Anthropic Launches Project Glasswing to Fight Cyberattacks with New Mythos AI Model

by priyanka.patel tech editor

Anthropic is deploying its most advanced AI capabilities to shore up the world’s digital defenses, launching a wide-scale effort to identify and patch critical software vulnerabilities before they can be exploited by malicious actors. The company announced Tuesday that it is sharing a preview of its upcoming “Claude Mythos” model as part of a new cybersecurity initiative known as Project Glasswing.

The initiative brings together a coalition of industry giants—including Amazon, Apple, Microsoft, Google, Broadcom, Cisco, CrowdStrike, and Palo Alto Networks—alongside the Linux Foundation. This group will utilize the model’s advanced reasoning and coding abilities for defensive security work, with the intent to distribute their findings across the broader tech industry to harden critical infrastructure.

To support the effort, Anthropic is committing up to $100 million in model usage credits for security research and providing $4 million in direct donations to open-source security organizations. The company is also extending access to approximately 40 additional organizations responsible for maintaining essential software infrastructure.

The move comes as a response to the accelerating “arms race” in AI-driven cyber warfare. As large language models grow more proficient at writing code, there is a growing concern that they will be used to automate the discovery of “zero-day” vulnerabilities—security holes unknown to the software vendor—and the creation of sophisticated exploits.

The Emergent Power of Claude Mythos

The capabilities of the new model, referred to as Claude Mythos Preview, were discovered organically. Anthropic researchers noted that while training the model for general coding and reasoning skills, it developed a potent ability to identify security flaws without being specifically programmed to do so. This “emergent” capability allows the AI to act autonomously to find and exploit weaknesses in complex codebases.

In recent weeks, the Mythos model has already identified thousands of zero-day vulnerabilities. Among its most notable finds was a 27-year-old bug in OpenBSD, an operating system renowned for its rigorous security standards. The model also uncovered a 16-year-old vulnerability in a widely used piece of video software that had previously evaded traditional automated testing tools.

To quantify the leap in performance, Anthropic researchers conducted a benchmark test involving 1,000 open-source software repositories. They categorized the resulting “crashes” or exploits on a scale from one to five, where tier one represents basic crashes and tier five represents a complete control flow hijack—the most severe form of exploit.

AI Model Vulnerability Detection Performance
Model Version Tier 1 & 2 Crashes Tier 3 Crashes Tier 5 (Full Hijack)
Sonnet 4.6 / Opus 4.6 150–175 / 100 1 0
Mythos Preview 595 Multiple 10

The data shows a stark contrast: while previous iterations like Sonnet 4.6 and Opus 4.6 struggled to move beyond basic crashes, Mythos Preview achieved full control flow hijacks on 10 separate, fully patched targets. This level of proficiency suggests that the model can navigate the most modern defenses, making it a powerful tool for defenders—and a potentially dangerous one if accessed by bad actors.

Balancing Defense and Offensive Risk

The urgency of Project Glasswing is rooted in a timeline mismatch. While patching the global cyber infrastructure is a process that can seize years, AI capabilities are advancing in months. As Anthropic stated in a blog post, “For cyber defenders to come out ahead, we require to act now.”

Though, the existence of such a powerful tool creates a delicate tension between security and safety. A model capable of finding a 27-year-old bug in a secure OS is, by definition, capable of finding new bugs in banking systems, power grids, or government networks. This “dual-leverage” nature of the technology has led Anthropic to maintain ongoing discussions with U.S. Government officials regarding the model’s offensive and defensive potential.

This relationship with the state has not been without friction. Just last month, Anthropic was embroiled in a dispute with the Pentagon over the terms of a defense contract. The company opposed provisions that would have permitted the government to utilize its technology for domestic surveillance or within autonomous weapons systems. That disagreement led to the current dissolution of their working relationship.

What This Means for the Broader Ecosystem

For the average user, the immediate impact of Project Glasswing is invisible but critical. By empowering a coalition of the world’s largest software vendors to use Claude Mythos for “red teaming”—the process of attacking one’s own systems to find weaknesses—the goal is to eliminate vulnerabilities before they are ever weaponized.

The strategy shifts the AI paradigm from a simple coding assistant to an autonomous security auditor. If the coalition can successfully distribute their findings, it could lead to a systemic hardening of the open-source libraries and proprietary kernels that underpin the modern internet.

The primary stakeholders in this initiative include:

  • Infrastructure Providers: Companies like Microsoft and Amazon who maintain the cloud environments where most global data resides.
  • Open Source Communities: Organizations like the Linux Foundation, who benefit from the $4 million in direct donations and the identification of long-standing bugs.
  • Government Agencies: Who must balance the need for a secure infrastructure with the risks of deploying high-capability AI in sensitive environments.

As the project progresses, Anthropic intends to grant wider access to other members of the Mythos-class models. The next phase of the initiative will involve the coalition of tech firms applying these tools to their internal production environments to identify “silent” vulnerabilities that have existed for decades.

We invite you to share your thoughts on the use of autonomous AI for cybersecurity in the comments below.

You may also like

Leave a Comment