Anthropic Launches Project Glasswing To Harden Software Security

Anthropic launched Project Glasswing on April 7, 2026, giving more than 50 vetted partners, including Apple, Google, Microsoft, AWS, Cisco, CrowdStrike, NVIDIA, JPMorganChase, and the Linux Foundation, gated access to Claude Mythos Preview, a frontier model Anthropic says autonomously found thousands of zero-day vulnerabilities across every major operating system and browser. Anthropic is not releasing Mythos publicly, citing offensive misuse risk, and is committing up to $100 million in usage credits plus $4 million in direct donations to open-source security groups. Disclosed examples include a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug missed by five million automated test runs. Anthropic has committed to publishing a public report on results within 90 days, due around July 6, 2026.
For security and ML teams, Project Glasswing is less a single product launch than a signal that frontier models have crossed a capability line: Anthropic says Claude Mythos Preview autonomously found and chained together vulnerabilities that survived decades of human review and millions of automated tests, including a 27-year-old flaw in OpenBSD and a 16-year-old bug in FFmpeg that automated testing had missed five million times. Anthropic is withholding the model from public release specifically because that same capability could accelerate attackers, and is instead routing access through a vetted coalition, an approach worth watching as a template for how labs handle other dual-use capability jumps.
What happened
Anthropic announced Claude Mythos Preview and Project Glasswing on April 7, 2026, giving vetted access to a coalition of technology and security organizations rather than releasing the model publicly. Core launch partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, alongside more than 40 additional organizations that build or maintain critical software infrastructure. Anthropic is committing up to $100 million in Claude usage credits to the effort, plus $4 million in direct donations split between the Linux Foundation's Alpha-Omega and OpenSSF programs and the Apache Software Foundation.
Technical context
Anthropic says Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and web browser, working autonomously without human steering in most cases. Three disclosed examples: a 27-year-old remote-crash vulnerability in OpenBSD, an operating system with a reputation for being security-hardened; a 16-year-old bug in the video library FFmpeg that automated testing tools had exercised five million times without catching it; and a chained set of Linux kernel vulnerabilities that let an attacker escalate from ordinary user access to full control of a machine. On Anthropic's CyberGym vulnerability-reproduction benchmark, Mythos Preview scored 83.1% versus 66.6% for Claude Opus 4.6, the company's next-best model; on SWE-bench Verified it scored 93.9% versus 80.8%.
For practitioners
The gap between Mythos Preview and Opus 4.6 on coding and cyber benchmarks previews how fast this capability class is moving, with concrete implications: teams should expect model-driven vulnerability discovery to become a normal part of red-team and dependency-audit workflows, and should treat long-unpatched code paths, like FFmpeg's, as newly exposed rather than safely dormant. Because Mythos itself stays gated, the near-term risk is asymmetric: defenders inside Project Glasswing get a head start, while everyone else should assume comparable offensive capability is 6 to 24 months away, per Anthropic's own estimate.
Timeline
A data leak exposed draft documents describing an unreleased Anthropic model under the working names Mythos and Capybara, first reported by Fortune.
Anthropic officially launched Claude Mythos Preview and Project Glasswing, giving vetted partners gated access to the model.
Anthropic's committed 90-day public report on Project Glasswing's findings and fixes is due.
What to watch
Anthropic's 90-day public report, due around July 6, 2026, should offer the first concrete evidence of Glasswing's real-world impact, including which vulnerabilities were fixed. Also watch whether Mythos-class capability proliferates to actors outside the partner group faster than the 6-to-24-month window Anthropic has floated, and how partners including Cisco, AWS, Microsoft, and Google operationalize Mythos findings into patches and advisories.
Key Points
- 1Claude Mythos Preview autonomously found a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug that missed five million automated tests.
- 2Anthropic withholds Mythos from public release and gates access to over 50 partners, judging its offensive potential too risky for open release.
- 3Anthropic must publish a public report on results within 90 days of the April 7 launch, meaning the disclosure is due around July 6.
Scoring Rationale
A frontier lab plus 11+ major tech/security/finance organizations coordinating gated access to an AI model that autonomously found concrete, verified vulnerabilities (a 27-year-old OpenBSD flaw, a 16-year-old FFmpeg bug, chained Linux kernel escalation) is a significant, well-evidenced marker of AI-driven offense/defense capability shift with direct national-security relevance. The 90-day public disclosure commitment (due ~July 6, 2026) makes this a live, trackable story rather than a one-off announcement, supporting a score at the top of the major/industry-shaking band.
Sources
Public references used for this report.
View 22 more sources
- 04Apple, Google, and Microsoft join Anthropic's Project Glasswing to ...zdnet.com
- 05Anthropic says its most powerful AI cyber model is too dangerous to ...venturebeat.com
- 06Tech giants launch AI-powered 'Project Glasswing' to identify critical ...cyberscoop.com
- 07Introducing Project Glasswing: Giving Maintainers Advanced AI to ...linuxfoundation.org
- 08Warner Statement on Anthropic's Project Glasswing - Press Releaseswarner.senate.gov
- 09Anthropic's Project Glasswing—restricting Claude Mythos to security ...simonwillison.net
- 10Anthropic just said this: "We formed Project Glasswing ... - Threadsthreads.com
- 11Anthropic debuts Project Glasswing, leveraging its powerful Mythos model to reinforce software securitysiliconangle.com
- 12Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiativeitsecuritynews.info
- 13Techmeme: Anthropic says it will make a preview of its Mythos model available to more than 40 organizations, as part of a new Project Glasswing cybersecurity initiative (Lucas Ropektechmeme.com
- 14Anthropic limits Mythos AI rollout over fears hackers could use model for cyberattackscnbc.com
- 15Anthropic unveils powerful Mythos AI model, working with Apple in cybersecurity initiative9to5mac.com
- 16Anthropic Launches ‘Project Glasswing’ to Stealthily Spot Cybersecurity Issues for Rivalsgizmodo.com
- 17Anthropic says its latest AI model is too powerful for public release and that it broke containment during testingbusinessinsider.com
- 18Anthropic Tests Latest Cybersecurity Tech With Big Tech, Banks - Apple (NASDAQ:AAPL), Amazon.com (NASDAQ:benzinga.com
- 19Anthropic Mythos model can find and exploit 0-daystheregister.com
- 20Anthropic touts AI cybersecurity project with Big Tech partnersthehindu.com
- 21New AI too dangerous for public release – Anthropic — RT Business Newsrt.com
- 22Top AI-Powered Cybersecurity Stocks Gain On Anthropic's Glasswinginvestorideas.com
- 23Anthropic's AI to Help Apple Find iOS, macOS, and Safari Vulnerabilitiesmacrumors.com
- 24Anthropic Project Glasswing: Mythos Preview gets limited releasenbcnews.com
- 25The Day the Locks Broke: Claude Mythos, Project Glasswing, and the Coming AI Cyber Stormspacewar.com
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

