Published Apr 08, 2026 • 7 min
Project Glasswing brings together AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in a coordinated effort to secure the world’s most critical software infrastructure.
The initiative was formed in direct response to capabilities observed in Claude Mythos Preview, an unreleased general-purpose frontier model that has demonstrated a level of cybersecurity skill that surpasses all but the most skilled human researchers. The core premise is straightforward: the same capabilities that make advanced AI dangerous in the wrong hands make it extraordinarily valuable for finding and fixing flaws before attackers can exploit them.
Over a short testing window, Claude Mythos Preview identified thousands of zero-day vulnerabilities, previously unknown flaws, across every major operating system and every major web browser, along with a range of other critical software.
Three examples illustrate the depth of what the model found. It uncovered a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems in the world, that allowed an attacker to remotely crash any machine running the system simply by connecting to it. It discovered a 16-year-old vulnerability in FFmpeg, in a single line of code that automated testing tools had reached five million times without ever flagging the problem. And it autonomously found and chained together multiple Linux kernel vulnerabilities to allow privilege escalation from ordinary user access to complete machine control.
All three have since been patched. Cryptographic hashes for additional vulnerabilities have been published, with full disclosure following each fix.
The significance of Project Glasswing is not the specific vulnerabilities found, it is what finding them autonomously signals about where AI capability now sits.
For decades, the difficulty of finding and exploiting serious software vulnerabilities acted as a natural barrier. Serious attacks required serious expertise. That barrier is eroding. Claude Mythos Preview scores 83.1% on the CyberGym cybersecurity benchmark, compared to 66.6% for Claude Opus 4.6, a gap that reflects a qualitative shift in what the model can do, not just an incremental improvement.
The global cost of cybercrime is estimated at roughly $500B annually, against a backdrop of state-sponsored attacks from multiple adversarial actors actively targeting critical civilian and military infrastructure. The emergence of AI-level vulnerability discovery capability in that context is not a technical footnote, it is a strategic inflection point.
Anthropic is committing up to $100M in Mythos Preview usage credits across Project Glasswing partners and an additional group of over 40 organizations that build or maintain critical software infrastructure. Access covers first-party and open-source system scanning, with expected focus areas including local vulnerability detection, black box binary testing, endpoint security, and penetration testing.
Beyond the major launch partners, Anthropic has donated $2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5M to the Apache Software Foundation, enabling open-source maintainers to respond directly to the changing landscape. A Claude for Open Source programme will extend model access to maintainers working on qualifying projects.
Within 90 days, Anthropic will publish a public report covering vulnerabilities fixed, improvements made, and lessons that can be shared across the broader industry.
Project Glasswing is framed explicitly as a starting point. Anthropic has noted that frontier AI capabilities are likely to advance substantially over just the next few months, meaning the window for defenders to establish an advantage is narrow and closing.
The initiative invites broader AI industry participation in setting security standards, with the possibility of an independent third-party body to coordinate ongoing large-scale cybersecurity work across public and private sectors. Anthropic has also been in ongoing discussions with US government officials on both the offensive and defensive implications of these capabilities, and has indicated readiness to work with legislators at all levels.
For the technology industry, the message is clear: the tools exist to get ahead of this problem. The question is whether the industry moves fast enough to use them.
