Today Anthropic announced Claude Mythos Preview — a general-purpose model that happens to be devastatingly good at finding and exploiting security vulnerabilities.
And they are not releasing it to the public.
Instead, they launched Project Glasswing: a coordinated effort to give Mythos Preview to security researchers and major software vendors first. The goal? Fix the vulnerabilities before the capabilities proliferate to actors who will not use them responsibly.
What makes Mythos different
According to Anthropic's Red Team blog, Mythos Preview can:
- Find and exploit zero-day vulnerabilities in every major operating system and every major web browser
- Chain together four vulnerabilities to write browser exploits that escape both renderer and OS sandboxes
- Construct local privilege escalation exploits using subtle race conditions and KASLR bypasses
- Write remote code execution exploits on FreeBSD's NFS server that grant full root access to unauthenticated users
The oldest bug it found? A 27-year-old vulnerability in OpenBSD — an operating system literally famous for its security.
Non-experts can use it too
This is the part that should worry everyone:
Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit.
The barrier to sophisticated attack development just dropped from "needs a security research team" to "needs API access."
Why the restriction matters
Anthropic claims over 99% of the vulnerabilities Mythos has found have not yet been patched. They're following coordinated vulnerability disclosure practices — which means they're sitting on a mountain of zero-days while vendors scramble to fix them.
The official position: this capability will proliferate anyway. Better to use it defensively first.
What this signals for the industry
This is a watershed moment.
The defensive advantage is over. For decades, finding zero-days required specialized expertise. Now a model can do it overnight.
Responsible deployment is now a competitive pressure. Anthropic chose to restrict access. Other labs might not.
Every major software project needs to assume its codebase has discoverable vulnerabilities. Mythos-style capabilities are coming for everyone's code.
Security researchers are about to become the most important people in the room. If you're not working with AI-assisted vulnerability discovery, you're already behind.
What happens next
Project Glasswing partners will focus on:
- Local vulnerability detection
- Black box testing of binaries
- Securing endpoints
- Penetration testing foundational systems
The rest of the industry gets to wait — and hope the good actors find the bugs before the bad actors get the same capabilities.
The full technical details are in the Mythos Preview system card and the Anthropic Red Team blog. Simon Willison has excellent coverage as well.