Carapace

Posted on Jun 26 • Originally published at zenn.dev

Outside the Glasswing Circle: Why I Built a Local Security CLI

#ai #security #opensource #cli

Some AI releases are defined by what becomes available.

Claude Mythos Preview was defined by what did not.

Anthropic did not introduce Mythos as a model anyone could simply use. It described a model with cyber capabilities strong enough to find and exploit vulnerabilities at a level above everyone except the most highly skilled humans, and then chose not to release it publicly.

That is an unusual kind of product announcement.

The interesting part is not that AI is getting stronger. We already know that. The interesting part is distribution: who receives defensive capability first, who receives it later, and who is left outside the circle while offensive capability continues to spread.

Carapace started from that question.

It is a local security CLI that reads code, triages suspicious paths, deep-dives only where needed, and records the result locally. It is not a replacement for professional security teams, enterprise platforms, or human judgment. It is a small tool for the teams, maintainers, and builders who are not inside the privileged defensive programs.

I built it because I think that group is going to matter.

The Circle That Does Get Protected

Project Glasswing is a rational response to a dangerous capability.

If a model can help discover and exploit serious vulnerabilities, the safest first use is to put it in the hands of defenders protecting critical infrastructure.

Anthropic began Project Glasswing in April 2026 with roughly 50 major infrastructure organizations. The initial group included names such as AWS, Apple, Google, Microsoft, NVIDIA, JPMorgan Chase, Cisco, CrowdStrike, the Linux Foundation, and Palo Alto Networks.

On June 2, Anthropic expanded the program to approximately 150 more organizations across more than fifteen countries. The expansion included sectors such as power, water, healthcare, telecommunications, and hardware. Some reporting described the combined scale as roughly 200 organizations.

That matters.

The program is not just theoretical. Glasswing partners have reportedly found more than 10,000 high- and critical-severity vulnerabilities. Anthropic also scanned more than 1,000 open source projects with Mythos and reported 6,202 high- and critical-severity findings. Of the 1,752 findings independently reviewed by six security research firms, more than 90% were confirmed as true vulnerabilities.

One reported example was wolfSSL, a cryptographic library used across billions of devices. Mythos found a vulnerability that could support certificate forgery scenarios involving fake sites. The issue, CVE-2026-5194, has been fixed.

This is the right kind of work to do first.

If the capability exists, critical infrastructure should not wait for attackers to receive it. The strongest defensive use should happen before the strongest offensive misuse.

But a question remains.

What happens to everyone outside that circle?

Fable Was Public, Then It Wasn't

On June 9, Anthropic launched Claude Fable 5, a public Mythos-class model with additional safety layers. It also introduced Mythos 5 as a restricted model for Glasswing and infrastructure providers.

That briefly suggested a path for everyone else.

But Fable 5 was not simply "Mythos for the public." In security-related workflows, it was heavily restricted. Legitimate code review and vulnerability analysis could be blocked or routed back to Opus 4.8. The boundary was criticized as broad.

Then, on June 12, the U.S. Commerce Department issued an export-control directive under ECRA through a BIS "Is Informed" letter. Foreign-national access to Fable 5 and Mythos 5 was halted. Because Anthropic could not reliably determine nationality for every customer, it disabled both models globally.

As of June 26, both models are still unavailable. On June 25, an Anthropic staff member publicly said Fable 5 had zero traffic; reports that it had quietly returned were attributed to a UI bug.

There are negotiations. There are possible policy milestones. There are prediction markets. There are public letters from cybersecurity leaders asking for access to be restored.

But those are not availability.

I am a business owner and creator based in Japan. In this specific story, that means I am on the side that cannot use the model.

That is not a complaint. It is a design constraint.

Enterprise Is Not Defenseless

It would be wrong to say that nobody outside Glasswing has options.

Large organizations and verified defenders are already getting real movement. Anthropic is pushing security work through general-purpose Claude models and offers Claude Security, based on Opus 4.8, in public beta for Enterprise customers. Reporting says it was used to help fix more than 2,100 vulnerabilities in three weeks.

There are also paths for open source maintainers to apply for prioritized access in some security workflows.

OpenAI has its own Trusted Access for Cyber program. It has released GPT-5.5-Cyber and expanded access to verified defenders. GPT-5.5 with trusted access and GPT-5.5-Cyber are explicitly positioned for defensive security work under stronger verification and account controls.

So the point is not "enterprise has nothing."

The point is narrower:

For small teams, independent builders, and many open source maintainers, the options that are easy to run locally, paid with your own API key, and designed specifically for vulnerability reachability are still scarce.

That is the space Carapace is trying to occupy.

Capability Is Spreading Anyway

Anthropic has warned that other AI companies may develop Mythos-class capability within six to twelve months, and may release it without equally strong misuse safeguards.

That no longer feels abstract.

OpenAI has already released GPT-5.5-Cyber to many trusted defenders. GPT-5.5 itself is one of the strongest cyber-capable models evaluated by public institutions. Sakana AI has announced Fugu Ultra, a model-orchestration system positioned as reaching frontier-level performance on difficult engineering, scientific, and reasoning benchmarks.

I am deliberately staying with confirmed releases and programs here. Rumors are not a foundation for security planning.

The confirmed pattern is enough:

Cyber-capable AI is moving from a single frontier lab story into a broader ecosystem of specialized models, trusted-access programs, and orchestration systems. The defensive side is organizing. The offensive side will adapt too.

The question is not whether this will matter.

The question is whether small systems will have a way to prepare before the gap widens.

Why Carapace Is Local

Carapace does not run a hosted scanning service.

It runs locally. It reads files from your machine. It stores scan results locally. It uses your own Anthropic API key. It does not proxy model calls through a Carapace server, and it does not resell tokens.

That design is not only about privacy. It is also about cost and trust.

If I paid for everyone's tokens through a backend proxy, the worst possible outcome would be success: every viral spike would become a bill. A security tool for small teams should not be designed so that adoption creates hidden financial risk for the maintainer.

Using the user's own key keeps the economics honest.

You decide when to scan. You decide which model preset to use for triage. Your scan history stays on your machine. Carapace is a CLI, not a service you have to move your code into.

That local-first shape is also why Carapace can be useful before it becomes a platform.

It does one job:

Read a focused slice of code, find suspicious security paths, validate whether an attacker can plausibly reach them, and write down what it found.

Why It Does Triage First

The naive version of an AI security scanner is simple: send everything to the strongest model and ask for vulnerabilities.

That is expensive, noisy, and often unfair to the person who has to read the output.

Carapace uses two stages.

First, a cheaper model performs triage. It reads a focused set of files and shortlists suspicious areas. Then, only medium and high candidates are automatically sent to a stronger model for deep-dive. Low candidates are recorded, and stronger low candidates can be manually deep-dived later.

This split is not just about cost.

It is about attention.

Security reports consume human time. A tool that reports everything will eventually be ignored. A tool that reports only what it can support has a better chance of becoming part of a real workflow.

The goal is not to maximize the number of findings.

The goal is to maximize the number of findings worth interrupting someone for.

Why Reachability Matters

Many AI security reports fail at the same point: they confuse a dangerous-looking branch with an exploitable path.

There is code that looks risky.

Then there is code an attacker can actually reach.

Carapace is built around that distinction.

If an admin-only branch exists, the question is not just whether the branch is dangerous. The question is whether the attacker can become that admin, spoof that identity, control that request path, or otherwise satisfy the condition from outside the trust boundary.

If a server fetches a URL, the question is not only whether server-side fetch exists. The question is whether the attacker can set the URL, whether private destinations are blocked, whether redirects are revalidated, and whether runtime constraints change the outcome.

This is why Carapace deep-dives.

It asks for the attack story.

Not because it wants to help attackers, but because a finding without an attacker path is often just anxiety written in technical language.

Why the Prompts Are Public

Carapace does not treat its prompts as a secret moat.

The inspection logic is public by design. The value is not that the instructions are hidden. The value is in the methodology, the review loop, and the accumulated judgment about what should and should not be reported.

That is also a trust choice.

If a security tool asks to read your code, you should be able to see how it thinks. You should know what it sends to the model, how it wraps untrusted repository content, how it distinguishes triage from deep-dive, and how it records results.

This is not perfect security. It is transparency.

And for a tool that asks developers to trust its judgment, transparency matters.

The Strange Calm Before Wider Access

Right now, there is a strange calm.

The strongest defensive capability is being concentrated first around critical infrastructure, verified defenders, and enterprise programs. That is understandable.

At the same time, comparable capability is beginning to appear through other channels: trusted-access cyber models, strong general coding models, and orchestration systems that can combine public models into more capable workflows.

The attack side will not wait for every small team to become ready.

But small teams still have time.

That is the window Carapace is built for.

Not to promise "no vulnerabilities."

Not to replace human security work.

Not to turn every developer into a red team.

The goal is smaller and more practical:

Help people outside the Glasswing circle read their own code earlier, more carefully, and with fewer false alarms.

I do not know whether Carapace will become important.

I do know why I built it.

The attack capability is moving outward. The strongest defense is still concentrated. The space between those two facts is where small tools need to exist.

Carapace is one of those tools.

DEV Community