TL;DR
Anthropic announced Project Glasswing on April 7, 2026 — a cybersecurity initiative with AWS, Apple, Google, Microsoft, NVIDIA, and 6 other partners. Their unreleased Claude Mythos Preview model found thousands of high-severity zero-day vulnerabilities across every major OS and web browser, mostly without any human involvement.
What is Project Glasswing?
Anthropic partnered with 11 major companies to protect critical open-source and commercial software using AI. The initiative is backed by $100M in model credits and $4M in direct donations to open-source security organizations like OpenSSF and Apache Software Foundation.
Partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks.
Claude Mythos Preview — The Model Behind It
This is an unreleased frontier model with no plans for public availability. Only defensive security partners get access.
Here's how it compares to Claude Opus 4.6:
Benchmark                      Mythos   Opus 4.6   Delta
─────────────────────────────────────────────────────────
CyberGym (vuln reproduction)   83.1%    66.6%      +16.5%
SWE-bench Verified             77.8%    53.4%      +24.4%
SWE-bench Multilingual         59.0%    27.1%      +31.9%
Terminal-Bench 2.0             93.9%    80.8%      +13.1%
GPQA Diamond                   94.6%    91.3%      +3.3%
The SWE-bench Multilingual jump from 27.1% to 59.0% is particularly notable — it suggests a fundamental improvement in understanding code across different programming languages.
Real-World Discoveries
1. OpenBSD — 27-Year-Old TCP SACK Bug
Platform: OpenBSD (considered the most secure OS)
Bug age: 27 years
Impact: Remote server crash via TCP SACK option
Detection: Fully autonomous (no human guidance)
27 years of expert security review missed this. The AI found it.
2. FFmpeg — 16-Year-Old Vulnerability
Platform: FFmpeg (multimedia processing library)
Bug age: 16 years
Previous attempts: 5,000,000+ fuzzing runs (failed)
Detection: Claude Mythos Preview (succeeded)
3. Linux Kernel — Privilege Escalation Chain
This one is particularly impressive. Rather than finding a single bug, Mythos chained multiple vulnerabilities together to build a complete privilege escalation path:
Regular user → chain of multiple exploits → root access
This is attack scenario design, not just bug hunting.
Firefox Exploit Success Rate
The starkest comparison:
Opus 4.6: ~2 successful exploits out of hundreds of attempts
Mythos: 181 successful exploits
This isn't incremental improvement. It's a different capability tier.
What The Industry Is Saying
"The world changed a month ago. Now real security reports made by AI are flooding in."
— Greg Kroah-Hartman, Linux Kernel maintainer
"Vulnerability Research Is Cooked"
— Thomas Ptacek, security researcher
"The time between vulnerability discovery and attacker exploitation has collapsed from months to minutes"
— CrowdStrike
Daniel Stenberg (curl maintainer) notes he's spending hours daily processing AI-generated security reports.
What's Next
- 90-day public report with recommendations on vulnerability disclosure, patch automation, and supply chain security
- New safeguards in the next Claude Opus model
- Ongoing discussions with US government officials
The Bigger Picture
For decades, security has been a cat-and-mouse game where attackers have the advantage. They only need to find one vulnerability; defenders need to find all of them.
Project Glasswing represents a potential shift: AI finding thousands of vulnerabilities before attackers do. Defense moving faster than offense for the first time.
The challenge? Ensuring this capability is used defensively. That's why Mythos Preview stays unreleased and restricted to vetted partners.
Source: anthropic.com/glasswing