Start with the mechanism. That is where the signal lives, not in the press release language or the partner logos. What does Project Glasswing do, step by step, and what does the comparative evidence tell us about whether it will work?
On April 7, Anthropic launched a cybersecurity initiative built around Claude Mythos Preview, a model the company describes as its most capable system. The model found thousands of zero-day vulnerabilities across every major operating system and web browser. It discovered a 27-year-old bug in OpenBSD that allowed any machine running the OS to be crashed remotely. It found a 16-year-old flaw in FFmpeg that automated testing tools had exercised five million times without detection. It chained multiple Linux kernel vulnerabilities to escalate from ordinary user access to full system control.
Those are verifiable claims. The OpenBSD and FFmpeg vulnerabilities have been reported to maintainers and patched. Anthropic published cryptographic hashes for vulnerabilities still in the remediation pipeline. The CyberGym benchmark score stands at 83.1% for Mythos versus 66.6% for Opus 4.6. On SWE-bench Verified, the gap is 93.9% to 80.8%. These numbers permit independent evaluation.
“We do not plan to make Claude Mythos Preview generally available due to its cybersecurity capabilities.” -- Newton Cheng, Frontier Red Team Cyber Lead, Anthropic
The institutional design of Glasswing deserves scrutiny. Twelve launch partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. Over 40 additional organizations with extended access. A hundred million dollars in usage credits from Anthropic. Four million in direct donations to open-source security organizations, split between Alpha-Omega, OpenSSF, and the Apache Software Foundation.
The 27-year-old OpenBSD vulnerability allowed an attacker to remotely crash any machine running the OS simply by connecting to it.
The disclosure pipeline is where the design gets tested. Anthropic built a triage system that sends the highest-severity bugs to professional human triagers who validate every report before submission to maintainers. The company says it will not submit large volumes of findings to a single project without first negotiating a sustainable pace. When source code is available, Anthropic aims to include a candidate patch labeled by provenance. The standard disclosure window is 45 days after a patch ships.
“In the past, security expertise has been a luxury reserved for organizations with large security teams. Open-source maintainers have historically been left to figure out security on their own.” -- Jim Zemlin, CEO, Linux Foundation
That framework sounds rigorous on paper. The stress test comes from scale. No vulnerability disclosure program has attempted to process thousands of zero-days across multiple platforms simultaneously. Open-source maintainers, many of them unpaid volunteers, face a fundamentally different workload when a single AI generates more high-severity bug reports in weeks than they might receive in years. Jim Zemlin of the Linux Foundation acknowledged the asymmetry: security expertise has been a luxury reserved for organizations with large teams, while maintainers have figured things out alone.
Anthropic donated 2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and 1.5 million to the Apache Software Foundation.
The comparative evidence matters here. DARPA ran its Cyber Grand Challenge in 2016. The winning AI bot, Mayhem, finished last when placed against human teams at DEF CON. Ten years later, Mythos chains kernel exploits. That delta is the strongest evidence available that AI-driven vulnerability discovery represents a genuine capability shift, not a marketing exercise. Microsoft confirmed the improvement against CTI-REALM, its open-source security benchmark. AWS reported that Mythos had already strengthened its code in early testing.
The financial structure demands examination. After the research preview period, Mythos costs 25 dollars per million input tokens and 125 dollars per million output tokens. It is available through the Claude API, Amazon Bedrock, Google Vertex AI, and Microsoft Foundry. Those prices reflect compute intensity. The model is expensive to serve. Anthropic simultaneously reported 30 billion in annualized revenue, up from 9 billion at the end of 2025, with over 1000 business customers each spending more than a million annually.
The security lapses complicate the trust equation. A CMS misconfiguration exposed 3000 internal assets including the draft Mythos blog post in late March. An npm packaging error leaked 512,000 lines of Claude Code source for three hours on March 31. Newton Cheng called these human errors in publishing tooling, not breaches of security architecture. That distinction is technically accurate. It is also the kind of distinction that erodes confidence when the organization asks Fortune 500 companies to trust it with a tool that can autonomously compromise the Linux kernel.
The evidence supports two conclusions. First, the capability is real. Patched vulnerabilities, benchmark scores, partner confirmations, and cryptographic disclosure hashes all point in the same direction. Second, the institutional design is untested at this scale. A 45-day disclosure window, a human triage pipeline, and negotiated submission pacing are reasonable principles. Whether they hold under the pressure of thousands of simultaneous critical findings remains an open question.
Anthropic says it will report publicly on lessons learned within 90 days and has proposed that an independent third-party body might be the ideal home for large-scale cybersecurity projects. That proposal deserves support. The mechanism works best when no single organization controls both the discovery tool and the disclosure process. Institutional design, not capability, will determine whether Project Glasswing produces durable security improvements or simply transfers vulnerability knowledge from one set of private hands to another.