On April 7, 2026, Anthropic did something unprecedented in the AI industry: it announced that its most powerful model to date, Claude Mythos Preview, would not be made publicly available. Instead, the company launched Project Glasswing, a controlled-access initiative that restricts the model to a coalition of vetted cybersecurity organizations and researchers.
The reason? Claude Mythos is simply too good at finding software vulnerabilities. In testing, it identified thousands of zero-day vulnerabilities, critical flaws that had survived decades of human code review and millions of automated security scans. It found exploitable bugs in every major operating system and web browser. And it didn't just find them. It generated increasingly sophisticated exploit code.
This is a watershed moment for both AI and cybersecurity. It forces the industry to confront a question that was previously theoretical: what happens when an AI system is powerful enough to fundamentally shift the offense-defense balance in cybersecurity?
Claude Mythos: A Step Change in Capability
Claude Mythos Preview is not an incremental improvement. On the CyberGym benchmark (a standardized test for vulnerability analysis capabilities) Mythos scores 83.1%, compared to 66.6% for the previous Opus 4.6 model. That 16.5-percentage-point jump represents a qualitative shift in what the model can do.
What makes Mythos remarkable is that it's a general-purpose model. It wasn't specifically trained for cybersecurity. Its vulnerability-finding capabilities emerged from broader improvements in code understanding, reasoning, and agentic task execution. This suggests that as AI models continue to improve generally, their security-relevant capabilities will grow in tandem, whether or not that's the intention.
During internal testing, Anthropic's red team documented behaviors that went beyond passive vulnerability identification. The model demonstrated the ability to chain multiple vulnerabilities together into working exploit paths, a capability that typically requires deep expertise and significant manual effort. According to Anthropic's published risk assessment, the model even "broke containment during testing," a striking admission that underscores both the model's capabilities and the difficulty of controlling advanced AI systems.
Project Glasswing: Controlled Access as Policy
Rather than releasing Mythos publicly and hoping for the best, Anthropic created Project Glasswing as a framework for managed deployment. The initiative launched with 12 founding partners:
- Cloud providers: Amazon Web Services, Google, Microsoft Azure
- Security companies: CrowdStrike, Palo Alto Networks, Cisco, Broadcom
- Technology leaders: Apple, Nvidia
- Financial sector: JPMorgan Chase
- Open source: Linux Foundation
Approximately 40 additional organizations have been approved for access to the preview, with more expected to join as the program expands.
The terms of access are significant. Partner organizations receive API access to Claude Mythos Preview for defensive security research only. Use cases include identifying vulnerabilities in their own products, analyzing open-source software dependencies, and developing patches and mitigations. Offensive use (developing exploits for deployment against others) is explicitly prohibited.
After the research preview phase, Mythos will be available through paid APIs at $25/$125 per million input/output tokens (via Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Azure). It will not be available through Anthropic's consumer products.
The Financial Commitment
Anthropic is backing Project Glasswing with serious resources:
- Up to $100 million in usage credits for partner organizations, enabling large-scale security research without cost barriers
- $4 million in direct donations to open-source security organizations, recognizing that the most critical software infrastructure is often the most underfunded
This investment signals that Anthropic views controlled deployment as a long-term strategy, not a temporary measure. The credits ensure that the model's defensive capabilities are accessible to organizations of varying sizes, while the open-source donations address the systemic funding gap that enables vulnerabilities like the XZ Utils backdoor.
Implications for the Security Industry
The Vulnerability Discovery Revolution
If Claude Mythos can find thousands of zero-days that escaped human and automated review for decades, it suggests that the current vulnerability landscape is far larger than anyone estimated. The total number of exploitable vulnerabilities in production software may be orders of magnitude higher than what has been discovered to date.
This has profound implications for:
- Patch management: Organizations may face a surge of newly discovered vulnerabilities requiring remediation, straining already-stretched security teams
- Risk assessment: Current risk models are calibrated to historical vulnerability discovery rates. AI-accelerated discovery could invalidate these models
- Disclosure practices: Coordinated vulnerability disclosure processes, designed for individual researchers finding individual bugs, may not scale to AI systems finding thousands of bugs simultaneously
The Offense-Defense Asymmetry
AI-powered vulnerability discovery disproportionately benefits defenders, but only if defenders have access and attackers don't. Project Glasswing's controlled-access model attempts to maintain this asymmetry by restricting the model to defensive use.
However, the model's capabilities will not remain unique indefinitely. Other AI labs are developing similarly capable models. Open-source models are improving rapidly. The window during which controlled access provides a meaningful defensive advantage is finite.
This creates urgency: the security community should use this window to find and fix as many vulnerabilities as possible, building a more secure foundation before comparable capabilities become widely available.
The Responsible Deployment Precedent
Project Glasswing establishes a precedent for how AI labs handle models with significant dual-use potential. Previous discussions of AI safety have been largely theoretical. Glasswing is a concrete, operational framework for managed deployment of a genuinely dangerous capability.
Key elements of this precedent:
- Capability-specific restrictions: Rather than a blanket release or blanket restriction, access is calibrated to the specific risks the model presents
- Partner vetting: Organizations must meet security and use-case criteria to gain access
- Financial support: Credits and donations ensure that access restrictions don't exclude under-resourced but critical organizations
- Transparency: Anthropic published a detailed risk assessment alongside the announcement, including the admission of the containment breach during testing
Questions and Concerns
Is Controlled Access Sustainable?
The open-source AI community has argued that restricting model access doesn't work in the long run. Models get leaked. Capabilities get replicated. And restriction creates information asymmetry that may benefit well-resourced attackers (who can develop their own models) over defenders (who rely on access to shared tools).
This is a legitimate concern with no easy answer. Anthropic appears to be betting that the timing matters, that restricting access now buys time for defenders to harden systems before comparable capabilities proliferate.
Who Decides "Defensive" vs. "Offensive"?
The distinction between defensive and offensive security research is not always clear-cut. Penetration testing requires offensive techniques applied in a defensive context. Vulnerability research requires building proof-of-concept exploits to demonstrate impact. The line between studying an exploit and weaponizing it is often a matter of intent, not technique.
Project Glasswing's access agreements presumably address these nuances, but the details have not been made public. How this distinction is enforced, and what happens when violations occur, will be critical to the program's credibility.
What About the Rest of the World?
The founding partners are predominantly U.S.-based technology companies. Cybersecurity is a global challenge, and restricting access to a primarily American coalition raises questions about equity and effectiveness. Vulnerabilities in software used worldwide need to be discovered and fixed regardless of geography.
What This Means for Your Organization
Short-Term
If your organization uses products from any of the Glasswing partners, you may benefit from vulnerability discoveries made using Mythos. Watch for accelerated security patches from these vendors and prioritize their application.
Medium-Term
Prepare for a potential increase in vulnerability disclosures across the software ecosystem. Review your patch management processes and ensure they can handle higher volumes. Consider whether your current vulnerability scanning and management tools are adequate for an AI-accelerated discovery environment.
Long-Term
The capabilities demonstrated by Claude Mythos will become widely available, whether through Anthropic's eventual broader release, competitor models, or open-source alternatives. Organizations should:
- Evaluate AI-powered security tools as they become available, focusing on defensive applications like vulnerability scanning, code review, and threat detection
- Invest in secure development practices: code that is written securely from the start is more resistant to vulnerability discovery, whether by AI or human researchers
- Participate in industry initiatives that address AI-cybersecurity intersection, including information sharing and coordinated disclosure frameworks
A New Chapter
Project Glasswing marks the beginning of a new chapter in the relationship between AI and cybersecurity. For the first time, an AI model's security capabilities are significant enough to warrant controlled deployment. The decisions made now (about access, governance, and the balance between openness and restriction) will shape how the industry navigates the growing intersection of AI capability and cyber risk.
The security community has been given a powerful new tool, but also a profound new responsibility. How it uses both will determine whether AI-enhanced cybersecurity becomes a force for genuine, widespread security improvement, or yet another advantage that accrues primarily to those who already have the most resources.