Two weeks ago, a CMS misconfiguration leaked Anthropic’s internal assessment of Mythos: “unprecedented cybersecurity risks,” “currently far ahead of any other AI model in cyber capabilities.” The framing was a liability. Today, Anthropic launched Project Glasswing and turned that liability into the pitch.

The model that posed unprecedented risk is now the one finding zero-days in your infrastructure. Same capabilities. Different narrative.

What Glasswing Actually Is

A cross-industry cybersecurity initiative using Claude Mythos Preview to autonomously discover and fix vulnerabilities in critical software. Not a product launch. A research preview with a carefully curated partner list.

The partners: Apple, Microsoft, Google, AWS, NVIDIA, Broadcom, Cisco, CrowdStrike, JPMorganChase, Palo Alto Networks, Linux Foundation. Plus 40+ additional organizations maintaining critical infrastructure.

Anthropic committed $100M in usage credits. An additional $2.5M goes to Alpha-Omega and OpenSSF through the Linux Foundation, $1.5M to the Apache Software Foundation. Open-source maintainers can apply through a “Claude for Open Source” program.

Post-preview API pricing: $25/$125 per million input/output tokens. Roughly 5x Opus 4.6 pricing.

The Numbers

The benchmarks tell the story:

  • CyberGym (vulnerability reproduction): 83.1% vs 66.6% for Opus 4.6
  • SWE-bench Verified: 93.9% vs 80.8%
  • SWE-bench Pro: 77.8% vs 53.4%
  • Humanity’s Last Exam (with tools): 64.7% vs 53.1%

What it found during testing: a 27-year-old OpenBSD flaw enabling remote crashes. A 16-year-old FFmpeg bug missed by 5 million automated test runs. Linux kernel vulnerabilities chained together to achieve full machine control.

The model operates fully autonomously. No human steering. It finds the vulnerability, develops the exploit, and chains attack paths on its own.

Not publicly available

Mythos Preview is invite-only through the Glasswing program. It won’t appear in the API or Claude Code. Anthropic is being deliberate about deployment, which is probably the right call given what it can do.

The Strategic Timing

Let’s be honest about what’s happening here. In the past two weeks, Anthropic has:

Glasswing reframes every one of these. The leaked model? Here it is, finding bugs no one else can. The Pentagon dispute? We’re now partnered with every major defense contractor’s tech supplier. The security criticism? We just committed $100M to fixing the problem at industry scale.

This is crisis management executed at an extremely high level. Whether it’s genuine or cynical depends on whether the 90-day public report materializes and whether the vulnerabilities actually get patched.

The Attack Surface Paradox

I’ve written before about how AI tools themselves become attack vectors. Glasswing confronts the inverse: what happens when the attack vector becomes the best defender?

The model that can chain Linux kernel vulnerabilities into full machine control is also the model best positioned to find and patch those vulnerabilities before someone else does. This is the dual-use problem made concrete. Every capability that makes Mythos dangerous for offense makes it indispensable for defense.

The supply chain attack on LiteLLM showed how fragile the dependency ecosystem is. The Claude Code leak demonstrated that even Anthropic’s own packaging pipeline is a security surface. Glasswing is Anthropic betting that the best response to AI-accelerated offense is AI-accelerated defense, and that they should be the ones running it.

“AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure.”

— Anthony Grieco, Cisco

What’s Missing

The guardrails question looms large. Glasswing is invite-only with a curated partner list. But Mythos-class models won’t stay exclusive forever. When competitors build equivalent capabilities, there’s no Project Glasswing gatekeeping deployment.

A few things I’m watching:

  • The 90-day report. Anthropic promised a public accounting of findings and patched vulnerabilities. If it’s substantive, this is a genuine contribution. If it’s vague, it was marketing.
  • Open-source maintainer access. The “Claude for Open Source” program sounds good. The question is scale. Do 10 maintainers get access, or 10,000?
  • The Pentagon paradox. Anthropic is partnering with Apple, Microsoft, Google, and AWS while being banned by the government those companies serve. CrowdStrike and Palo Alto Networks are major defense contractors. The politics here are wild.
  • Pricing at $25/$125. At 5x Opus pricing, this is firmly enterprise-tier. The open-source projects that need this most can’t afford it without the credit program.

The Bigger Picture

Glasswing is the most strategic thing Anthropic has done this year. It takes the Mythos leak, the Pentagon dispute, and the security criticism and turns them all into a single narrative: we build the most capable models, we take the risks seriously, and we’re using them to protect everyone.

The walled garden strategy makes more sense in this light. If you’re going to deploy a model that can autonomously chain zero-days, you need to control who uses it. The same instinct that led to the OpenClaw crackdown and the harness wars is now being applied to capabilities that actually warrant restriction.

Whether you trust Anthropic to be the gatekeeper depends on how you weight two things: the genuine danger of unrestricted Mythos-class models versus the concentration of defensive capability in a single company. Both concerns are valid. Glasswing doesn’t resolve the tension. It just makes the stakes clearer.

There’s a circularity here that’s hard to ignore. The zero-days Mythos finds so efficiently are the same class of vulnerabilities that Mythos-class models will make easier to exploit. We’re building AI to find the holes that AI will tear open. The defense is real, but so is the arms race it implies. Every generation of model that gets better at patching gets equally better at breaking. Glasswing is Anthropic selling the cure to a disease they’re helping create.

My PDF is still locked, though.