Project Glasswing: Anthropic builds a hacker's dream weapon

Anthropic is giving some 40 leading organizations access to its latest model, Mythos, hoping they fix their vulnerabilities in time

A TWENTY-SEVEN-YEAR-OLD vulnerability sat undisturbed inside OpenBSD, an operating system widely reckoned to be among the most security-hardened ever shipped, running quietly inside firewalls, routers and high-security servers around the world. It had survived repeated audits and the scrutiny of a famously paranoid maintainer community. Then Anthropic pointed its newest model at the codebase, and the model found it.

The model, called Mythos Preview, is the latest tier of Claude and the first that Anthropic has refused to release publicly on safety grounds. According to Axios, Mythos can surface "tens of thousands" of vulnerabilities — orders of magnitude more than Opus 4.6, last year's flagship, which turned up roughly 500 zero-days in open-source software over its lifetime. It writes working exploits to accompany them, and reproduces a known vulnerability on the first attempt in 83.1% of cases. In testing it found bugs in every major operating system and browser, and chained several Linux kernel flaws together in a way that would let a single operator commandeer most of the world's servers. Logan Graham, who runs the company's frontier red team, told Axios that rival labs are between six and eighteen months from comparable capability.

Glasswing and the gun show

Rather than ship Mythos broadly, Anthropic is seeding it to roughly forty organisations under a program called Project Glasswing, whose initial cohort reads like a defence industry roll-call: Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks. The company has earmarked $100m in usage credits for participants and another $4m for open-source security stalwarts including the OpenSSF and the Apache Software Foundation. The premise is the oldest one in security research: tell the defenders first, give them a head start, and the world is safer when the capability eventually leaks into the wild.
