TL;DR: Anthropic's Claude Mythos model found thousands of zero-days, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw automated tools had missed after 5 million attempts. Rather than release it, Anthropic restricted access to 40+ vetted organizations under Project Glasswing. That decision is partly responsible, partly strategic, and entirely insufficient as a long-term posture. Here is what it means for security teams that are not inside the program.

What Glasswing actually is

Project Glasswing is Anthropic's restricted-access cybersecurity program built around Claude Mythos Preview, a frontier model the company has decided not to release publicly. Twelve organizations are named as launch partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Over 40 additional organizations maintaining critical software infrastructure have access. Anthropic committed $100 million in Mythos Preview usage credits across the program, plus $2.5 million to Alpha-Omega and OpenSSF via the Linux Foundation and $1.5 million to the Apache Software Foundation.

The reason for the restriction is what Mythos Preview can do. According to Anthropic's own red team assessment, the model achieved a near-zero-to-181-successes jump over the previous Claude Opus 4.6 at autonomous exploit development. Opus 4.6 had a "near-0% success rate at autonomous exploit development." Mythos Preview developed working Firefox JavaScript shell exploits 181 times across multiple attempts. It wrote a FreeBSD NFS remote code execution attack that split a 20-gadget ROP chain over multiple packets. It bypassed KASLR and stack protection. Human validators agreed with its severity assessments in 89% of cases reviewed. Over 99% of the vulnerabilities it found had not yet been patched when the program was announced.

That is a meaningful jump in capability, and Anthropic is correct that releasing it without controls would be irresponsible.

The narrative doing double duty

The framing around Glasswing is worth reading carefully. Restricting a dangerous capability because it could cause harm is a legitimate safety position. It is also excellent reputation management. Both are true at the same time, and treating them as mutually exclusive misses the point.

Anthropic built something that can find exploitable vulnerabilities in every major operating system and web browser. Its response was to give controlled access to Amazon, Google, Microsoft, and a list of their largest enterprise customers. That is not a criticism of the decision, but it is worth naming clearly: a private company, with no international oversight, no treaty, and no independent governance body, decided who gets access to what may be the most capable automated hacking tool ever demonstrated publicly. The 40+ organizations inside Glasswing now have something everyone else does not.

The insider/outsider gap in offensive capability is a security story that has received less attention than it deserves. It is not that access has been denied to bad actors, specifically. It is that access has been granted to a defined set of commercial organizations, and the rest of the defender community, including most enterprise security teams, government agencies outside the named partners, and independent researchers, is on the outside looking in.

The number that does not add up

$100 million sounds like a serious commitment. Nation states spend that on offensive cyber programs without issuing a press release. The NSA's budget for offensive operations runs into the billions. China's state-sponsored cyber programs, documented extensively through indictments and attribution reports from CrowdStrike, Mandiant, and US CISA, operate at a scale where $100 million is rounding error.

Restricting access to Mythos Preview buys time. Anthropic does not own this capability: other labs, state-sponsored and otherwise, are working toward the same endpoint. History does not show that controlled releases prevent proliferation. They delay it. The window between a capability existing in one place and existing everywhere is closing, and the question that matters more than who currently has access is what defenders are doing with the time they have.

The specific problem: exploitation speed, not attack surface size

The most important shift Glasswing makes concrete is not that the attack surface got larger. It is that exploitation got faster. Those are different problems, and most enterprise security programs are still structured to solve the first one.

CVE-based patching operates on an implicit assumption: that vulnerability discovery happens at human speed. A researcher finds a bug, writes it up, it gets assigned a CVE, vendors patch, organizations deploy. The cycle takes weeks to months. Repello's analysis of the zero-day collapse documented how the mean time from vulnerability disclosure to active exploit has compressed from 771 days to under four days across recent incidents. Mythos Preview does not operate on that timeline at all. It found a 27-year-old OpenBSD bug and a 16-year-old FFmpeg vulnerability that automated fuzzing tools had missed after 5 million attempts. It is not slower than human researchers. It is categorically faster.

That changes what patching cycles are for. A patching program calibrated to human-speed discovery is not defending against AI-speed discovery. It is defending against last year's threat model.

What a hard reset on threat modeling looks like

Glasswing's own documentation suggests four immediate changes: accelerate patch deployment cycles, use current frontier models for vulnerability finding, automate incident response pipelines, and prepare infrastructure for rapid security updates. Those are correct and insufficient.

The structural problem is that software was built, over decades, with the assumption that attackers were humans working at human speed. Buffer overflows, memory corruption bugs, type confusion issues: these have been exploitable for as long as software has existed, but finding them reliably required either automated fuzzing at scale or expert human researchers with months to spend. Mythos Preview obsoletes both constraints simultaneously. It finds the bugs, chains the exploits, and bypasses modern hardening. The 27-year-old OpenBSD bug was not waiting for a more creative human. It was waiting for a model that could reason about the code.

A threat model reset means accepting that assumptions about attacker capability are now wrong by default. If you are currently modeling your adversaries as operating at human speed with human resource constraints, you need to update that model without waiting to be invited into a program like Glasswing. Assume equivalents exist. Work backwards from what a Mythos-class model could do against your specific stack, and ask whether your detection, patching, and response infrastructure could handle that timeline.

For most organizations, the answer is no. The gap is not primarily a tooling gap. It is a process gap: security programs structured around quarterly assessments, annual penetration tests, and patch cycles measured in weeks are not compatible with exploitation that operates in hours.

The question Glasswing does not answer

Glasswing is a serious program addressing a genuine problem. Anthropic is putting real resources behind it, the partners are organizations with real infrastructure to protect, and the 90-day public reporting commitment is a meaningful accountability mechanism.

What it does not address is the structural condition that made Glasswing necessary: software built on assumptions that no longer hold. Restricted access to one model, from one lab, for one defined set of organizations, for a window that is measured in months to years, is a response to something structural. Every major operating system had unknown exploitable vulnerabilities sitting in it for decades. Mythos Preview found them. The next model, from Anthropic or anyone else, will find more.

The defensive answer is continuous AI-speed testing against your own systems before someone else runs that test for you. That means red teaming that operates on the same timeline as the threat: automated, continuous, mapped to your actual deployment, not a point-in-time assessment run once a year by a consulting firm.

ARTEMIS runs exactly that kind of assessment: context-specific, continuous, mapped to OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS, covering the agentic attack surfaces that traditional penetration testing does not reach. The gap between Glasswing insiders and everyone else is real. The way to close it is not to wait for an invitation.

Book a demo with Repello's red team to assess your AI attack surface before someone else does.

FAQ

What is Claude Mythos? Claude Mythos Preview is Anthropic's frontier AI model specialized for cybersecurity research. It found thousands of zero-day vulnerabilities, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw that automated tools missed after 5 million fuzzing attempts. It can write working exploits, chain vulnerabilities, and bypass modern hardening techniques like KASLR and stack protection. Anthropic has not released it publicly.

What is Project Glasswing? Project Glasswing is Anthropic's restricted-access program that gives vetted organizations access to Claude Mythos Preview for defensive cybersecurity purposes. Launch partners include Amazon Web Services, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, and Palo Alto Networks, plus 40+ additional organizations maintaining critical software infrastructure. Anthropic committed $100 million in Mythos Preview usage credits to the program.

Why is Claude Mythos not publicly available? Anthropic determined that Mythos Preview's autonomous exploit development capabilities are too dangerous for general release. The model can develop working exploits for critical vulnerabilities, chain multiple bugs to bypass security controls, and do so at a scale and speed that would give adversaries a significant advantage if released without restriction.

Does restricting Mythos Preview actually improve security? It creates a temporary defensive window. Controlled releases historically delay proliferation, not stop it. Other AI labs and state-sponsored programs are working toward equivalent capabilities. The window buys time for defenders to find and patch vulnerabilities before adversaries develop comparable tools. What security teams do with that time determines whether the restriction achieves its purpose.

What should security teams do if they are not inside Project Glasswing? Assume the threat model has changed: adversaries may already have access to equivalent capabilities. Recalibrate patching cycles away from CVE-based timelines, which assume human-speed discovery. Run continuous AI-powered red teaming against your own systems rather than waiting for point-in-time assessments. Identify which of your AI applications and agentic workflows have not been tested against current attack patterns, and close that gap before someone else finds it.