Project Glasswing - Anthropic has crossed a line

Thoughts as a former IT infrastructure dude on Anthropic's new cybersecurity risk.

David Shapiro

Apr 08, 2026

Project Glasswing, Claude Mythos, and the New Shape of Cybersecurity

What Actually Happened

On April 7, 2026, Anthropic announced Project Glasswing, a cybersecurity initiative built around an unreleased AI model called Claude Mythos Preview. The model is being given to a select group of partners for defensive security work. Those partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, along with roughly 40 additional organizations responsible for building or maintaining critical software infrastructure.

Anthropic has committed $100 million in usage credits and $4 million in donations to open-source security organizations to support the effort. Mythos Preview is available to Glasswing participants at $25 per million input tokens and $125 per million output tokens through the Claude API, Amazon Bedrock, Google Vertex AI, and Microsoft Foundry. Anthropic has stated clearly that it does not plan to make the model generally available.

The Model

Mythos Preview is a general-purpose frontier model. Leaked internal documents from a CMS misconfiguration in late March pointed to approximately 10 trillion parameters using a Mixture-of-Experts architecture, though Anthropic has never confirmed the parameter count. The internal codename is “Capybara,” representing a new tier above Opus in Anthropic’s model lineup.

The benchmark results tell the story. On SWE-bench Verified, which measures real-world software engineering capability, Mythos scored 93.9% against Opus 4.6’s 80.8%. On SWE-bench Pro the gap widened to 77.8% versus 53.4%. On USAMO 2026, a proof-based math olympiad evaluation, Mythos hit 97.6% compared to Opus 4.6’s 42.3%. The long-context benchmark GraphWalks showed 80.0% versus 38.7%.

In the video I compared this to the leap from ChatGPT 3.5 to GPT-4. The numbers support that framing. These are step-change improvements across every axis of capability.

The Cybersecurity Capability

The headline finding is that Mythos Preview has autonomously discovered thousands of zero-day vulnerabilities across every major operating system and every major web browser.

Three examples stand out. The first is a 27-year-old vulnerability in OpenBSD’s TCP SACK implementation that allowed an attacker to remotely crash any machine just by connecting to it. OpenBSD is known specifically for being one of the most security-hardened operating systems in existence. The second is a 16-year-old bug in FFmpeg, the audio and video codec library that powers an enormous amount of software. Automated testing tools had hit the vulnerable line of code five million times without ever catching the problem. The third is a Linux kernel privilege escalation chain where Mythos went from ordinary user access to complete machine control by exploiting subtle race conditions and KASLR bypasses.

The Firefox experiment is the clearest technical signal. Anthropic previously used Opus 4.6 to find vulnerabilities in Firefox 147’s JavaScript engine. Those bugs were all patched in Firefox 148. When they asked Opus 4.6 to turn those known vulnerabilities into working shell exploits, it succeeded only twice out of several hundred attempts. Mythos Preview developed working exploits 181 times and achieved register control 29 more. That is the difference between a model that can theoretically identify a problem and a model that can operationally weaponize it.

The exploit sophistication is staggering. In one case Mythos wrote a browser exploit that chained four vulnerabilities together using a JIT heap spray to escape both the renderer sandbox and the OS sandbox. It also autonomously wrote a FreeBSD NFS remote code execution exploit that granted full root access to unauthenticated users by splitting a 20-gadget ROP chain across multiple packets.

On CyberGym, a vulnerability reproduction benchmark developed at UC Berkeley, Mythos scored 83.1% compared to Opus 4.6’s 66.6%. On Cybench, a set of 35 capture-the-flag challenges, Mythos solved every single one with a 100% pass rate. The benchmark is now fully saturated and no longer informative for frontier models.

The scaffold Anthropic uses is remarkably simple. They launch an isolated container with the target project and its source code, invoke Claude Code with Mythos Preview, and give it a prompt that essentially says “please find a security vulnerability in this program.” Then they let it run. Non-security-engineers at Anthropic asked Mythos to find remote code execution vulnerabilities overnight and woke up the next morning to complete working exploits.

What This Means for Enterprise Security

In the video I talked about what actually happens inside a Fortune 500 company when a threat like this emerges. The first thing every CISO does is panic a little. Then they start calling their vendors.

This is the reality of enterprise security that most coverage misses. Your average Fortune 500 company does not have deep cybersecurity expertise in-house. They outsource that expertise to Microsoft, Cisco, Dell, Oracle, IBM, and companies like CrowdStrike and Palo Alto Networks. Those vendors publish security bulletins, and the internal teams read those bulletins and implement the recommended mitigations.

Glasswing is Anthropic inserting itself upstream of that entire vendor pipeline. By giving every major vendor the same tool simultaneously, they are ensuring that the security bulletins flowing downstream to enterprise customers will be informed by the most capable vulnerability discovery tool ever built. The vendor perimeter that Fortune 500 companies already rely on becomes dramatically stronger.

The attacker-defender asymmetry is real but manageable. Agentic coding and AI-assisted vulnerability discovery do provide structural advantages to attackers first because attackers can adapt more quickly. A lone hacker or state-sponsored team can spin up a model and start scanning immediately. Defenders have change management processes, vendor relationships, and organizational inertia.

But in the long run, defenders have the home field advantage. Every single vendor in the security ecosystem will be using these tools to harden their products. Every internal team will use them to analyze logs, run penetration tests, and automate the sanity checks that humans should be doing every single time but often forget to do.

This is the real value proposition. Machines never become complacent. A security script that runs every five minutes runs the same way every time. Until now those automated processes were fixed and were never adaptive. They could not read logs and reason about what they found unless they had an updated definition of what to look for. Integrating models like Mythos into the defensive apparatus means automated security becomes dynamic for the first time. It can encounter something unfamiliar, search vendor documentation, cross-reference known vulnerability databases, and flag genuine threats without waiting for a human to write a new rule.

Humans remain the weakest link. This has always been true and always will be. The most robust cybersecurity posture in the world can be undermined by a single employee clicking a phishing email. And it is often the people you would least expect. In my experience the lawyers who think they know better than the IT team are among the easiest to dupe, followed closely by executives whose risk profile should make them more careful but often does not. The layer 8 problem, as we call it in infrastructure, is permanent. AI cannot eliminate human error, but it can automate many of the consistency checks that humans are supposed to perform and routinely skip.

The Political Backdrop

Glasswing lands in the middle of an extraordinary legal confrontation between Anthropic and the Pentagon. In February 2026, Anthropic refused to grant the Department of Defense unrestricted access to Claude for “all lawful purposes.” The company held two red lines. It would not allow its AI to be used in fully autonomous weapons. It would not allow its AI to be used for domestic mass surveillance.

Defense Secretary Pete Hegseth responded by designating Anthropic a supply chain risk. This designation had never before been applied to an American company and was traditionally reserved for entities connected to foreign adversaries. President Trump ordered all federal agencies to cease using Anthropic’s technology. Within hours of the Anthropic blacklisting, OpenAI signed a $200 million deal with the DoD.

Anthropic sued, and a federal judge blocked the designation, writing that the Pentagon’s actions constituted “classic illegal First Amendment retaliation” and that nothing in the governing statute supports branding an American company a potential adversary for expressing disagreement with the government.

The irony of Glasswing arriving against this backdrop is hard to overstate. The company that the Pentagon tried to blacklist for maintaining safety guardrails is now voluntarily distributing the most powerful cybersecurity tool ever built to defend critical infrastructure. Glasswing is a demonstration that responsible deployment and maximum capability can coexist.

One more layer of irony. The model that can find 27-year-old vulnerabilities in the most security-hardened operating system in the world was revealed to the public because someone at Anthropic misconfigured a content management system. A layer 8 problem exposed a model built to solve layer 8 problems. The memes, as they say, write themselves.