controlled-release model puts the capability in defenders’ hands first, with the goal of patching critical vulnerabilities before the underlying capability becomes broadly available. Critics argue this is paternalistic; supporters argue it is the responsible posture given the demonstrated capability.

What does “thousands of zero-days” actually mean?

Anthropic has not published a precise count or the specific vulnerabilities discovered. The “thousands” figure refers to internal pre-release testing where Mythos was run against major operating systems and browsers. The discovered vulnerabilities are now in the coordinated disclosure process with the affected vendors — many of which are Glasswing launch partners. The public will see these vulnerabilities surface as security advisories over the next 6-18 months as the patches ship.

How is Mythos different from Claude Sonnet or Opus?

Mythos Preview is described as a research model, distinct from the production Claude Sonnet and Opus families. The cybersecurity capability emerged as a side effect of the broader frontier capability, but the specific tuning, safety mitigations, and deployment context are different from the production models. Production Claude users will continue using Sonnet and Opus; Mythos is not a replacement for those products.

When will the discovered vulnerabilities be public?

Per coordinated disclosure norms, the affected vendors get time to develop and ship patches before public disclosure. The typical window is 60-90 days but can extend longer for complex fixes. Expect a steady stream of CVEs and security advisories crediting Anthropic and the Glasswing partners over the next 6-18 months as the discovered vulnerabilities work through the disclosure pipeline.

What does this mean for the Google AI-zero-day disclosure from May 11?

The two events are bookends of the same arc. Google's May 11 disclosure proved adversaries are using AI for zero-day discovery at scale. The Project Glasswing announcement proves defenders have AI capability at least as strong and are deploying it through controlled channels. The asymmetry that worried security researchers (adversaries with AI, defenders without) is no longer the structural problem. The new structural problem is whether the controlled-access defensive model can turn its discovered vulnerabilities into shipped patches faster than adversaries can find and exploit those same vulnerabilities independently.
