Project Glasswing: When AI Learned to Hack
Anthropic built a model it will not release publicly—and then used it to find vulnerabilities in every major operating system and web browser. The bugs it uncovered span decades: a 27-year-old flaw in OpenBSD, a 16-year-old defect in FFmpeg that survived five million automated test hits, and remote code execution paths in FreeBSD that gave a full root shell to any unauthenticated internet user. The company calls the initiative Project Glasswing. The security industry is calling it a wake-up call.
What Actually Happened
On April 8, 2026, Anthropic announced Project Glasswing, a cross-industry security effort backed by Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The initiative is built on top of an unreleased frontier model internally called Claude Mythos Preview—a general-purpose AI that Anthropic says surpasses all previously known models on software engineering and cybersecurity tasks.
Mythos Preview was not trained specifically for security. Its capabilities emerged as a downstream effect of general improvements in code understanding, reasoning, and autonomy. But those improvements turned out to be dramatic. On CyberGym benchmarks, Mythos scored 83.1% on vulnerability reproduction versus Opus 4.6's 66.6%. On SWE-bench Verified (the software engineering benchmark), the gap widened to 77.8% versus 53.4%. On Terminal-Bench 2.0, Mythos hit 94.6% against Opus 4.6's 91.3%.
The model has already identified thousands of zero-day vulnerabilities. The specific bugs Anthropic has disclosed publicly are striking enough on their own:
- OpenBSD (27 years old): A subtle TCP SACK implementation flaw that allowed a remote attacker to crash any exposed machine by sending a single packet. The bug involved two interacting integer overflow conditions that were independently harmless but catastrophic in combination.
- FFmpeg (16 years old): A vulnerability in the H.264 decoder where a slice counter collided with a memory sentinel, enabling a heap write out-of-bounds. Automated fuzzers hit the problematic code path five million times without triggering it.
- FreeBSD NFS server (17 years old): A remote code execution flaw that allowed any internet user to gain full root access. Mythos autonomously wrote a six-packet ROP chain exploit spanning roughly 200 bytes that added an attacker's SSH public key to the server's authorized_keys file. This earned CVE-2026-4747.
The pattern is consistent: Mythos finds bugs humans missed, and it writes working exploits for them without being prompted to do so.
Why This Is Different From Previous Security AI
Security tooling that uses AI is not new. Fuzzers, static analyzers, and vulnerability scanners have all been augmented with machine learning over the past decade. What makes Mythos Preview categorically different is the combination of three things it does simultaneously:
- It finds zero-days autonomously. It doesn't just flag suspicious patterns—it reads code, forms hypotheses, runs experiments, and produces confirmed exploits.
- It writes sophisticated exploits at scale. It has chained two, three, and four vulnerabilities together to achieve full privilege escalation in the Linux kernel. It wrote a browser exploit that chained four separate vulnerabilities with a complex JIT heap spray to escape both renderer and OS sandboxes.
- It does all of this without security domain expertise. Anthropic engineers with no formal security training asked Mythos to find remote code execution bugs overnight and woke up to complete working exploits.
Anthropic's own red team documented this in their Frontier Red Team blog, noting that Opus 4.6—previously the strongest model—turned Firefox JavaScript engine vulnerabilities into working exploits in roughly 2 out of several hundred attempts. Mythos did it in 181 out of several hundred.
The Offensive/Defensive Symmetry Problem
The uncomfortable truth Anthropic is raising is this: the same capabilities that make Mythos exceptional at finding vulnerabilities make it exceptional at exploiting them. Better code understanding, stronger reasoning, and higher autonomy are universal improvements. They don't come with a moral direction.
The company cited the DARPA Cyber Grand Challenge as a historical parallel—where automated vulnerability finding became competitive with human experts over a decade ago. But even that milestone didn't collapse the economics of cyber defense the way current AI capabilities threaten to. The Cyber Grand Challenge systems required enormous infrastructure and specialized teams. Mythos Preview runs on commodity hardware.
The implications are direct. Non-expert attackers can now find and exploit vulnerabilities that previously required nation-state-level resources. The window between vulnerability discovery and exploitation, already compressed by automation, could shrink to minutes rather than months. And the blast radius isn't theoretical: the software Mythos has already audited includes operating systems running firewalls, web browsers handling billions of sessions, cryptography libraries securing financial transactions, and cloud infrastructure handling virtual machine isolation.
What Project Glasswing Actually Does
Project Glasswing's immediate function is to get Mythos Preview into the hands of defenders before the capability diffuses more broadly. The partner organizations will use the model for their own security work—internal vulnerability scanning, penetration testing, black-box binary testing, and endpoint hardening.
Beyond the core partners, Anthropic is extending access to over 40 additional organizations that build or maintain critical software infrastructure, with an emphasis on open-source maintainers. The company has committed $100 million in usage credits and an additional $4 million in direct donations split between Alpha-Omega, OpenSSF, and the Apache Software Foundation.
The pricing for post-credit usage reflects Anthropic's dual goal: accessible enough for open-source maintainers, meaningful enough for enterprise security budgets. The model will be available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.
Within 90 days, Anthropic has committed to publishing a public report on what the initiative found, the vulnerabilities fixed, and the lessons learned.
The Partnership Landscape
The partner roster is notable for its breadth. It spans cloud providers (AWS, Google, Microsoft), security vendors (CrowdStrike, Palo Alto Networks), financial institutions (JPMorganChase), hardware manufacturers (Apple, Broadcom, NVIDIA), and open-source governance bodies (Linux Foundation). That mix signals that the problem Anthropic is trying to solve isn't just a vendor issue—it's an infrastructure issue.
Cisco's SVP and chief security and trust officer Anthony Grieco put it plainly: "The old ways of hardening systems are no longer sufficient." CrowdStrike's CTO Elia Zaitsev added: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI."
JPMorganChase's CISO Pat Opet framed it as industry-wide necessity: "Anthropic's initiative reflects the kind of forward-looking, collaborative approach that this moment demands."
Google's involvement carries particular weight given its own AI-powered security work, including the Big Sleep and CodeMender projects. Google will make Mythos available through Vertex AI and has signaled intent to integrate the findings into its broader threat intelligence operations.
What This Means in Practice
For security teams, the immediate implication is that the bar for finding vulnerabilities has fundamentally changed. Organizations that aren't using AI-assisted code auditing are now working at a structural disadvantage against adversaries who will. This doesn't mean human security expertise is obsolete—human judgment remains essential for prioritization, context, and remediation decisions—but the reconnaissance and vulnerability identification phases are now AI-competitive.
For open-source maintainers, Project Glasswing represents the first time a frontier AI lab has made a genuinely capable model available at no cost to people who maintain software that the entire internet depends on. FFmpeg, the Linux kernel, OpenBSD, and dozens of other projects have historically operated with minimal security resources. This initiative changes that equation, at least temporarily.
For policymakers and governance bodies, the announcement raises hard questions about model access controls, responsible disclosure pipelines at AI-scale vulnerability discovery rates, and the international coordination needed to prevent AI-augmented cyber capabilities from proliferating to state-sponsored actors.
The Open Question
Anthropic describes Project Glasswing as a starting point, not a solution. The company acknowledges that the transition period—before AI-assisted defense reaches equilibrium with AI-assisted offense—may be turbulent. And there is a fundamental tension at the core of the initiative: Mythos Preview is too capable to release publicly, but the same capability that makes it dangerous also makes it useful. Keeping it in a closed partner circle is a delay tactic, not a strategy.
The company has signaled that its long-term plan involves developing safeguards that can be deployed in future models—detecting and blocking the model's most dangerous outputs. It intends to launch those safeguards with an upcoming Claude Opus model, using Opus to refine the guardrails before applying them to Mythos-class systems. That work is still in progress.
The next few months will determine whether Project Glasswing is the beginning of a durable defensive advantage or a band-aid on a structural problem. What is clear is that the old assumption—that finding and exploiting zero-day vulnerabilities requires rare expertise and significant resources—no longer holds. The software ecosystem has to adapt accordingly.
Security correspondent focused on cloud defense, incident response, supply chain threats, and secure engineering habits.