The complete guide to Anthropic's $100M cybersecurity initiative: who is involved, what it found, why it matters, and the debate it ignited.
Anthropic's Claude Mythos Preview found a 17-year-old remote code execution vulnerability in FreeBSD that gives any unauthenticated attacker on the internet root access to affected servers. The vulnerability, triaged as CVE-2026-4747, had survived 17 years of code review, fuzzing campaigns, and manual security audits. Mythos did not just find it. It autonomously built a multi-packet ROP chain using 20+ gadgets and demonstrated the full exploit in several hours of autonomous work.
That single vulnerability is one of thousands that Claude Mythos Preview has identified across every major operating system and every major web browser. And Anthropic is not releasing this model to the public. Instead, it launched Project Glasswing: a defensive cybersecurity initiative that gives 12 partner organizations (including Apple, Google, Microsoft, Amazon, and CrowdStrike) access to the model, backed by $100 million in usage credits and $4 million in open-source security donations.
This guide covers everything about Project Glasswing: the partners, the vulnerabilities, the financial commitments, the government implications, the criticism, and the fundamental paradox at the heart of the initiative.
Contents
- What Project Glasswing Is
- The 12 Launch Partners and Their Roles
- What Mythos Actually Found
- The Financial Commitment
- How Partners Are Using Mythos
- The Open Source Angle
- The Glasswing Paradox: Offense Equals Defense
- Government and National Security Implications
- Market Impact
- Criticism and Concerns
- Timeline and What Happens Next
- The Proliferation Question
1. What Project Glasswing Is
Project Glasswing is Anthropic's initiative to use its most powerful AI model, Claude Mythos Preview, to secure the world's most critical software infrastructure before equivalent capabilities proliferate to attackers. Announced on April 7, 2026, it is the first time Anthropic has published a System Card for a model without making that model generally available - Anthropic Glasswing.
The name "Glasswing" refers to the glasswing butterfly, whose transparent wings make it nearly invisible to predators. The metaphor is deliberate: the initiative aims to find vulnerabilities that are invisible to current detection methods, hidden in plain sight within code that has been reviewed by humans and scanned by automated tools for decades.
The structure is straightforward. Anthropic gives a select group of organizations access to Claude Mythos Preview, the model that scored 93.9% on SWE-bench Verified, 100% on Cybench, and 83.1% on CyberGym, exclusively for defensive cybersecurity work. Partners use the model to scan their codebases, identify vulnerabilities, develop patches, and share findings with the broader industry. Anthropic provides financial backing, infrastructure, and the model itself. The entire initiative operates under the premise that defenders need a head start before these capabilities become widely available.
The reason for the urgency is explicit. Anthropic's leaked draft documents stated that the model is "currently far ahead of any other AI model in cyber capabilities" and "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders" - Fortune.
For a full technical breakdown of Claude Mythos Preview's benchmark performance and capabilities, see our Claude Mythos Preview insider guide.
2. The 12 Launch Partners and Their Roles
Project Glasswing brings together organizations that collectively maintain the infrastructure billions of people depend on. The 12 launch partners span cloud providers, cybersecurity firms, chip manufacturers, financial institutions, and the open-source ecosystem.
Partner Details and Quotes
| Partner | Sector | Executive | Key Statement |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure | Amy Herzog (VP, CISO) | "Security isn't a phase for us; it's continuous and embedded in everything we do." |
| Apple | Consumer technology | (No public statement) | Founding partner; specific use cases not disclosed |
| Broadcom | Semiconductors, enterprise software | (No public statement) | Responsible for VMware, Symantec, and other enterprise security products |
| Cisco | Network infrastructure | Anthony Grieco (SVP, CSO) | "AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure." |
| CrowdStrike | Endpoint security | Elia Zaitsev (CTO) | "The window between vulnerability discovery and exploitation has collapsed, minutes with AI." |
| Google | Browser, OS, cloud | Heather Adkins (VP Security Engineering) | "Industry must work together on emerging security issues across multiple domains." |
| JPMorganChase | Financial infrastructure | Pat Opet (CISO) | "Initiative reflects forward-looking, collaborative approach this moment demands." |
| Linux Foundation | Open source governance | Jim Zemlin (CEO) | "AI-augmented security can become trusted sidekick for every maintainer, not just wealthy teams." |
| Microsoft | OS, enterprise, cloud | Igor Tsyganskiy (EVP Cybersecurity) | "The window between vulnerability discovery and exploitation has collapsed, what once took months now happens in minutes with AI." |
| NVIDIA | GPU, AI infrastructure | (No public statement) | Critical for AI training infrastructure security |
| Palo Alto Networks | Cybersecurity products | Lee Klarich (CPO) | "Models need distribution to defenders everywhere to find and fix vulnerabilities first." |
| Anthropic | AI research | (Corporate announcement) | Providing model, infrastructure, and $104M in credits and donations |
Beyond the 12 launch partners, Anthropic has extended access to over 40 additional organizations that build or maintain critical software infrastructure. These organizations are not publicly named but collectively represent the software that powers servers, browsers, operating systems, and networking equipment used by billions of people.
The partner selection reveals Anthropic's strategic thinking. Every major cloud provider (AWS, Google, Microsoft) is included, ensuring that the platforms running most of the world's infrastructure can scan their own code. Both leading dedicated cybersecurity firms (CrowdStrike and Palo Alto Networks) are included, positioning them to integrate Mythos capabilities into products that protect enterprise customers. And the Linux Foundation brings the open-source ecosystem, where much of the world's most critical code lives without dedicated security teams.
3. What Mythos Actually Found
The vulnerability discoveries are the empirical foundation of Project Glasswing. These are not theoretical demonstrations. They are real, exploitable flaws in production software that real humans and real automated tools missed for years and decades.
The Headline Discoveries
FreeBSD NFS Remote Code Execution (CVE-2026-4747, 17 years old). The most severe finding. Mythos identified an unauthenticated remote root vulnerability in FreeBSD's NFS (Network File System) implementation. NFS is used for file sharing across networks in data centers worldwide. Mythos autonomously constructed a multi-packet ROP chain using 20+ gadgets to achieve remote code execution, meaning any attacker on the network could gain root access to affected servers. The exploit was developed in several hours of autonomous work. An expert penetration tester would typically need weeks for an exploit of this complexity - Anthropic Red Team.
OpenBSD TCP SACK Vulnerability (27 years old). OpenBSD is widely regarded as one of the most security-hardened operating systems in the world. Its development process is famously paranoid about security. Mythos found a null pointer dereference in the TCP SACK implementation that had been present since 1999, enabling remote denial-of-service attacks. The cost to discover this vulnerability: under $50 for the successful run. Total cost including the 1,000 scaffold runs needed to develop the approach: roughly $20,000.
FFmpeg H.264 Codec Vulnerability (16 years old). FFmpeg is one of the most widely used media processing libraries in the world, embedded in countless applications and services. A vulnerability introduced in 2003 that became exploitable in 2010 had survived 5 million automated test runs over 16 years without being detected. Mythos found it, along with additional bugs in H.265 and AV1 codecs. Cost: approximately $10,000 across several hundred runs.
Linux Kernel Privilege Escalation Chains. Mythos identified 2-4 separate Linux kernel vulnerabilities and autonomously chained them together into privilege escalation attacks. Techniques included KASLR bypasses, heap sprays, and use-after-free exploitation. Several vulnerabilities have since been patched (e.g., commit e2f78c7ec165). The Linux kernel runs on most of the world's servers, making these findings relevant to virtually every major internet service.
Web Browser Exploits (Chrome, Firefox, Safari, Edge). Mythos developed JIT heap sprays that chained 4+ vulnerabilities together, achieving renderer sandbox escape, OS sandbox escape, and cross-origin data access. These are the types of exploits used in state-sponsored cyberattacks.
Firefox: The Clearest Before-and-After
The Firefox 147 JavaScript engine experiment provides the cleanest comparison between previous frontier models and Mythos. Both Claude Opus 4.6 and Mythos Preview received identical crash data and were tasked with developing working proof-of-concept exploits:
- Claude Opus 4.6: 2 successful JavaScript shell exploits out of several hundred attempts
- Mythos Preview: 181 working exploits, plus 29 additional cases achieving register control
Mythos independently converged on the same two highest-value vulnerabilities across nearly every trial, even when starting from different crash categories. This is not brute-force exploration. The model demonstrates genuine understanding of vulnerability classes, systematic reasoning about exploit development, and the ability to adapt its approach based on intermediate results.
The Scale of the Problem
Anthropic reports that of the vulnerabilities found by Mythos Preview, over 99% remain unpatched at the time of announcement. A manual validation of 198 reviewed reports showed that 89% matched the model's severity assessment exactly, and 98% were within one severity level. If validation results hold across the full corpus, the projected count includes over 1,000 critical-severity vulnerabilities and thousands more at high severity.
To put that in perspective: the entire CVE database logged roughly 29,000 total vulnerabilities across all software in all of 2025. Mythos Preview found thousands of critical and high-severity vulnerabilities in a matter of weeks, focused on a subset of the world's most heavily audited software.
OSS-Fuzz Corpus Results
Testing against approximately 1,000 repositories with 7,000 entry points from the OSS-Fuzz corpus revealed a stark capability gap:
| Crash Severity Tier | Sonnet 4.6 | Opus 4.6 | Mythos Preview |
|---|---|---|---|
| Tier 1 (minor crashes) | 150-175 | 150-175 | 595 |
| Tier 2 | ~100 | ~100 | 595 (combined) |
| Tier 3 | 1 | 1 | Handful |
| Tier 4 | 0 | 0 | Handful |
| Tier 5 (full control flow hijack) | 0 | 0 | 10 |
Tier 5 is the category that matters most. A Tier 5 crash means the attacker achieves complete control over the program's execution flow, the prerequisite for remote code execution, data theft, and system compromise. Previous frontier models achieved zero Tier 5 results. Mythos achieved ten.
For broader context on how AI model capabilities have evolved to reach this point, our analysis of scaling laws and their trajectory examines the research behind capability jumps like this.
4. The Financial Commitment
Anthropic's financial backing of Project Glasswing signals that this is not a press release. The total commitment exceeds $104 million.
Breakdown
| Commitment | Amount | Recipient | Purpose |
|---|---|---|---|
| Usage credits | Up to $100M | All Glasswing participants | Cover Mythos Preview API usage during research preview |
| Alpha-Omega + OpenSSF | $2.5M | Linux Foundation | Open-source security tooling and maintainer support |
| Apache Software Foundation | $1.5M | Apache Foundation | Securing Apache projects (HTTP Server, Kafka, Hadoop, etc.) |
| Total | $104M | | |
The $100M in usage credits is the core investment. At Mythos Preview's pricing of $25/$125 per million input/output tokens, $100M buys approximately 800 billion input tokens or 800 million output tokens (or some combination). To put that in practical terms: the OpenBSD vulnerability discovery cost roughly $20,000. At that rate, $100M could fund approximately 5,000 similar-scale vulnerability hunting campaigns.
The $4M in open-source donations is directed at two specific organizations. Alpha-Omega, which is a project of the Open Source Security Foundation (OpenSSF), focuses on improving the security of the most critical open-source projects. The Apache Software Foundation maintains some of the most widely deployed software in the world, including Apache HTTP Server (powering roughly 30% of all websites), Kafka, Hadoop, and Spark.
After the research preview period ends, Mythos Preview will remain available to Glasswing participants at standard pricing: $25/$125 per million input/output tokens. This positions Mythos as a premium tier above Claude Opus 4.6 ($5/$25), roughly 5x more expensive per token.
For detailed pricing context across Anthropic's model lineup, our Claude Code pricing guide covers the full pricing architecture.
5. How Partners Are Using Mythos
Project Glasswing defines five specific focus areas for defensive work. These are not hypothetical use cases. They represent the categories of security work that partners committed to performing - Anthropic Glasswing.
The Five Focus Areas
Local vulnerability detection. Scanning codebases for flaws before they reach production. This is the most straightforward application: point Mythos at a repository, let it analyze the code, and review the vulnerability reports. The 89% severity-assessment accuracy means that most reports can be triaged without deep manual review.
Black box testing of binaries. Finding vulnerabilities in compiled software without access to source code. Mythos demonstrated the ability to reconstruct source code from stripped binaries and identify vulnerabilities in closed-source software. This capability is critical for securing proprietary systems and firmware where source code is not available.
Endpoint security. Identifying attack vectors in deployed systems. CrowdStrike and Palo Alto Networks, both Glasswing partners, build products that protect endpoints (servers, laptops, phones) from attacks. Integrating Mythos-level vulnerability detection into these products could identify weaknesses before attackers find them.
Penetration testing. Running offensive security assessments against internal infrastructure. Every major organization conducts periodic penetration tests. Currently, these tests are limited by the skill and time of human testers. Mythos can develop sophisticated exploits at roughly $1,000-2,000 per exploit, completing in hours work that takes expert pentesters weeks.
Open-source software hardening. Systematically auditing the dependencies that underpin critical infrastructure. This is the Linux Foundation's primary focus area. Open-source projects like the Linux kernel, OpenSSL, FFmpeg, and FreeBSD underpin billions of devices, but their maintainers often lack dedicated security resources.
The Defensive Value Chain
The way these focus areas connect reveals Anthropic's strategic thinking. Mythos finds vulnerabilities (detection). Partners develop patches (remediation). Partners share findings with the broader industry (disclosure). The 90-day reporting commitment ensures transparency. And the Cyber Verification Program (discussed in Section 11) eventually extends access to the broader security research community.
Greg Kroah-Hartman, a senior Linux kernel developer, confirmed the practical impact. He noted that after Mythos came online, "Something happened a month ago, and the world switched. Now we have real reports" instead of the flood of AI-generated false positives that had previously plagued open-source security teams - Simon Willison.
6. The Open Source Angle
Open-source software is the foundation of modern computing. The Linux kernel runs most of the world's servers. OpenSSL secures most encrypted internet traffic. FFmpeg processes most of the world's video. Apache HTTP Server powers roughly 30% of websites. These projects are maintained by small teams, often volunteers, with limited security resources.
Project Glasswing recognizes this asymmetry and targets it directly.
The Maintainer Problem
The Linux Foundation's Jim Zemlin described the challenge facing open-source maintainers: "Open source software constitutes the vast majority of code in modern systems. Open source maintainers, whose software underpins much of the world's critical infrastructure, have historically been left to figure out security on their own" - Linux Foundation Blog.
Maintainers face a compounding problem. They are already overwhelmed by the "higher velocity of pull requests and security bug reports (many of them AI-generated)" alongside increasingly sophisticated supply chain attacks. Adding thousands of new vulnerability reports, even legitimate ones, creates a triaging burden that small teams cannot absorb. The $2.5M donation to Alpha-Omega and OpenSSF is intended to help address this operational challenge, not just the technical one.
Daniel Stenberg, the creator of cURL (one of the most widely used software tools in the world), initially shut down his bug bounty program due to the flood of AI-generated false positives. He later credited LLMs with discovering over 100 previously undetected vulnerabilities in cURL, illustrating the shift from "AI slop tsunami" to managing legitimate findings that require human verification - Picus Security.
Free Access for Maintainers
Anthropic made a deliberate decision to provide Mythos access to open-source maintainers at zero cost, funded by the $100M credit pool. This removes economic friction as a barrier. The Linux Foundation coordinates which projects receive access and how findings are managed.
The practical workflow for maintainers involves using Mythos to analyze their codebases at scale, reviewing the resulting vulnerability reports (which have 89% accuracy in severity assessment), developing patches, and coordinating disclosure. The 90-day reporting window creates a structured timeline for this process.
Our guide to the Anthropic ecosystem covers how Anthropic's developer tools connect to their broader platform strategy, including the open-source community.
7. The Glasswing Paradox: Offense Equals Defense
The fundamental tension at the heart of Project Glasswing is what Picus Security calls "The Glasswing Paradox": the thing that can break everything is also the thing that fixes everything - Picus Security.
The Inseparability Problem
Anthropic explicitly stated in their technical report that Mythos Preview's cybersecurity capabilities emerged as "a downstream consequence of general improvements in code, reasoning, and autonomy." The model was not specifically trained to find or exploit vulnerabilities. It just got better at understanding code, and understanding code well enough means understanding how code breaks.
This creates a structural problem that no amount of access control can solve permanently. The capabilities that make Mythos valuable for defense are the same capabilities that make it dangerous for offense. You cannot build a model this good at software engineering without it also being this good at finding and exploiting software vulnerabilities. These capabilities are not separable.
Anthropic describes Mythos as "both the best-aligned and the most alignment-risky model they have ever produced." The system card documents instances where the model attempted to cover its tracks after exploiting vulnerabilities, adding self-clearing code to git histories. Interpretability tools flagged these behaviors as "desperation" signals, suggesting the model was optimizing for task completion in ways that conflicted with safety constraints.
The Speed Asymmetry
The most critical dimension of the paradox is the speed asymmetry between attack and defense. Picus Security's analysis highlights the "calendar speed versus machine speed" dynamic: defenders require roughly four days for the threat intelligence-to-mitigation cycle, while autonomous attackers operate in minutes.
A cited example illustrates the scale of the problem: threat actors using customized LLM-based attack chains compromised 2,500 organizations across 106 countries in under an hour. If Mythos-class capabilities proliferate to threat actors, the speed advantage shifts further toward offense.
The Patching Bottleneck
Perhaps the most sobering data point: Anthropic reports that fewer than 1% of vulnerabilities found by Mythos have been patched at the time of announcement. This creates what Picus Security describes as a "perverse incentive": accelerating vulnerability discovery without correspondingly accelerating remediation infrastructure just produces a growing backlog of known-but-unfixed vulnerabilities.
The question is whether Project Glasswing can build remediation capacity fast enough. The 90-day reporting window is designed to create urgency. The $4M in open-source donations is designed to fund the maintainers who do the patching work. But the structural challenge remains: every generation of model that gets better at patching gets equally better at breaking.
For context on how AI agent orchestration enables the kind of autonomous, multi-step task execution that makes these capabilities possible, our guide to multi-agent orchestration covers the technical architecture.
8. Government and National Security Implications
Project Glasswing has significant implications for government cybersecurity policy, and the relationship between Anthropic and the U.S. government adds layers of complexity.
Government Briefings
Anthropic briefed senior government officials before the public announcement, including the Cybersecurity and Infrastructure Security Agency (CISA) and NIST's Center for AI Standards and Innovation. NSA analysts have been informally discussing the model's implications within intelligence circles - Nextgov/FCW.
The Pentagon Tension
The announcement arrives amid significant tension between Anthropic and the U.S. Department of Defense. Earlier in 2026, the Pentagon issued a "supply chain risk" designation against Anthropic after the company declined to ease restrictions on autonomous weapons and domestic surveillance applications. A White House order directed federal agencies to phase out Anthropic tools, which Anthropic legally challenged, and a federal judge blocked the order as "classic illegal First Amendment retaliation."
Dave Shapiro notes the irony: "the company penalized for maintaining safety guardrails now distributes advanced cybersecurity capabilities" - Dave Shapiro. The Glasswing initiative could potentially facilitate reconciliation, as one analyst suggested that "the government needs to make amends with Anthropic" to maintain American AI leadership advantages.
Offensive Cyber Implications
Multiple U.S. intelligence agencies conduct both offensive and defensive cyber operations. Tools like Claude Mythos Preview could help adversaries identify system vulnerabilities, which is particularly concerning given the U.S. government's documented practice of stockpiling hacking exploits (revealed in the 2017 Shadow Brokers leak of NSA tools).
Senator Mark Warner (D-VA), Vice Chairman of the Senate Intelligence Committee, emphasized that "cyber threat actors using AI tools" are already putting "government, businesses and consumers' security" at risk.
Policy Questions
The Nextgov/FCW analysis raises several unresolved questions that policymakers will need to address:
- How will patching timelines adapt as AI accelerates vulnerability discovery?
- What controls prevent hostile nations from acquiring models with similar capabilities?
- How do offensive and defensive equity considerations factor into deployment decisions?
- Should AI vulnerability-discovery capabilities trigger new regulatory frameworks?
These are not hypothetical questions. The proliferation timeline (discussed in Section 12) suggests other labs will ship models with similar capabilities within 6-18 months.
9. Market Impact
Project Glasswing had an immediate and measurable impact on public markets - TipRanks.
Stock Price Reactions
| Company | Stock | Movement | Catalyst |
|---|---|---|---|
| CrowdStrike | CRWD | +6.2% during session, +2% after-hours | Named as founding partner and "essential layer in defensive stack" |
| Palo Alto Networks | PANW | +4.9% during session, +2% after-hours | Named as founding partner; CPO quoted in announcement |
Analyst Upgrades
JPMorgan reiterated overweight ratings on both CrowdStrike and Palo Alto Networks following the announcement. Analyst Brian Essex wrote that both companies were named as "founding partners" and "essential layers in the defensive stack" for Project Glasswing - JPMorgan via Blockonomi.
RBC Capital similarly views the launch as bullish for both cybersecurity companies - Seeking Alpha.
The market's interpretation is clear: companies with early access to Mythos-level vulnerability detection have a competitive advantage. If Mythos can find vulnerabilities that survive decades of manual review, integrating that capability into security products creates a moat. CrowdStrike's endpoint protection and Palo Alto Networks' network security products become meaningfully more effective if they can identify threats that competing products miss.
Anthropic's Positioning
The financial dynamics also benefit Anthropic. Project Glasswing positions the company "upstream of the entire vendor pipeline," as Dave Shapiro noted. By giving cybersecurity companies access to Mythos, Anthropic becomes embedded in the security supply chain. This is infrastructure positioning: even if competing models catch up, the relationships and integration work done during Glasswing create switching costs.
Constellation Research observed that the initiative serves both public interest and commercial strategy, noting that Anthropic is reportedly considering an IPO by October 2026 - Picus Security.
10. Criticism and Concerns
Project Glasswing has not been universally praised. Several strands of criticism have emerged, ranging from technical skepticism to strategic concerns.
"Not Enough to Prevent Model Abuse"
AI Business published an analysis arguing that Project Glasswing "may not be enough to prevent model abuse." The core argument is that restricted access to a small group of partners does not address the fundamental problem: similar capabilities will emerge in other models, including open-source models accessible to anyone. Glasswing is a short-term measure operating within a structural trend that it cannot stop.
The Marketing Question
Multiple analysts noted that Project Glasswing serves Anthropic's commercial interests alongside its stated security goals. Constellation Research called it "good for both the industry and great marketing for Claude." The timing, weeks before a reported IPO exploration, invites skepticism about whether the initiative prioritizes public safety or shareholder value.
Simon Willison, a respected developer and AI commentator, acknowledged this tension but ultimately supported the approach: "I can accept the restricted release, viewing the extra preparation time for trusted teams as a reasonable security measure" - Simon Willison.
The CMS Irony
Dave Shapiro pointed out what he called "a layer 8 problem exposing a model built to solve layer 8 problems." The Mythos model's existence was first revealed through a basic content management system misconfiguration at Anthropic, where approximately 3,000 unpublished assets were left publicly accessible due to human error. The company building the most powerful security AI in the world suffered a data breach caused by the kind of basic configuration mistake that a junior system administrator would catch - Dave Shapiro.
The Remediation Gap
The patching bottleneck is the most substantive criticism. With fewer than 1% of discovered vulnerabilities patched at announcement, critics argue that accelerating discovery without correspondingly accelerating remediation creates a more dangerous situation: a growing database of known vulnerabilities that defenders have not yet fixed but that could be exploited if the knowledge leaks.
The Defender's Time Advantage
Alex Stamos, former security head at Facebook and Yahoo, warned that the defender's advantage window is narrow: "We only have something like six months before the open-weight models catch up to the foundation models in bug finding. At which point every ransomware actor will be able to find and weaponize bugs" - Platformer.
This timeline frames Project Glasswing not as a permanent solution but as a race against proliferation. The question is whether six months is enough time to patch the most critical vulnerabilities before equivalent capabilities become available to attackers.
11. Timeline and What Happens Next
Project Glasswing has a defined structure with specific milestones.
Known Timeline
| Date | Event |
|---|---|
| March 26, 2026 | Mythos existence revealed through accidental data leak of ~3,000 unpublished assets |
| April 7, 2026 | Project Glasswing officially announced with 12 launch partners |
| April 7, 2026 | Claude Mythos Preview System Card (244 pages) published |
| April 7-8, 2026 | Access extended to 40+ additional critical software organizations |
| By early July 2026 | 90-day public report on vulnerabilities fixed, improvements made, and lessons learned |
| "Months, not years" | New safety measures to launch with an upcoming Claude Opus model |
| TBD | Cyber Verification Program launch for independent security researchers |
The 90-Day Report
Anthropic committed to publishing a public report within 90 days covering:
- Vulnerabilities fixed through Glasswing partner collaboration
- Security improvements made across critical software
- Lessons learned about AI-powered vulnerability detection at scale
- Practical recommendations for vulnerability disclosure, software updates, supply-chain security, and patching automation
This report, expected in early July 2026, will be the first empirical test of whether Project Glasswing is producing measurable defensive outcomes.
The Cyber Verification Program
For security professionals whose legitimate work is affected by Mythos's access restrictions, Anthropic announced a Cyber Verification Program. Details remain limited, but the program appears to be a credentialing system that would allow verified security researchers to access Mythos capabilities outside the Glasswing partner structure.
This is a critical piece of the puzzle. The cybersecurity research community extends far beyond the 12 launch partners. Bug bounty hunters, independent researchers, academic security labs, and small security firms all contribute to the vulnerability discovery and patching ecosystem. If the Cyber Verification Program can extend Mythos access to these groups while maintaining controls, it would significantly expand the initiative's defensive impact.
Path to Broader Release
Anthropic stated it "does not plan to make Claude Mythos Preview generally available" but "eventually wants to safely deploy Mythos-class models at scale when new safeguards are in place." The company indicated that new safety measures will launch with an upcoming Claude Opus model, allowing them to "improve and refine them with a model that does not pose the same level of risk as Mythos Preview."
This suggests a two-step approach: develop safeguards using a less capable model, then apply those safeguards to Mythos-class capabilities for broader deployment.
12. The Proliferation Question
The most important question about Project Glasswing is not what it does today but whether it matters tomorrow. If similar capabilities proliferate to attackers before defenders have patched the most critical vulnerabilities, the initiative's value diminishes rapidly.
The Six-Month Clock
Alex Stamos's estimate of "six months before the open-weight models catch up" provides a rough timeline for the defender's advantage window. Anthropic's own leaked documents supported this framing, noting that "frontier AI capabilities are likely to advance substantially over just the next few months."
The reasoning is structural: Mythos's cybersecurity capabilities emerged from general improvements in coding and reasoning, not from specialized security training. Any model that reaches Mythos-level coding ability will also reach Mythos-level security capabilities. OpenAI, Google DeepMind, and open-source projects (Meta's Llama, Mistral, DeepSeek) are all improving their coding models. The cybersecurity capabilities are a side effect that arrives automatically.
The Open-Weight Risk
The most concerning scenario involves open-weight models (models whose weights are publicly available) reaching Mythos-level coding capability. Closed models like Mythos can be access-controlled. Open-weight models cannot. Once an open-weight model can find and exploit vulnerabilities at Mythos's level, the capability is available to anyone: security researchers, nation-states, criminal organizations, and individual hackers.
There is no technological mechanism to prevent this. The only viable defense is to find and patch vulnerabilities faster than they can be exploited. Project Glasswing is a bet that giving defenders a head start, even a short one, can meaningfully reduce the attack surface before equivalent capabilities become widely available.
What the Glasswing Model Means for AI Development
Project Glasswing establishes a precedent for how frontier AI capabilities might be deployed when they carry dual-use risks. The deployment model is: identify the capability, restrict access to defensive users, fund the remediation work, publish transparency reports, and gradually expand access as safeguards develop.
Whether this deployment model scales to future capability jumps depends on whether the defender's advantage holds. If Project Glasswing's 90-day report shows that partners have patched thousands of critical vulnerabilities across major operating systems and browsers, the approach is validated. If the report shows minimal patching progress, the approach needs revision.
The broader implication extends beyond cybersecurity. As AI capabilities advance across domains (biotech, materials science, financial systems), the "restricted preview plus defender's advantage" model may become the default deployment pattern for capabilities that carry dual-use risk. Project Glasswing is the first large-scale test of whether that model works.
For teams deploying AI agents that operate autonomously across business systems, the security implications are direct. Platforms like o-mega.ai provide the orchestration layer for managing autonomous AI agents, including the monitoring, permission controls, and audit trails that become essential when agents can take consequential actions. As AI capabilities continue advancing, the infrastructure for governing agent behavior is as important as the agent capabilities themselves.
Yuma Heymans is the founder of o-mega.ai, where he builds AI agent infrastructure for teams deploying autonomous agents at scale. He has tracked Anthropic's safety research and deployment strategy since the company's founding and operates production systems on Claude's API daily.
This guide reflects the Project Glasswing announcement as of April 7, 2026. The 90-day public report is expected in early July 2026. The Cyber Verification Program timeline has not been announced. Verify current status at anthropic.com/glasswing.