Project Glasswing: A Coalition to Defend Critical Software from AI-Powered Attacks

Anthropic just dropped a bombshell. They’ve been training a new frontier model called Claude Mythos Preview, and it’s already found thousands of high-severity vulnerabilities in every major operating system and web browser. That’s not a typo. Every major OS. Every major browser. Flaws that survived decades of human review and millions of automated tests, now exposed by an AI.

This is both terrifying and promising. So Anthropic did something smart: they launched Project Glasswing, a coalition of heavy hitters including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The goal? Use this model’s offensive capabilities for defense, before the bad guys get their hands on similar tech.

The Mythos Preview reality check

Claude Mythos Preview isn’t publicly available yet, and for good reason. Anthropic describes it as a general-purpose frontier model that can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. That’s a big claim, but the results speak for themselves.

Think about what this means. The software running our banking systems, medical records, power grids, and logistics networks has always had bugs. Some are minor annoyances. Others are critical security flaws that, if discovered, could let attackers hijack systems, steal data, or disrupt operations. Historically, finding these required rare expertise and months of effort. Now, a single AI model can do it in weeks.

The cost, effort, and expertise required to find and exploit vulnerabilities have all dropped dramatically. Anthropic notes that over the past year, AI models have become increasingly effective at reading and reasoning about code. Mythos Preview represents a leap in these cyber skills, developing exploits that are increasingly sophisticated.

This isn’t just theoretical. State-sponsored attacks from China, Iran, North Korea, and Russia are already threatening critical infrastructure. The global financial costs of cybercrime might be around $500B every year, according to rough estimates. With AI-augmented attacks, things could get much worse.

Defenders need a durable advantage

Here’s the part I find genuinely encouraging: the same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws. Project Glasswing is explicitly designed to give defenders a durable advantage.

The launch partners will use Mythos Preview as part of their defensive security work. Anthropic is sharing what they learn so the whole industry benefits. They’ve extended access to over 40 additional organizations that build or maintain critical software infrastructure, covering both first-party and open-source systems.

Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, plus $4M in direct donations to open-source security organizations. That’s real money, not just PR.

But let’s be honest: this is a starting point. No single organization can solve these cybersecurity problems alone. Frontier AI developers, software companies, security researchers, open-source maintainers, and governments all have essential roles to play. The work of defending the world’s cyber infrastructure might take years, while frontier AI capabilities are likely to advance substantially over just the next few months.

The elephant in the room

I can’t help but wonder about the broader implications. Anthropic is essentially saying, “We built a model that can break into everything, but we promise to use it for good.” That’s a reasonable position, but it raises uncomfortable questions.

What happens when similar capabilities proliferate to actors who aren’t committed to deploying them safely? Anthropic acknowledges this concern directly: “Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely.” The fallout for economies, public safety, and national security could be severe.

This is why Project Glasswing feels urgent rather than optional. The window for defenders to get ahead is closing fast. If we wait until AI-powered attacks become commonplace, it will be too late.

What I’d like to see next

First, transparency about what Mythos Preview actually found. Anthropic says it found thousands of zero-day vulnerabilities across major systems, but they haven’t disclosed specifics. I get that full disclosure could be dangerous, but some level of detail would help the community understand the scale of the problem.

Second, clear metrics for success. How many vulnerabilities get fixed? How quickly? How does this compare to traditional security audits? Without numbers, it’s hard to know if this initiative is genuinely moving the needle.

Third, a plan for when these capabilities inevitably leak or are replicated by others. Project Glasswing is defensive, but the offensive genie won’t stay in the bottle forever.

For now, this is one of the most pragmatic moves I’ve seen from an AI company. Instead of just warning about risks, Anthropic is building the tools and coalitions to address them. Let’s hope it’s enough.
