Anthropic Project Glasswing and Claude Mythos AI security vulnerability discovery

Frontier AI labs usually ship their best work and let the market sort out the consequences. Project Glasswing is the opposite play. Anthropic has built its most capable security-relevant model so far, Claude Mythos Preview, and explicitly decided not to release it — describing the model as able to surpass 'all but the most skilled humans at finding and exploiting software vulnerabilities' and arguing no developer, itself included, has built safeguards strong enough to prevent Mythos-class misuse ^[1]. Instead, around fifty hand-picked partners — Amazon Web Services, Apple, Broadcom, Cisco, Cloudflare, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Mozilla, NVIDIA, Palo Alto Networks among them — were given gated access through a defensive coalition. The entire program is calibrated to put a dual-use capability into defensive hands first, before the equivalent shows up outside the fence.

The economic shape of the bet is unusual. Anthropic committed $100M in Mythos Preview usage credits to Glasswing partners and another $4M in direct cash to open-source security ($2.5M to Alpha-Omega/OpenSSF, $1.5M to the Apache Software Foundation) ^[1]. After the preview, Mythos Preview will be billed at $25 per million input tokens and $125 per million output tokens — among the most expensive frontier-model rates ever quoted ^[2]. The signal is that this is not a typical product launch: Anthropic is treating a frontier model as defensive infrastructure rather than as a consumer surface.

The productization end-state is already visible. Anthropic is wiring Mythos 1 into Claude Code, its agentic coding tool, and Claude Security, an Enterprise product that entered public beta on May 22, 2026 with a triage dashboard built specifically for the flood of findings the model generates ^[3]. The story Anthropic wants told is not 'we built a hacker' — it is 'we built a defensive utility, then built the triage tooling to make it usable, then began renting it to the few customers who can absorb the output.'

What makes Mythos different from prior LLM bug-finders is not just the hit rate — it is the unit economics. In Anthropic's own report, a fully working exploit chain was produced from a CVE identifier and a git hash in under one day for under $2,000 in compute, and roughly one thousand scaffold runs against OpenBSD cost under $20,000 in total ^[2]. That OpenBSD run is what surfaced a 27-year-old TCP SACK flaw that had survived nearly three decades of code review on a system whose entire reputation rests on auditability. Mythos was reliable enough on severity that human validators agreed exactly with the model's severity rating in 89% of 198 manually reviewed reports and were within one level in 98% of cases ^[2].

Independent evaluation backs the framing. The UK AI Security Institute reports Mythos Preview succeeds on 73% of expert-level CTF tasks 'which no model could complete before April 2025,' and is the first model to solve the multi-stage TLO attack range end-to-end ^[4]. The CTF gap is the part that matters: a 30-percentage-point jump on expert tasks in roughly one model generation is the kind of capability step that breaks planning assumptions for both attackers and defenders.

If the offensive marginal cost of a working exploit is now in the low four figures and the success rate on expert tasks is north of seventy percent, the strategic shape of cybersecurity flips. Bain's read is that the era of AI-enabled attacks 'is here, and organizations cannot afford to be reactive,' and that many enterprises will need to roughly double current cybersecurity spend rather than continue with the planned single-digit annual increases ^[5]. The boards that internalized 'detect and respond' as the dominant doctrine are now being told the next era is 'prevent at the source, or accept compromise.'

The eye-catching number from the one-month update is 10,000 zero-days. The number that actually changes how cybersecurity works is 97. Of 1,596 vetted Mythos findings disclosed to upstream maintainers, only 97 had been patched at the one-month mark — a roughly 16-to-1 gap between disclosure and fix ^[6]. Several open-source maintainers have explicitly asked Anthropic to slow the disclosure rate, and the Linux Foundation has flagged maintainer stress as a load-bearing risk of the program ^[9]. The bottleneck has cleanly moved from discovery to remediation.

The asymmetry shows up at the partner level too. Mozilla used Mythos against Firefox 150 and surfaced 271 vulnerabilities (180 sec-high, 80 sec-moderate, 11 sec-low) — roughly ten times the yield from Claude Opus 4.6 on Firefox 148 ^[8]. Cloudflare's deployment generated roughly 2,000 findings, 400 of them high or critical, at a lower false-positive rate than human-led testing ^[7]. ISACA argues the consequence is that 'the speed needed to exploit new vulnerabilities has been reduced from days or weeks to mere hours' ^[10]. In other words: even before any offensive equivalent of Mythos leaks, defenders have less grace period than the historical model assumes.

There is one hopeful counter-pressure: Linux kernel maintainer Greg Kroah-Hartman reports that AI-generated patches in early Glasswing testing have been 'pretty good' ^[9]. If Mythos-class models can also write the fix — not just find the bug — the loop closes. Until that happens, the question every CISO has to answer is whether their software dependency tree includes any project whose patch queue is now backed up by months.

The loudest contrarian voice on Mythos is not from academia but from working engineers. The single most-watched skeptical YouTube essay frames the launch as a marketing stunt comparable to ChatGPT-5 and Devin hype cycles, with the core argument that 'the moat is money, not models' — spending roughly twenty thousand dollars to surface a single bug does not, by itself, mean the model is doing software engineering. Inside the r/cybersecurity community, the dominant counter-frame is that Mythos is 'just faster SAST on GPUs,' and the most-cited concrete data point is the curl project's maintainer reporting that five 'confirmed' findings collapsed into one actual vulnerability under review. Reddit threads from practitioners with hands-on Preview access describe Mythos as 'a slightly better Opus 4.7' that needs heavy harness work, prompt engineering, and false-positive triage to be useful in production.

What the skeptical read does not dispute is the empirical floor. Human validators independently agreed with Mythos's severity rating on 89% of manually reviewed findings, and were within one level in 98% ^[2]. The AISI's 73% success rate on expert CTF tasks is independent of Anthropic's marketing surface ^[4]. And the Cloudflare and Mozilla numbers above were reported by those vendors directly, not by Anthropic. The honest synthesis is that both readings can be true at once: Mythos is unlocking real, expensive, previously-uneconomic vulnerability discovery, and the headline counts probably include duplicate root causes that telescope into smaller deduplicated lists.

The second-order question is what happens when the equivalent capability is no longer gated. Glasswing's design assumes that frontier-model bug-finding will diffuse — to other labs, to nation-state actors, eventually to open-weights — and that the only durable advantage is the head start defenders get from being inside the coalition. If the duration of that head start is months rather than years, the strategic question for everyone outside the fence is not whether to budget for AI-assisted vulnerability management, but how soon.