Claude Mythos and Project Glasswing: What Anthropic's AI Superhacker Means for Cybersecurity
On April 7, 2026, Anthropic announced something unusual for an AI company: it had built a model so capable that it would not release it to the public. Claude Mythos Preview, a general-purpose frontier model, turned out to be extraordinarily good at one thing in particular -- finding and exploiting software vulnerabilities. In the span of a few weeks, it discovered thousands of zero-day vulnerabilities across every major operating system and every major web browser.
Rather than shipping it as a product, Anthropic restricted access to roughly 50 organizations through a new initiative called Project Glasswing. The partners include Microsoft, Google, Apple, AWS, NVIDIA, Cisco, CrowdStrike, JPMorgan Chase, Palo Alto Networks, the Linux Foundation, and Broadcom. Anthropic committed up to $100 million in usage credits and $4 million in direct donations to open-source security to fund the effort.
This is either the most consequential AI safety decision of the year or the most sophisticated marketing campaign in AI history. The truth is probably somewhere in the middle, and that middle ground is where the interesting questions live.
What Mythos Preview Actually Did
The headline numbers are striking. Anthropic's previous public model, Claude Opus 4.6, had found approximately 500 zero-day vulnerabilities in open-source software -- already a meaningful number. Mythos Preview found thousands more in a fraction of the time, targeting not just open-source code but proprietary systems including Windows, macOS, Linux, Chrome, Firefox, and Safari.
The most dramatic finding was a 27-year-old vulnerability in OpenBSD, an operating system that has built its entire reputation on security. The bug was in OpenBSD's implementation of TCP Selective Acknowledgment (SACK). Two interacting flaws in the kernel's handling of SACK state -- a singly linked list of byte-range "holes" -- allowed an attacker to craft a packet that triggers an integer overflow, causing the kernel to write to a null pointer and crash the machine. The vulnerability had survived 27 years of human code review, automated testing, and security audits. Mythos found it autonomously.
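As an added illustration (hypothetical example code, not OpenBSD's code and not a reconstruction of the bug Anthropic reported), here is a simplified C model of the SACK "hole" list the paragraph describes, with the checks that guard this class of defect: sequence numbers compared in 32-bit modular space rather than as plain integers, every peer-supplied block bounded by the bytes actually sent, a cap on list growth, and a null check before any node is written. All names here (seq_lt, sack_block_valid, sack_add_hole, sack_apply, MAX_HOLES) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified model of SACK hole bookkeeping, added as an
 * illustration. It is not OpenBSD's code and does not reproduce the reported
 * flaw; it shows the defensive checks for this class of defect. */

/* "a is before b" in 32-bit modular sequence space; plain < is wrong across a wrap. */
static inline bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static inline bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

struct sack_block { uint32_t start, end; };   /* [start, end) the peer says it received */

struct hole {                                 /* [start, end) still unacknowledged */
    uint32_t start, end;
    struct hole *next;                        /* singly linked, ascending by start */
};

struct send_state {
    uint32_t snd_una;                         /* oldest unacknowledged byte */
    uint32_t snd_max;                         /* one past the highest byte sent */
    struct hole *holes;
    size_t nholes;
};

#define MAX_HOLES 128   /* cap list growth so a peer cannot drive unbounded allocation */

static struct sack_block blk(uint32_t start, uint32_t end)
{
    struct sack_block b = { start, end };
    return b;
}

/* Reject anything a conforming peer would never send: an empty or inverted
 * range, a range below the cumulative ACK, or a range past what we sent. */
bool sack_block_valid(const struct send_state *s, struct sack_block b)
{
    if (!seq_lt(b.start, b.end))     return false;   /* empty or wrapped-inverted */
    if (seq_lt(b.start, s->snd_una)) return false;   /* already acknowledged */
    if (seq_lt(s->snd_max, b.end))   return false;   /* bytes we never sent */
    return true;
}

/* Append a hole (a gap discovered by retransmission bookkeeping). */
bool sack_add_hole(struct send_state *s, uint32_t start, uint32_t end)
{
    if (!seq_lt(start, end) || s->nholes >= MAX_HOLES) return false;
    struct hole *h = malloc(sizeof *h);
    if (h == NULL) return false;                      /* never write through a failed alloc */
    h->start = start; h->end = end; h->next = NULL;
    struct hole **pp = &s->holes;
    while (*pp != NULL) pp = &(*pp)->next;
    *pp = h;
    s->nholes++;
    return true;
}

/* Apply a SACK block: bytes in [b.start, b.end) have arrived, so every hole they
 * overlap is trimmed, split or dropped. Returns false for an invalid block, or if
 * a split would exceed the cap or cannot be allocated; holes already trimmed in
 * that call stay trimmed, which is safe because they only record reported bytes. */
bool sack_apply(struct send_state *s, struct sack_block b)
{
    if (!sack_block_valid(s, b)) return false;
    for (struct hole *h = s->holes; h != NULL; h = h->next) {
        if (seq_leq(b.end, h->start) || seq_leq(h->end, b.start)) continue; /* disjoint */
        bool covers_front = seq_leq(b.start, h->start);
        bool covers_back  = seq_leq(h->end, b.end);
        if (covers_front && covers_back) {
            h->end = h->start;                        /* fully acked: emptied, freed below */
        } else if (covers_front) {
            h->start = b.end;                         /* trim the front */
        } else if (covers_back) {
            h->end = b.start;                         /* trim the back */
        } else {                                      /* block strictly inside: split */
            if (s->nholes >= MAX_HOLES) return false;
            struct hole *tail = malloc(sizeof *tail);
            if (tail == NULL) return false;           /* checked before any write */
            tail->start = b.end; tail->end = h->end; tail->next = h->next;
            h->end = b.start; h->next = tail;
            s->nholes++;
            h = tail;                                 /* tail is disjoint from b */
        }
    }
    for (struct hole **pp = &s->holes; *pp != NULL; ) {  /* drop emptied holes */
        if ((*pp)->start == (*pp)->end) {
            struct hole *dead = *pp; *pp = dead->next; free(dead); s->nholes--;
        } else {
            pp = &(*pp)->next;
        }
    }
    return true;
}
```

The window that straddles 2^32 is the edge case worth keeping in a unit test: with plain `<` comparisons a block such as [0xFFFFFF80, 0x40) looks inverted and a block past snd_max looks in range, which is exactly where unchecked range arithmetic goes wrong. The example shows only the defensive checks; it does not reproduce or trigger the reported flaw.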
On Firefox's JavaScript engine, Mythos Preview achieved a 181-out-of-250 exploit success rate. Opus 4.6 managed 2 out of 250 on the same test. That is not an incremental improvement. That is a qualitative shift in what an AI model can do.
Key benchmark comparison: Claude Mythos Preview scores 77.8% on SWE-Bench Pro (vs 53.4% for Opus 4.6), 82% on Terminal-Bench 2.0 (vs 65.4%), 83.1% on cybersecurity benchmarks (vs 66.6%), and solved all 35 CTF challenges on Cybench with 100% pass@1. It leads on 17 of 18 benchmarks Anthropic measured.
Perhaps most concerning: Mythos found several flaws in the Linux kernel and autonomously chained them together into an exploit that would give an attacker complete control of any machine running Linux. It did not just find individual bugs. It understood how multiple vulnerabilities interact and built a working attack pipeline from scratch.
How Project Glasswing Works
Anthropic's response to these capabilities was to create Project Glasswing, a structured program for using Mythos Preview defensively rather than releasing it into the wild.
The model works through four primary use cases:
- Local vulnerability detection -- scanning source code and compiled binaries for exploitable flaws
- Black-box testing of binaries -- reverse-engineering closed-source software to find weaknesses without access to the source
- Endpoint security testing -- probing live systems for attack surfaces
- Penetration testing -- simulating real attacks against complex, multi-component systems
Partner organizations receive access to Mythos Preview through Anthropic's infrastructure. They run the model against their own codebases and systems, identify vulnerabilities, and patch them. Critically, Anthropic says that what partners learn will eventually be shared back with the broader tech industry -- though the timeline and mechanism for that sharing remain vague.
The 50-partner list reads like a who's who of critical infrastructure. If Mythos can find vulnerabilities in Windows, macOS, and Linux, it makes sense for Microsoft, Apple, and the Linux Foundation to have access. If it can break browsers, Google (Chrome) and Apple (Safari) need to know about it. If it threatens financial systems, JPMorgan Chase should be running it against its infrastructure. The logic of restricted access is sound on its face.
The Skeptics Have a Point
Not everyone is buying the narrative, and the counterarguments deserve serious consideration.
Meta's chief AI scientist Yann LeCun publicly downplayed the alarm, suggesting the capabilities do not match the dramatic framing. Former White House AI czar David Sacks was more blunt, noting that "Anthropic has a history of scare tactics" and recommending the claims be taken with a grain of salt.
Security researcher Bruce Schneier, writing on his widely read blog, pointed out the structural incentives at play. Anthropic has strong commercial reasons to position itself as simultaneously cutting-edge and uniquely responsible. Withholding a model while telling the world it is too powerful creates mystique, drives headlines, and reinforces the company's safety-first brand. It is, in effect, the perfect marketing story: "We built something so powerful that we are too responsible to let you use it."
There is also a verification problem. No independent regulator approved Anthropic's decision about who gets access. No external body has fully verified the claimed capabilities. The UK AI Safety Institute (AISI) did evaluate Mythos Preview and confirmed genuine capability advances, but the full scope of claims has not been independently replicated.
A cybersecurity industry insider told Bloomberg that they found the announcement overhyped, noting the fundamental issue: "We have this powerful model, but you cannot evaluate it yourself."
Why the Capabilities Are Probably Real (Even If the Framing Is Strategic)
Here is where I land after reading everything I can find on this: the capabilities are almost certainly real, the framing is almost certainly strategic, and both things can be true at the same time.
The OpenBSD vulnerability is a concrete, verifiable result. A 27-year-old bug in a security-focused operating system is not something you fabricate. It was patched after Mythos found it, which means it was independently confirmed by the OpenBSD team. The Firefox exploit success rate of 181/250 is a specific, measurable claim that Anthropic put their name on in a formal research publication.
The progression from Opus 4.6 to Mythos also follows a trajectory that security researchers have been warning about for over a year. AI models have been getting better at code understanding at a rate that outpaces their improvements in other domains. A model that deeply understands code -- that can read, write, reason about, and modify complex software -- is inevitably going to be good at finding the places where that software breaks.
The skeptics are right that Anthropic benefits from the drama. But they would also benefit from releasing the model as a product and charging for it. The fact that they chose restricted access over revenue suggests that someone at Anthropic genuinely believes the risk calculus favors caution. Or at least, that the long-term brand value of being seen as cautious outweighs the short-term revenue. Either way, the practical outcome -- limited access, coordinated vulnerability patching -- is the same.
The balanced take: Mythos is probably real and probably overhyped. The evidence for genuine capability advancement is too strong to dismiss, but the framing is too strategically perfect to accept uncritically. The capabilities are real but likely narrower than the best-case presentation suggests.
What This Means for Developers
If you write software for a living, Mythos and Project Glasswing have concrete implications even though you cannot access the model yourself.
Your Code Will Be Audited by AI
Whether through Glasswing partners sharing findings, through future models with similar capabilities, or through attackers developing their own vulnerability-finding AI, the software you write today will eventually be scrutinized by models that can find bugs humans miss. This is not hypothetical. It is happening now with the Glasswing partners, and the capability will only become more widespread.
The practical response: double down on secure coding practices. Use memory-safe languages where possible. Run static analysis tools. Write tests that specifically target edge cases in parsing, memory management, and input validation. The bugs Mythos finds are the bugs that survive everything else -- the subtle interaction effects, the integer overflows, the race conditions in concurrent code.
Open-Source Software Gets a Security Upgrade
Anthropic's $4 million donation to open-source security organizations, combined with the Linux Foundation's direct participation in Glasswing, means that critical open-source infrastructure should see a wave of vulnerability patches in the coming months. If you maintain or depend on open-source projects, expect an uptick in security advisories and patch releases.
Keep your dependencies updated. Set up automated vulnerability scanning in your CI/CD pipeline if you have not already. Tools like Dependabot, Snyk, and Trivy are not optional anymore -- they are baseline hygiene.
The Attack Surface Is About to Shift
When defenders get better tools, attackers adapt. If the major operating systems and browsers get patched against the vulnerabilities Mythos found, attackers will shift their focus to less-scrutinized targets: IoT devices, embedded systems, legacy enterprise software, and smaller open-source libraries that are not part of the Glasswing initiative. If you build products in those categories, the pressure is increasing.
What This Means for Businesses
The Mythos announcement triggered immediate reactions from regulators and financial institutions. US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell urged major Wall Street banks to test the model for finding security weaknesses. UK financial regulators convened discussions with bank executives through the Cross Market Operational Resilience Group. Canadian banks and regulators held their own meetings, with Canada's finance minister planning direct talks with Anthropic.
The message from regulators is clear: AI-powered vulnerability discovery is here, and organizations that handle sensitive data need to prepare for a world where attack tools are significantly more sophisticated.
Practical Steps for Organizations
- Audit your legacy systems. The 27-year-old OpenBSD bug is a reminder that old code carries old risks. If you are running software that has not been thoroughly reviewed with modern tools, assume it has vulnerabilities that AI will find -- either your AI or someone else's.
- Invest in patch management. When Glasswing findings start generating CVEs and patches, you need to apply them quickly. Organizations with slow patching cycles are going to be the most exposed.
- Review your incident response plans. If AI-powered attacks become more common, your response playbooks need to account for faster, more sophisticated exploitation chains. The old assumption that attackers need significant time to develop working exploits may no longer hold.
- Watch for Glasswing disclosures. As partners share their findings, there will be a period where patches are available but not yet widely deployed. This window is when attackers -- who may develop their own vulnerability-finding AI -- will be most dangerous.
The Bigger Picture: AI and the Offense-Defense Balance
Cybersecurity has always been an asymmetric game. Defenders have to protect every possible attack surface. Attackers only have to find one hole. For decades, this asymmetry has favored offense -- it is cheaper and easier to break things than to secure them.
Mythos and Project Glasswing are interesting because they might -- emphasis on might -- shift this balance. If AI is dramatically better at finding vulnerabilities than humans, and if that capability is channeled into defense first through programs like Glasswing, then defenders could theoretically find and patch vulnerabilities before attackers discover them.
The problem is that "defense first" only works as long as the most capable models stay restricted. If a comparable model leaks, gets replicated by an adversary, or is independently developed by a state actor, the advantage evaporates. And the history of capability restrictions in technology is not encouraging -- powerful tools tend to proliferate, regardless of anyone's intentions.
This is the fundamental tension that Anthropic is trying to navigate. They have built something genuinely useful for defense but equally useful for offense. Restricting access helps in the short term. In the long term, the capability cat is already partway out of the bag -- other AI labs are building toward similar capabilities, and the underlying research is advancing rapidly.
What Comes Next
Several things to watch in the coming months:
- CVE disclosures from Glasswing partners. As Microsoft, Google, Apple, and others run Mythos against their systems, expect a wave of security patches. The volume and severity will tell us a lot about how real the claimed capabilities are.
- Independent capability evaluations. The UK AISI has done initial testing. Other evaluation bodies will follow. Watch for assessments from NIST, MITRE, and independent security research firms.
- Competitor responses. OpenAI, Google DeepMind, and Meta are all building frontier models. If Anthropic's claims are even partially accurate, competitors will race to develop similar cybersecurity capabilities -- and they may not all choose the restricted-access approach.
- Regulatory frameworks. The immediate response from Treasury, the Fed, and UK regulators suggests that governments are taking this seriously. Watch for new guidance or requirements around AI-powered vulnerability testing.
- The "general release" question. Anthropic says they have no plans to release Mythos Preview publicly, but they have mentioned releasing "other related models." Whether a neutered version eventually becomes available -- and how much capability it retains -- will be revealing.
The Bottom Line
Claude Mythos Preview and Project Glasswing represent something new in the AI industry: a company voluntarily withholding a commercially valuable model because of genuine capability concerns. Whether Anthropic's motivations are purely altruistic, partially strategic, or some combination -- the practical outcome is that the world's most critical software is getting an AI-powered security audit from one of the most capable models ever built.
For developers, the lesson is straightforward: AI tools are already changing how software gets built, and now they are changing how it gets broken. Write code as if an AI will eventually audit it for vulnerabilities, because it will. Keep dependencies updated, invest in automated security testing, and pay attention to the CVE disclosures coming out of Glasswing over the next few months.
For businesses, the message from regulators is unambiguous: the bar for cybersecurity is rising. Legacy systems, slow patching, and "good enough" security postures are increasingly risky in a world where AI can find and chain exploits faster than any human team.
And for the AI industry as a whole, Mythos is a proof point that capability advances do not always lead to immediate product releases. Sometimes the responsible thing is to hold back. Whether that principle survives contact with competitive pressure and quarterly earnings targets is the real question.
Frequently Asked Questions
What is Claude Mythos Preview?
Claude Mythos Preview is an unreleased frontier AI model from Anthropic that demonstrates unprecedented capabilities in finding and exploiting software vulnerabilities. It found thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old bug in OpenBSD. Anthropic has decided not to release it publicly due to the cybersecurity risks it poses.
What is Project Glasswing?
Project Glasswing is Anthropic's cybersecurity initiative that provides restricted access to Claude Mythos Preview to approximately 50 partner organizations -- including Microsoft, Google, Apple, AWS, and JPMorgan Chase. Partners use the model to find and fix vulnerabilities in critical software infrastructure. Anthropic is committing up to $100 million in usage credits and $4 million in open-source security donations to support the program.
Is Anthropic's Mythos AI overhyped?
Opinions are divided. Meta's Yann LeCun and former White House AI czar David Sacks have expressed skepticism, suggesting the alarm may be overstated. Security researcher Bruce Schneier notes that Anthropic has commercial incentives to position itself as both cutting-edge and uniquely responsible. However, independent evaluations from the UK AI Safety Institute confirm genuine capability advances, and the OpenBSD vulnerability discovery is a concrete, verified result. The most reasonable position: the capabilities are real, but the framing is strategically optimized.