Anthropic just announced Project Glasswing, and the partner list reads like a who’s who of tech: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and of course Anthropic itself. That’s not a press release name-drop—these companies are actually committing engineering teams and resources to this thing.
The impetus is Claude Mythos Preview, an unreleased frontier model that Anthropic says has reached a level of coding capability where it can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. That’s not hyperbole from a marketing deck. According to Anthropic, Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. These aren’t trivial bugs either—some have survived decades of human review and millions of automated security tests.
Let me be blunt: this is both terrifying and necessary. We’ve all seen the headlines about state-sponsored attacks from China, Iran, North Korea, and Russia compromising critical infrastructure. The global financial cost of cybercrime is somewhere around $500B annually, and that’s a conservative guess. The problem has always been that finding serious flaws required rare expertise—a handful of skilled security researchers who could spend weeks on a single codebase. AI changes that calculus completely.
What Mythos Preview actually does
Over the past few weeks, Anthropic has been running Mythos Preview against real-world software. The model reads code, spots vulnerabilities, and develops exploits. It’s not just finding buffer overflows or SQL injection points—it’s reasoning about complex logic flaws that automated scanners miss. The exploits it generates are increasingly sophisticated, and the speed is what makes this different from anything before.
Ten years after DARPA’s first Cyber Grand Challenge, we’re now at a point where AI models are competitive with the best human vulnerability researchers. That’s a milestone worth paying attention to, not just for security professionals but for anyone who uses software—which is everyone.
The defensive play
Project Glasswing is built on a simple premise: the same capabilities that make AI dangerous in the wrong hands can be turned into an advantage for defenders. The launch partners will use Mythos Preview as part of their defensive security work. Anthropic is also extending access to over 40 additional organizations that build or maintain critical software infrastructure—think banking systems, medical records, power grids, logistics networks.
Here’s where the commitment gets real: Anthropic is putting up to $100M in usage credits for Mythos Preview across these efforts, plus $4M in direct donations to open-source security organizations. That’s not chump change, and it signals they’re serious about this being a long-term play rather than a PR stunt.
The uncomfortable truth
I’ve been watching AI security capabilities advance for years, and I’ll say this: the rate of progress is faster than most people realize. The model that found these vulnerabilities today will look primitive in six months. Anthropic acknowledges this openly—they say frontier AI capabilities are likely to advance substantially over just the next few months. For defenders to stay ahead, they need to act now, not wait for the perfect solution.
The risks of AI-augmented cyberattacks are serious. Without safeguards, these capabilities could be used to exploit existing flaws in the world’s most important software, making attacks more frequent and destructive. But there’s genuine reason for optimism here. The same technology that can break software can fix it, and Project Glasswing is an attempt to tip the balance toward defense before offense gets out of hand.
No single organization can solve this alone. Frontier AI developers, software companies, security researchers, open-source maintainers, and governments all have roles to play. Project Glasswing is a starting point—an urgent one, and a necessary one.
Comments (0)
Login Log in to comment.
Be the first to comment!