Project Glasswing: When AI Becomes the World’s Best Bug Hunter
What is Project Glasswing? Anthropic’s restricted new model is reshaping the rules of software security, before attackers rewrite them first.
A Bug That Survived 27 Years
It took an AI model a few hours and less than $50 to find a vulnerability that had lived inside OpenBSD for 27 years. The flaw itself (a signed integer overflow deep inside the operating system’s TCP stack) had survived decades of reviews by experts, aggressive fuzzing campaigns, and the scrutiny applied to a system whose entire identity is built around security. It was not found by a team of elite researchers. It was found autonomously, overnight, by an AI model running through a codebase the way a very skilled engineer would, but faster, cheaper, and without fatigue.
A few weeks later, the same model found a 16-year-old heap corruption bug in FFmpeg, the media-processing library that lives inside browsers, streaming services, phones, and televisions across the internet. The root cause was a 16-bit versus 32-bit slice counter mismatch. Spotting it takes the kind of subtle, spec-level reasoning that no fuzzer can replicate, but that an AI model capable of reading code and understanding intent can trace in minutes.
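To make the bug class concrete, here is an added, constructed illustration of a 16-bit versus 32-bit counter mismatch, with the vulnerable pattern beside a hardened one. This is not FFmpeg’s code or the bug the model found; the struct, function names and the 4096-slice limit are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed illustration of the counter-width-mismatch class: a slice
 * count arrives as a 32-bit header value but is kept in a 16-bit field.
 * None of this is FFmpeg code; names and the 4096 limit are assumptions. */

#define MAX_SLICES 4096u

struct frame_ctx {
    uint16_t nb_slices;     /* 16-bit field: assignment silently truncates */
    size_t   table_entries; /* entries the per-slice table was sized for */
};

/* Vulnerable pattern: the table is sized from the truncated 16-bit field,
 * but the decode loop later iterates over the original 32-bit value.
 * Returns how many entries the loop would write past the table (0 = in bounds). */
uint32_t vulnerable_overrun(uint32_t header_count)
{
    struct frame_ctx ctx;
    ctx.nb_slices = (uint16_t)header_count;      /* 65537 becomes 1 */
    ctx.table_entries = ctx.nb_slices;           /* table sized for 1 entry */
    uint32_t loop_count = header_count;          /* loop still runs 65537 times */
    return loop_count > ctx.table_entries ? loop_count - (uint32_t)ctx.table_entries : 0;
}

/* Hardened pattern: validate the full-width value against a documented
 * maximum before narrowing it, then derive allocation and loop bound from
 * the same stored field. Returns 0 on success, -1 when input is rejected. */
int hardened_set_slices(uint32_t header_count, struct frame_ctx *ctx)
{
    if (header_count == 0 || header_count > MAX_SLICES)
        return -1;                               /* reject before the narrowing cast */
    ctx->nb_slices = (uint16_t)header_count;     /* lossless: value <= 4096 */
    ctx->table_entries = ctx->nb_slices;
    return 0;
}

/* Same overrun check for the hardened path: the loop bound is the stored
 * field, so it cannot disagree with the allocation. */
uint32_t hardened_overrun(uint32_t header_count)
{
    struct frame_ctx ctx;
    if (hardened_set_slices(header_count, &ctx) != 0)
        return 0;                                /* rejected: nothing allocated or written */
    uint32_t loop_count = ctx.nb_slices;
    return loop_count > ctx.table_entries ? loop_count - (uint32_t)ctx.table_entries : 0;
}
```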
These two discoveries are not isolated curiosities: they are the opening act of something larger. Thousands of high-severity vulnerabilities have been identified across every major operating system and browser. For the broader set of findings not yet publicly disclosed, Anthropic has published encrypted hashes, with full details to follow only after patches are available. This reflects a structured approach to responsible disclosure.
It also operates at a scale the security community has not had to manage before.
What is Claude Mythos Preview?
On April 7, 2026, Anthropic announced both the model behind those findings and an unprecedented decision about what to do with it. The model is called Claude Mythos Preview. It is a general-purpose frontier AI — not a specialized security scanner — but its advanced reasoning and coding capabilities produce a security performance that, in Anthropic’s own words, “surpasses all but the most skilled humans at finding and exploiting software vulnerabilities”.
The numbers behind that claim are striking. On CyberGym, the field’s leading security evaluation benchmark, Mythos Preview scores 83.1%, compared to 66.6% for its predecessor, Claude Opus 4.6 — a gap of more than 16 percentage points. On Firefox’s JavaScript engine, the model converts 72.4% of identified vulnerabilities into working exploits. More tellingly, it was the first AI model to complete a private enterprise cyber range — a simulated corporate network with misconfigured software, reused credentials, and multi-hop attack chains — end-to-end, without human guidance, in a task estimated to take an expert security professional over ten hours.
What makes Mythos qualitatively different from previous tools is not just raw detection capability: it is the ability to chain vulnerabilities together. Any single flaw in a modern operating system rarely provides complete access on its own. Attackers need to discover two, three, sometimes four vulnerabilities and sequence them into a coherent exploit. Mythos does this autonomously: on Linux, it independently identified and chained together multiple kernel vulnerabilities to elevate privileges from an ordinary user account to full system control. On Firefox, it wrote an exploit that chained four vulnerabilities, constructing a complex JIT heap spray that escaped both the renderer and the operating system’s sandbox.
Critically, these capabilities were not engineered in. They emerged as an unintended consequence of general improvements in coding, reasoning, and autonomy. The same enhancements that make Mythos better at patching vulnerabilities make it better at exploiting them. That duality sits at the heart of everything Anthropic has decided to do next.
Why has Anthropic decided not to release Mythos Preview?
In most technology cycles, a model this capable would be packaged, priced, and released. Anthropic did the opposite.
“We believe this represents a category of AI capability that demands a different kind of launch,” the company wrote in its announcement. Rather than a public API release, Mythos Preview is restricted to a closed coalition of organizations under a framework called Project Glasswing (apparently named after the glasswing butterfly, a creature whose defining characteristic is its transparency).
The logic is straightforward: a model that can find zero-day vulnerabilities in every major operating system and web browser is, by definition, also a model that could be used to attack them. The gap between defensive and offensive capability is not a policy gap; it is architectural. The same engine that spots a flaw can write the exploit. Releasing it indiscriminately before the software ecosystem can absorb the findings would be, in the company’s framing, a security decision that looks like a marketing one.
This framing is itself a signal. It represents a conscious break from the standard product playbook and a bet that the reputational and institutional cost of restraint is lower than the systemic cost of premature access.
Who is part of the Project Glasswing coalition?
Project Glasswing is structured as a controlled, multi-party coalition. The founding partners (Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks) represent a substantial cross-section of the organizations responsible for building and maintaining the software the world runs on. Beyond this founding group, access has been extended to approximately 40 additional organizations that build or maintain critical software infrastructure, enabling them to scan and secure both proprietary and open-source systems.
To facilitate the work, Anthropic has committed up to $100 million in usage credits for Mythos Preview, eliminating API cost as a barrier for partners doing defensive security research. The company has also pledged $4 million in direct donations to open-source security organizations, acknowledging that the burden of vulnerability remediation will fall disproportionately on the volunteer maintainers of open-source software.
The coalition’s operating model is not purely hierarchical. Partners are expected to share what they learn, so the broader industry can benefit. The framing is explicitly collaborative: no single organization can address these challenges alone, and the velocity of AI capability improvement means the window for proactive defense is measured in months, not years.
Why does Project Glasswing matter for executive leaders?
Security leaders have long spoken of “mean time to patch” (MTTP) as a technical metric, relevant to operations teams, but rarely to C-suites. Project Glasswing is changing that framing. When AI can surface a critical vulnerability in hours rather than years, and when over 60% of newly disclosed vulnerabilities already see working exploits within 48 hours of public disclosure, the time between discovery and patch is no longer a process detail: it is a business risk.
The Glasswing model treats vulnerability scanning as a continuous function rather than a periodic audit, with a perpetual scan of foundational software, timed to stay ahead of the adversarial adoption of the same capabilities. For CISOs, this means rethinking security investment not as a capital cost but as a throughput problem: how fast can findings move from AI detection to human triage to deployed patch? Attackers who gain access to comparable models will be asking the same question from the other perspective.
Anthropic’s head of security research put it plainly: “Attackers will use AI to find exploitable weaknesses faster than ever. But defenders who move quickly can find those same weaknesses, patch them, and reduce the risk of an attack.”
What does Project Glasswing mean for security leaders?
For practitioners, the Glasswing announcement marks a change in how the security industry must think about AI. The capabilities it describes are not theoretical: they are demonstrated, measured, documented, and already in the hands of the world’s largest technology companies and financial institutions. Three immediate implications stand out.
First, the threat model has changed. State-level and well-funded adversarial actors will pursue access to comparable models through legitimate and illegitimate channels. The window in which defenders hold a capability advantage over sophisticated attackers is narrow and closing.
Second, the patch cadence must accelerate. AI-generated vulnerability discovery at scale means the volume of disclosed, validated, high-severity findings will grow. Organizations that continue operating on quarterly or monthly patch cycles will face an increasing backlog of known, unpatched risk.
Third, open-source infrastructure requires institutional investment. The projects that underpin global software (the Linux kernel, OpenSSL, FFmpeg, cURL, etc.) are maintained by individuals and small teams operating on volunteer time. The asymmetry between AI-accelerated discovery and human-paced remediation cannot be addressed through tooling alone. It requires structural funding, governance, and coordination at a level that Glasswing has begun to outline but has not yet fully defined.
The glasswing butterfly’s wings are transparent, visible to anyone who looks closely enough. The security of the software the world runs on has, for decades, benefited from the assumption that looking closely enough was beyond the reach of most attackers. That assumption no longer holds. Project Glasswing is Anthropic’s argument that the right response is not to restrict the looking, but to ensure that defenders look first.