What is Project Glasswing, and why should anyone who uses software care?

Project Glasswing is Anthropic's program to use its most powerful AI model to hunt for dangerous security flaws in widely used software, before attackers find them first.

If you use a computer, a phone, or a bank account — and you do — you rely on software written by humans. Humans make mistakes. Sometimes those mistakes create holes in software that bad actors can slip through to steal your data, take over your accounts, or disrupt the services you depend on. Finding those holes before the bad guys do has always been the goal of cybersecurity. The problem is scale: there's far more software in the world than there are security experts to check it.

That's the gap Anthropic is trying to close with Glasswing. The program gives a select group of major organizations access to Claude Mythos Preview, Anthropic's most capable AI model, specifically trained and tuned for finding these security holes — what security professionals call vulnerabilities. The launch partners include household names: AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, NVIDIA, and Palo Alto Networks, plus about 40 more organizations that operate critical infrastructure — the kind of systems that power hospitals, financial markets, and electrical grids.

Anthropic is also putting money behind it: $100 million in AI usage credits so these organizations can actually run the scans, plus $4 million in direct donations to open-source security projects. The butterfly-wing logo on the Glasswing site isn't just branding — the glasswing butterfly's near-invisible wings are a genuine metaphor for what the program aims to do: find what's hiding in plain sight.

What bugs has this AI already found — and what does "27 years old" mean in practice?

Claude Mythos found thousands of unknown bugs across operating systems and software libraries, including flaws hiding undetected for over two decades.

To understand why a 27-year-old bug matters, think about it this way. OpenBSD is an operating system used in firewalls and servers. It's been reviewed and maintained by security-focused engineers since 1995 — people specifically trying to find and fix exactly this kind of problem. Despite that, a flaw existed in the code for 27 years without anyone catching it. Claude Mythos found it. The same AI found a 16-year-old vulnerability in FFmpeg, a piece of software that handles video on hundreds of millions of devices, from iPhones to smart TVs to video conferencing apps.

These aren't obscure pieces of software. OpenBSD sits underneath countless internet-facing systems. FFmpeg processes video on your devices right now. A vulnerability in either piece of software, in the hands of a sophisticated attacker, isn't just embarrassing — it's potentially a door into infrastructure that millions of people rely on daily.

The scale of what Mythos can review also matters here. A human security expert — even an elite one — can realistically audit a few thousand lines of code in a day and a large codebase in weeks or months. Mythos can scan files at a rate that's orders of magnitude faster, across codebases that no human team could cover in a reasonable timeframe. That speed difference isn't just efficiency. It changes what's possible.

Why did Anthropic keep Claude Mythos private instead of releasing it to everyone?

Because a tool that finds security holes can just as easily be turned into a tool that exploits them — and Anthropic decided that risk is too high to ignore.

This is the central tension in any powerful cybersecurity technology. Knowing that a door has a weak lock is useful information for the building's owner. It's equally useful for a burglar. The same AI capability that lets Apple find and patch a vulnerability in its operating system would let a criminal or a nation-state find that same vulnerability and use it to break in before the patch exists. In security terms, this is called a zero-day exploit — a flaw that's known to an attacker but unknown to the software's developer, who has therefore had zero days to fix it, leaving the attacker a window of opportunity while the victim has no warning at all.

Anthropic's previous internal research — some of which leaked ahead of the Glasswing announcement — showed that Claude Mythos had reached what the company internally described as "cyber dominance" in benchmark testing: it outperformed elite human penetration testers on standardized vulnerability discovery challenges. That result is what triggered the decision to pivot to a controlled, defense-first release model rather than making Mythos broadly available via the standard Claude API.

This is a genuine ethical call, and it's worth acknowledging that reasonable people could disagree. Open-sourcing powerful tools has a strong track record of accelerating both defense and research. But Anthropic looked at Mythos's capabilities and concluded the asymmetry favored keeping it private for now: defenders working through a structured consortium gain more than an open release would give them, because an open release would hand the same capability to attackers at the same time.

How is AI vulnerability hunting different from what security teams already do?

Human penetration testers work slowly and mostly find known patterns. Mythos is faster, covers far more code, and finds genuinely novel flaws.

Glasswing vs Traditional Security Approaches

| Approach | Speed | What it finds | Scale | Human overhead |
|---|---|---|---|---|
| Human penetration tester | Days to weeks per codebase | Known attack patterns, logic flaws | One codebase at a time | High — requires elite skill |
| Claude Mythos Preview | Hours across large codebases | Known patterns + novel zero-days | Thousands of files simultaneously | Low — reviews flag for human follow-up |
| Traditional automated scanner | Minutes to hours | Known signatures only | Millions of lines | Low — rule-based, no reasoning |
| Bug bounty program | Ongoing, unpredictable | Varies with researcher skill | Dependent on participant pool | Medium — requires coordination |

The key difference from traditional automated vulnerability scanning is that those tools work from rule libraries. They match code patterns against a list of known bad patterns. Mythos reasons about code — it can understand what a function is supposed to do, identify where the logic diverges from safe practice, and flag something it's never seen a signature for. That's the capability that explains the 27-year-old OpenBSD find. No rule-based scanner would have caught it because no rule existed for it.
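To make the rule-library point concrete, here is an added example written for this page (it is not Anthropic's, Glasswing's, or any vendor's scanner). It runs two toy checks over a constructed C snippet: a signature scanner that only matches a fixed list of dangerous calls, and a bounds check that records declared array sizes and compares constant indices against them. The sample source, the signature list and every function name are constructed for the illustration; the second check stands in for "reasoning about what the code means" only in the narrowest sense, but it is enough to show a flaw that no entry in a rule library describes.

```python
"""
Added example (not Anthropic's or Glasswing's code): a toy signature-based
scanner beside a toy size-tracking check, run over constructed C source.
The signature scanner matches a fixed list of dangerous calls; the second
check tracks declared array sizes and flags a constant index that is out
of range. Neither is a real analyzer; both exist to show why a rule
library alone misses a flaw no rule names.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one known-bad call (gets) and one off-by-one write
# that no signature names. Line numbers are 1-based for reporting.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

int read_name(void) {
    char name[32];
    gets(name);                 /* flagged by any signature list */
    return 0;
}

int set_terminator(const char *src) {
    char buf[16];
    strncpy(buf, src, 16);
    buf[16] = '\\0';            /* index 16 in a 16-byte buffer: off by one */
    return 0;
}
"""

# A "rule library": function names that a signature scanner treats as bad.
SIGNATURES: Dict[str, str] = {
    "gets": "unbounded read into a buffer",
    "strcpy": "unbounded copy into a buffer",
    "sprintf": "unbounded format into a buffer",
}

Finding = Tuple[int, str]  # (line number, message)


def signature_scan(source: str) -> List[Finding]:
    """Match each line against the known-bad call list. No reasoning."""
    findings: List[Finding] = []
    call_re = re.compile(r"\b(" + "|".join(map(re.escape, SIGNATURES)) + r")\s*\(")
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = call_re.search(line)
        if m:
            findings.append((lineno, f"call to {m.group(1)}(): {SIGNATURES[m.group(1)]}"))
    return findings


def bounds_scan(source: str) -> List[Finding]:
    """Track fixed-size char arrays and flag constant indices outside them.

    A crude stand-in for reasoning about what the code means: it needs no
    signature for buf[16]; it compares the index with the declared size.
    Scopes are ignored in this toy, so a redeclared name simply overwrites.
    """
    decl_re = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;")
    index_re = re.compile(r"\b(\w+)\s*\[\s*(\d+)\s*\]\s*=")
    sizes: Dict[str, int] = {}
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        d = decl_re.search(line)
        if d:
            sizes[d.group(1)] = int(d.group(2))
            continue
        for name, idx in index_re.findall(line):
            if name in sizes and int(idx) >= sizes[name]:
                findings.append((lineno, f"write to {name}[{idx}] but {name} holds {sizes[name]} bytes"))
    return findings


def compare(source: str) -> Dict[str, List[Finding]]:
    """Return both result sets so the gap between them is visible."""
    return {"signature": signature_scan(source), "bounds": bounds_scan(source)}


if __name__ == "__main__":
    for kind, findings in compare(SAMPLE_C).items():
        print(f"{kind} scan:")
        for lineno, msg in findings:
            print(f"  line {lineno}: {msg}")
```

Run as a script, the signature pass reports only the gets() call on line 6, while the size-tracking pass reports only the buf[16] write on line 13. Adding a fourth entry to SIGNATURES would never reach the second finding, which is the point of the paragraph above: a rule library can only grow by naming patterns someone has already seen.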

For the security teams at Glasswing's launch partners, this changes the economics of responsible disclosure. Responsible disclosure is the process by which a researcher who finds a vulnerability notifies the software developer privately and gives them time to release a patch before the finding becomes public. Mythos drastically compresses the time between discovery and patch-ready notification — which is the phase where defenders are most exposed.

Is AI actually better than human hackers at finding bugs?

Based on Anthropic's internal benchmarks, Claude Mythos surpasses even elite human security researchers on standardized vulnerability discovery tests — not occasionally, but consistently.

The honest caveat here is that benchmarks are controlled environments. A red team exercise against a real-world production system with custom configurations, unusual architectures, and non-standard libraries is different from a standardized test. Human experts still bring contextual judgment, institutional knowledge, and creative lateral thinking that AI systems struggle to replicate.

But here's what matters practically: the gap is closing fast, and on the measurable dimensions — coverage speed, volume of code reviewed, breadth of pattern recognition — AI has already passed human capability at scale. Most organizations don't have access to elite human penetration testers. The waiting lists for top-tier firms are long. The cost is significant. Mythos can do in hours what a skilled contractor would need weeks and five-figure invoices to accomplish. For the organizations in Glasswing's consortium, this isn't a replacement for human security expertise. It's a force multiplier that makes their existing teams dramatically more effective.

This also connects to a question researchers have been probing separately: when you deploy a powerful AI model to assist with sensitive technical work, including safety research, does it behave the way you expect? The UK AI Security Institute's recent evaluation found no confirmed sabotage, but did find that Claude models sometimes refused safety-relevant tasks entirely — a different kind of reliability question that security teams deploying Mythos will need to keep in mind.

Who gets access, and what does the $100 million in credits actually mean?

The 50+ consortium organizations were selected for the reach and criticality of their software — a defense-first distribution strategy, not a commercial one.

AWS infrastructure underlies a significant share of the internet. Apple's operating systems run on over a billion devices. Google's Chrome browser is the entry point to the web for most of the world. Microsoft's products are embedded in enterprise computing globally. These companies have their own substantial security teams and budgets. The value Glasswing adds is not replacing those teams — it's giving them a capability tier they couldn't buy elsewhere at any price, because Anthropic hasn't made it available for purchase.

The $100 million in usage credits is a subsidy designed to remove the friction of cost from adoption. Security scanning at scale generates substantial API usage. By pre-funding it, Anthropic makes it easy for organizations to run the scans at the pace and depth that actually moves the needle — rather than rationing usage to fit a budget. The $4 million going to open-source security projects addresses a different gap: the foundational libraries and tools that underpin most of the internet's software are often maintained by volunteer contributors with no paid security budget. That money goes directly to funding audits and patches in the codebases Glasswing can't fully reach on its own.

The Linux Foundation's involvement is notable specifically for this reason. The Linux kernel runs millions of servers, embedded systems, and Android devices. Security flaws in Linux have historically had enormous downstream impact. Having the Linux Foundation in the consortium means Glasswing's findings can flow directly into the patch and release process for one of the most widely deployed pieces of software on the planet.

What does this mean for regular people — and what should developers do right now?

For most people the impact is invisible but real: software gets patched faster, and vulnerabilities that might have gone undiscovered for decades get found before attackers exploit them.

The invisible nature of that value is actually the point. The best security outcome is the one where nothing bad happens. When a Glasswing scan finds the 27-year-old OpenBSD flaw, it gets patched in a routine update. You never know anything was wrong. The counterfactual — where a nation-state finds it first and uses it to compromise government servers — is the scenario that doesn't happen. That's the value, and it's genuinely hard to put a number on.

For developers and technical teams, the near-term action is clearer. Glasswing's launch means patches are coming for some significant codebases over the next few months. Staying current on updates from the Linux Foundation, Microsoft, Google, Apple, and other consortium members is more important than usual. The Glasswing scans are generating a queue of patches that will land as responsible disclosure timelines expire. Teams running older versions of key dependencies — FFmpeg in particular — should treat upcoming updates as security-critical rather than routine.
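One way to act on the "older versions of key dependencies" advice is to check an inventory against a minimum-version policy. The block below is an added example written for this page, not code from Anthropic, the Linux Foundation, FFmpeg or any consortium member. The inventory rows and the minimum versions are constructed placeholders chosen to exercise the comparison logic; they are not the versions any Glasswing-related fix will require, and the hostnames are invented.

```python
"""
Added example (not from the article or any consortium member): a small
inventory check that flags hosts running a dependency below a policy
minimum. Inventory lines and minimum versions are constructed
placeholders, not real advisory data; substitute your own.
"""
from typing import Dict, List, Tuple

# Constructed inventory, shaped like a "host,package,version" export from a
# CMDB or a package-manager query. None of these hosts exist.
INVENTORY = """\
web-01,ffmpeg,6.1.1
web-02,ffmpeg,4.4.2
media-07,ffmpeg,5.1
build-03,openssl,3.0.13
build-04,openssl,1.1.1w
"""

# Policy minimums: PLACEHOLDER values chosen for the example only, not the
# versions any Glasswing-triggered patch will require.
MIN_VERSIONS: Dict[str, str] = {
    "ffmpeg": "6.0",
    "openssl": "3.0",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.2' into (4, 4, 2). Non-numeric suffixes such as the 'w'
    in '1.1.1w' are stripped so the numeric part still compares."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when a < b, treating missing components as zero (5.1 == 5.1.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def find_outdated(inventory: str, policy: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, package, installed, required) for every row below policy.
    Packages with no policy entry are skipped rather than reported."""
    outdated = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, package, version = (field.strip() for field in line.split(",", 2))
        required = policy.get(package)
        if required is not None and version_lt(version, required):
            outdated.append((host, package, version, required))
    return outdated


if __name__ == "__main__":
    for host, package, installed, required in find_outdated(INVENTORY, MIN_VERSIONS):
        print(f"{host}: {package} {installed} is below policy minimum {required}")
```

The comparison pads shorter version strings with zeros so "5.1" and "5.1.0" compare equal, and it discards letter suffixes, which is good enough to rank "1.1.1w" against "3.0" but does not order "1.1.1a" against "1.1.1b". Anything more elaborate (pre-release tags, distribution epochs) belongs to a real version library; the point here is that a policy check is a few lines once the inventory exists, so the inventory is the part to build first.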

If your organization runs agentic workflows or automated pipelines that interact with externally exposed software, audit those surfaces now. AI agents that access external systems carry new classes of risk that traditional security scanning wasn't designed to catch. Mythos-style scanning is available inside the Glasswing consortium; for everyone else, the tooling coming out of that process will eventually make its way into mainstream security products — but not immediately.

What Glasswing actually buys — and what it can't fix

The framing Anthropic is using positions Glasswing as a defensive inflection point: AI defenders racing to weaponize capabilities before attackers do. That framing has merit, but it's worth being precise about what it means and what it doesn't.

Glasswing buys time. It doesn't buy a permanent advantage. Claude Mythos is Anthropic's most capable model as of today. Google, Microsoft, and other Glasswing partners have their own internal AI research programs that are building equivalent or superior capabilities. Nation-state threat actors with serious computing resources are doing the same. The capability gap that makes Mythos special today will narrow. The commonly cited estimate in security circles is 6 to 12 months before comparable offensive capability is available to well-resourced attackers who aren't in the Glasswing consortium. Anthropic's $100 million in credits may be buying the industry that window — and no more.

The deeper issue this project surfaces is one I've been watching since Dario Amodei's governance admission last year: who decides when a capability is too dangerous to release broadly? Anthropic made that call unilaterally here. Their reasoning is sound given what we know about Mythos's capabilities. But the process of one company deciding what the rest of the world gets access to — even with good intentions — is structurally uncomfortable. The Glasswing program is one of the more defensible versions of that power exercise I've seen. Using extraordinary capability to fund patches for open-source software the volunteers at the Linux Foundation can't afford to audit is hard to argue against.

What I'm watching: whether the responsible disclosure pipeline from Glasswing scans actually produces patches that get deployed at scale before the capability gap closes. Bug discovery is only half the equation. Patch deployment — especially across the long tail of organizations running old versions of critical dependencies — is where the security improvement either lands or evaporates. The Linux Foundation and FFmpeg maintainers will be the real test cases. If Glasswing-triggered patches move through the ecosystem before attackers independently find the same flaws, the program will have done exactly what it promised.
