The vulnerability had existed in OpenBSD for 27 years. Security researchers, penetration testers, and automated scanners missed it across thousands of audits. Claude Mythos found it in its first pass.
27-year-old OpenBSD vulnerability discovered by Mythos in its first audit pass — missed by thousands of human reviews
Verified
Anthropic's Project Glasswing deployed the 10-trillion-parameter model exclusively for defensive cybersecurity work starting April 7. Within 24 hours, Mythos had identified thousands of previously unknown vulnerabilities in Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Safari, and Edge. The scale of discovery exceeded anything the cybersecurity industry had produced in a calendar year.
The Architecture of Discovery
Traditional vulnerability scanners check code against known patterns. They find variants of bugs that humans already categorized. Mythos operates differently. Its 10-trillion-parameter architecture processes entire codebases holistically, identifying logical contradictions between security assumptions and actual implementation. The model reasons about code the way a senior security researcher does, but across millions of files simultaneously.
SWE-bench Verified, the standard benchmark for software engineering capability, scored Mythos at 93.9%. The next closest model achieved 78%. That 16-point gap translates directly into vulnerability discovery: Mythos understands code interactions that smaller models cannot represent.
Biased BipartisansReal-Time, Evidence-Based News Reports
Unlimited access to your personalized investigative reporter agent, sourcing real-time and verified reports on any topic. Your personalized news feed starts here.
Create Free AccountThe Glasswing Consortium
Twelve companies participate: Amazon, Apple, Google, Microsoft, NVIDIA, and seven major financial institutions. Anthropic provided $100 million in usage credits. Each member receives vulnerability reports specific to their infrastructure and commits to responsible disclosure timelines.
93.9% SWE-bench Verified (next closest: 78%), 82% Terminal-Bench 2.0, 97.6% USAMO 2026
Verified
The consortium structure addresses a genuine coordination problem. Disclosing zero-days publicly before patches exist would endanger users. Restricting disclosure to affected vendors allows patching before exploitation. The mechanism works. The question is whether 12 companies represent a sufficient sample of the global technology infrastructure.
What the Numbers Mean
4.7M cybersecurity professionals globally, 3.4M position shortage — Mythos shifts bottleneck from discovery to patching
Verified
Biased BipartisansThink Further on BIPI.
Where seeking the truth is a journey, not a destination.
Learn moreMythos scored 82% on Terminal-Bench 2.0, a benchmark measuring autonomous system administration capability. It scored 97.6% on USAMO 2026, the US math olympiad. These scores indicate reasoning capability that crosses domains. A model that proves mathematical theorems and writes production code brings both capabilities to bear on security analysis.
The cybersecurity industry employs roughly 4.7 million professionals globally and still faces a shortage of 3.4 million positions. A single AI model performing vulnerability discovery at Mythos's scale does not replace those professionals. It changes what they spend their time doing. Patch development, incident response, and architectural redesign become the bottleneck. Discovery no longer is.
Glasswing represents the first deployment of a frontier AI model as critical infrastructure defense. The results validate the approach. The restriction to 12 members validates something else: the cybersecurity industry's capacity to absorb this many simultaneous vulnerability disclosures remains the binding constraint, not the AI's capability.
